Deny lstat syscalls in seccomp sandbox

Avoids sandbox violations for some krb/gssapi libraries.
2016-05-20 09:56:53 +10:00 · 2016-05-20 09:56:53 +10:00 · f64062b1f7
parent 531c135409
commit f64062b1f7
1 changed files with 6 additions and 0 deletions
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@ -103,6 +103,12 @@ static const struct sock_filter preauth_insns[] = {
 		offsetof(struct seccomp_data, nr)),

 	/* Syscalls to non-fatally deny */
+#ifdef __NR_lstat
+	SC_DENY(lstat, EACCES),
+#endif
+#ifdef __NR_lstat64
+	SC_DENY(lstat64, EACCES),
+#endif
 #ifdef __NR_fstat
 	SC_DENY(fstat, EACCES),
 #endif