security: whitelist fakeroot syscalls

Until we get a bit more dynamic here, whitelist the IPC syscalls that fakeroot uses since it is available via portage FEATURES. URL: https://bugs.gentoo.org/558482
author: Mike Frysinger <vapier@gentoo.org> 2015-08-26 02:27:27 -0400
committer: Mike Frysinger <vapier@gentoo.org> 2015-08-26 02:27:27 -0400
commit: c39a557a2b53f6fea61117d9b0d90ea51a738d6b (patch)
tree: e2e63f4c8e1e9f33bfc74b4c5b9813870a40f18d /security.c
parent: security: add a debug handler for seccomp (diff)
download: pax-utils-c39a557a2b53f6fea61117d9b0d90ea51a738d6b.tar.gz
pax-utils-c39a557a2b53f6fea61117d9b0d90ea51a738d6b.tar.bz2
pax-utils-c39a557a2b53f6fea61117d9b0d90ea51a738d6b.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/security.c b/security.c
index a62c798..1fa64a0 100644
--- a/security.c
+++ b/security.c
@@ -122,6 +122,13 @@ static void pax_seccomp_init(bool allow_forking)
 
 		/* Syscalls listed because of sandbox.  */
 		SCMP_SYS(readlink),
+
+		/* Syscalls listed because of fakeroot.  */
+		SCMP_SYS(msgget),
+		SCMP_SYS(msgrcv),
+		SCMP_SYS(msgsnd),
+		SCMP_SYS(semget),
+		SCMP_SYS(semop),
 	};
 	int fork_syscalls[] = {
 		SCMP_SYS(clone),
author	Mike Frysinger <vapier@gentoo.org>	2015-08-26 02:27:27 -0400
committer	Mike Frysinger <vapier@gentoo.org>	2015-08-26 02:27:27 -0400
commit	c39a557a2b53f6fea61117d9b0d90ea51a738d6b (patch)
tree	e2e63f4c8e1e9f33bfc74b4c5b9813870a40f18d /security.c
parent	security: add a debug handler for seccomp (diff)
download	pax-utils-c39a557a2b53f6fea61117d9b0d90ea51a738d6b.tar.gz pax-utils-c39a557a2b53f6fea61117d9b0d90ea51a738d6b.tar.bz2 pax-utils-c39a557a2b53f6fea61117d9b0d90ea51a738d6b.zip