From b0fc5016d449e5f4d06d50ca0a3bf1b036e7aa05 Mon Sep 17 00:00:00 2001
From: zsugabubus
Date: Sun, 19 Apr 2020 13:35:44 +0200
Subject: [PATCH] Fix seccomp filters in strict mode

---
 zathura/seccomp-filters.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c
index 509a71f..7eccedf 100644
--- a/zathura/seccomp-filters.c
+++ b/zathura/seccomp-filters.c
@@ -163,6 +163,7 @@ seccomp_enable_strict_filter(void)
  ALLOW_RULE(getgid);
  ALLOW_RULE(getuid);
  ALLOW_RULE(getpid);
+ ALLOW_RULE(gettid);
  /* ALLOW_RULE (getpeername); */
  ALLOW_RULE(getresgid);
  ALLOW_RULE(getresuid);
@@ -219,6 +220,9 @@ seccomp_enable_strict_filter(void)
  ALLOW_RULE(writev);
  ALLOW_RULE(wait4); /* trying to open links should not crash the app */
 
+ ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_setattr, 0);
+ ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_getattr, 0);
+
  /* Special requirements for ioctl, allowed on stdout/stderr */
  ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 1));
  ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 2));
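Review bot: The new `ALLOW_RULE(gettid);` entry in seccomp_enable_strict_filter records no reason, and the commit message does not say which call path strict mode was blocking. An allowlist is easier to audit when each addition names its caller, as the `wait4` line in the second hunk does; a trailing comment such as `ALLOW_RULE(gettid); /* needed by <caller, fill in> */` would be enough. gettid takes no arguments and only returns the calling thread's id, so the exposure added here looks small. The function body starts and ends outside the hunk, so the filter's default action is not visible from here.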
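Review bot: The two `SCMP_ACT_ERRNO(EPERM)` rules for sched_setattr and sched_getattr are the only rules in the visible hunks that answer a syscall with an error instead of allowing it, and nothing explains the choice. They sit below the `wait4` comment about opening links, which does not describe them. Presumably a library probes scheduler attributes and falls back when the call fails; that is inferred, not shown in the hunk. It is worth confirming that the caller treats EPERM as a soft failure, since such probes often key on ENOSYS instead. The finding should go in a comment above the rules, for example `/* deny without killing: <library, fill in> probes scheduler attributes and falls back on failure */`. The definition of ADD_RULE and the rest of the function are outside the hunk.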