Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r-- | sandbox-seccomp-filter.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 3a1aedce72c2..ca75cc719b18 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -50,6 +50,9 @@
 #include <elf.h>
 #include <asm/unistd.h>
+#ifdef __s390__
+#include <asm/zcrypt.h>
+#endif
 #include <errno.h>
 #include <signal.h>
@@ -222,6 +225,7 @@ static const struct sock_filter preauth_insns[] = {
 #endif
 #ifdef __NR_socketcall
 SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+ SC_DENY(__NR_socketcall, EACCES),
 #endif
 #if defined(__NR_ioctl) && defined(__s390__)
 /* Allow ioctls for ICA crypto card on s390 */
@@ -235,7 +239,7 @@ static const struct sock_filter preauth_insns[] = {
 * x86-64 syscall under some circumstances, e.g.
 * https://bugs.debian.org/849923
 */
- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
 #endif
 /* Default deny */ |
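Review bot: The `#ifdef __s390__` include of `<asm/zcrypt.h>` carries no comment saying what it provides, and its guard is wider than the guard on the only s390-specific rules visible in this patch, `#if defined(__NR_ioctl) && defined(__s390__)`. Presumably the header supplies the ioctl request codes for the ICA crypto card rules; a one-line comment such as `/* ioctl request codes for the s390 ICA crypto card rules in preauth_insns[] */` would make that link explicit. It is also worth confirming that the header exists on every s390 toolchain the project supports, since the include is not behind a configure check in this hunk.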
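Review bot: The new `SC_DENY(__NR_socketcall, EACCES)` entry in the `__NR_socketcall` block has no comment, and its correctness depends on two things a reader cannot see from the line itself. It only works if it stays after `SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN)`, assuming the rules are matched in array order, and it turns every other socketcall subcall from the filter's default action (the `/* Default deny */` rule, not shown here) into a plain EACCES return. If that default is a kill or trap, this is a deliberate softening of fail-closed behaviour that also removes the signal a monitor would get from an unexpected socket call, so the reason should be recorded. I would add `/* Other socketcall(2) subcalls fail with EACCES rather than the default action; keep after the SYS_SHUTDOWN allow rule. */` above the line. The `preauth_insns[]` initializer starts and ends outside the hunk.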