Skip to content

Commit

Permalink
Allow futex() syscall in sandbox
Browse files Browse the repository at this point in the history 
The rdrview sandbox has been broken again for more than a year:

  #15 (comment)

I can reproduce this myself since my last Ubuntu upgrade. The culprit
this time is the futex() syscall, which should have been obvious given
the error message. It seems harmless, so add it to the whitelist.

Take this chance to also allow fstat(). It's not really needed, but it
does get called for some reason, so allowing it makes the strace output
cleaner.
  • Loading branch information
@eafer
eafer committed Oct 27, 2024
1 parent 3642800 commit 0be77ae
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions src/sandbox.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,8 @@ static void do_start_sandbox(void)
fail |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
fail |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 0);
fail |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
fail |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0);
fail |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
#ifdef __ANDROID__
fail |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), 1,
SCMP_A2_32(SCMP_CMP_EQ, MADV_DONTNEED, 0));
Expand Down

0 comments on commit 0be77ae

Please sign in to comment.