Sandbox: permit O_NONBLOCK and O_NOCTTY for files we refuse

OpenSSL needs this, or RAND_poll() will kill the process. Also, refuse with EACCESS, not errno==-1 (!).

Sandbox: permit O_NONBLOCK and O_NOCTTY for files we refuse
f70cf998 · Nick Mathewson · c80a6bd9 · f70cf998
Commit f70cf998 authored 11 years ago by Nick Mathewson
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -363,8 +363,8 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
    }
  }

-  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(-1), SCMP_SYS(open),
-                          SCMP_CMP_MASKED(1, O_CLOEXEC, O_RDONLY));
+  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
+                SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY, O_RDONLY));
  if (rc != 0) {
    log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
        "error %d", rc);