daemon: add additional syscalls to SECCOMP filter when running in the foreground

Running lldpd in the foreground as follows:

strace -c /usr/sbin/lldpd -d -cfse -D -C lldpd-peer -I lldpd-peer \
       -S lldpd-system-name -m 192.168.50.6

Requires additional syscalls to be filtered (non relevant syscalls removed):

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  0.47    0.000026           6         4           ppoll
  0.33    0.000018           3         5           rt_sigprocmask
  0.27    0.000015           3         4           getsockopt
------ ----------- ----------- --------- --------- ----------------
100.00    0.005520           8       637        22 total

diff --git a/src/daemon/priv-seccomp.c b/src/daemon/priv-seccomp.c
index 32097d31914b83a2bcf851077360c58a36c6ec83..3f78e61fb6a1e8a5da116c4e0017894bef2b833b 100644 (file)
--- a/src/daemon/priv-seccomp.c
+++ b/src/daemon/priv-seccomp.c
@@ -179,6 +179,9 @@ priv_seccomp_init(int remote, int child)
            (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0)) < 0 ||
            (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) < 0 ||
            (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 0 ||
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0)) < 0 ||
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0)) < 0 ||
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ppoll), 0)) < 0 ||
            /* The following are for resolving addresses */
            (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
            (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||