commit c214d1ab67b2eee5a6424f518a795ab7883b868f from: Omar Polo date: Mon Feb 08 18:39:23 2021 UTC allow sigreturn and sigaction on linux
commit - df58efff26529acd6a5675d3b4044d494b138397
commit + c214d1ab67b2eee5a6424f518a795ab7883b868f
blob - 2a2504f7eee13b21b8814ddb5107d9ee2dfd8382
blob + 1d96a0ece842c9b09bbeace141ef6d4f98ad1fbd
--- sandbox.c
+++ sandbox.c
@@ -161,6 +161,10 @@ sandbox()
 SC_ALLOW(brk),
 SC_ALLOW(mmap),
 SC_ALLOW(munmap),
+
+ /* needed for signal handling */
+ SC_ALLOW(rt_sigreturn),
+ SC_ALLOW(rt_sigaction),
 /* we need recvmsg to receive fd */
 SC_ALLOW(recvmsg),
@@ -187,7 +191,7 @@ sandbox()
 SC_ALLOW(sendto),
 SC_ALLOW(connect),
- /* allow only F_GETFL and F_SETFL fcntl */
+ /* allow only F_GETFL, F_SETFL & F_SETFD fcntl */
 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
 BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
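Review bot: In the first hunk (`@@ -161,6 +161,10 @@`), `SC_ALLOW(rt_sigaction)` is permitted unconditionally, so code running inside the sandbox can install or replace signal handlers at any point after the filter is loaded. The comment `/* needed for signal handling */` does not say which call path needs it; if the handlers can be registered before the filter is installed, only `rt_sigreturn` is required afterwards and `rt_sigaction` could stay off the allow-list. If it has to stay, I would extend the comment to name the caller, e.g. `/* rt_sigreturn: return from handlers; rt_sigaction: <caller> installs handlers after sandbox() */`. The body of sandbox() starts and ends outside the hunk, so where the handlers are installed is not visible here.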
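Review bot: In the second hunk (`@@ -187,7 +191,7 @@`) only the comment changes: it now lists `F_SETFD`, but no filter instruction is added and the skip count in `BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8)` stays at 8. Presumably the `F_SETFD` comparison already exists further down, outside the hunk; that should be confirmed, because a comment that promises a different fcntl policy than the BPF program enforces misleads the next audit of the filter. The commit message mentions only sigreturn and sigaction, so the comment correction deserves a line there as well. Since the offset 8 is hand-counted, a short comment such as `/* 8 = number of instructions in the fcntl block below */` would help keep it in sync when a command is added.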