tightens seccomp filter: allow only openat(O_RDONLY)

be more strict and allow an openat only with the O_RDONLY flag. This is kind of redundant with landlock, but still good to have. Landlock is not yet widely available and won't kill the process upon policy violation; furthermore, landlock can be disabled at boot time. tested on GNU and musl libc on arch and alpine amd64.
author: Omar Polo <op@omarpolo.com> 2022-02-13 16:20:27 +0000
committer: Omar Polo <op@omarpolo.com> 2022-02-13 16:20:27 +0000
commit: 4f0e893cd3889acb8e3d40d359610749189adc25 (patch)
tree: 7b89bda32789455e29cae756f6ea8dd5955a9510 /sandbox.c
parent: 94c5f99ab038efafa5f5a841d8092a995d9ee03c (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/sandbox.c b/sandbox.c
index 8881cbb..0ab50d1 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -354,7 +354,7 @@ static struct sock_filter filter[] = {
 	SC_ALLOW(oldfstat),
 #endif
 #ifdef __NR_openat
-	SC_ALLOW(openat),
+	SC_ALLOW_ARG(__NR_openat, 3, O_RDONLY),
 #endif
 #ifdef __NR_prlimit64
 	SC_ALLOW(prlimit64),
author	Omar Polo <op@omarpolo.com>	2022-02-13 16:20:27 +0000
committer	Omar Polo <op@omarpolo.com>	2022-02-13 16:20:27 +0000
commit	4f0e893cd3889acb8e3d40d359610749189adc25 (patch)
tree	7b89bda32789455e29cae756f6ea8dd5955a9510 /sandbox.c
parent	94c5f99ab038efafa5f5a841d8092a995d9ee03c (diff)