51 lines
1.3 KiB
Diff
51 lines
1.3 KiB
Diff
|
--- a/configure.ac
|
||
|
|
+++ b/configure.ac
|
||
|
|
@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||
|
|
i*86-*)
|
||
|
|
seccomp_audit_arch=AUDIT_ARCH_I386
|
||
|
|
;;
|
||
|
|
- arm*-*)
|
||
|
|
+ aarch64*-*)
|
||
|
|
+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
|
||
|
|
+ ;;
|
||
|
|
+ arm*-*)
|
||
|
|
seccomp_audit_arch=AUDIT_ARCH_ARM
|
||
|
|
- ;;
|
||
|
|
+ ;;
|
||
|
|
esac
|
||
|
|
if test "x$seccomp_audit_arch" != "x" ; then
|
||
|
|
AC_MSG_RESULT(["$seccomp_audit_arch"])
|
||
|
|
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||
|
|
index 095b04a..59c3682 100644
|
||
|
|
--- a/sandbox-seccomp-filter.c
|
||
|
|
+++ b/sandbox-seccomp-filter.c
|
||
|
|
@@ -90,8 +90,10 @@ static const struct sock_filter preauth_insns[] = {
|
||
|
|
/* Load the syscall number for checking. */
|
||
|
|
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
|
||
|
|
offsetof(struct seccomp_data, nr)),
|
||
|
|
- SC_DENY(open, EACCES),
|
||
|
|
+ SC_DENY(openat, EACCES), /* no open() on AArch64 */
|
||
|
|
+#ifdef __NR_stat
|
||
|
|
SC_DENY(stat, EACCES),
|
||
|
|
+#endif
|
||
|
|
SC_ALLOW(getpid),
|
||
|
|
SC_ALLOW(gettimeofday),
|
||
|
|
SC_ALLOW(clock_gettime),
|
||
|
|
@@ -111,12 +113,16 @@ static const struct sock_filter preauth_insns[] = {
|
||
|
|
SC_ALLOW(shutdown),
|
||
|
|
#endif
|
||
|
|
SC_ALLOW(brk),
|
||
|
|
+#ifdef __NR_poll /* Not available on AArch64 */
|
||
|
|
SC_ALLOW(poll),
|
||
|
|
+#endif
|
||
|
|
#ifdef __NR__newselect
|
||
|
|
SC_ALLOW(_newselect),
|
||
|
|
#else
|
||
|
|
+#ifdef __NR_select /* Not available on AArch64 */
|
||
|
|
SC_ALLOW(select),
|
||
|
|
#endif
|
||
|
|
+#endif
|
||
|
|
SC_ALLOW(madvise),
|
||
|
|
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
|
||
|
|
SC_ALLOW(mmap2),
|