- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
   remind myself to add sandbox violation logging via the log socket.
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index c0c17c2..c2be006 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -25,6 +25,8 @@
  */
 /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */
 
+/* XXX it should be possible to do logging via the log socket safely */
+
 #ifdef SANDBOX_SECCOMP_FILTER_DEBUG
 /* Use the kernel headers in case of an older toolchain. */
 # include <asm/siginfo.h>
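Review bot: The added XXX comment does not say what should be logged, so the reminder depends on the commit message, which names sandbox violation logging. Wording it as `/* XXX it should be possible to log sandbox violations via the log socket safely */` keeps the intent in the source. Without that, a reader of the file alone cannot tell that violations are what is going unreported.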
@@ -89,6 +91,7 @@
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 		offsetof(struct seccomp_data, nr)),
 	SC_DENY(open, EACCES),
+	SC_DENY(stat, EACCES),
 	SC_ALLOW(getpid),
 	SC_ALLOW(gettimeofday),
 	SC_ALLOW(clock_gettime),
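Review bot: The new `SC_DENY(stat, EACCES),` entry matches a single syscall number, so a build whose libc issues stat() through a different syscall (for example stat64 on 32-bit Linux) would not get the soft failure. Such a call would presumably fall through to the filter's default action, which is outside this hunk. Assuming SC_DENY expands its first argument to `__NR_<name>`, a guarded sibling entry would cover that case: `#ifdef __NR_stat64`, `SC_DENY(stat64, EACCES),`, `#endif`. A one-line comment above the deny entries, such as `/* Syscalls to non-fatally deny */`, would also record why these return EACCES rather than taking the default action. The filter array begins and ends outside the hunk.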