Restrict seccomp filters for UDS support.

This commit further restricts the seccomp filters required for Gofer access ot Unix Domain Sockets (UDS).
2019-07-30 14:58:26 -07:00 · 2019-07-30 14:58:26 -07:00 · 07d329d89f
parent c319b360d1
commit 07d329d89f
1 changed files with 3 additions and 0 deletions
--- a/runsc/fsgofer/filter/config.go
+++ b/runsc/fsgofer/filter/config.go
@ -39,6 +39,8 @@ var allowedSyscalls = seccomp.SyscallRules{
 	syscall.SYS_SETSOCKOPT: []seccomp.Rule{
 		{
 			seccomp.AllowAny{},
+			seccomp.AllowValue(syscall.SOL_SOCKET),
+			seccomp.AllowValue(syscall.SO_BROADCAST),
 		},
 	},
 	syscall.SYS_GETSOCKNAME: []seccomp.Rule{
@ -110,6 +112,7 @@ var allowedSyscalls = seccomp.SyscallRules{
 		},
 		{
 			seccomp.AllowAny{},
+			seccomp.AllowValue(syscall.F_DUPFD_CLOEXEC),
 		},
 	},
 	syscall.SYS_FSTAT:     {},