From 3cb58bb51d47b8e61611350324b751eaa46166a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <crrodriguez@opensuse.org>
Date: Fri, 8 Nov 2024 08:28:12 +0100
Subject: [PATCH] Allow getrandom, rseq, and prctl for glibc malloc
glibc uses getrandom in malloc, and rseq and prctl in various other
places; allow these syscalls in the seccomp filter.
```
export GLIBC_TUNABLES=glibc.mem.decorate_maps=1
make check
```
Remove the dumb prctl allow rule as for glibc malloc the prctl PR_SET_VMA
with flag PR_SET_VMA_ANON_NAME is already allowed
Signed-off-by: Werner Fink <werner@suse.de>
---
src/seccomp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/seccomp.c b/src/seccomp.c
|
|
|
|
--- a/src/seccomp.c
|
|
|
|
+++ b/src/seccomp.c
|
2025-03-26 11:07:43 +01:00
|
|
|
@@ -80,6 +80,8 @@ enable_sandbox(void)
|
2024-12-13 10:56:38 +01:00
|
|
|
if (ctx == NULL)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
+ ALLOW_RULE(getrandom);
|
|
|
|
+ ALLOW_RULE(rseq);
|
|
|
|
ALLOW_RULE(access);
|
|
|
|
ALLOW_RULE(brk);
|
|
|
|
ALLOW_RULE(close);
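Review bot: The two new allow rules at the head of the list carry no comment explaining why the sandbox must admit them, and the reason (glibc's malloc calling getrandom(), and libc's rseq registration at startup) lives only in the commit message, which the next person widening or narrowing this filter will not have in front of them; suggest `/* glibc: malloc uses getrandom(); libc registers rseq at startup */` directly above `ALLOW_RULE(getrandom);`. The surrounding entries (access, brk, close) look alphabetically ordered, so placing getrandom and rseq at the top rather than in order is a style inconsistency, assuming the rest of the list outside the hunk follows the same ordering. Whether ALLOW_RULE treats a syscall name that the installed libseccomp cannot resolve as fatal is not visible here; if it does, building against a libseccomp without an rseq definition would leave enable_sandbox failing rather than merely lacking the rule, which is worth confirming before release. enable_sandbox's body continues outside the hunk.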
|