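diff --git a/src/sandbox/seccomp.rs b/src/sandbox/seccomp.rs
index bfa2e49..0cb5837 100644
--- a/src/sandbox/seccomp.rs
+++ b/src/sandbox/seccomp.rs
@@ -43,6 +44,8 @@ pub fn activate_stage1() -> Result<(), syscallz::Error> {
 #[cfg(target_arch = "arm")]
 ctx.allow_syscall(Syscall::send)?;
 ctx.allow_syscall(Syscall::sendto)?;
+ #[cfg(target_arch = "arm")]
+ ctx.allow_syscall(Syscall::recv)?;
 ctx.allow_syscall(Syscall::recvfrom)?;
 ctx.allow_syscall(Syscall::sendmsg)?;
 ctx.allow_syscall(Syscall::recvmsg)?;
@@ -99,7 +102,7 @@ pub fn activate_stage1() -> Result<(), syscallz::Error> {
 ctx.allow_syscall(Syscall::exit_group)?;
 ctx.allow_syscall(Syscall::set_robust_list)?;
 ctx.allow_syscall(Syscall::openat)?;
- #[cfg(target_arch = "aarch64")]
+ #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))]
 ctx.allow_syscall(Syscall::newfstatat)?;
 ctx.allow_syscall(Syscall::seccomp)?; // needed for stage2
 ctx.allow_syscall(Syscall::getrandom)?;
@@ -117,6 +120,7 @@ pub fn activate_stage1() -> Result<(), syscallz::Error> {
 #[cfg(not(target_arch = "aarch64"))]
 ctx.allow_syscall(Syscall::access)?; // needed for debian /etc/ld.so.nohwcap
 ctx.allow_syscall(Syscall::faccessat)?; // needed for debian /etc/ld.so.nohwcap
+ ctx.allow_syscall(Syscall::eventfd2)?;
 
 ctx.load()?;
 
@@ -153,13 +157,15 @@ pub fn activate_stage2() -> Result<(), syscallz::Error> {
 // ctx.allow_syscall(Syscall::socket)?;
 // ctx.allow_syscall(Syscall::connect)?;
 // ctx.allow_syscall(Syscall::sendto)?;
+ #[cfg(target_arch = "arm")]
+ ctx.allow_syscall(Syscall::recv)?;
 // ctx.allow_syscall(Syscall::recvfrom)?;
 // ctx.allow_syscall(Syscall::sendmsg)?;
 // ctx.allow_syscall(Syscall::recvmsg)?;
 // ctx.allow_syscall(Syscall::bind)?;
- // ctx.allow_syscall(Syscall::getsockname)?;
+ ctx.allow_syscall(Syscall::getsockname)?;
 ctx.allow_syscall(Syscall::setsockopt)?;
- // ctx.allow_syscall(Syscall::getsockopt)?;
+ ctx.allow_syscall(Syscall::getsockopt)?;
 ctx.allow_syscall(Syscall::clone)?;
 // ctx.allow_syscall(Syscall::uname)?;
 // ctx.allow_syscall(Syscall::fcntl)?;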
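Review bot: In the `activate_stage2` hunk, `recv` is allowed only under `#[cfg(target_arch = "arm")]` while `recvfrom`, `recvmsg`, `socket` and `connect` stay commented out, so the stage-2 allowlist now grants a receive path on one architecture that the others lack, and nothing in the hunk says which caller needs it. Stage 2 appears to be the tighter filter (inferred from the disabled socket calls), so it is worth confirming that the same code path does not need `recvfrom` on the other targets, or that `recv` is really required after stage 1 at all. The newly enabled `getsockname` and `getsockopt`, and `eventfd2` in the `activate_stage1` hunk, are also added without the kind of justification that neighbouring lines carry (`// needed for stage2`). I would add a trailing comment on each, for example `ctx.allow_syscall(Syscall::getsockopt)?; // needed by <component> in stage2`, so that later audits can tell which entries are safe to remove. Both function bodies start and end outside the hunks shown.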