seccomp: Forge return codes for POSIX ACL syscalls

Commands such as "cp -p" also use fsetxattr() in addition to fchown(),
so we need to make sure these syscalls always return successful as well
in order to avoid nasty "Invalid value" errors.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2016-11-16 17:25:00 +01:00
parent 651a18dd24
commit ed64976cec
No known key found for this signature in database
GPG key ID: 1DE8E48E57DB5436
2 changed files with 6 additions and 1 deletions

View file

@ -1659,6 +1659,10 @@ void setupSeccomp(void) {
FORCE_SUCCESS(fchownat); FORCE_SUCCESS(fchownat);
FORCE_SUCCESS(lchown); FORCE_SUCCESS(lchown);
FORCE_SUCCESS(setxattr);
FORCE_SUCCESS(lsetxattr);
FORCE_SUCCESS(fsetxattr);
if (seccomp_load(ctx) != 0) { if (seccomp_load(ctx) != 0) {
seccomp_release(ctx); seccomp_release(ctx);
throw SysError("unable to load seccomp BPF program"); throw SysError("unable to load seccomp BPF program");

View file

@ -16,7 +16,7 @@ let
sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" '' sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" ''
[ $(id -u) -eq 0 ] [ $(id -u) -eq 0 ]
touch foo cp -p "$testfile" foo
chown 1024:1024 foo chown 1024:1024 foo
touch "$out" touch "$out"
''; '';
@ -31,6 +31,7 @@ let
builder = "''${utils}/bin/bash"; builder = "''${utils}/bin/bash";
args = ["-e" ${sandboxTestScript}]; args = ["-e" ${sandboxTestScript}];
PATH = "''${utils}/bin"; PATH = "''${utils}/bin";
testfile = builtins.toFile "test" "i am a test file";
} }
''; '';