External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2025-03-20 07:58:55 +00:00
Code

vmm: seccomp: Ensure that umask() can be reprogrammed

Browse Source 
When doing self spawning the child will attempt to set the umask() again. Let
it through the seccomp rules so long as it the safe mask again.

Signed-off-by: Rob Bradford <robert.bradford@intel.com>
This commit is contained in:
Rob Bradford 2020-05-27 15:35:28 +01:00
parent 3497eeff49
commit 0728bece0c
1 changed files with 4 additions and 0 deletions

4
vmm/src/seccomp_filters.rs

@ -276,6 +276,10 @@ pub fn vmm_thread_filter() -> Result<SeccompFilter, Error> {
allow_syscall(libc::SYS_statx),
allow_syscall(libc::SYS_tgkill),
allow_syscall(libc::SYS_tkill),
allow_syscall_if(
libc::SYS_umask,
or![and![Cond::new(0, ArgLen::DWORD, Eq, 0o077)?]],
),
#[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_unlink),
allow_syscall(libc::SYS_wait4),