+++ /dev/null
-diff --git a/configure.ac b/configure.ac
-index 4065d0e..d59ad44 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
- i*86-*)
- seccomp_audit_arch=AUDIT_ARCH_I386
- ;;
-- arm*-*)
-+ aarch64*-*)
-+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
-+ ;;
-+ arm*-*)
- seccomp_audit_arch=AUDIT_ARCH_ARM
-- ;;
-+ ;;
- esac
- if test "x$seccomp_audit_arch" != "x" ; then
- AC_MSG_RESULT(["$seccomp_audit_arch"])
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 095b04a..52f6810 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -90,8 +90,20 @@ static const struct sock_filter preauth_insns[] = {
- /* Load the syscall number for checking. */
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
- offsetof(struct seccomp_data, nr)),
-- SC_DENY(open, EACCES),
-- SC_DENY(stat, EACCES),
-+ SC_DENY(openat, EACCES),
-+#ifdef __NR_open
-+ SC_DENY(open, EACCES), /* not on AArch64 */
-+#endif
-+#ifdef __NR_fstat
-+ SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
-+#endif
-+#if defined(__NR_stat64) && defined(__NR_fstat64)
-+ SC_DENY(stat64, EACCES), /* ix86, arm */
-+ SC_DENY(fstat64, EACCES),
-+#endif
-+#ifdef __NR_newfstatat
-+ SC_DENY(newfstatat, EACCES), /* Aarch64 */
-+#endif
- SC_ALLOW(getpid),
- SC_ALLOW(gettimeofday),
- SC_ALLOW(clock_gettime),
-@@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = {
- SC_ALLOW(shutdown),
- #endif
- SC_ALLOW(brk),
-+#ifdef __NR_poll /* not on AArch64 */
- SC_ALLOW(poll),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(_newselect),
- #else
-+#ifdef __NR_select /* not on AArch64 */
- SC_ALLOW(select),
- #endif
-+#ifdef __NR_pselect6 /* AArch64 */
-+ SC_ALLOW(pselect6),
-+#endif
-+#endif
- SC_ALLOW(madvise),
- #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
- SC_ALLOW(mmap2),
projects / people / arne_f / ipfire-3.x.git / blobdiff