diff options
author | Philipp Stephani <phst@google.com> | 2022-01-22 17:11:37 +0100 |
---|---|---|
committer | Philipp Stephani <phst@google.com> | 2022-01-22 17:18:50 +0100 |
commit | 6d3608be88e1b30d2d10ee81f14dd485275c20ff (patch) | |
tree | dadeea204ad6dad93bbd7ac684fca784635361a2 /lib-src | |
parent | e58ecd01d51471e7e63d20ee059a5c26251220b7 (diff) | |
download | emacs-6d3608be88e1b30d2d10ee81f14dd485275c20ff.tar.gz |
Seccomp: improve support for newer versions of glibc (Bug#51073)
* lib-src/seccomp-filter.c (main): Allow 'pread64' and 'faccessat2'
system calls. Newer versions of glibc use these system call (starting
with commits 95c1056962a3f2297c94ce47f0eaf0c5b6563231 and
3d3ab573a5f3071992cbc4f57d50d1d29d55bde2, respectively).
Diffstat (limited to 'lib-src')
-rw-r--r-- | lib-src/seccomp-filter.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c index 552a9862391..d368cbb46c8 100644 --- a/lib-src/seccomp-filter.c +++ b/lib-src/seccomp-filter.c @@ -228,6 +228,7 @@ main (int argc, char **argv) capabilities, and operating on them shouldn't cause security issues. */ RULE (SCMP_ACT_ALLOW, SCMP_SYS (read)); + RULE (SCMP_ACT_ALLOW, SCMP_SYS (pread64)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (write)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (close)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (lseek)); @@ -239,6 +240,7 @@ main (int argc, char **argv) should be further restricted using mount namespaces. */ RULE (SCMP_ACT_ALLOW, SCMP_SYS (access)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (faccessat)); + RULE (SCMP_ACT_ALLOW, SCMP_SYS (faccessat2)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (stat)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (stat64)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (lstat)); |