diff options
author | Stanisław Pitucha <viraptor@gmail.com> | 2018-03-12 20:05:45 +1100 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2018-03-14 12:33:58 -0700 |
commit | 7a646616fa176b1771d081d810d5de6bf639446a (patch) | |
tree | 9709421b800a8d55d12c3f4f3292edfe8a0d1ac6 /linux_priv.c | |
parent | 14c9bf80e114ac67ebbacc55e3205eed58b7a324 (diff) | |
download | memcached-7a646616fa176b1771d081d810d5de6bf639446a.tar.gz |
Update with syscalls found on Arch
Diffstat (limited to 'linux_priv.c')
-rw-r--r-- | linux_priv.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/linux_priv.c b/linux_priv.c index e34c1e6..5c696bc 100644 --- a/linux_priv.c +++ b/linux_priv.c @@ -31,6 +31,7 @@ void drop_privileges(void) { rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, SCMP_A1(SCMP_CMP_EQ, TIOCGWINSZ)); + rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, SCMP_A1(SCMP_CMP_EQ, TCGETS)); #ifdef MEMCACHED_DEBUG rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); @@ -40,6 +41,12 @@ void drop_privileges(void) { rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0); + + if (settings.relaxed_privileges) { + rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0); + rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mkdir), 0); + rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0); + } #endif if (rc != 0) { @@ -102,6 +109,9 @@ void drop_worker_privileges(void) { } if (settings.relaxed_privileges) { + rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0); + rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mkdir), 0); + rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0); rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0); |