

Conditionally deny poll for seccomp.
This is not a valid system call on aarch64, which uses ppoll internally.
kristapsdz committed Nov 18, 2023
1 parent a241bb5 commit e731d4c
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions sandbox-seccomp-filter.c
Expand Up @@ -89,7 +89,7 @@ static const struct sock_filter preauth_ctrl[] = {
/* Load the syscall number for checking. */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
offsetof(struct seccomp_data, nr)),
#ifdef __NR_open
#ifdef __NR_open /* not defined on aarch64 */
SC_DENY(open, EACCES),
#endif
#ifdef __NR_openat
Expand Down Expand Up @@ -129,7 +129,9 @@ static const struct sock_filter preauth_ctrl[] = {
#ifdef __NR_ppoll
SC_ALLOW(ppoll),
#endif
#ifdef __NR_poll /* not defined on aarch64 */
SC_ALLOW(poll),
#endif
#ifdef __NR__newselect
SC_ALLOW(_newselect),
#else
Expand Down Expand Up @@ -167,7 +169,7 @@ static const struct sock_filter preauth_work[] = {
/* Load the syscall number for checking. */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
offsetof(struct seccomp_data, nr)),
#ifdef __NR_open
#ifdef __NR_open /* not defined on aarch64 */
SC_DENY(open, EACCES),
#endif
#ifdef __NR_openat
Expand Down Expand Up @@ -202,7 +204,9 @@ static const struct sock_filter preauth_work[] = {
#ifdef __NR_ppoll
SC_ALLOW(ppoll),
#endif
#ifdef __NR_poll /* not defined on aarch64 */
SC_ALLOW(poll),
#endif
#ifdef __NR__newselect
SC_ALLOW(_newselect),
#else
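Review bot: The new `#ifdef __NR_poll` guard around `SC_ALLOW(poll)` in preauth_ctrl (and the matching one in preauth_work) fixes the aarch64 build, but the `#else` branch of `#ifdef __NR__newselect` that follows each of these hunks continues outside this view and deserves the same check, because the generic syscall table that aarch64 uses omits legacy `select` just as it omits `open` and `poll` (riscv64 shares that table, as far as I know), so an unconditional rule there would trip over the same missing `__NR_` constant. Since the `/* not defined on aarch64 */` remark is now repeated on four guards, one comment above the first guard would explain them all, e.g. `/* Legacy syscalls (open, poll, select) are absent from the asm-generic table used by aarch64 and similar architectures; libc routes them through openat/ppoll/pselect6 there. */`. Leaving poll ungated on aarch64 is only safe because `SC_ALLOW(ppoll)` stays directly above it, which the description already relies on; a one-line comment tying the two rules together would keep a later cleanup from dropping ppoll and silently killing the sandboxed process at its first poll() call. Note also that the commit title says "deny" while the guarded rule is `SC_ALLOW(poll)`, which may confuse anyone reading the log later.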

