From 9ca250755f139c2383ada58198ecfcd7a22954a1 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 31 Aug 2020 15:13:39 +0200
Subject: [PATCH] sys_linux: allow lstat and readlink in seccomp filter

These syscalls seem to be needed when gnutls is loading system trusted certificates due to p11-kit >= 0.23.21 getting the program name from /proc/self/exe.
---
 sys_linux.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys_linux.c b/sys_linux.c
index 7cdd33c..2555e8b 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -533,7 +533,10 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
 SCMP_SYS(getdents),
 SCMP_SYS(getdents64),
 SCMP_SYS(lseek),
+ SCMP_SYS(lstat),
+ SCMP_SYS(lstat64),
 SCMP_SYS(newfstatat),
+ SCMP_SYS(readlink),
 SCMP_SYS(rename),
 SCMP_SYS(renameat),
 SCMP_SYS(renameat2),
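Review bot: The added entries cover `lstat`, `lstat64` and `readlink`, but the hunk shows no `readlinkat`, and on architectures without the legacy `readlink` syscall (aarch64, for example) libc issues `readlinkat` for the same /proc/self/exe lookup, so the filter would presumably still block the p11-kit call there; consider adding `SCMP_SYS(readlinkat),` next to `SCMP_SYS(readlink),` unless it is already listed outside the hunk. The array these lines belong to starts and ends outside the hunk, so it is not visible here whether this list is limited to a particular context or filter level. Because seccomp cannot inspect the path argument, each of these entries permits metadata reads and link resolution on any path the process can reach, so a short comment such as `/* lstat, readlink: p11-kit >= 0.23.21 reads /proc/self/exe when gnutls loads trusted certificates */` would keep the justification beside the entries for later allow-list audits.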