Fix sandbox use with systemd. bug 16212.

diff --git a/changes/bug16212 b/changes/bug16212
new file mode 100644 (file)
index 0000000..bc12463
--- /dev/null
+++ b/changes/bug16212
@@ -0,0 +1,5 @@
+  o Minor bugfixes (sandbox, systemd):
+    - Allow systemd connections to work with the Linux seccomp2 sandbox
+      code.  Fixes bug 16212; bugfix on 0.2.6.2-alpha.
+      Patch by Peter Palfrader.
+

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 49316c6193f14730284fa6675ead1f534893734d..a32bd0d901624ff89e669d9cd06c335be016873c 100644 (file)
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -170,6 +170,7 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(read),
     SCMP_SYS(rt_sigreturn),
     SCMP_SYS(sched_getaffinity),
+    SCMP_SYS(sendmsg),
     SCMP_SYS(set_robust_list),
 #ifdef __NR_sigreturn
     SCMP_SYS(sigreturn),
@@ -547,6 +548,15 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
       SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
       SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
       SCMP_CMP(2, SCMP_CMP_EQ, 0));
+  if (rc)
+    return rc;
+
+  rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+      SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
+      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
+      SCMP_CMP(2, SCMP_CMP_EQ, 0));
+  if (rc)
+    return rc;
 
   rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
       SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),