[File] [PATCH] Allow getrandom, rseq, and prctl for glibc malloc
Christos Zoulas
christos at zoulas.com
Thu Nov 28 14:03:14 UTC 2024
Hmm, getrandom is already allowed... prctl is dangerous to allow for general use. There is a more specific rule already there. Perhaps add to that? rseq is fine.
christos
> On Nov 8, 2024, at 2:42 AM, Werner Fink <werner at suse.de> wrote:
>
> From: Cristian Rodríguez <crrodriguez at opensuse.org>
>
> glibc uses getrandom in malloc, rseq, and prctl in various other
> places; allow these syscalls in the seccomp filter.
>
> ```
> export GLIBC_TUNABLES=glibc.mem.decorate_maps=1
> make check
> ```
>
> Signed-off-by: Werner Fink <werner at suse.de>
> ---
> src/seccomp.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/src/seccomp.c b/src/seccomp.c
> index ce824330..8a2c8a4c 100644
> --- a/src/seccomp.c
> +++ b/src/seccomp.c
> @@ -80,6 +80,9 @@ enable_sandbox(void)
> if (ctx == NULL)
> return -1;
>
> + ALLOW_RULE(prctl);
> + ALLOW_RULE(getrandom);
> + ALLOW_RULE(rseq);
> ALLOW_RULE(access);
> ALLOW_RULE(brk);
> ALLOW_RULE(close);
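Review bot: the unconditional `+ ALLOW_RULE(prctl);` widens the sandbox well beyond what glibc needs, because prctl multiplexes many unrelated operations through its first argument; either extend the existing, more specific prctl rule that the reply refers to, or constrain the new rule to the required option with an argument comparison rather than allowing every prctl call. In the same hunk, the three new rules are inserted above `ALLOW_RULE(access);`, breaking the alphabetical order of the list that follows (access, brk, close); move them to their sorted positions. If getrandom is already allowed elsewhere in this filter, as the reply states, the `+ ALLOW_RULE(getrandom);` line is redundant and should be dropped. The commit message would also be stronger if it named the glibc code paths that issue rseq and prctl instead of "various other places", so a reviewer can judge which prctl option is actually needed.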
> --
> 2.43.0
>
> --
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file