- (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)

   syscall from sandboxes; it may be called by packet_close.

diff --git a/ChangeLog b/ChangeLog
index c0dab651bfffa06aeee1f121f1bbed4553997eaa..f9740631e568e8157eab3f5c805d0a6f310cab1c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20140131
+ - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
+   syscall from sandboxes; it may be called by packet_close.
+
 20140130
  - (djm) [configure.ac] Only check for width-specified integer types
    in headers that actually exist. patch from Tom G. Christensen;

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2f73067e1a3263da01a7cc1b1917c49e20614e21..dbda60bab11283040cc48648f605785dc3a074e6 100644 (file)
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -98,6 +98,7 @@ static const struct sock_filter preauth_insns[] = {
        SC_ALLOW(read),
        SC_ALLOW(write),
        SC_ALLOW(close),
+       SC_ALLOW(shutdown),
        SC_ALLOW(brk),
        SC_ALLOW(poll),
 #ifdef __NR__newselect

diff --git a/sandbox-systrace.c b/sandbox-systrace.c
index 53fbd47cb5aa0d14fe45e32b5d1fbb1487610983..3d467783843a0a685de92ff50b792ce085f63c20 100644 (file)
--- a/sandbox-systrace.c
+++ b/sandbox-systrace.c
@@ -66,6 +66,7 @@ static const struct sandbox_policy preauth_policy[] = {
        { SYS_munmap, SYSTR_POLICY_PERMIT },
        { SYS_read, SYSTR_POLICY_PERMIT },
        { SYS_select, SYSTR_POLICY_PERMIT },
+       { SYS_shutdown, SYSTR_POLICY_PERMIT },
        { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
        { SYS_write, SYSTR_POLICY_PERMIT },
        { -1, -1 }