Add the poll() syscall as permitted by the sandbox

Apparently, sometimes getpwnam will call this. Fixes bug 25513.
2018-03-20 08:22:28 -04:00 · 2018-03-20 08:22:28 -04:00 · 070eda5a21
parent 3370b3cfef
commit 070eda5a21
2 changed files with 6 additions and 1 deletions
--- a/changes/feature25313
+++ b/changes/feature25313
@ -0,0 +1,4 @@
+  o Minor features (sandbox):
+    - Explicitly permit the poll() system call when the Linux seccomp2-based
+      sandbox is enabled: apparently, some versions of libc use poll() when
+      calling getpwnam(). Closes ticket 25313.
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@ -247,7 +247,8 @@ static int filter_nopar_gen[] = {
    SCMP_SYS(recvmsg),
    SCMP_SYS(recvfrom),
    SCMP_SYS(sendto),
-    SCMP_SYS(unlink)
+    SCMP_SYS(unlink),
+    SCMP_SYS(poll)
 };

 /* These macros help avoid the error where the number of filters we add on a