From 1def824404cfcab9f64b687da1cb7a4b4b51bbe0 Mon Sep 17 00:00:00 2001
From: David Sastre Medina
Date: Tue, 11 Jan 2022 14:55:05 +0100
Subject: [PATCH] daemon: add additional syscalls to SECCOMP filter when running in the foreground

Running lldpd in the foreground as follows:
strace -c /usr/sbin/lldpd -d -cfse -D -C lldpd-peer -I lldpd-peer \
-S lldpd-system-name -m 192.168.50.6
Requires additional syscalls to be filtered (non relevant syscalls removed):
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
0.47 0.000026 6 4 ppoll
0.33 0.000018 3 5 rt_sigprocmask
0.27 0.000015 3 4 getsockopt
------ ----------- ----------- --------- --------- ----------------
100.00 0.005520 8 637 22 total
---
src/daemon/priv-seccomp.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/src/daemon/priv-seccomp.c b/src/daemon/priv-seccomp.c
index 32097d31..3f78e61f 100644
--- a/src/daemon/priv-seccomp.c
+++ b/src/daemon/priv-seccomp.c
@@ -179,6 +179,9 @@ priv_seccomp_init(int remote, int child)
 (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0)) < 0 ||
 (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) < 0 ||
 (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 0 ||
+(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0)) < 0 ||
+(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0)) < 0 ||
+(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ppoll), 0)) < 0 ||
 /* The following are for resolving addresses */
 (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
 (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||
--
2.39.5
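Review bot: The three new rules (rt_sigprocmask, getsockopt, ppoll) are added to the allow list unconditionally, while the commit message attributes the need for them only to running in the foreground; the hunk gives no hint of that, so a later reader auditing the filter cannot tell why these were widened or whether the daemonized path needs them too. The neighbouring rules carry an intent comment (`/* The following are for resolving addresses */`), so the added lines deserve one of their own, e.g. `/* Observed when running in the foreground (-d); see strace in the commit message */`, or a note if they turn out to be needed in both modes. All three are allowed with zero argument comparisons, which matches the surrounding rules' style; if the filter ever moves toward argument-constrained rules, getsockopt (level/optname via SCMP_A1/SCMP_A2 with SCMP_CMP_EQ) would be the natural candidate to narrow, though that is outside this commit's scope. priv_seccomp_init's body begins and ends outside the hunk, so it is not visible here whether `remote`/`child` could gate these rules.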