From 285b33afd0dac92e871375a6e00434b78af2053b Mon Sep 17 00:00:00 2001
From: Patrick McLean
Date: Tue, 8 Jul 2014 11:40:15 -0700
Subject: [PATCH] lldpd: whitelist sendto, poll, recvmsg and readv in seccomp sandbox

With privilege separation and seccomp enabled, the monitor thread was dying due to seccomp errors, while leaving the child alive. This whitelists some extra syscalls to allow the monitor process to stay alive.
---
 src/daemon/priv-seccomp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/daemon/priv-seccomp.c b/src/daemon/priv-seccomp.c
index 7eb49d6f..c69d82a3 100644
--- a/src/daemon/priv-seccomp.c
+++ b/src/daemon/priv-seccomp.c
@@ -160,6 +160,10 @@ priv_seccomp_init(int remote, int child)
 (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat), 0)) < 0 ||
 (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0)) < 0 ||
 (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(readv), 0)) < 0 ||
 /* The following are for resolving addresses */
 (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
 (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||
-- 
2.39.5
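Review bot: The four new rules allow sendto, poll, recvmsg and readv unconditionally (argument count 0) in the privileged monitor, and unlike the adjacent `/* The following are for resolving addresses */` group nothing records which monitor code path needs them, so a later audit of the sandbox cannot tell whether they are still required or could take argument filters. I would add a grouping comment above the sendto line, e.g. `/* Needed by the privileged monitor under privilege separation (it died on these with seccomp enabled) */`, and a sentence on why they are left unfiltered if that was considered. Separately, poll is not a native syscall on every Linux architecture (aarch64 provides only ppoll), so whether `SCMP_SYS(poll)` makes seccomp_rule_add fail or is skipped there depends on the libseccomp version and is worth confirming before shipping the filter on such platforms. priv_seccomp_init continues outside the hunk.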