From: Patrick McLean Date: Tue, 8 Jul 2014 18:40:15 +0000 (-0700) Subject: lldpd: whitelist sendto, poll, recvmsg and readv in seccomp sandbox X-Git-Tag: 0.7.10~34^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=285b33afd0dac92e871375a6e00434b78af2053b;p=thirdparty%2Flldpd.git lldpd: whitelist sendto, poll, recvmsg and readv in seccomp sandbox With privilege separation and seccomp enabled, the monitor thread was dying due to seccomp errors, while leaving the child alive. This whitelists some extra syscalls to allow the monitor process to stay alive. --- diff --git a/src/daemon/priv-seccomp.c b/src/daemon/priv-seccomp.c index 7eb49d6f..c69d82a3 100644 --- a/src/daemon/priv-seccomp.c +++ b/src/daemon/priv-seccomp.c @@ -160,6 +160,10 @@ priv_seccomp_init(int remote, int child) (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat), 0)) < 0 || (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0)) < 0 || (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0)) < 0 || + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0)) < 0 || + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 0)) < 0 || + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0)) < 0 || + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(readv), 0)) < 0 || /* The following are for resolving addresses */ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 || (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||
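Review bot: the four new rules (sendto, poll, recvmsg, readv) are added with zero argument filters, so the privileged monitor may now send and receive on any descriptor, not only on the privilege-separation socket; since the hunk header shows this runs inside `priv_seccomp_init(int remote, int child)`, consider pinning at least sendto and recvmsg to that socket if `remote` is its descriptor (assumption, the hunk does not show how `remote` is used), e.g. `seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 1, SCMP_A0(SCMP_CMP_EQ, remote))`, or state in a comment why an unrestricted rule is required. The neighbouring block documents its purpose (`/* The following are for resolving addresses */`) while the new rules carry no comment and the commit message only says "some extra syscalls" were whitelisted; a one-line comment naming the monitor code path that failed on each syscall (which handler hit poll and readv, for instance) would keep the allow-list auditable and stop the next reader from treating these as cargo-culted entries. Also worth mentioning in the message is how the failure was observed (SIGSYS of the monitor with the child left running) so the next person can reproduce the check before widening the list further.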