From: Roy Marples
Date: Sun, 20 Sep 2020 18:44:23 +0000 (+0100)
Subject: privsep: Allow more syscalls for seccomp
X-Git-Tag: v9.3.0~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=100a3839b0b84c36e06ac00d993879799bee908e;p=thirdparty%2Fdhcpcd.git
privsep: Allow more syscalls for seccomp
dumplease now works over the control socket and stdin.
---
diff --git a/src/privsep-linux.c b/src/privsep-linux.c
index ab844365..eefca262 100644
--- a/src/privsep-linux.c
+++ b/src/privsep-linux.c
@@ -177,6 +177,9 @@ static struct sock_filter ps_seccomp_filter[] = {
 /* Allow syscalls */
 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr)),
+#ifdef __NR_accept
+ SECCOMP_ALLOW(__NR_accept),
+#endif
 #ifdef __NR_brk
 SECCOMP_ALLOW(__NR_brk),
 #endif
@@ -192,6 +195,12 @@ static struct sock_filter ps_seccomp_filter[] = {
 #ifdef __NR_close
 SECCOMP_ALLOW(__NR_close),
 #endif
+#ifdef __NR_fcntl
+ SECCOMP_ALLOW(__NR_fcntl),
+#endif
+#ifdef __NR_fstat
+ SECCOMP_ALLOW(__NR_fstat),
+#endif
 #ifdef __NR_getpid
 SECCOMP_ALLOW(__NR_getpid),
 #endif
@@ -234,6 +243,9 @@ static struct sock_filter ps_seccomp_filter[] = {
 #ifdef __NR_shutdown
 SECCOMP_ALLOW(__NR_shutdown),
 #endif
+#ifdef __NR_wait4
+ SECCOMP_ALLOW(__NR_wait4),
+#endif
 #ifdef __NR_write
 SECCOMP_ALLOW(__NR_write),
 #endif
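Review bot: Each new rule covers only one spelling of the syscall number, so on an ABI where libc uses a different number the `#ifdef` silently drops the rule and the call presumably hits the filter's failure action (not visible in these hunks). In the first hunk `__NR_accept` is not defined on every Linux ABI and libc may issue `accept4` instead; the same applies to `__NR_fcntl` and `__NR_fstat` in the second hunk (`fcntl64`, `fstat64`, `newfstatat`) and `__NR_wait4` in the third (`waitid`). I would add the sibling numbers under their own guards, for example `#ifdef __NR_accept4` / `SECCOMP_ALLOW(__NR_accept4),` / `#endif`, and test dumplease on a 32-bit target. `ps_seccomp_filter[]` starts and ends outside these hunks, so some variants may already be listed elsewhere in the array.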
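Review bot: `SECCOMP_ALLOW(__NR_fcntl)` in the second hunk appears to permit every fcntl command in every process that installs this filter, although the commit message motivates it only by dumplease over the control socket and stdin. The macro's definition is outside the hunk, but if it matches on the syscall number alone, the rule could be narrowed by comparing the command in `args[1]` of `struct seccomp_data` against the commands the code actually uses. At minimum each new entry deserves a short why-comment, e.g. `/* fcntl: <caller and command that needs it> */`, so a later audit of the allowlist can tell which entries can be removed. The same comment would help for `accept` and `wait4`, which widen what a compromised privsep process can do with sockets and child processes.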