authorColin Watson <cjwatson@debian.org>2019-01-05 09:10:58 +0000
committerColin Watson <cjwatson@debian.org>2019-01-05 09:10:58 +0000
commit97591079ee87b6f72fd57ba393dbd1a29d4d84f5 (patch)
treefc57c57eb67737463446df2643f03150bfc37d80 /lib
parent5740c40bf00795a839c0670b27c95e5d5dc1063f (diff)
sandbox: Work around Microsoft SCEP
This is a proprietary antivirus program and I've only been able to guess at how to handle it. Note that it is no longer supported by Microsoft and so users should probably replace it with something else, but I still want to minimise the number of support requests I get related to it. * lib/sandbox.c (make_seccomp_filter): If libscep_pac.so is preloaded, then allow some system calls related to sockets and System V message queues. * NEWS: Document this.
Diffstat (limited to 'lib')
-rw-r--r--lib/sandbox.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/sandbox.c b/lib/sandbox.c
index 9321d810..c097482b 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -529,6 +529,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
* /dev/log.
*/
if (search_ld_preload ("libesets_pac.so") ||
+ search_ld_preload ("libscep_pac.so") ||
search_ld_preload ("libsnoopy.so")) {
SC_ALLOW ("connect");
SC_ALLOW ("recvmsg");
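Review bot: The added `search_ld_preload ("libscep_pac.so")` test in this condition gives SCEP the same socket allowances as ESET and snoopy, but nothing in the visible lines records that this syscall set was guessed rather than confirmed, as the commit message says. Since every name in this list loosens the seccomp filter whenever that library is preloaded, the reason for each entry should be recorded next to it, for example `/* Microsoft SCEP (libscep_pac.so): syscall set is a best guess; product is unsupported, revisit for removal. */`. The block comment above this `if` starts outside the hunk, so it may already cover part of this; make_seccomp_filter's body also continues beyond the hunk.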
@@ -537,7 +538,8 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
SC_ALLOW_ARG_1 ("socket", SCMP_A0 (SCMP_CMP_EQ, AF_UNIX));
}
/* ESET sends messages to a System V message queue. */
- if (search_ld_preload ("libesets_pac.so")) {
+ if (search_ld_preload ("libesets_pac.so") ||
+ search_ld_preload ("libscep_pac.so")) {
SC_ALLOW_ARG_1 ("msgget", SCMP_A1 (SCMP_CMP_EQ, 0));
SC_ALLOW ("msgsnd");
}
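Review bot: The comment `/* ESET sends messages to a System V message queue. */` is now stale, because the condition below it also enables `msgget` and `msgsnd` for `libscep_pac.so`. Someone auditing the filter later would read the SCEP branch as undocumented, so update it to something like `/* ESET sends messages to a System V message queue; Microsoft SCEP (libscep_pac.so) is assumed to do the same. */`. As a smaller style point, `search_ld_preload` is now called twice each for `libesets_pac.so` and `libscep_pac.so` across the two conditions. Storing each result in a local would keep the two allow-lists from drifting apart.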