seccomp: Forge return codes for POSIX ACL syscalls
Commands such as "cp -p" also use fsetxattr() in addition to fchown(), so we need to make sure these syscalls always report success as well, in order to avoid nasty "Invalid value" errors. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
parent
651a18dd24
commit
ed64976cec
2 changed files with 6 additions and 1 deletions
|
@ -1659,6 +1659,10 @@ void setupSeccomp(void) {
|
|||
FORCE_SUCCESS(fchownat);
|
||||
FORCE_SUCCESS(lchown);
|
||||
|
||||
FORCE_SUCCESS(setxattr);
|
||||
FORCE_SUCCESS(lsetxattr);
|
||||
FORCE_SUCCESS(fsetxattr);
|
||||
|
||||
if (seccomp_load(ctx) != 0) {
|
||||
seccomp_release(ctx);
|
||||
throw SysError("unable to load seccomp BPF program");
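Review bot: The three new rules for `setxattr`, `lsetxattr` and `fsetxattr` forge success for every extended-attribute write, not only the POSIX ACL attributes the commit title names, because a seccomp filter sees the attribute name only as a pointer and cannot match on the string behind it. A builder that sets `security.capability` or a `user.*` attribute would therefore be told it succeeded while nothing was stored, assuming `FORCE_SUCCESS` (defined outside this hunk) installs an errno-0 rule as its name suggests. I would record that above the new lines, e.g. `// seccomp cannot inspect the attribute name, so this fakes success for all set*xattr calls, not just ACLs`, and weigh returning `ENOTSUP` instead, which callers commonly read as "no ACL support here" rather than as a silent success. `setupSeccomp` starts and continues outside the hunk, so any existing comment on the chown rules is not visible.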
|
||||
|
|
|
@ -16,7 +16,7 @@ let
|
|||
|
||||
sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" ''
|
||||
[ $(id -u) -eq 0 ]
|
||||
touch foo
|
||||
cp -p "$testfile" foo
|
||||
chown 1024:1024 foo
|
||||
touch "$out"
|
||||
'';
|
||||
|
@ -31,6 +31,7 @@ let
|
|||
builder = "''${utils}/bin/bash";
|
||||
args = ["-e" ${sandboxTestScript}];
|
||||
PATH = "''${utils}/bin";
|
||||
testfile = builtins.toFile "test" "i am a test file";
|
||||
}
|
||||
'';
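Review bot: Coverage of the new `setxattr`/`lsetxattr`/`fsetxattr` rules rests entirely on `cp -p "$testfile" foo` in the test script, and whether that command issues `fsetxattr()` depends on how the `cp` in `utils` was built, which this page does not show. If it does not, the test passes without touching the new rules, and `setxattr` and `lsetxattr` appear not to be exercised either way. A short comment in the script would at least record the intent, e.g. `# cp -p preserves ACLs via fsetxattr(), which the sandbox has to fake`; a direct xattr write (for instance with `setfattr`, if the attr tools can be added to `utils`) would make the check deterministic. The enclosing `let` block starts and ends outside the hunks shown.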
|
||||
|
||||
|
|