whitelist socket for logging purposes
Since minijail runs inprocess, it needs to whitelist syslog related
syscalls when using the -L option. Thus far we've only whitelisted
calls needed to log messages while assuming the syslog connection
stays open/active. There are scenarios though where syslog needs to
be re-opened (the program called closelog, or there was a temporary
failure in writing, etc...) in which case the C lib will use socket
to reconnect. If we don't whitelist, we end up crashing when we try
to log the program's crash.
Simple reproduction:
$ cat seccomp
prctl: 1
close: 1
$ cat test.c
main() { closelog(); unlink(); }
$ gcc test.c
$ sudo minijail -L -S ./seccomp ./a.out
<syslog doesn't say anything about unlink, just a crash>
Now after enabling socket(), we get a message about the unlink syscall
violating the filter.
BUG=chromium:769047
TEST=ran a test program with closelog() and checked minijail could still log
Change-Id: Ic7a2aa4ea4b841315e5a44b8293654efca2e11fb
1 file changed