diff options
author | Omar Polo <op@omarpolo.com> | 2022-02-13 15:32:10 +0000 |
---|---|---|
committer | Omar Polo <op@omarpolo.com> | 2022-02-13 15:32:10 +0000 |
commit | 94c5f99ab038efafa5f5a841d8092a995d9ee03c (patch) | |
tree | 4560923d22d0712f500971095683c885cb5bccf6 | |
parent | 67347fb02188b5cad33b647df942b38226471b9c (diff) |
sort syscalls in seccomp filter
-rw-r--r-- | sandbox.c | 18 |
1 files changed, 9 insertions, 9 deletions
@@ -308,6 +308,9 @@ static struct sock_filter filter[] = { #ifdef __NR_fstat64 SC_ALLOW(fstat64), #endif +#ifdef __NR_fstatat64 + SC_ALLOW(fstatat64), +#endif #ifdef __NR_getdents64 SC_ALLOW(getdents64), #endif @@ -326,6 +329,9 @@ static struct sock_filter filter[] = { /* allow FIONREAD needed by libevent */ SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD), #endif +#ifdef __NR__llseek + SC_ALLOW(_llseek), +#endif #ifdef __NR_lseek SC_ALLOW(lseek), #endif @@ -344,9 +350,6 @@ static struct sock_filter filter[] = { #ifdef __NR_newfstatat SC_ALLOW(newfstatat), #endif -#ifdef __NR_fstatat64 - SC_ALLOW(fstatat64), -#endif #ifdef __NR_oldfstat SC_ALLOW(oldfstat), #endif @@ -374,6 +377,9 @@ static struct sock_filter filter[] = { #ifdef __NR_sendmsg SC_ALLOW(sendmsg), #endif +#ifdef __NR_sigreturn + SC_ALLOW(sigreturn), +#endif #ifdef __NR_statx SC_ALLOW(statx), #endif @@ -386,12 +392,6 @@ static struct sock_filter filter[] = { #ifdef __NR_writev SC_ALLOW(writev), #endif -#ifdef __NR__llseek - SC_ALLOW(_llseek), -#endif -#ifdef __NR_sigreturn - SC_ALLOW(sigreturn), -#endif /* disallow everything else */ BPF_STMT(BPF_RET | BPF_K, SC_FAIL), |