From 4ae8a24b5ccbee904875a10b7b2301369080a88d Mon Sep 17 00:00:00 2001
From: Christos Zoulas <christos@zoulas.com>
Date: Sun, 6 May 2018 16:36:41 +0000
Subject: [PATCH] add more syscalls; newfstatat is used for stat'ing the magic
 file, getdents64 is used for getting the magic entries during compilation.

Upstream-commit: aeddbff330fad0edff2ab4b02dbf0863cd593c3c
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 src/seccomp.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/seccomp.c b/src/seccomp.c
index 7c8a3144..481a5624 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -59,12 +59,7 @@ enable_sandbox_basic(void)
 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
 		return -1;
 
-#if 0
-	// prevent escape via ptrace
-	prctl(PR_SET_DUMPABLE, 0);
-#endif
-
-	if (prctl (PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
+	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
 		return -1;
 
 	// initialize the filter
@@ -171,6 +166,9 @@ enable_sandbox_full(void)
 	ALLOW_RULE(fcntl);  
 	ALLOW_RULE(fstat);
 	ALLOW_RULE(getdents);
+#ifdef __NR_getdents64
+	ALLOW_RULE(getdents64);
+#endif
 	ALLOW_RULE(ioctl);
 	ALLOW_RULE(lseek);
 	ALLOW_RULE(lstat);
@@ -178,6 +176,9 @@ enable_sandbox_full(void)
 	ALLOW_RULE(mprotect);
 	ALLOW_RULE(mremap);
 	ALLOW_RULE(munmap);
+#ifdef __NR_newfstatat
+	ALLOW_RULE(newfstatat);
+#endif
 	ALLOW_RULE(open);
 	ALLOW_RULE(openat);
 	ALLOW_RULE(pread64);
-- 
2.17.0