Sandbox: permit O_NONBLOCK and O_NOCTTY for files we refuse

OpenSSL needs this, or RAND_poll() will kill the process.

Also, refuse with EACCESS, not errno==-1 (!).

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 0722751745313f1c8b5cf30811bdf48587e7cd81..7067a72c7de744b05492251525dd0b797f050aea 100644 (file)
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -363,8 +363,8 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     }
   }
 
-  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(-1), SCMP_SYS(open),
-                          SCMP_CMP_MASKED(1, O_CLOEXEC, O_RDONLY));
+  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
+                SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY, O_RDONLY));
   if (rc != 0) {
     log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
         "error %d", rc);