Remove socketpair from the seccomp syscall filter whitelist.
socketpair() is called only before privileges are dropped, so it does not need to be in the whitelist.
parent
5fa2030bab
commit
cab9162d8d
@ -50,7 +50,6 @@ int enforce_seccomp_ndhc(void)
|
|||||||
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
|
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
|
||||||
ALLOW_SYSCALL(recvmsg),
|
ALLOW_SYSCALL(recvmsg),
|
||||||
ALLOW_SYSCALL(connect),
|
ALLOW_SYSCALL(connect),
|
||||||
ALLOW_SYSCALL(socketpair),
|
|
||||||
#elif defined(__i386__)
|
#elif defined(__i386__)
|
||||||
ALLOW_SYSCALL(socketcall),
|
ALLOW_SYSCALL(socketcall),
|
||||||
#else
|
#else
|
||||||
@ -121,7 +120,6 @@ int enforce_seccomp_ifch(void)
|
|||||||
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
|
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
|
||||||
ALLOW_SYSCALL(recvmsg),
|
ALLOW_SYSCALL(recvmsg),
|
||||||
ALLOW_SYSCALL(socket),
|
ALLOW_SYSCALL(socket),
|
||||||
ALLOW_SYSCALL(socketpair),
|
|
||||||
#elif defined(__i386__)
|
#elif defined(__i386__)
|
||||||
ALLOW_SYSCALL(socketcall),
|
ALLOW_SYSCALL(socketcall),
|
||||||
#else
|
#else
|
||||||
@ -181,7 +179,6 @@ int enforce_seccomp_sockd(void)
|
|||||||
ALLOW_SYSCALL(socket),
|
ALLOW_SYSCALL(socket),
|
||||||
ALLOW_SYSCALL(setsockopt),
|
ALLOW_SYSCALL(setsockopt),
|
||||||
ALLOW_SYSCALL(bind),
|
ALLOW_SYSCALL(bind),
|
||||||
ALLOW_SYSCALL(socketpair),
|
|
||||||
#elif defined(__i386__)
|
#elif defined(__i386__)
|
||||||
ALLOW_SYSCALL(socketcall),
|
ALLOW_SYSCALL(socketcall),
|
||||||
ALLOW_SYSCALL(fcntl64),
|
ALLOW_SYSCALL(fcntl64),
|
||||||
|
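Review bot: On the `#elif defined(__i386__)` branch of all three filters (enforce_seccomp_ndhc, enforce_seccomp_ifch and enforce_seccomp_sockd), `ALLOW_SYSCALL(socketcall)` stays in the list. On i386, socketcall multiplexes the socket operations, socketpair included, so dropping `ALLOW_SYSCALL(socketpair)` only tightens the policy on the first architecture branch. If socketpair is meant to be unreachable after privileges are dropped, the i386 branch would need a filter on socketcall's call-number argument. At minimum a comment such as `// socketcall multiplexes socket ops on i386; socketpair stays reachable here` would record the gap. The `#else` branch and the ALLOW_SYSCALL definition lie outside the visible hunks, so whether the macro can express an argument check is not confirmed from this page.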