From 4747da3a5b639b5a336b737e7e3cbf060cf2efcf Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Fri, 1 Oct 2021 13:53:59 +0000
Subject: Add syscall sandboxing (seccomp-bpf)

---
 src/checkqueue.h | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/checkqueue.h')

diff --git a/src/checkqueue.h b/src/checkqueue.h
index 4ceeb3600a..7c20e2013c 100644
--- a/src/checkqueue.h
+++ b/src/checkqueue.h
@@ -7,6 +7,7 @@
 
 #include <sync.h>
 #include <tinyformat.h>
+#include <util/syscall_sandbox.h>
 #include <util/threadnames.h>
 
 #include <algorithm>
@@ -151,6 +152,7 @@ public:
         for (int n = 0; n < threads_num; ++n) {
             m_worker_threads.emplace_back([this, n]() {
                 util::ThreadRename(strprintf("scriptch.%i", n));
+                SetSyscallSandboxPolicy(SyscallSandboxPolicy::VALIDATION_SCRIPT_CHECK);
                 Loop(false /* worker thread */);
             });
         }
-- 
cgit v1.2.3