aboutsummaryrefslogtreecommitdiff
path: root/src/lib/sandbox/sandbox.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/sandbox/sandbox.c')
-rw-r--r--src/lib/sandbox/sandbox.c40
1 files changed, 2 insertions, 38 deletions
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index e2356a1720..8f577b0660 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -491,24 +491,6 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
}
}
- rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
- SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
- O_RDONLY));
- if (rc != 0) {
- log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
- "error %d", rc);
- return rc;
- }
-
- rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat),
- SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
- O_RDONLY));
- if (rc != 0) {
- log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
- "libseccomp error %d", rc);
- return rc;
- }
-
return 0;
}
@@ -562,23 +544,6 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
return 0;
}
-static int
-sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
-{
- int rc;
- (void) filter;
- (void) ctx;
-
- rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
- if (rc != 0) {
- log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
- "received libseccomp error %d", rc);
- return rc;
- }
-
- return 0;
-}
-
/**
* Function responsible for setting up the rename syscall for
* the seccomp filter sandbox.
@@ -1141,7 +1106,6 @@ static sandbox_filter_func_t filter_func[] = {
sb_chmod,
sb_open,
sb_openat,
- sb__sysctl,
sb_rename,
#ifdef __NR_fcntl64
sb_fcntl64,
@@ -1518,14 +1482,14 @@ install_syscall_filter(sandbox_cfg_t* cfg)
int rc = 0;
scmp_filter_ctx ctx;
- ctx = seccomp_init(SCMP_ACT_TRAP);
+ ctx = seccomp_init(SCMP_ACT_ERRNO(EPERM));
if (ctx == NULL) {
log_err(LD_BUG,"(Sandbox) failed to initialise libseccomp context");
rc = -1;
goto end;
}
- // protectign sandbox parameter strings
+ // protecting sandbox parameter strings
if ((rc = prot_strings(ctx, cfg))) {
goto end;
}
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion