From f0840ed4c9f17f199d73b8b9788b08af0265026d Mon Sep 17 00:00:00 2001
From: Cristian Toader <cristian.matei.toader@gmail.com>
Date: Wed, 31 Jul 2013 00:27:14 +0300
Subject: [PATCH] epoll_ctl

---
 src/common/sandbox.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index acf3038145..6de95da4dc 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -33,6 +33,7 @@
 #include <sys/mman.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
+#include <sys/epoll.h>
 #include <bits/signum.h>
 
 #include <seccomp.h>
@@ -52,7 +53,6 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(close),
     SCMP_SYS(clone),
     SCMP_SYS(epoll_create),
-    SCMP_SYS(epoll_ctl),
     SCMP_SYS(epoll_wait),
     SCMP_SYS(fcntl),
 
@@ -326,6 +326,24 @@ sb_fcntl64(scmp_filter_ctx ctx)
 }
 #endif
 
+static int
+sb_epoll_ctl(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
+  if (rc)
+    return rc;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
 static sandbox_filter_func_t filter_func[] = {
     sb_rt_sigaction,
     sb_execve,
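Review bot: sb_epoll_ctl allows only EPOLL_CTL_ADD and EPOLL_CTL_MOD, and the blanket `SCMP_SYS(epoll_ctl)` entry is removed from filter_nopar_gen in the same patch, so an epoll_ctl call with EPOLL_CTL_DEL no longer matches any allow rule. It then falls to the filter's default action, which is not visible in this patch. If the event loop ever deregisters a descriptor from an epoll set, that call would trip the sandbox at runtime. Either add a third rule, `rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1, SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));`, followed by the same `if (rc) return rc;` check, or state in a comment that DEL is denied on purpose. The function also has no header comment; something like `/* Allow epoll_ctl() only when argument 1 (op) is one of the whitelisted EPOLL_CTL_* operations. */` would record the intent of the restriction.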
@@ -335,7 +353,8 @@ static sandbox_filter_func_t filter_func[] = {
     sb_open,
     sb_openat,
     sb_clock_gettime,
-    sb_fcntl64
+    sb_fcntl64,
+    sb_epoll_ctl
 };
 
 const char*
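Review bot: `sb_fcntl64` is listed unconditionally in filter_func, but the previous hunk's context shows an `#endif` directly after that function's closing brace, which suggests its definition is compiled conditionally. If so, the array entry needs the same preprocessor guard, or the build fails wherever the condition is false. The opening `#if` lies outside the visible hunks, so this should be confirmed against the full file. Separately, ending the new entry as `sb_epoll_ctl,` with a trailing comma would keep the next addition to a one-line change.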
-- 
GitLab