Diffstat (limited to 'seccomp')
-rw-r--r--seccomp/x86_64/block_device.policy3
-rw-r--r--seccomp/x86_64/net_device.policy2
-rw-r--r--seccomp/x86_64/rng_device.policy3
-rw-r--r--seccomp/x86_64/vhost_net_device.policy2
-rw-r--r--seccomp/x86_64/vhost_vsock_device.policy2
-rw-r--r--seccomp/x86_64/wl_device.policy3
6 files changed, 12 insertions, 3 deletions
diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy
index f1f31f8..581169a 100644
--- a/seccomp/x86_64/block_device.policy
+++ b/seccomp/x86_64/block_device.policy
@@ -3,6 +3,8 @@
 # found in the LICENSE file.
 
 close: 1
+dup: 1
+dup2: 1
 exit_group: 1
 futex: 1
 lseek: 1
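Review bot: `dup2: 1` is added here with no comment saying which code path in the device process needs it, and the same two lines are added at the top of the net_device, rng_device, vhost_net_device, vhost_vsock_device and wl_device policies. In this file `dup` is only moved (the later hunk removes the old entry), so dup2 is the actual new grant. Unlike dup, dup2 lets the caller pick the target descriptor number and silently closes whatever was open there. A short comment above the rule, for example `# dup2: used by <caller> to <purpose>` with the placeholders filled in, would let a later reviewer judge whether the rule can be dropped or narrowed.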
@@ -20,6 +22,5 @@ sigaltstack: 1
 clone: arg0 & 0x00010000
 write: 1
 eventfd2: 1
-dup: 1
 poll: 1
 getpid: 1
diff --git a/seccomp/x86_64/net_device.policy b/seccomp/x86_64/net_device.policy
index e15a00e..23abcfe 100644
--- a/seccomp/x86_64/net_device.policy
+++ b/seccomp/x86_64/net_device.policy
@@ -3,6 +3,8 @@
 # found in the LICENSE file.
 
 close: 1
+dup: 1
+dup2: 1
 exit_group: 1
 futex: 1
 # Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
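Review bot: No matching `-dup: 1` removal appears for this file, nor for vhost_net_device.policy and vhost_vsock_device.policy, and the diffstat lists only two changed lines for each. Both `dup: 1` and `dup2: 1` therefore look like new grants for these three device processes rather than a reordering as in the block, rng and wl policies. If that widening is intended, a comment such as `# dup/dup2: needed for <reason>` would record why. If any of these files already listed dup further down, the added line would repeat the rule, so it is worth confirming how the policy compiler treats a repeated entry.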
diff --git a/seccomp/x86_64/rng_device.policy b/seccomp/x86_64/rng_device.policy
index a5e5bf7..429e94d 100644
--- a/seccomp/x86_64/rng_device.policy
+++ b/seccomp/x86_64/rng_device.policy
@@ -3,6 +3,8 @@
 # found in the LICENSE file.
 
 close: 1
+dup: 1
+dup2: 1
 exit_group: 1
 futex: 1
 # Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
@@ -19,6 +21,5 @@ sigaltstack: 1
 clone: arg0 & 0x00010000
 write: 1
 eventfd2: 1
-dup: 1
 poll: 1
 getpid: 1
diff --git a/seccomp/x86_64/vhost_net_device.policy b/seccomp/x86_64/vhost_net_device.policy
index 30f79d9..6e61bba 100644
--- a/seccomp/x86_64/vhost_net_device.policy
+++ b/seccomp/x86_64/vhost_net_device.policy
@@ -3,6 +3,8 @@
 # found in the LICENSE file.
 
 close: 1
+dup: 1
+dup2: 1
 exit_group: 1
 futex: 1
 # Whitelist vhost_net ioctls only.
diff --git a/seccomp/x86_64/vhost_vsock_device.policy b/seccomp/x86_64/vhost_vsock_device.policy
index 0310470..fe54042 100644
--- a/seccomp/x86_64/vhost_vsock_device.policy
+++ b/seccomp/x86_64/vhost_vsock_device.policy
@@ -3,6 +3,8 @@
 # found in the LICENSE file.
 
 close: 1
+dup: 1
+dup2: 1
 exit_group: 1
 futex: 1
 # Whitelist vhost_vsock ioctls only.
diff --git a/seccomp/x86_64/wl_device.policy b/seccomp/x86_64/wl_device.policy
index be404be..7f1ee1b 100644
--- a/seccomp/x86_64/wl_device.policy
+++ b/seccomp/x86_64/wl_device.policy
@@ -1,4 +1,6 @@
 close: 1
+dup: 1
+dup2: 1
 getpid: 1
 exit_group: 1
 futex: 1
@@ -18,7 +20,6 @@ sigaltstack: 1
 clone: arg0 & 0x00010000
 write: 1
 eventfd2: 1
-dup: 1
 # Used to connect to wayland. arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC
 socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 # arg1 == FIONBIO