From: Zhiyuan Wan <h@iloli.bid>
Date: Mon, 21 Nov 2022 15:41:08 +0800
Subject: seccomp: allow essential syscalls on 32-bit platform.
This fixes the ocserv auth issue on the armv7 platform.
Not tested with other 32-bit platforms, be careful.
Solves issue #474
Signed-off-by: Zhiyuan Wan <h@iloli.bid>
---
src/worker-privs.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/worker-privs.c b/src/worker-privs.c
index b4143ea..8a7a001 100644
--- a/src/worker-privs.c
+++ b/src/worker-privs.c
@@ -73,7 +73,6 @@ int set_sigsys_handler(struct worker_st *ws)
#endif
-
int disable_system_calls(struct worker_st *ws)
{
int ret;
@@ -122,8 +121,14 @@ int disable_system_calls(struct worker_st *ws)
ADD_SYSCALL(gettimeofday, 0);
#if defined(HAVE_CLOCK_GETTIME)
ADD_SYSCALL(clock_gettime, 0);
+#if defined(SYS_clock_gettime64) || defined(__NR_clock_gettime64)
+ ADD_SYSCALL(clock_gettime64, 0);
+#endif
#endif
ADD_SYSCALL(clock_nanosleep, 0);
+#if defined(SYS_clock_nanosleep64) || defined(__NR_clock_nanosleep64)
+ ADD_SYSCALL(clock_nanosleep64, 0);
+#endif
ADD_SYSCALL(nanosleep, 0);
ADD_SYSCALL(getrusage, 0);
ADD_SYSCALL(alarm, 0);
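Review bot: The new clock_gettime64 and clock_nanosleep64 entries have no comment saying why they are needed, whereas the nearby getrandom entry explains its origin; anyone later pruning this allowlist has nothing to go on. Suggest a comment above the first added guard: `/* time64 variants issued by 32-bit libcs built with 64-bit time_t */`, and the same note once for fcntl64 and fstat64 in the later hunks. Nesting the clock_gettime64 guard inside HAVE_CLOCK_GETTIME looks right, since it is only meaningful when the base call is allowed. disable_system_calls's body begins and ends outside this hunk.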
@@ -135,7 +140,7 @@ int disable_system_calls(struct worker_st *ws)
ADD_SYSCALL(brk, 0);
ADD_SYSCALL(mmap, 0);
-#ifdef __NR_getrandom
+#if defined(SYS_getrandom) || defined(__NR_getrandom)
ADD_SYSCALL(getrandom, 0); /* used by gnutls 3.5.x */
#endif
ADD_SYSCALL(recvmsg, 0);
@@ -171,6 +176,9 @@ int disable_system_calls(struct worker_st *ws)
/* allow setting non-blocking sockets */
ADD_SYSCALL(fcntl, 0);
+#if defined(SYS_fcntl64) || defined(__NR_fcntl64)
+ ADD_SYSCALL(fcntl64, 0);
+#endif
ADD_SYSCALL(close, 0);
ADD_SYSCALL(exit, 0);
ADD_SYSCALL(exit_group, 0);
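Review bot: The comment `/* allow setting non-blocking sockets */` now introduces both fcntl and fcntl64 but does not say why a second entry exists; suggest `/* allow setting non-blocking sockets; fcntl64 is the 32-bit ABI variant */`. If the second ADD_SYSCALL argument is an argument-filter count, as its constant 0 across this file suggests, fcntl64 is admitted unfiltered exactly like the existing fcntl entry, so the whole fcntl command set rather than only F_SETFL remains reachable from the worker; that is pre-existing policy, but since this allowlist is the worker's containment boundary it deserves a sentence in the comment. The enclosing function continues outside the hunk.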
@@ -180,6 +188,9 @@ int disable_system_calls(struct worker_st *ws)
ADD_SYSCALL(openat, 0);
ADD_SYSCALL(fstat, 0);
ADD_SYSCALL(stat, 0);
+#if defined(SYS_fstat64) || defined(__NR_fstat64)
+ ADD_SYSCALL(fstat64, 0);
+#endif
ADD_SYSCALL(stat64, 0);
ADD_SYSCALL(newfstatat, 0);
ADD_SYSCALL(lseek, 0);
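Review bot: fstat64 is added under `#if defined(SYS_fstat64) || defined(__NR_fstat64)`, yet the stat64 entry directly below it stays unguarded, so the two sibling entries now follow different rules for the same situation. Either the unguarded form already builds on every supported target, in which case the new guard is unnecessary, or it does not, in which case stat64 should get the same treatment: `#if defined(SYS_stat64) || defined(__NR_stat64)` / `ADD_SYSCALL(stat64, 0);` / `#endif`. Whichever is true should be stated in a comment so the next *64 addition follows one convention. disable_system_calls ends outside this hunk.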