1 files changed, 14 insertions, 5 deletions

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 2e8467d7c1..efadeca84e 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -117,7 +117,6 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(mprotect),
     SCMP_SYS(mremap),
     SCMP_SYS(munmap),
-    SCMP_SYS(openat),
     SCMP_SYS(poll),
     SCMP_SYS(prctl),
     SCMP_SYS(read),
@@ -158,7 +157,7 @@ static int filter_nopar_gen[] = {
 };
 
 const char*
-sandbox_intern_string(char *param)
+sandbox_intern_string(const char *param)
 {
   int i, filter_size;
   sandbox_cfg_t *elem;
@@ -228,15 +227,25 @@ prot_strdup(char* str)
 int
 sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
 {
-  sandbox_cfg_t *elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
+  sandbox_cfg_t *elem = NULL;
+  intptr_t prot_str = (intptr_t) prot_strdup((char*) file);
 
+  elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
   elem->syscall = SCMP_SYS(open);
   elem->pindex = 0;
   elem->ptype = PARAM_PTR;
-  elem->param = (intptr_t) prot_strdup((char*) file);
+  elem->param = prot_str;
   elem->prot = 1;
+  elem->next = filter_dynamic;
+  filter_dynamic = elem;
 
-  // fifo
+  // also allow openat
+  elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
+  elem->syscall = SCMP_SYS(openat);
+  elem->pindex = 1;
+  elem->ptype = PARAM_PTR;
+  elem->param = prot_str;
+  elem->prot = 1;
   elem->next = filter_dynamic;
   filter_dynamic = elem;