

commit - de4f71318422e6bd66ea7836dbb235ecb463f7f8
commit + 3c0375e405857c074c428ddb3330d6286fcc47aa
blob - 195fa36f52c3e163bb3ddf620b5478b296eb16e9
blob + 3d3b6195a0debd845efda2f404cee2e087c87091
--- sandbox.c
+++ sandbox.c
@@ -24,6 +24,7 @@ sandbox()
 #include <linux/seccomp.h>
 
 #include <errno.h>
+#include <fcntl.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <seccomp.h>
@@ -162,18 +163,16 @@ sandbox()
 
 		SC_ALLOW(exit),
 		SC_ALLOW(exit_group),
-
-		/* allow only F_GETFL and F_SETFL fcntl */
-		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6);
+                /* allow only F_GETFL and F_SETFL fcntl */
+		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6),
 		BPF_STMT(BPF_LD  | BPF_W | BPF_ABS,
-		    (offsetof(struct seccomp_data, args[1])));
-		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0 1);
-		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
-		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1);
-		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
-		BPF_STMT(BPF_RET | BPF_K, SC_FAIL);
-
-		/* re-load the syscall number */
+		    (offsetof(struct seccomp_data, args[1]))),
+		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
+		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
+		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
+                /* re-load the syscall number */
 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
 		    (offsetof(struct seccomp_data, nr))),
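Review bot: The fcntl command check loads `args[1]` with `BPF_LD | BPF_W | BPF_ABS`, a 32-bit read at the start of a 64-bit `seccomp_data` argument slot, so it sees the low half of the argument only on little-endian targets. On a big-endian build the `F_GETFL`/`F_SETFL` comparisons would run against the upper half, which is not the word the kernel uses as the command, and the allow-list would no longer constrain what it appears to. If only little-endian targets are supported, state it next to the load, e.g. `/* args[] are 64-bit: this reads the low word, little-endian only */`; otherwise add `sizeof(uint32_t)` to the offset under a byte-order `#if`. Whether the filter checks `seccomp_data.arch` before reaching this point cannot be seen here, since the filter array starts and ends outside the hunk.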