Deny lstat syscalls in seccomp sandbox

author Damien Miller <djm@mindrot.org>

Thu, 19 May 2016 23:56:53 +0000 (09:56 +1000)

committer Damien Miller <djm@mindrot.org>

Thu, 19 May 2016 23:56:53 +0000 (09:56 +1000)
author Damien Miller <djm@mindrot.org>
Thu, 19 May 2016 23:56:53 +0000 (09:56 +1000)
committer Damien Miller <djm@mindrot.org>
Thu, 19 May 2016 23:56:53 +0000 (09:56 +1000)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c

index d132e26460dedb340bb07a4b1585b0d7eeb45bc3..2e1ed2c52727c38c72eacd4c98064543b83f79df 100644 (file)
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -103,6 +103,12 @@ static const struct sock_filter preauth_insns[] = {
                 offsetof(struct seccomp_data, nr)),
  
         /* Syscalls to non-fatally deny */
+#ifdef __NR_lstat
+       SC_DENY(lstat, EACCES),
+#endif
+#ifdef __NR_lstat64
+       SC_DENY(lstat64, EACCES),
+#endif
  #ifdef __NR_fstat
         SC_DENY(fstat, EACCES),
  #endif
author	Damien Miller <djm@mindrot.org>
	Thu, 19 May 2016 23:56:53 +0000 (09:56 +1000)
committer	Damien Miller <djm@mindrot.org>
	Thu, 19 May 2016 23:56:53 +0000 (09:56 +1000)