Merge branch 'maint-0.3.1' into release-0.3.1

2 files changed, 19 insertions, 1 deletions

diff --git a/changes/bug24198 b/changes/bug24198
new file mode 100644
index 0000000000..6790706872
--- /dev/null
+++ b/changes/bug24198
@@ -0,0 +1,4 @@
+  o Minor bugfixes (controller, linux seccomp2 sandbox):
+    - Avoid a crash when attempting to use the seccomp2 sandbox
+      together with the OwningControllerProcess feature.
+      Fixes bug 24198; bugfix on 0.2.5.1-alpha.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 2a343aac57..1b73f31265 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -1118,6 +1118,19 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 }
 #endif
 
+static int
+sb_kill(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+{
+  (void) filter;
+#ifdef __NR_kill
+  /* Allow killing anything with signal 0 -- it isn't really a kill. */
+  return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(kill),
+       SCMP_CMP(1, SCMP_CMP_EQ, 0));
+#else
+  return 0;
+#endif
+}
+
 /**
  * Array of function pointers responsible for filtering different syscalls at
  * a parameter level.
@@ -1156,7 +1169,8 @@ static sandbox_filter_func_t filter_func[] = {
     sb_socket,
     sb_setsockopt,
     sb_getsockopt,
-    sb_socketpair
+    sb_socketpair,
+    sb_kill
 };
 
 const char *