commit 94c5f99ab038efafa5f5a841d8092a995d9ee03c
from: Omar Polo
date: Sun Feb 13 15:32:10 2022 UTC
sort syscalls in seccomp filter
commit - 67347fb02188b5cad33b647df942b38226471b9c
commit + 94c5f99ab038efafa5f5a841d8092a995d9ee03c
blob - 2b5e9e04039d1ddb3fc19dbb3e4216777756f853
blob + 8881cbbcf9d87b9ec3418b8f57a66cbdc7a7bb3b
--- sandbox.c
+++ sandbox.c
@@ -307,6 +307,9 @@ static struct sock_filter filter[] = {
 #endif
 #ifdef __NR_fstat64
  SC_ALLOW(fstat64),
+#endif
+#ifdef __NR_fstatat64
+ SC_ALLOW(fstatat64),
 #endif
 #ifdef __NR_getdents64
  SC_ALLOW(getdents64),
@@ -326,6 +329,9 @@ static struct sock_filter filter[] = {
  /* allow FIONREAD needed by libevent */
  SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
 #endif
+#ifdef __NR__llseek
+ SC_ALLOW(_llseek),
+#endif
 #ifdef __NR_lseek
  SC_ALLOW(lseek),
 #endif
@@ -343,9 +349,6 @@ static struct sock_filter filter[] = {
 #endif
 #ifdef __NR_newfstatat
  SC_ALLOW(newfstatat),
-#endif
-#ifdef __NR_fstatat64
- SC_ALLOW(fstatat64),
 #endif
 #ifdef __NR_oldfstat
  SC_ALLOW(oldfstat),
@@ -374,6 +377,9 @@ static struct sock_filter filter[] = {
 #ifdef __NR_sendmsg
  SC_ALLOW(sendmsg),
 #endif
+#ifdef __NR_sigreturn
+ SC_ALLOW(sigreturn),
+#endif
 #ifdef __NR_statx
  SC_ALLOW(statx),
 #endif
@@ -386,12 +392,6 @@ static struct sock_filter filter[] = {
 #ifdef __NR_writev
  SC_ALLOW(writev),
 #endif
-#ifdef __NR__llseek
- SC_ALLOW(_llseek),
-#endif
-#ifdef __NR_sigreturn
- SC_ALLOW(sigreturn),
-#endif
  /* disallow everything else */
  BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
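Review bot: The ordering rule this commit establishes is not written down in the visible hunks, and it is not obvious: in the second hunk `_llseek` is filed between `ioctl` and `lseek`, so the list is sorted with the leading underscore ignored. A one-line comment above the first entry of the allow-list, such as `/* keep sorted by syscall name, ignoring leading underscores */`, would let later additions land in the right place and make duplicate or unintended entries easier to spot when the sandbox is audited. The `filter[]` array starts and ends outside these hunks, so the comment belongs at its head rather than inside any of them. Presumably each `SC_ALLOW` expands to an independent compare-and-return pair, in which case the reorder leaves the set of permitted syscalls unchanged; that is worth confirming against the macro definition, which is not shown here.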