Bugzilla – Attachment 2962 Details for
Bug 2142
Make seccomp-bpf sandbox work for Linux/X32
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
updated diff
bz2142.diff (text/plain), 802 bytes, created by
Damien Miller
on 2017-03-14 18:00:25 AEDT
(
hide
)
Description:
updated diff
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2017-03-14 18:00:25 AEDT
Size:
802 bytes
patch
obsolete
>diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c >index 14006b99..3a1aedce 100644 >--- a/sandbox-seccomp-filter.c >+++ b/sandbox-seccomp-filter.c >@@ -228,7 +228,15 @@ static const struct sock_filter preauth_insns[] = { > SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), > SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), > SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), >-#endif /* defined(__NR_ioctl) && defined(__s390__) */ >+#endif >+#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT) >+ /* >+ * On Linux x32, the clock_gettime VDSO falls back to the >+ * x86-64 syscall under some circumstances, e.g. >+ * https://bugs.debian.org/849923 >+ */ >+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT); >+#endif > > /* Default deny */ > BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2962">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Flags:
dtucker
:
ok+
Actions:
View
|
Diff
Attachments on
bug 2142
:
2328
|
2563
|
2927
| 2962