From 1e52914f2e3a4586e62431162dfe49e53a686cc1 Mon Sep 17 00:00:00 2001
From: "Nicholas J. Kain" 
Date: Sun, 6 Apr 2014 05:21:56 -0400
Subject: [PATCH] Remove a lot of permitted syscalls from the seccomp filter list.

Probably the most notable is that setsockopt is only allowed from sockd. This change prevents ndhc and ifch from removing BPF filters that have been installed onto a socket.
---
 ndhc/seccomp.c | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/ndhc/seccomp.c b/ndhc/seccomp.c
index c512853..f703ca5 100644
--- a/ndhc/seccomp.c
+++ b/ndhc/seccomp.c
@@ -49,20 +49,14 @@ int enforce_seccomp_ndhc(void)
 #if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
  ALLOW_SYSCALL(sendto), // used for glibc syslog routines
  ALLOW_SYSCALL(recvmsg),
- ALLOW_SYSCALL(socket),
- ALLOW_SYSCALL(setsockopt),
- ALLOW_SYSCALL(getsockname),
  ALLOW_SYSCALL(connect),
- ALLOW_SYSCALL(bind),
  ALLOW_SYSCALL(socketpair),
 #elif defined(__i386__)
  ALLOW_SYSCALL(socketcall),
- ALLOW_SYSCALL(fcntl64),
 #else
 #error Target platform does not support seccomp-filter.
 #endif
- ALLOW_SYSCALL(fcntl),
  ALLOW_SYSCALL(open),
  // Allowed by vDSO
@@ -127,14 +121,9 @@ int enforce_seccomp_ifch(void)
  ALLOW_SYSCALL(sendto), // used for glibc syslog routines
  ALLOW_SYSCALL(recvmsg),
  ALLOW_SYSCALL(socket),
- ALLOW_SYSCALL(setsockopt),
- ALLOW_SYSCALL(getsockname),
- ALLOW_SYSCALL(connect),
- ALLOW_SYSCALL(bind),
  ALLOW_SYSCALL(socketpair),
 #elif defined(__i386__)
  ALLOW_SYSCALL(socketcall),
- ALLOW_SYSCALL(fcntl64),
 #else
 #error Target platform does not support seccomp-filter.
 #endif
@@ -144,7 +133,6 @@ int enforce_seccomp_ifch(void)
  ALLOW_SYSCALL(fsync),
  ALLOW_SYSCALL(lseek),
  ALLOW_SYSCALL(truncate),
- ALLOW_SYSCALL(fcntl),
  ALLOW_SYSCALL(rt_sigreturn),
 #ifdef __NR_sigreturn
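Review bot: The i386 branch of enforce_seccomp_ndhc still permits `socketcall` unconditionally, so the commit's stated goal that only sockd may call setsockopt does not hold there: on i386 setsockopt, bind, socket and getsockname are all multiplexed through socketcall, and ndhc can still detach a socket's BPF filter via socketcall(SYS_SETSOCKOPT, ...). Closing that needs a filter on socketcall's first argument (load seccomp_data args[0] and accept only SYS_SENDTO, SYS_RECVMSG, SYS_CONNECT and SYS_SOCKETPAIR, mirroring the x86_64 list), which the ALLOW_SYSCALL macro as used here does not appear to provide since its definition is outside the hunk. Until that exists the line deserves an explicit caveat so nobody reads the i386 arm as equivalent: `ALLOW_SYSCALL(socketcall), // FIXME: also multiplexes setsockopt/bind on i386; needs args[0] filtering to match the x86_64 list`. The body of enforce_seccomp_ndhc continues before and after this hunk.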
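Review bot: Dropping `connect` from enforce_seccomp_ifch looks inconsistent with keeping `sendto` "for glibc syslog routines": glibc's vsyslog opens /dev/log with socket()+connect() on first use and again after a send failure, so if ifch logs anything once the filter is armed (or syslogd is restarted), the call would hit the filter's default action, presumably a kill, instead of logging; the ndhc hunk above keeps `connect` for exactly this reason while this one keeps `socket` but not `connect`. If ifch is meant to log only before the filter is installed, the intent should be stated on the line, e.g. `ALLOW_SYSCALL(sendto), // glibc syslog; connect() is deliberately denied, so openlog() must run before the filter`; otherwise `connect` should be restored here as in enforce_seccomp_ndhc. The function continues outside the hunk, so I cannot see where the filter is installed relative to the first log call.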
@@ -192,8 +180,6 @@ int enforce_seccomp_sockd(void)
  ALLOW_SYSCALL(recvmsg),
  ALLOW_SYSCALL(socket),
  ALLOW_SYSCALL(setsockopt),
- ALLOW_SYSCALL(getsockname),
- ALLOW_SYSCALL(connect),
  ALLOW_SYSCALL(bind),
  ALLOW_SYSCALL(socketpair),
 #elif defined(__i386__)
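Review bot: `setsockopt` is now the one socket-control call only this process may make, and nothing on the line records that this is the property the change exists for, so a later cleanup could move it without noticing; a short comment would anchor it: `ALLOW_SYSCALL(setsockopt), // only sockd may attach/detach socket BPF filters; never allow this in ndhc or ifch`. Removing `connect` here carries the same caveat as in ifch if sockd logs through glibc syslog after the filter is installed, since glibc reconnects to /dev/log on first use and after a send failure; the sendto line sits above this hunk, so I cannot see whether it is allowed. The i386 `socketcall` arm begins at the hunk's last line and continues outside it, and the unfiltered-multiplexer concern applies to whatever it lists.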