authorOmar Polo <op@omarpolo.com>2022-02-13 15:32:10 +0000
committerOmar Polo <op@omarpolo.com>2022-02-13 15:32:10 +0000
commit94c5f99ab038efafa5f5a841d8092a995d9ee03c (patch)
tree4560923d22d0712f500971095683c885cb5bccf6
parent67347fb02188b5cad33b647df942b38226471b9c (diff)
sort syscalls in seccomp filter
-rw-r--r--sandbox.c18
1 files changed, 9 insertions, 9 deletions
diff --git a/sandbox.c b/sandbox.c
index 2b5e9e0..8881cbb 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -308,6 +308,9 @@ static struct sock_filter filter[] = {
#ifdef __NR_fstat64
SC_ALLOW(fstat64),
#endif
+#ifdef __NR_fstatat64
+ SC_ALLOW(fstatat64),
+#endif
#ifdef __NR_getdents64
SC_ALLOW(getdents64),
#endif
@@ -326,6 +329,9 @@ static struct sock_filter filter[] = {
/* allow FIONREAD needed by libevent */
SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
#endif
+#ifdef __NR__llseek
+ SC_ALLOW(_llseek),
+#endif
#ifdef __NR_lseek
SC_ALLOW(lseek),
#endif
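Review bot: The sort key is not written down anywhere in the visible hunks, and the placement of `_llseek` between the `ioctl` entry and `lseek` only makes sense if leading underscores are ignored. A one-line comment at the head of the array would let the next contributor keep the allowlist ordered, for example `/* keep sorted by syscall name, ignoring leading underscores */`. A sorted list is also what makes this allowlist auditable: a duplicate or unexpectedly permitted syscall is much easier to spot in review. The `filter[]` array starts outside this hunk, so the comment belongs above the first entry rather than here. Presumably each `SC_ALLOW` is an independent compare-and-return, so the reordering does not change which syscalls are permitted; that should be confirmed against the macro definition.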
@@ -344,9 +350,6 @@ static struct sock_filter filter[] = {
#ifdef __NR_newfstatat
SC_ALLOW(newfstatat),
#endif
-#ifdef __NR_fstatat64
- SC_ALLOW(fstatat64),
-#endif
#ifdef __NR_oldfstat
SC_ALLOW(oldfstat),
#endif
@@ -374,6 +377,9 @@ static struct sock_filter filter[] = {
#ifdef __NR_sendmsg
SC_ALLOW(sendmsg),
#endif
+#ifdef __NR_sigreturn
+ SC_ALLOW(sigreturn),
+#endif
#ifdef __NR_statx
SC_ALLOW(statx),
#endif
@@ -386,12 +392,6 @@ static struct sock_filter filter[] = {
#ifdef __NR_writev
SC_ALLOW(writev),
#endif
-#ifdef __NR__llseek
- SC_ALLOW(_llseek),
-#endif
-#ifdef __NR_sigreturn
- SC_ALLOW(sigreturn),
-#endif
/* disallow everything else */
BPF_STMT(BPF_RET | BPF_K, SC_FAIL),