seccomp: Forge return codes for POSIX ACL syscalls
Commands such as "cp -p" also use fsetxattr() in addition to fchown(), so we need to make sure these syscalls always return successful as well in order to avoid nasty "Invalid value" errors. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
parent
651a18dd24
commit
ed64976cec
2 changed files with 6 additions and 1 deletions
|
@ -1659,6 +1659,10 @@ void setupSeccomp(void) {
|
||||||
FORCE_SUCCESS(fchownat);
|
FORCE_SUCCESS(fchownat);
|
||||||
FORCE_SUCCESS(lchown);
|
FORCE_SUCCESS(lchown);
|
||||||
|
|
||||||
|
FORCE_SUCCESS(setxattr);
|
||||||
|
FORCE_SUCCESS(lsetxattr);
|
||||||
|
FORCE_SUCCESS(fsetxattr);
|
||||||
|
|
||||||
if (seccomp_load(ctx) != 0) {
|
if (seccomp_load(ctx) != 0) {
|
||||||
seccomp_release(ctx);
|
seccomp_release(ctx);
|
||||||
throw SysError("unable to load seccomp BPF program");
|
throw SysError("unable to load seccomp BPF program");
|
||||||
|
|
|
@ -16,7 +16,7 @@ let
|
||||||
|
|
||||||
sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" ''
|
sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" ''
|
||||||
[ $(id -u) -eq 0 ]
|
[ $(id -u) -eq 0 ]
|
||||||
touch foo
|
cp -p "$testfile" foo
|
||||||
chown 1024:1024 foo
|
chown 1024:1024 foo
|
||||||
touch "$out"
|
touch "$out"
|
||||||
'';
|
'';
|
||||||
|
@ -31,6 +31,7 @@ let
|
||||||
builder = "''${utils}/bin/bash";
|
builder = "''${utils}/bin/bash";
|
||||||
args = ["-e" ${sandboxTestScript}];
|
args = ["-e" ${sandboxTestScript}];
|
||||||
PATH = "''${utils}/bin";
|
PATH = "''${utils}/bin";
|
||||||
|
testfile = builtins.toFile "test" "i am a test file";
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue