Conditionally deny poll for seccomp.

This is not a valid system call on aarch64, which uses ppoll internally.
kristapsdz · Nov 18, 2023 · e731d4c · e731d4c
1 parent a241bb5
commit e731d4c
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
@@ -89,7 +89,7 @@ static const struct sock_filter preauth_ctrl[] = {
 	/* Load the syscall number for checking. */
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 		offsetof(struct seccomp_data, nr)),
-#ifdef __NR_open
+#ifdef __NR_open /* not defined on aarch64 */
 	SC_DENY(open, EACCES),
 #endif
 #ifdef __NR_openat
@@ -129,7 +129,9 @@ static const struct sock_filter preauth_ctrl[] = {
 #ifdef __NR_ppoll
 	SC_ALLOW(ppoll),
 #endif
+#ifdef __NR_poll /* not defined on aarch64 */
 	SC_ALLOW(poll),
+#endif
 #ifdef __NR__newselect
 	SC_ALLOW(_newselect),
 #else
@@ -167,7 +169,7 @@ static const struct sock_filter preauth_work[] = {
 	/* Load the syscall number for checking. */
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 		offsetof(struct seccomp_data, nr)),
-#ifdef __NR_open
+#ifdef __NR_open /* not defined on aarch64 */
 	SC_DENY(open, EACCES),
 #endif
 #ifdef __NR_openat
@@ -202,7 +204,9 @@ static const struct sock_filter preauth_work[] = {
 #ifdef __NR_ppoll
 	SC_ALLOW(ppoll),
 #endif
+#ifdef __NR_poll /* not defined on aarch64 */
 	SC_ALLOW(poll),
+#endif
 #ifdef __NR__newselect
 	SC_ALLOW(_newselect),
 #else