Fix some seccomp2 issues

Fix for #10563.  This is a compatibility issue with libseccomp-2.1.
I guess you could call it a bugfix on 0.2.5.1?

diff --git a/changes/seccomp2-fixes b/changes/seccomp2-fixes
new file mode 100644 (file)
index 0000000..600feec
--- /dev/null
+++ b/changes/seccomp2-fixes
@@ -0,0 +1,3 @@
+  o Minor bugfixes:
+    - Fix compilation warnings and startup issues when running with
+      libseccomp-2.1.0. Fixes bug 10563.

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 7ef577dbec7088b931d399c84061e67c45d38c1e..0b67b18973d7992c497eba90d411ec1fc914f346 100644 (file)
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -250,6 +250,7 @@ static int
 sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
   int rc = 0;
+  (void)filter;
 
   rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
        SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
@@ -403,6 +404,14 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   if (rc)
     return rc;
 
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
+      SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
+      SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
+      SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
+  if (rc)
+    return rc;
+
+
   rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
       SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
       SCMP_CMP(1, SCMP_CMP_EQ, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
@@ -504,6 +513,7 @@ static int
 sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
   int rc = 0;
+  (void) filter;
 
   rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1,
       SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));