commit 3c0375e405857c074c428ddb3330d6286fcc47aa from: Omar Polo date: Wed Jan 20 16:09:04 2021 UTC fix BPF
commit - de4f71318422e6bd66ea7836dbb235ecb463f7f8
commit + 3c0375e405857c074c428ddb3330d6286fcc47aa
blob - 195fa36f52c3e163bb3ddf620b5478b296eb16e9
blob + 3d3b6195a0debd845efda2f404cee2e087c87091
--- sandbox.c
+++ sandbox.c
@@ -24,6 +24,7 @@ sandbox()
 #include
 #include
+#include
 #include
 #include
 #include
@@ -162,18 +163,16 @@ sandbox()
 SC_ALLOW(exit),
 SC_ALLOW(exit_group),
-
- /* allow only F_GETFL and F_SETFL fcntl */
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6);
+ /* allow only F_GETFL and F_SETFL fcntl */
+ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6),
 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
- (offsetof(struct seccomp_data, args[1])));
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0 1);
- BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1);
- BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
- BPF_STMT(BPF_RET | BPF_K, SC_FAIL);
-
- /* re-load the syscall number */
+ (offsetof(struct seccomp_data, args[1]))),
+ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
+ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
+ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+ BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
+ /* re-load the syscall number */
 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
 (offsetof(struct seccomp_data, nr))),
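Review bot: The `0, 6` false-branch offset on the `__NR_fcntl` test is hand-counted and has to equal exactly the six instructions that follow, through `BPF_STMT(BPF_RET | BPF_K, SC_FAIL)`, and nothing in the new code records that. If a later edit adds or removes a command check without adjusting it, non-fcntl syscalls would land inside the block with the syscall number still in the accumulator and be compared against `F_GETFL`/`F_SETFL` as if it were a command, which could allow a syscall that was meant to be denied. I would add a comment above the jump such as `/* jf = 6: number of instructions in the fcntl block, update when adding a cmd */`. Separately, loading `offsetof(struct seccomp_data, args[1])` as a 32-bit word reads the low half of the argument only on little-endian targets; on a big-endian 64-bit build the comparison would presumably see the high half and reject valid calls, so that assumption is worth a comment too. The filter array begins and ends outside this hunk.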