Sandbox: Permit the clone3 system call

author Nick Mathewson <nickm@torproject.org>

Sun, 27 Mar 2022 22:34:25 +0000 (18:34 -0400)

committer Nick Mathewson <nickm@torproject.org>

Sun, 27 Mar 2022 22:34:25 +0000 (18:34 -0400)
author Nick Mathewson <nickm@torproject.org>
Sun, 27 Mar 2022 22:34:25 +0000 (18:34 -0400)
committer Nick Mathewson <nickm@torproject.org>
Sun, 27 Mar 2022 22:34:25 +0000 (18:34 -0400)
diff --git a/changes/clone3-sandbox b/changes/clone3-sandbox

new file mode 100644 (file)

index 0000000..dac8fe7
--- /dev/null
+++ b/changes/clone3-sandbox
@@ -0,0 +1,3 @@
+  o Minor features (linux seccomp2 sandbox):
+    - Permit the clone3 syscall, which is apparently used in glibc-2.34 and
+      later. Closes ticket 40590.
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c

index 8f577b066048e22fda3a54160e41d6ebbc95a0fc..df676fad2f7eb3fa52457cba6b7f9135d9b2456e 100644 (file)
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -144,6 +144,9 @@ static int filter_nopar_gen[] = {
      SCMP_SYS(clock_gettime),
      SCMP_SYS(close),
      SCMP_SYS(clone),
+#ifdef __NR_clone3
+    SCMP_SYS(clone3),
+#endif
      SCMP_SYS(epoll_create),
      SCMP_SYS(epoll_wait),
  #ifdef __NR_epoll_pwait
author	Nick Mathewson <nickm@torproject.org>
	Sun, 27 Mar 2022 22:34:25 +0000 (18:34 -0400)
committer	Nick Mathewson <nickm@torproject.org>
	Sun, 27 Mar 2022 22:34:25 +0000 (18:34 -0400)
changes/clone3-sandbox	[new file with mode: 0644]	patch \| blob
src/lib/sandbox/sandbox.c		patch \| blob \| blame \| history