1*4882a593SmuzhiyunFrom 0d4f4f2b239c687c1f815b66084a8cceae6fa1d4 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Jeffy Chen <jeffy.chen@rock-chips.com>
3*4882a593SmuzhiyunDate: Mon, 19 Sep 2022 17:49:57 +0800
4*4882a593SmuzhiyunSubject: [PATCH] HACK: seccomp: Allow new syscalls for old {arm, aarch64}
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunThe new glibc would try new syscalls unconditionally.
7*4882a593Smuzhiyun
8*4882a593SmuzhiyunSigned-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
9*4882a593Smuzhiyun---
10*4882a593Smuzhiyun sandbox-seccomp-filter.c | 6 ++++++
11*4882a593Smuzhiyun 1 file changed, 6 insertions(+)
12*4882a593Smuzhiyun
13*4882a593Smuzhiyundiff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
14*4882a593Smuzhiyunindex 4ce80cb..a449a80 100644
15*4882a593Smuzhiyun--- a/sandbox-seccomp-filter.c
16*4882a593Smuzhiyun+++ b/sandbox-seccomp-filter.c
17*4882a593Smuzhiyun@@ -186,6 +186,10 @@ static const struct sock_filter preauth_insns[] = {
18*4882a593Smuzhiyun #endif
19*4882a593Smuzhiyun #ifdef __NR_statx
20*4882a593Smuzhiyun SC_DENY(__NR_statx, EACCES),
21*4882a593Smuzhiyun+#elif defined __arm__
22*4882a593Smuzhiyun+ SC_DENY(397, ENOSYS),
23*4882a593Smuzhiyun+#elif defined __aarch64__
24*4882a593Smuzhiyun+ SC_DENY(291, ENOSYS),
25*4882a593Smuzhiyun #endif
26*4882a593Smuzhiyun
27*4882a593Smuzhiyun /* Syscalls to permit */
28*4882a593Smuzhiyun@@ -197,6 +201,8 @@ static const struct sock_filter preauth_insns[] = {
29*4882a593Smuzhiyun #endif
30*4882a593Smuzhiyun #ifdef __NR_clock_gettime64
31*4882a593Smuzhiyun SC_ALLOW(__NR_clock_gettime64),
32*4882a593Smuzhiyun+#else
33*4882a593Smuzhiyun+ SC_DENY(403, ENOSYS),
34*4882a593Smuzhiyun #endif
35*4882a593Smuzhiyun #ifdef __NR_close
36*4882a593Smuzhiyun SC_ALLOW(__NR_close),
37*4882a593Smuzhiyun--
38*4882a593Smuzhiyun2.20.1
39*4882a593Smuzhiyun
40
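Review bot: The bare literals `397` and `291` in the `__NR_statx` hunk carry no comment saying which syscall they stand for; they match statx in the arm and arm64 syscall tables, and the `403` in the second hunk has the same problem. Each should get a comment such as `/* statx: headers predate __NR_statx, but newer glibc still issues it */`, or the file could define the missing `__NR_statx` per architecture so the existing `SC_DENY(__NR_statx, ...)` line is reused. The fallback branches also return `ENOSYS` where the `#ifdef` branch returns `EACCES`, so the same binary behaves differently depending on the build headers. With `ENOSYS` glibc presumably retries through an older stat syscall, and whether the filter permits or kills on that call is decided by entries outside this hunk, so that should be checked. `preauth_insns[]` starts and ends outside the hunk.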
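Review bot: In the `__NR_clock_gettime64` hunk the new `#else` is not guarded by architecture, so `SC_DENY(403, ENOSYS)` is compiled into the filter on every target whose headers lack `__NR_clock_gettime64`, not only old arm. Number 403 is clock_gettime64 only on 32-bit ABIs; on aarch64 and other 64-bit targets that syscall does not exist, so the rule would be keyed to an unrelated or unassigned number. Matching the first hunk's guards would confine it to the case the commit message describes: `#elif defined __arm__` followed by `SC_DENY(403, ENOSYS), /* clock_gettime64 */`. The rule is also a deny entry placed under the `/* Syscalls to permit */` heading, so a short comment explaining why it sits there would help the next reader of the filter.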