authorDamien Miller <djm@mindrot.org>2014-01-31 09:25:34 +1100
committerDamien Miller <djm@mindrot.org>2014-01-31 09:25:34 +1100
commit7e5cec6070673e9f9785ffc749837ada22fbe99f (patch)
tree33f3131fde802ea4da8346c2838dae62766275ca
parentcdb6c90811caa5df2df856be9b0b16db020fe31d (diff)
- (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
syscall from sandboxes; it may be called by packet_close.
-rw-r--r--ChangeLog4
-rw-r--r--sandbox-seccomp-filter.c1
-rw-r--r--sandbox-systrace.c1
3 files changed, 6 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index c0dab651..f9740631 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20140131
+ - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
+ syscall from sandboxes; it may be called by packet_close.
+
20140130
- (djm) [configure.ac] Only check for width-specified integer types
in headers that actually exist. patch from Tom G. Christensen;
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2f73067e..dbda60ba 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -98,6 +98,7 @@ static const struct sock_filter preauth_insns[] = {
SC_ALLOW(read),
SC_ALLOW(write),
SC_ALLOW(close),
+ SC_ALLOW(shutdown),
SC_ALLOW(brk),
SC_ALLOW(poll),
#ifdef __NR__newselect
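Review bot: `SC_ALLOW(shutdown)` is added unconditionally, while the very next entry in the list is guarded by `#ifdef __NR__newselect`. The SC_ALLOW macro is defined outside this hunk, but if it expands to `__NR_shutdown`, the file will likely fail to compile on architectures that route socket operations through socketcall(2) and define no `__NR_shutdown`. Guarding the entry as `#ifdef __NR_shutdown` / `SC_ALLOW(shutdown),` / `#endif` would keep the pre-auth filter building there. Because this widens the pre-auth allow-list, a short comment such as `/* packet_close() may call shutdown(2) on the connection socket */` would record why the syscall is permitted, and the same comment would help on the `SYS_shutdown` entry in sandbox-systrace.c. The `preauth_insns` array begins and ends outside the hunk.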
diff --git a/sandbox-systrace.c b/sandbox-systrace.c
index 53fbd47c..3d467783 100644
--- a/sandbox-systrace.c
+++ b/sandbox-systrace.c
@@ -66,6 +66,7 @@ static const struct sandbox_policy preauth_policy[] = {
{ SYS_munmap, SYSTR_POLICY_PERMIT },
{ SYS_read, SYSTR_POLICY_PERMIT },
{ SYS_select, SYSTR_POLICY_PERMIT },
+ { SYS_shutdown, SYSTR_POLICY_PERMIT },
{ SYS_sigprocmask, SYSTR_POLICY_PERMIT },
{ SYS_write, SYSTR_POLICY_PERMIT },
{ -1, -1 }