authorDag-Erling Smørgrav <des@FreeBSD.org>2015-01-05 16:09:55 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2015-01-05 16:09:55 +0000
commitc0bbca73c6f7f15d5401332151fc9f9755abaf8f (patch)
tree1bbed0bec45f927ff35eedaf91618215ccbf5fb7 /sandbox-seccomp-filter.c
parent12459a528f0a5dfa735c6917135c071754daa020 (diff)
Notes
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r--sandbox-seccomp-filter.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index c0c17c2fc098..b6f6258f2345 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -25,6 +25,8 @@
*/
/* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */
+/* XXX it should be possible to do logging via the log socket safely */
+
#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
/* Use the kernel headers in case of an older toolchain. */
# include <asm/siginfo.h>
@@ -89,6 +91,7 @@ static const struct sock_filter preauth_insns[] = {
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
offsetof(struct seccomp_data, nr)),
SC_DENY(open, EACCES),
+ SC_DENY(stat, EACCES),
SC_ALLOW(getpid),
SC_ALLOW(gettimeofday),
SC_ALLOW(clock_gettime),
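Review bot: The added `SC_DENY(stat, EACCES)` is unguarded, while other entries in this table (for example `SC_ALLOW(mmap)` in the next hunk) sit inside `#ifdef __NR_...`. If SC_DENY expands to `__NR_stat`, as those guards suggest, the file will not build where the kernel headers do not define that syscall number. Wrapping the entry as `#ifdef __NR_stat`, `SC_DENY(stat, EACCES),`, `#endif` would match the table's convention. The entry also covers only plain stat, so variants such as stat64 or lstat would still reach the filter's default action, which is not visible in this hunk. A one-line comment naming the library call that motivated the entry would let the next reader judge whether those variants need the same treatment; the preauth_insns array starts and ends outside the hunk.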
@@ -115,6 +118,10 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_mmap
SC_ALLOW(mmap),
#endif
+#ifdef __dietlibc__
+ SC_ALLOW(mremap),
+ SC_ALLOW(exit),
+#endif
SC_ALLOW(munmap),
SC_ALLOW(exit_group),
#ifdef __NR_rt_sigprocmask
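Review bot: The new `SC_ALLOW(mremap)` and `SC_ALLOW(exit)` entries widen the pre-auth sandbox allowlist without recording why dietlibc needs them. Every syscall allowed here is available to a compromised pre-auth process, so each addition should carry its justification next to it. I would add a comment above `#ifdef __dietlibc__` along the lines of `/* dietlibc: realloc() may call mremap, and process exit uses exit rather than exit_group */`; those reasons are inferred, so please confirm them before committing the wording. The preauth_insns array continues past the end of this hunk.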