Seccomp filter: allow reading the current time (Bug#47708).

author Philipp Stephani <phst@google.com>

Sun, 11 Apr 2021 17:42:44 +0000 (19:42 +0200)

committer Philipp Stephani <phst@google.com>

Sun, 11 Apr 2021 17:50:45 +0000 (19:50 +0200)
author Philipp Stephani <phst@google.com>
Sun, 11 Apr 2021 17:42:44 +0000 (19:42 +0200)
committer Philipp Stephani <phst@google.com>
Sun, 11 Apr 2021 17:50:45 +0000 (19:50 +0200)
diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c

index e4d56e01b4d87bba532955861a9c33e8c3a16e34..9d25a5fe142649031474fc54fae4d199b65f5e9d 100644 (file)
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@@ -40,6 +40,7 @@ human-readable representation to out.pfc.  */
  #include <stdlib.h>
  #include <stdint.h>
  #include <stdio.h>
+#include <time.h>
  
  #include <sys/ioctl.h>
  #include <sys/mman.h>
@@ -286,6 +287,12 @@ main (int argc, char **argv)
    RULE (SCMP_ACT_ALLOW, SCMP_SYS (sigprocmask));
    RULE (SCMP_ACT_ALLOW, SCMP_SYS (rt_sigprocmask));
  
+  /* Allow reading the current time.  */
+  RULE (SCMP_ACT_ALLOW, SCMP_SYS (clock_gettime),
+        SCMP_A0_32 (SCMP_CMP_EQ, CLOCK_REALTIME));
+  RULE (SCMP_ACT_ALLOW, SCMP_SYS (time));
+  RULE (SCMP_ACT_ALLOW, SCMP_SYS (gettimeofday));
+
    /* Allow timer support.  */
    RULE (SCMP_ACT_ALLOW, SCMP_SYS (timer_create));
    RULE (SCMP_ACT_ALLOW, SCMP_SYS (timerfd_create));
author	Philipp Stephani <phst@google.com>
	Sun, 11 Apr 2021 17:42:44 +0000 (19:42 +0200)
committer	Philipp Stephani <phst@google.com>
	Sun, 11 Apr 2021 17:50:45 +0000 (19:50 +0200)