[master] seccomp sandboxing wasn't working in nonthreaded builds
authorEvan Hunt <each@isc.org>
Wed, 11 Jun 2014 02:10:46 +0000 (19:10 -0700)
committerEvan Hunt <each@isc.org>
Wed, 11 Jun 2014 02:10:46 +0000 (19:10 -0700)
bin/named/include/named/seccomp.h

index ce8e0e260cd13f605ebfb90fce5bc43dd047eb46..2b3c0a8ca3c93f808055f79127e56780db717d40 100644 (file)
@@ -24,6 +24,7 @@
 #include <sys/resource.h>
 #include <unistd.h>
 #include <seccomp.h>
+#include <isc/platform.h>
 
 /*%
  * For each architecture, the scmp_syscalls and
@@ -59,38 +60,100 @@ int scmp_syscalls[] = {
        SCMP_SYS(gettimeofday),
        SCMP_SYS(unlink),
        SCMP_SYS(socket),
-       SCMP_SYS(sendto)
+       SCMP_SYS(sendto),
+#ifndef ISC_PLATFORM_USETHREADS
+       SCMP_SYS(bind),
+       SCMP_SYS(accept),
+       SCMP_SYS(connect),
+       SCMP_SYS(listen),
+       SCMP_SYS(fcntl),
+       SCMP_SYS(sendmsg),
+       SCMP_SYS(recvmsg),
+       SCMP_SYS(uname),
+       SCMP_SYS(setrlimit),
+       SCMP_SYS(getrlimit),
+       SCMP_SYS(setsockopt),
+       SCMP_SYS(getsockopt),
+       SCMP_SYS(getsockname),
+       SCMP_SYS(lstat),
+       SCMP_SYS(lseek),
+       SCMP_SYS(getgid),
+       SCMP_SYS(getegid),
+       SCMP_SYS(getuid),
+       SCMP_SYS(geteuid),
+       SCMP_SYS(setresgid),
+       SCMP_SYS(setresuid),
+       SCMP_SYS(setgid),
+       SCMP_SYS(setuid),
+       SCMP_SYS(prctl),
+       SCMP_SYS(epoll_wait),
+       SCMP_SYS(openat),
+       SCMP_SYS(getdents),
+       SCMP_SYS(rename),
+       SCMP_SYS(utimes),
+#endif
 };
 const char *scmp_syscall_names[] = {
-       "access",
-       "open",
-       "clock_gettime",
-       "time",
-       "read",
-       "write",
-       "close",
-       "brk",
-       "poll",
-       "select",
-       "madvise",
-       "mmap",
-       "munmap",
-       "exit_group",
-       "rt_sigprocmask",
-       "rt_sigaction",
-       "fsync",
-       "rt_sigreturn",
-       "setsid",
-       "chdir",
-       "futex",
-       "stat",
-       "rt_sigsuspend",
-       "fstat",
-       "epoll_ctl",
-       "gettimeofday",
-       "unlink",
-       "socket",
-       "sendto"
+       "access",
+       "open",
+       "clock_gettime",
+       "time",
+       "read",
+       "write",
+       "close",
+       "brk",
+       "poll",
+       "select",
+       "madvise",
+       "mmap",
+       "munmap",
+       "exit_group",
+       "rt_sigprocmask",
+       "rt_sigaction",
+       "fsync",
+       "rt_sigreturn",
+       "setsid",
+       "chdir",
+       "futex",
+       "stat",
+       "rt_sigsuspend",
+       "fstat",
+       "epoll_ctl",
+       "gettimeofday",
+       "unlink",
+       "socket",
+       "sendto",
+#ifndef ISC_PLATFORM_USETHREADS
+       "bind",
+       "accept",
+       "connect",
+       "listen",
+       "fcntl",
+       "sendmsg",
+       "recvmsg",
+       "uname",
+       "setrlimit",
+       "getrlimit",
+       "setsockopt",
+       "getsockopt",
+       "getsockname",
+       "lstat",
+       "lseek",
+       "getgid",
+       "getegid",
+       "getuid",
+       "geteuid",
+       "setresgid",
+       "setresuid",
+       "setgid",
+       "setuid",
+       "prctl",
+       "epoll_wait",
+       "openat",
+       "getdents",
+       "rename",
+       "utimes",
+#endif
 };
 #endif /* __x86_64__ */
 #ifdef __i386__
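Review bot: The `#ifndef ISC_PLATFORM_USETHREADS` blocks in `scmp_syscalls[]` and `scmp_syscall_names[]` must stay in lockstep entry for entry, and nothing here enforces that, so a future addition to one list but not the other would silently misattribute names to syscall numbers; a compile-time check such as `_Static_assert(sizeof(scmp_syscalls) / sizeof(scmp_syscalls[0]) == sizeof(scmp_syscall_names) / sizeof(scmp_syscall_names[0]), "seccomp tables out of sync");` after the second array (or an equivalent check where the tables are consumed, if the build cannot rely on C11) would catch it. The nonthreaded allowlist also admits `prctl`, `fcntl`, `setsockopt`, `setuid`/`setresuid` and `setgid`/`setresgid` without argument filtering, which widens the sandbox noticeably relative to the threaded build; presumably these are needed because the main thread performs privilege dropping and socket setup itself in that configuration, but a comment above the block stating that, e.g. `/* nonthreaded builds do socket setup, privilege dropping and file management on the main thread, so those calls must be permitted here */`, would let later reviewers judge whether each entry is still required. The `scmp_syscalls[]` definition begins before this hunk, and the `__i386__` table that follows it is outside the hunk, so the same sync concern may apply there as well.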