Diffstat (limited to 'src/seccomp.c')
-rw-r--r-- | src/seccomp.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/src/seccomp.c b/src/seccomp.c
index 7c8a31443b43..a5abb4a159f9 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -27,7 +27,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: seccomp.c,v 1.2 2017/11/04 01:14:25 christos Exp $")
+FILE_RCSID("@(#)$File: seccomp.c,v 1.6 2018/06/26 20:29:29 christos Exp $")
 #endif /* lint */
 
 #if HAVE_LIBSECCOMP
@@ -59,12 +59,7 @@ enable_sandbox_basic(void)
 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
 return -1;
 
-#if 0
- // prevent escape via ptrace
- prctl(PR_SET_DUMPABLE, 0);
-#endif
-
- if (prctl (PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
 return -1;
 
 // initialize the filter
@@ -169,15 +164,26 @@ enable_sandbox_full(void)
 ALLOW_RULE(exit);
 ALLOW_RULE(exit_group);
 ALLOW_RULE(fcntl);
+ ALLOW_RULE(fcntl64);
 ALLOW_RULE(fstat);
+ ALLOW_RULE(fstat64);
 ALLOW_RULE(getdents);
+#ifdef __NR_getdents64
+ ALLOW_RULE(getdents64);
+#endif
 ALLOW_RULE(ioctl);
 ALLOW_RULE(lseek);
+ ALLOW_RULE(_llseek);
 ALLOW_RULE(lstat);
+ ALLOW_RULE(lstat64);
 ALLOW_RULE(mmap);
+ ALLOW_RULE(mmap2);
 ALLOW_RULE(mprotect);
 ALLOW_RULE(mremap);
 ALLOW_RULE(munmap);
+#ifdef __NR_newfstatat
+ ALLOW_RULE(newfstatat);
+#endif
 ALLOW_RULE(open);
 ALLOW_RULE(openat);
 ALLOW_RULE(pread64);
@@ -188,6 +194,7 @@ enable_sandbox_full(void)
 ALLOW_RULE(rt_sigreturn);
 ALLOW_RULE(select);
 ALLOW_RULE(stat);
+ ALLOW_RULE(stat64);
 ALLOW_RULE(sysinfo);
 ALLOW_RULE(unlink);
 ALLOW_RULE(write);
|
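Review bot: With the `#if 0` block gone from enable_sandbox_basic, the live `prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)` call has no comment saying why the process is made non-dumpable; the only explanation sat in the removed lines. I would carry it over directly above the remaining call: `// prevent escape via ptrace`. The function body starts and ends outside this hunk.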
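Review bot: The 32-bit additions in enable_sandbox_full cover `fstat64` and `lstat64` (and `stat64` in the last hunk), but the `*at` form is only allowed as `newfstatat`, so a 32-bit libc that implements stat through `fstatat64` would presumably still hit the filter's default action, which is not visible here. I would add next to the `newfstatat` guard: `#ifdef __NR_fstatat64` / `ALLOW_RULE(fstatat64);` / `#endif`. The guarding is also uneven: `getdents64` and `newfstatat` are wrapped in `#ifdef __NR_…` while `fcntl64`, `_llseek`, `mmap2` and the `*64` stat calls are not, and since ALLOW_RULE is defined outside the hunk I cannot tell whether every name resolves on every target. A one-line comment such as `/* 32-bit ABI variants of the calls above */` would record why the allowlist grew, which matters when the list is later audited for least privilege. enable_sandbox_full starts and ends outside the hunk.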