sys_linux: allow setsockopt(SOL_IP, IP_TOS) in seccomp

This system call is required by the DSCP marking feature introduced in commit
6a5665ca5877 ("conf: add dscp directive").

Before this change, enabling seccomp filtering (chronyd -F 1) and specifying a
custom DSCP value in the configuration (for example "dscp 46") caused the
process to be killed by seccomp due to IP_TOS not being allowed by the filter.

Tested before and after the change on Ubuntu 21.04, kernel 5.11.0-13-generic.
IP_TOS is available since Linux 1.0, so I didn't add any ifdefs for it.

Signed-off-by: Foster Snowhill <forst@forstwoof.ru>

diff --git a/sys_linux.c b/sys_linux.c
index 06ec45f9fd4b1a25c8226d80382a64dd50c0b57f..a33887f8544cc0290699ff54e0323411512c289e 100644 (file)
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -621,7 +621,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
   };
 
   const static int socket_options[][2] = {
-    { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND },
+    { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND }, { SOL_IP, IP_TOS },
 #ifdef FEAT_IPV6
     { SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO },
 #endif