From 07d329d89f25e4649731199c3025f4fa0ed52bdb Mon Sep 17 00:00:00 2001
From: Robert Tonic <btonic@users.noreply.github.com>
Date: Tue, 30 Jul 2019 14:58:26 -0700
Subject: [PATCH] Restrict seccomp filters for UDS support.

This commit further restricts the seccomp filters required for Gofer
access ot Unix Domain Sockets (UDS).
---
 runsc/fsgofer/filter/config.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/runsc/fsgofer/filter/config.go b/runsc/fsgofer/filter/config.go
index 71f387bd0..c058c433b 100644
--- a/runsc/fsgofer/filter/config.go
+++ b/runsc/fsgofer/filter/config.go
@@ -39,6 +39,8 @@ var allowedSyscalls = seccomp.SyscallRules{
 	syscall.SYS_SETSOCKOPT: []seccomp.Rule{
 		{
 			seccomp.AllowAny{},
+			seccomp.AllowValue(syscall.SOL_SOCKET),
+			seccomp.AllowValue(syscall.SO_BROADCAST),
 		},
 	},
 	syscall.SYS_GETSOCKNAME: []seccomp.Rule{
@@ -110,6 +112,7 @@ var allowedSyscalls = seccomp.SyscallRules{
 		},
 		{
 			seccomp.AllowAny{},
+			seccomp.AllowValue(syscall.F_DUPFD_CLOEXEC),
 		},
 	},
 	syscall.SYS_FSTAT:     {},