1From 0d4f4f2b239c687c1f815b66084a8cceae6fa1d4 Mon Sep 17 00:00:00 2001
2From: Jeffy Chen <jeffy.chen@rock-chips.com>
3Date: Mon, 19 Sep 2022 17:49:57 +0800
4Subject: [PATCH] HACK: seccomp: Allow new syscalls for old {arm, aarch64}
5
6The new glibc would try new syscalls unconditionally.
7
8Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
9---
10 sandbox-seccomp-filter.c | 6 ++++++
11 1 file changed, 6 insertions(+)
12
13diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
14index 4ce80cb..a449a80 100644
15--- a/sandbox-seccomp-filter.c
16+++ b/sandbox-seccomp-filter.c
17@@ -186,6 +186,10 @@ static const struct sock_filter preauth_insns[] = {
18 #endif
19 #ifdef __NR_statx
20 SC_DENY(__NR_statx, EACCES),
21+#elif defined __arm__
22+ SC_DENY(397, ENOSYS),
23+#elif defined __aarch64__
24+ SC_DENY(291, ENOSYS),
25 #endif
26 
27 /* Syscalls to permit */
28@@ -197,6 +201,8 @@ static const struct sock_filter preauth_insns[] = {
29 #endif
30 #ifdef __NR_clock_gettime64
31 SC_ALLOW(__NR_clock_gettime64),
32+#else
33+ SC_DENY(403, ENOSYS),
34 #endif
35 #ifdef __NR_close
36 SC_ALLOW(__NR_close),
37-- 
382.20.1
39
40
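Review bot: The fallback entries `SC_DENY(397, ENOSYS)` and `SC_DENY(291, ENOSYS)` are bare syscall numbers with nothing tying them to statx, and the existing branch directly above denies with EACCES while these deny with ENOSYS, so a reader cannot tell whether the errno difference is deliberate. From the enclosing `#ifdef __NR_statx` the numbers are presumably the arm and arm64 statx numbers that older kernel headers do not define; record that next to the entries, e.g. `/* statx on headers too old to define __NR_statx (arm 397, arm64 291); ENOSYS so the newer glibc falls back to its older path */`, and either align the errno with the EACCES entry or state why ENOSYS is needed here. The same hard-coded-number concern applies to the clock_gettime64 hunk below. The preauth_insns[] initializer starts and ends outside the hunk.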
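Review bot: The new `#else` branch is unconditional, so `SC_DENY(403, ENOSYS)` is compiled into the filter on every architecture whose headers lack `__NR_clock_gettime64`, not only the arm targets named in the subject; 403 is presumably the 32-bit clock_gettime64 number, and on 64-bit targets the entry is at best a stray rule carrying a magic number. Mirror the guard used in the statx hunk, `#elif defined __arm__`, in place of `#else`, and add a comment naming the syscall, `/* clock_gettime64 on arm headers too old to define __NR_clock_gettime64 */`. The preauth_insns[] initializer continues outside the hunk.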