[File] [PATCH] Fix seccomp on ARM64 Linux

Christos Zoulas christos at zoulas.com
Tue Apr 6 22:02:34 UTC 2021


Applied, thanks!

christos

> On Apr 6, 2021, at 2:12 PM, Icenowy Zheng <icenowy at aosc.io> wrote:
> 
> On ARM64 Linux access() syscall is no longer a real syscall to the
> kernel. Instead it's emulated by glibc with a new faccessat() syscall.
> 
> faccessat() adds the functionality to do access permission check for a
> path relative to a file descriptor. As this seems to be not granting
> too much permission, add it to the whitelist of seccomp, to allow file
> command to run correctly on ARM64 Linux machines.
> ---
> src/seccomp.c | 3 +++
> 1 file changed, 3 insertions(+)
> 
> diff --git a/src/seccomp.c b/src/seccomp.c
> index 0da907ff..d812e262 100644
> --- a/src/seccomp.c
> +++ b/src/seccomp.c
> @@ -171,6 +171,9 @@ enable_sandbox_full(void)
> 	ALLOW_RULE(dup2);
> 	ALLOW_RULE(exit);
> 	ALLOW_RULE(exit_group);
> +#ifdef __NR_faccessat
> +	ALLOW_RULE(faccessat);
> +#endif
> 	ALLOW_RULE(fcntl);
>  	ALLOW_RULE(fcntl64);
> 	ALLOW_RULE(fstat);
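
Review bot: the `#ifdef __NR_faccessat` guard around `ALLOW_RULE(faccessat);` is inconsistent with the neighbouring rules, since `ALLOW_RULE(fcntl64);` two lines below is added unconditionally even though fcntl64 is not a syscall on every architecture. Either drop the guard to match the surrounding entries, or keep it and add a one-line comment saying why this rule needs one. A short comment noting that the rule exists because access() is emulated through faccessat() on ARM64, as the commit message explains, would also help the next person auditing this allow list.
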
> --
> 2.30.2
