sys_linux: fix seccomp filter for BINDTODEVICE option

The BINDTODEVICE socket option is the first option in the seccomp filter
setting a string instead of int. Remove the length check from the
setsockopt rules to allow a device name longer than 3 characters.

This was reported in Debian bug #995207.

Fixes: b9f5ce83b02e ("sys_linux: allow BINDTODEVICE option in seccomp filter")

diff --git a/sys_linux.c b/sys_linux.c
index 8fba259e7e5b345b78eaf833d27c852498787734..9cab2efaa7b96ee3a0a4c7923575601af2619268 100644 (file)
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -739,10 +739,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
 
     /* Allow selected socket options */
     for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
-      if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,
+      if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
                            SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
-                           SCMP_A2(SCMP_CMP_EQ, socket_options[i][1]),
-                           SCMP_A4(SCMP_CMP_LE, sizeof (int))) < 0)
+                           SCMP_A2(SCMP_CMP_EQ, socket_options[i][1])))
         goto add_failed;
     }