author | Colin Watson <cjwatson@debian.org> | 2023-03-10 17:08:41 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2023-03-10 17:08:41 +0000 |
commit | f106ef50f607b1fbb232b291363872ac3894ee3a (patch) | |
tree | 457390f49c69a282cc849e19a6f40fb60fbd0c06 /lib | |
parent | a7786662a26e9fd5d23a48cd1888d05a671eeeec (diff) |
sandbox: Work around Firebuild
Fixes https://gitlab.com/man-db/man-db/-/issues/15.
* lib/sandbox.c (make_seccomp_filter): Allow some socket-related system
calls if libfirebuild.so is preloaded.
* NEWS.md: Document this.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/sandbox.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/sandbox.c b/lib/sandbox.c
index 9563ee2e..7eb69e8b 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -560,10 +560,14 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
 	 * don't want to allow these syscalls in general, but if such a
 	 * thing is in use we probably have no choice.
 	 *
+	 * Firebuild is a build accelerator that connects to its supervisor
+	 * using a Unix-domain socket.
+	 *
 	 * snoopy is an execve monitoring tool that may log messages to
 	 * /dev/log.
 	 */
 	if (search_ld_preload ("libesets_pac.so") ||
+	    search_ld_preload ("libfirebuild.so") ||
 	    search_ld_preload ("libscep_pac.so") ||
 	    search_ld_preload ("libsnoopy.so")) {
 		SC_ALLOW ("connect");
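Review bot: The added `libfirebuild.so` match relaxes the seccomp filter for the whole sandboxed process, not just for the preloaded library, and the new comment only says why Firebuild needs a socket; it should also record the trust assumption behind keying the relaxation on LD_PRELOAD, e.g. `* Widening the filter on an LD_PRELOAD match is not a privilege boundary: whatever can set LD_PRELOAD already runs code in this process.` It is not visible here whether search_ld_preload matches whole entries or substrings; if it is a substring match, the comment should say so, since a longer name containing "libfirebuild.so" would also trigger the allow-list. make_seccomp_filter and the SC_ALLOW list it guards continue outside the hunk.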