[File] [PATCH] Fix seccomp on ARM64 Linux
Icenowy Zheng
icenowy at aosc.io
Tue Apr 6 18:12:20 UTC 2021
On ARM64 Linux access() syscall is no longer a real syscall to the
kernel. Instead it's emulated by glibc with a new faccessat() syscall.
faccessat() adds the functionality to do access permission check for a
path relative to a file descriptor. As this seems to be not granting
too much permission, add it to the whilelist of seccomp, to allow file
command to run correctly on ARM64 Linux machines.
---
src/seccomp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/seccomp.c b/src/seccomp.c
index 0da907ff..d812e262 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -171,6 +171,9 @@ enable_sandbox_full(void)
ALLOW_RULE(dup2);
ALLOW_RULE(exit);
ALLOW_RULE(exit_group);
+#ifdef __NR_faccessat
+ ALLOW_RULE(faccessat);
+#endif
ALLOW_RULE(fcntl);
ALLOW_RULE(fcntl64);
ALLOW_RULE(fstat);
--
2.30.2
More information about the File
mailing list