authorColin Watson <cjwatson@debian.org>2023-03-10 17:08:41 +0000
committerColin Watson <cjwatson@debian.org>2023-03-10 17:08:41 +0000
commitf106ef50f607b1fbb232b291363872ac3894ee3a (patch)
tree457390f49c69a282cc849e19a6f40fb60fbd0c06 /lib
parenta7786662a26e9fd5d23a48cd1888d05a671eeeec (diff)
sandbox: Work around Firebuild
Fixes https://gitlab.com/man-db/man-db/-/issues/15. * lib/sandbox.c (make_seccomp_filter): Allow some socket-related system calls if libfirebuild.so is preloaded. * NEWS.md: Document this.
Diffstat (limited to 'lib')
-rw-r--r--lib/sandbox.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/sandbox.c b/lib/sandbox.c
index 9563ee2e..7eb69e8b 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -560,10 +560,14 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
* don't want to allow these syscalls in general, but if such a
* thing is in use we probably have no choice.
*
+ * Firebuild is a build accelerator that connects to its supervisor
+ * using a Unix-domain socket.
+ *
* snoopy is an execve monitoring tool that may log messages to
* /dev/log.
*/
if (search_ld_preload ("libesets_pac.so") ||
+ search_ld_preload ("libfirebuild.so") ||
search_ld_preload ("libscep_pac.so") ||
search_ld_preload ("libsnoopy.so")) {
SC_ALLOW ("connect");
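Review bot: The test `search_ld_preload ("libfirebuild.so")` widens the seccomp filter based only on a library name appearing in LD_PRELOAD, and the comment block does not say whose environment is trusted to set it. Each new entry relaxes the sandbox for the whole syscall group that follows, so I would record the assumption next to the list, e.g. `* These relaxations are keyed on LD_PRELOAD, so they are only as trustworthy as the environment man is started in.` The new comment says Firebuild uses a Unix-domain socket, but only `SC_ALLOW ("connect")` is visible here. The `if` body continues past the hunk, so it is worth confirming that the socket-creation rule there is limited to `AF_UNIX` rather than any address family.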