[seccomp] allow fcntl F_SETFD

musl does a F_SETFD in its fdopendir
author: Omar Polo <op@omarpolo.com> 2021-01-24 19:12:32 +0000
committer: Omar Polo <op@omarpolo.com> 2021-01-24 19:12:32 +0000
commit: f88311e5344ed934d8b05c3738cca2a978491987 (patch)
tree: 71ebf6f5c8bc41c51cbb2f91ad8e86de7c510d95
parent: 252908e6bb335c42249a3d5fe6ecaa4daf5a3e3e (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/sandbox.c b/sandbox.c
index d24e602..030112b 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -179,17 +179,22 @@ sandbox()
 		/* alpine on amd64 does a clock_gettime(2) */
 		SC_ALLOW(clock_gettime),
 
+		/* for directory listing */
+		SC_ALLOW(getdents64),
+
 		SC_ALLOW(exit),
 		SC_ALLOW(exit_group),
 
 		/* allow only F_GETFL and F_SETFL fcntl */
-		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6),
+		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
 		BPF_STMT(BPF_LD  | BPF_W | BPF_ABS,
 		    (offsetof(struct seccomp_data, args[1]))),
 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFD, 0, 1),
+		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
 		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
 
 		/* re-load the syscall number */
author	Omar Polo <op@omarpolo.com>	2021-01-24 19:12:32 +0000
committer	Omar Polo <op@omarpolo.com>	2021-01-24 19:12:32 +0000
commit	f88311e5344ed934d8b05c3738cca2a978491987 (patch)
tree	71ebf6f5c8bc41c51cbb2f91ad8e86de7c510d95
parent	252908e6bb335c42249a3d5fe6ecaa4daf5a3e3e (diff)