commit de4f71318422e6bd66ea7836dbb235ecb463f7f8
from: Omar Polo
date: Wed Jan 20 15:54:26 2021 UTC
tighten the rules for fcntl allow only the F_GETFL and F_SETFL commands
commit - 298e4b96dc9ef528a058cc8a0d9561ca54588f03
commit + de4f71318422e6bd66ea7836dbb235ecb463f7f8
blob - 6b98d99b67e32dc4460c70831a676aa0dc69d063
blob + 195fa36f52c3e163bb3ddf620b5478b296eb16e9
--- sandbox.c
+++ sandbox.c
@@ -145,7 +145,6 @@ sandbox()
 SC_ALLOW(poll),
 #endif
 SC_ALLOW(accept),
- SC_ALLOW(fcntl),
 SC_ALLOW(read),
 SC_ALLOW(openat),
 SC_ALLOW(fstat),
@@ -164,6 +163,20 @@ sandbox()
 SC_ALLOW(exit),
 SC_ALLOW(exit_group),
 
+ /* allow only F_GETFL and F_SETFL fcntl */
+ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6);
+ BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
+ (offsetof(struct seccomp_data, args[1])));
+ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0 1);
+ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
+ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1);
+ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
+ BPF_STMT(BPF_RET | BPF_K, SC_FAIL);
+
+ /* re-load the syscall number */
+ BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
+ (offsetof(struct seccomp_data, nr))),
+
 /* allow ioctl but only on fd 1, glibc doing stuff? */
 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
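Review bot: The seven new filter entries from `BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6);` through `BPF_STMT(BPF_RET | BPF_K, SC_FAIL);` end with `;` inside what the neighbouring `SC_ALLOW(exit_group),` and `__NR_ioctl` entries show to be an array initializer, and `BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0 1);` is additionally missing the comma between `0` and `1`, so sandbox.c does not compile as committed; each trailing `;` should be `,` and that line should read `BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),`. With the punctuation fixed the offsets do work out: the jf=6 on the `__NR_fcntl` test skips exactly the six instructions up to the `nr` reload, and each `F_GETFL`/`F_SETFL` test either falls through to its `SECCOMP_RET_ALLOW` or skips one instruction to the next test, ending in `SC_FAIL` for every other command. The `BPF_W` load of `args[1]` reads only one 32-bit half of the 64-bit argument slot — presumably the low half on a little-endian target, the same assumption the existing ioctl `args` check below already relies on — so a comment such as `/* fcntl cmd is an int: compare the low 32 bits of args[1] (little-endian layout) */` would record why a single-word compare is considered sufficient here. sandbox() itself begins and ends outside this hunk.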