author | Colin Watson <cjwatson@debian.org> | 2019-01-05 09:10:58 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2019-01-05 09:10:58 +0000 |
commit | 97591079ee87b6f72fd57ba393dbd1a29d4d84f5 (patch) | |
tree | fc57c57eb67737463446df2643f03150bfc37d80 /lib | |
parent | 5740c40bf00795a839c0670b27c95e5d5dc1063f (diff) |
sandbox: Work around Microsoft SCEP
This is a proprietary antivirus program and I've only been able to guess
at how to handle it. Note that it is no longer supported by Microsoft
and so users should probably replace it with something else, but I still
want to minimise the number of support requests I get related to it.
* lib/sandbox.c (make_seccomp_filter): If libscep_pac.so is preloaded,
then allow some system calls related to sockets and System V message
queues.
* NEWS: Document this.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/sandbox.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/sandbox.c b/lib/sandbox.c
index 9321d810..c097482b 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -529,6 +529,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
 * /dev/log.
 */
 if (search_ld_preload ("libesets_pac.so") ||
+ search_ld_preload ("libscep_pac.so") ||
 search_ld_preload ("libsnoopy.so")) {
 SC_ALLOW ("connect");
 SC_ALLOW ("recvmsg");
@@ -537,7 +538,8 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
 SC_ALLOW_ARG_1 ("socket", SCMP_A0 (SCMP_CMP_EQ, AF_UNIX));
 }
 /* ESET sends messages to a System V message queue. */
- if (search_ld_preload ("libesets_pac.so")) {
+ if (search_ld_preload ("libesets_pac.so") ||
+ search_ld_preload ("libscep_pac.so")) {
 SC_ALLOW_ARG_1 ("msgget", SCMP_A1 (SCMP_CMP_EQ, 0));
 SC_ALLOW ("msgsnd");
 } |
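Review bot: The added `search_ld_preload ("libscep_pac.so")` test in the first condition relaxes the seccomp filter on the strength of a guess, and nothing in the code records that; the commit message says SCEP's behaviour could not be confirmed. A comment beside the new line, such as `/* Microsoft SCEP: assumed to behave like ESET (unverified); remove once no longer seen in the field. */`, would let a later maintainer narrow or drop the exception. `connect` and `recvmsg` are allowed here without argument filters, so each name added to this condition widens the sandbox for every process that has the library preloaded. How `search_ld_preload` matches names is not visible in this hunk, so it is worth confirming that it compares the library file name rather than any substring of the preload list. The explanatory comment and the rest of the `if` body start and end outside the hunk.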
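Review bot: The comment above the second condition still reads `/* ESET sends messages to a System V message queue. */` although the condition now also matches `libscep_pac.so`. It should name both libraries and mark the SCEP case as inferred, for example `/* ESET (and, by assumption, Microsoft SCEP) sends messages to a System V message queue. */`. With the stale comment, a reader auditing the allow-list has no explanation for why `msgget` and the unfiltered `msgsnd` are open to a second preload name. This hunk sits inside `make_seccomp_filter`, whose body starts and ends outside it.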