From 0310c733d5be61f577808627310571471fa824d0 Mon Sep 17 00:00:00 2001 From: Norman Feske Date: Fri, 3 Jul 2020 11:56:19 +0200 Subject: [PATCH] base-linux: let seccomp permit 'read' This is needed for using the 'wait_for_continue' debug mechanism. Fixes #3798 --- .../lib/seccomp/spec/arm/seccomp_bpf_policy.bin | Bin 304 -> 312 bytes .../seccomp/spec/x86_32/seccomp_bpf_policy.bin | Bin 344 -> 352 bytes .../seccomp/spec/x86_64/seccomp_bpf_policy.bin | Bin 360 -> 368 bytes tool/seccomp/seccomp_bpf_compiler.h | 3 +++ 4 files changed, 3 insertions(+) diff --git a/repos/base-linux/src/lib/seccomp/spec/arm/seccomp_bpf_policy.bin b/repos/base-linux/src/lib/seccomp/spec/arm/seccomp_bpf_policy.bin index 2303a9af394ffe2256753226c1a52ae4f5693cb5..a282275bec20bce71b81b2f5e9818641886eb77d 100644 GIT binary patch delta 46 scmdnMw1Y`ifq{X6g@J)Vlz~A-gMq;T#Ag8W6&V=8v;qV3MpGhMpi_@% diff --git a/repos/base-linux/src/lib/seccomp/spec/x86_64/seccomp_bpf_policy.bin b/repos/base-linux/src/lib/seccomp/spec/x86_64/seccomp_bpf_policy.bin index 5bb506b9346cf5581b3e90bd96a9b793ad322806..d35e2475dec2e2a605a33fa371fb661ecd5637ea 100644 GIT binary patch delta 57 zcmaFC^nuAhfq{X6g@J)Vlz~Cpj)CC-h|j>lz+lS2z{tSB;2_Gtpz;6z|No*4Y9L{T IjT#P&0R31AlK=n! delta 49 zcmeys^nyu4fq{X6g@J)Vlz~CZj)CC-h|j>lz+lS2z{tSB;2_Gtp#J~=|Nk2e92fz& Ch6z>x diff --git a/tool/seccomp/seccomp_bpf_compiler.h b/tool/seccomp/seccomp_bpf_compiler.h index 0f9e06c39..514c8578a 100644 --- a/tool/seccomp/seccomp_bpf_compiler.h +++ b/tool/seccomp/seccomp_bpf_compiler.h @@ -99,6 +99,9 @@ class Filter _add_allow_rule(SCMP_SYS(fstat)); _add_allow_rule(SCMP_SYS(fstat64)); + /* This syscall is used by the 'wait_for_continue' debug mechanism. */ + _add_allow_rule(SCMP_SYS(read)); + /* This syscall is used to wait for a condition. This should be safe. */ _add_allow_rule(SCMP_SYS(futex));
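Review bot: The added `_add_allow_rule(SCMP_SYS(read));` permits `read` on every file descriptor in every sandboxed component, although its comment ties the need to the 'wait_for_continue' debug mechanism only. If that mechanism reads from a single known descriptor (not visible in this hunk), the rule could be narrowed with a libseccomp argument comparison such as `SCMP_A0(SCMP_CMP_EQ, FD)`, where FD is a placeholder for that descriptor. Alternatively, the rule could be emitted only for debug policies. If the broad rule is intentional, the comment should say so, e.g. `/* Needed only by the 'wait_for_continue' debug mechanism; allowed on any fd. */`, in the same way the neighbouring futex comment records a safety judgement. The Filter class body lies outside the hunk, so whether `_add_allow_rule` can take argument filters cannot be confirmed from here. The regenerated `.bin` policies cannot be reviewed by eye and should be checked as reproducible from this header.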