4581. [port] Linux: Add getpid and getrandom to the list of system
authorMark Andrews <marka@isc.org>
Thu, 16 Mar 2017 00:21:18 +0000 (11:21 +1100)
committerMark Andrews <marka@isc.org>
Thu, 16 Mar 2017 00:21:18 +0000 (11:21 +1100)
                        calls named uses for seccomp. [RT #44883]

CHANGES
bin/named/include/named/seccomp.h
config.h.in
configure
configure.in

diff --git a/CHANGES b/CHANGES
index 51dd906cbd5e452b0bd8131ebb5e2aa01468c5a7..90be225c3d7c7e37b706c5e7705c3c245a7c6131 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4581.  [port]          Linux: Add getpid and getrandom to the list of system
+                       calls named uses for seccomp. [RT #44883]
+
 4580.  [bug]           4578 introduced a regression when handling CNAME to
                        referral below the current domain. [RT #44850]
 
index ecf12ee7c8612501e54a8790d2be188b19cc6c03..cec93c5922394d7a1cd30a61d39421baacfbd6c6 100644 (file)
@@ -50,6 +50,10 @@ int scmp_syscalls[] = {
        SCMP_SYS(fstat),
        SCMP_SYS(epoll_ctl),
        SCMP_SYS(gettimeofday),
+       SCMP_SYS(getpid),
+#ifdef HAVE_GETRANDOM
+       SCMP_SYS(getrandom),
+#endif
        SCMP_SYS(unlink),
        SCMP_SYS(socket),
        SCMP_SYS(sendto),
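Review bot: The `#ifdef HAVE_GETRANDOM` guard around `SCMP_SYS(getrandom)` ties the allowlist entry to whether libc exported a `getrandom()` wrapper at configure time, not to whether the syscall can be issued at run time. A linked library that issues the syscall directly on a host whose libc lacks the wrapper would presumably still be stopped by the filter, so consider gating on the syscall number as well, e.g. `#if defined(HAVE_GETRANDOM) || defined(__NR_getrandom)`. The same guard is used in the `scmp_syscall_names[]` hunk and in the second `scmp_syscalls[]`/`scmp_syscall_names[]` pair (the one listing `fstat64`). Whatever condition is chosen has to be identical in each pair, since the number and name arrays appear to be index-aligned. All four array initialisers start and end outside their hunks, so the rest of the allowlist is not visible here.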
@@ -113,6 +117,10 @@ const char *scmp_syscall_names[] = {
        "fstat",
        "epoll_ctl",
        "gettimeofday",
+       "getpid",
+#ifdef HAVE_GETRANDOM
+       "getrandom",
+#endif
        "unlink",
        "socket",
        "sendto",
@@ -182,6 +190,10 @@ int scmp_syscalls[] = {
        SCMP_SYS(fstat64),
        SCMP_SYS(epoll_ctl),
        SCMP_SYS(gettimeofday),
+       SCMP_SYS(getpid),
+#ifdef HAVE_GETRANDOM
+       SCMP_SYS(getrandom),
+#endif
        SCMP_SYS(unlink),
 #ifndef ISC_PLATFORM_USETHREADS
        SCMP_SYS(fcntl64),
@@ -218,6 +230,10 @@ const char *scmp_syscall_names[] = {
        "fstat64",
        "epoll_ctl",
        "gettimeofday",
+       "getpid",
+#ifdef HAVE_GETRANDOM
+       "getrandom",
+#endif
        "unlink",
 #ifndef ISC_PLATFORM_USETHREADS
        "fcntl64",
index c4ecebf3e890e04a5addb6c449d72809719670fd..597f9e6ff26c63ee39f78c4d32eac98ac82d0728 100644 (file)
@@ -254,6 +254,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Build with GeoIP Country IPv6 support */
 #undef HAVE_GEOIP_V6
 
+/* Define to 1 if you have the `getrandom' function. */
+#undef HAVE_GETRANDOM
+
 /* Define to use gperftools CPU profiler. */
 #undef HAVE_GPERFTOOLS_PROFILER
 
index 7ebbee19c25d9c19537c59930cda2abce6049a80..71634e118b9c502e9e404a8a182134a4e0dfa76a 100755 (executable)
--- a/configure
+++ b/configure
@@ -11493,7 +11493,19 @@ yes)
        ;;
 esac
 
+
 #libseccomp sandboxing
+for ac_func in getrandom
+do :
+  ac_fn_c_check_func "$LINENO" "getrandom" "ac_cv_func_getrandom"
+if test "x$ac_cv_func_getrandom" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_GETRANDOM 1
+_ACEOF
+
+fi
+done
+
 # Check whether --enable-seccomp was given.
 if test "${enable_seccomp+set}" = set; then :
   enableval=$enable_seccomp;
index 34f0408f49609218352d21d82e7236df208f00bc..97d9d1554f4ae1741c682b9309d47c2e7478e634 100644 (file)
@@ -86,7 +86,9 @@ yes)
        ;;
 esac
 
+
 #libseccomp sandboxing
+AC_CHECK_FUNCS(getrandom)
 AC_ARG_ENABLE(seccomp,
        AS_HELP_STRING([--enable-seccomp],[enable support for libseccomp system call filtering [default=no]]))
 case "$enable_seccomp" in
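Review bot: `AC_CHECK_FUNCS(getrandom)` sits under the `#libseccomp sandboxing` comment but runs whether or not `--enable-seccomp` is given, and nothing here says what consumes `HAVE_GETRANDOM`. A one-line comment above it would make the coupling explicit, for example `# HAVE_GETRANDOM gates the getrandom entry in named's seccomp allowlist (named/seccomp.h)`. The blank line added before the `#libseccomp sandboxing` comment looks unintentional. The `case "$enable_seccomp"` block continues outside the hunk.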