Allow getsockopt(…, SOL_SOCKET, SO_ACCEPTCONN, …) in sandbox

SO_ACCEPTCONN checks whether socket listening is enabled and is
used ever since 9369152aae9527cc3764 has been merged.

Closes ticket #29150

diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index 1f0f5d858fc694a8a1d614d648e5f8b3e6162585..b652397f5a0935d807b6d618404168c2b4b00de6 100644 (file)
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -832,6 +832,12 @@ sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   if (rc)
     return rc;
 
+  rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
+      SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
+      SCMP_CMP(2, SCMP_CMP_EQ, SO_ACCEPTCONN));
+  if (rc)
+    return rc;
+
 #ifdef HAVE_SYSTEMD
   rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
       SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),