From 7315a9475d8fa37af49e9e7ed11e1534f23ef70b Mon Sep 17 00:00:00 2001 From: "S. Gilles" Date: Wed, 12 Aug 2020 16:40:07 -0400 Subject: Allow clock_gettime64; return ENOSYS so libcs can engage fallbacks libcs such as musl expect ENOSYS to be returned (not EPERM) in their fallback code, so change the seccomp filter to be more agreeable to them. At the same time, clock_gettime is permitted in the filter, so permit clock_gettime64 as well -- it will be needed by 2038 in any case. * lib/sandbox.c (make_seccomp_filter): Set default action to SCMP_ACT_ERRNO (ENOSYS). Allow clock_gettime64. * NEWS: Document this. --- NEWS | 9 +++++++++ lib/sandbox.c | 3 ++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/lib/sandbox.c b/lib/sandbox.c index 21ec28aa..d934a0f9 100644 --- a/lib/sandbox.c +++ b/lib/sandbox.c @@ -232,7 +232,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive) ; debug ("initialising seccomp filter (permissive: %d)\n", permissive); - ctx = seccomp_init (SCMP_ACT_ERRNO (EPERM)); + ctx = seccomp_init (SCMP_ACT_ERRNO (ENOSYS)); if (!ctx) error (FATAL, errno, "can't initialise seccomp filter"); @@ -271,6 +271,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive) /* systemd: SystemCallFilter=@default */ SC_ALLOW ("clock_getres"); SC_ALLOW ("clock_gettime"); + SC_ALLOW ("clock_gettime64"); SC_ALLOW ("clock_nanosleep"); SC_ALLOW ("execve"); SC_ALLOW ("exit"); -- cgit v1.2.1