Add newfstatat to white list.

The newfstatat system call is used in glibc 2.33 during normal operation. This fixes a core dump (which is expected behaviour when an illegal system call is performed) spotted and reported by abbasmaheryar on github. Applied suggested fix by collidedscope on github as well. See issue #28 for more details. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
stoeckmann · Feb 6, 2021 · 90d906b · 90d906b
1 parent f41f0db
commit 90d906b
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/seccomp.c b/seccomp.c
@@ -81,6 +81,7 @@ add_common_stage2_rules(scmp_filter_ctx ctx)
 	    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 0) ||
 	    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0) ||
 	    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(nanosleep), 0) ||
+	    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0) ||
 	    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pipe), 0) ||
 	    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pipe2), 0) ||
 	    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 0) ||