Only allow sigaction for signals other than SIGALRM (making the rlimi…

…t/alarm mechanisms redundant again).
Eelis · Nov 7, 2015 · 920a444 · 920a444
1 parent 61922f6
commit 920a444
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/src/lockdown/lockdown.cpp b/src/lockdown/lockdown.cpp
@@ -5,8 +5,9 @@
 #include <iostream>
 #include <unistd.h>
 #include <utility>
-#include <sys/prctl.h>
 #include <sys/resource.h>
+#include <sys/prctl.h>
+#include <signal.h>
 
 #ifndef __x86_64__
 	#error Unsupported platform
@@ -71,7 +72,6 @@ auto rules =
 	, RULE(vfork,           ERRNO(0))
 	, RULE(rt_sigprocmask,  ERRNO(0))
 	, RULE(set_robust_list, ERRNO(0))
-	, RULE(rt_sigaction,    ALLOW) // must be allowed for diagnose_sigsys to work
 	};
 
 void e(char const * const what) { throw std::runtime_error(what); }
@@ -117,6 +117,10 @@ int main(int const argc, char * const * const argv)
 			SCMP_CMP(0, SCMP_CMP_MASKED_EQ, CLONE_THREAD, CLONE_THREAD)) != 0)
 			e("seccomp_rule_add");
 
+		if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 1,
+			SCMP_CMP(0, SCMP_CMP_NE, SIGALRM)) != 0)
+			e("seccomp_rule_add");
+
 		for (auto && p : rules)
 			if (seccomp_rule_add(ctx, p.second, p.first, 0) != 0)
 				e("seccomp_rule_add");