From 95219181436b9c0b3ee5ed67e3aabf4b779b9517 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 30 Oct 2020 22:30:35 +0100 Subject: [PATCH] worker-privs: allow new syscalls This adds the syscalls used by socket wrapper as observed in Fedora builders, as well as syscalls observed in different platforms such as aarch64. Signed-off-by: Nikos Mavrogiannopoulos --- src/worker-privs.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/worker-privs.c b/src/worker-privs.c index ea503cd0..e128f180 100644 --- a/src/worker-privs.c +++ b/src/worker-privs.c @@ -107,6 +107,14 @@ int disable_system_calls(struct worker_st *ws) ADD_SYSCALL(getcwd, 0); ADD_SYSCALL(lstat, 0); + /* Socket wrapper tests use additional syscalls; only enable + * them when socket wrapper is active */ + if (getenv("SOCKET_WRAPPER_DIR") != NULL) { + ADD_SYSCALL(stat64, 0); + ADD_SYSCALL(readlink, 0); + ADD_SYSCALL(newfstatat, 0); + } + /* we use quite some system calls here, and in the end * we don't even know whether a newer libc will change the * underlying calls to something else. seccomp seems to be useful @@ -122,7 +130,11 @@ int disable_system_calls(struct worker_st *ws) ADD_SYSCALL(getrusage, 0); ADD_SYSCALL(alarm, 0); ADD_SYSCALL(getpid, 0); + + /* memory allocation - both are used by different platforms */ ADD_SYSCALL(brk, 0); + ADD_SYSCALL(mmap, 0); + #ifdef __NR_getrandom ADD_SYSCALL(getrandom, 0); /* used by gnutls 3.5.x */ #endif @@ -175,6 +187,8 @@ int disable_system_calls(struct worker_st *ws) list_for_each(ws->vconfig, vhost, list) { if (vhost->perm_config.config->xml_config_file) { ADD_SYSCALL(stat, 0); + ADD_SYSCALL(stat64, 0); + ADD_SYSCALL(newfstatat, 0); ADD_SYSCALL(open, 0); ADD_SYSCALL(openat, 0); break;