Loading src/app/main/main.c +6 −2 Original line number Diff line number Diff line Loading @@ -841,8 +841,10 @@ sandbox_init_filter(void) OPEN_DATADIR2(name, name2 suffix); \ } while (0) // KeyDirectory is a directory, but it is only opened in check_private_dir // which calls open instead of opendir #define OPEN_KEY_DIRECTORY() \ OPENDIR(options->KeyDirectory) OPEN(options->KeyDirectory) #define OPEN_CACHEDIR(name) \ sandbox_cfg_allow_open_filename(&cfg, get_cachedir_fname(name)) #define OPEN_CACHEDIR_SUFFIX(name, suffix) do { \ Loading @@ -856,7 +858,9 @@ sandbox_init_filter(void) OPEN_KEYDIR(name suffix); \ } while (0) OPENDIR(options->DataDirectory); // DataDirectory is a directory, but it is only opened in check_private_dir // which calls open instead of opendir OPEN(options->DataDirectory); OPEN_KEY_DIRECTORY(); OPEN_CACHEDIR_SUFFIX("cached-certs", ".tmp"); Loading src/lib/sandbox/sandbox.c +1 −9 Original line number Diff line number Diff line Loading @@ -671,15 +671,7 @@ sb_opendir(scmp_filter_ctx ctx, sandbox_cfg_t *filter) if (param != NULL && param->prot == 1 && param->syscall == PHONY_OPENDIR_SYSCALL) { if (libc_uses_openat_for_opendir()) { rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD), SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value), SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE| O_DIRECTORY|O_CLOEXEC)); } else { rc = allow_file_open(ctx, 0, param->value); } rc = allow_file_open(ctx, libc_uses_openat_for_opendir(), param->value); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received " "libseccomp error %d", rc); Loading Loading
src/app/main/main.c +6 −2 Original line number Diff line number Diff line Loading @@ -841,8 +841,10 @@ sandbox_init_filter(void) OPEN_DATADIR2(name, name2 suffix); \ } while (0) // KeyDirectory is a directory, but it is only opened in check_private_dir // which calls open instead of opendir #define OPEN_KEY_DIRECTORY() \ OPENDIR(options->KeyDirectory) OPEN(options->KeyDirectory) #define OPEN_CACHEDIR(name) \ sandbox_cfg_allow_open_filename(&cfg, get_cachedir_fname(name)) #define OPEN_CACHEDIR_SUFFIX(name, suffix) do { \ Loading @@ -856,7 +858,9 @@ sandbox_init_filter(void) OPEN_KEYDIR(name suffix); \ } while (0) OPENDIR(options->DataDirectory); // DataDirectory is a directory, but it is only opened in check_private_dir // which calls open instead of opendir OPEN(options->DataDirectory); OPEN_KEY_DIRECTORY(); OPEN_CACHEDIR_SUFFIX("cached-certs", ".tmp"); Loading
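Review bot: The rationale comment `// KeyDirectory is a directory, but it is only opened in check_private_dir` / `// which calls open instead of opendir` is repeated verbatim in the second hunk for DataDirectory; state it once where both directories are listed rather than at both sites. What the comment leaves implicit matters more for the sandbox: dropping OPENDIR() means the seccomp filter will now kill the process on any opendir() of these two directories, so the comment should record the constraint, not just the current fact, e.g. `// Only check_private_dir() opens this directory, via open() rather than opendir(); any code that later lists it must add an OPENDIR() rule here or the sandbox will abort tor.` Whether OPEN() admits whatever flags check_private_dir() actually passes depends on sandbox_cfg_allow_open_filename, which is outside this diff, so this is worth confirming on a seccomp-enabled build. sandbox_init_filter() starts and ends outside both hunks.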
src/lib/sandbox/sandbox.c +1 −9 Original line number Diff line number Diff line Loading @@ -671,15 +671,7 @@ sb_opendir(scmp_filter_ctx ctx, sandbox_cfg_t *filter) if (param != NULL && param->prot == 1 && param->syscall == PHONY_OPENDIR_SYSCALL) { if (libc_uses_openat_for_opendir()) { rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD), SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value), SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE| O_DIRECTORY|O_CLOEXEC)); } else { rc = allow_file_open(ctx, 0, param->value); } rc = allow_file_open(ctx, libc_uses_openat_for_opendir(), param->value); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received " "libseccomp error %d", rc); Loading
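Review bot: The removed openat rule pinned argument 2 to `O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC`, while the replacement `rc = allow_file_open(ctx, libc_uses_openat_for_opendir(), param->value);` passes no flags at all; unless allow_file_open (outside this hunk) adds its own flag comparison, the rule for opendir'd paths no longer constrains the open mode, which is a least-privilege regression the change does not mention and that deserves either a flag-checking variant or a comment stating it is accepted. The surviving log_err still says "failed to add openat syscall", but allow_file_open is now the only path and presumably emits an open rule when libc_uses_openat_for_opendir() is false; `"(Sandbox) failed to add open/openat syscall, received "` would be accurate in both cases. sb_opendir() starts outside the hunk and its trailing context is cut off in this rendering.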