[File] [PATCH] Fix seccomp rules for executing decompressor on glibc
Michał Górny
mgorny at gentoo.org
Thu Sep 15 08:10:11 UTC 2022
Add ALLOW_RULE for all the syscalls used by glibc on my system to spawn
the decompressor. With them present, `file -z ...` starts working again
when not using external libraries, at least on amd64. Other
architectures may need more syscalls.
---
src/seccomp.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/src/seccomp.c b/src/seccomp.c
index 7993177b..1c80b540 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -236,6 +236,40 @@ enable_sandbox_full(void)
ALLOW_RULE(write);
ALLOW_RULE(writev);
+ // The following are needed to spawn decompressor on GNU/Linux
+#ifdef __NR_arch_prctl
+ ALLOW_RULE(arch_prctl);
+#endif
+#ifdef __NR_clone3
+ ALLOW_RULE(clone3);
+#endif
+#ifdef __NR_execve
+ ALLOW_RULE(execve);
+#endif
+#ifdef __NR_getrandom
+ ALLOW_RULE(getrandom);
+#endif
+#ifdef __NR_pipe2
+ ALLOW_RULE(pipe2);
+#endif
+#ifdef __NR_prlimit64
+ ALLOW_RULE(prlimit64);
+#endif
+#ifdef __NR_rseq
+ ALLOW_RULE(rseq);
+#endif
+#ifdef __NR_set_robust_list
+ ALLOW_RULE(set_robust_list);
+#endif
+#ifdef __NR_set_tid_address
+ ALLOW_RULE(set_tid_address);
+#endif
+#ifdef __NR_ugetrlimit
+ ALLOW_RULE(ugetrlimit);
+#endif
+#ifdef __NR_wait4
+ ALLOW_RULE(wait4);
+#endif
#if 0
// needed by valgrind
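Review bot: `ALLOW_RULE(execve);` and `ALLOW_RULE(clone3);` are added unconditionally to enable_sandbox_full(), so every invocation, not only `file -z`, now permits spawning a child and executing a new program; once execve is allowed, a compromised file process can run an arbitrary binary, which is the main capability the full sandbox was denying. The commit message says these rules are needed only "when not using external libraries", so that condition is already known at sandbox setup time: consider gating this whole block on the external-decompressor path actually being in use (decompression requested and no built-in library handles the format), so the default run keeps execve and clone3 blocked. Two smaller points: the comment says "GNU/Linux" while the message says glibc on amd64 specifically, so it would help to state which libc/arch combinations were tested; and since the list is tied to one glibc version's fork/exec sequence, a short note on how it was derived (e.g. from a seccomp kill trace) would make it easier to extend when other architectures or future glibc releases need additional syscalls, as the message anticipates.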
--
2.37.3