bug 1102277 - Update seccomp filter for newer bionic. r=jld
authorKai-Zhen Li <kli@mozilla.com>
Fri, 21 Nov 2014 01:07:15 +0800
changeset 220172 ff45d829cf6b0664727921dd4665db9a925cc407
parent 220171 0dbec06f698b8e145be423d245c0189b329cdd21
child 220173 280016219735e16b8bde0bccaadda4ee4d4bd877
push id10457
push userryanvm@gmail.com
push dateThu, 18 Dec 2014 01:54:25 +0000
reviewersjld
bugs1102277
milestone37.0a1
bug 1102277 - Update seccomp filter for newer bionic. r=jld
security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -127,16 +127,17 @@ SandboxFilterImplContent::Build() {
 #if SYSCALL_EXISTS(mmap2)
   Allow(SYSCALL(mmap2));
 #else
   Allow(SYSCALL(mmap));
 #endif
 
   Allow(SYSCALL(clock_gettime));
   Allow(SYSCALL(epoll_wait));
+  Allow(SYSCALL(epoll_pwait));
   Allow(SYSCALL(gettimeofday));
   Allow(SYSCALL(read));
   Allow(SYSCALL(write));
   // 32-bit lseek is used, at least on Android, to implement ANSI fseek.
 #if SYSCALL_EXISTS(_llseek)
   Allow(SYSCALL(_llseek));
 #endif
   Allow(SYSCALL(lseek));
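Review bot: The added `Allow(SYSCALL(epoll_pwait));` carries no comment saying why it is needed, unlike the `_llseek` entry a few lines below it. The same applies to the identical addition in the SandboxFilterImplGMP::Build() hunk at the end of the patch. Going by the commit title, newer bionic presumably routes epoll_wait() through epoll_pwait. A line such as `// Newer bionic implements epoll_wait() via epoll_pwait.` above each entry would let a later audit of the allowlist tell why it is there. The enclosing Build() starts and ends outside this hunk.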
@@ -163,16 +164,19 @@ SandboxFilterImplContent::Build() {
   Allow(SYSCALL(getpid));
   Allow(SYSCALL(gettid));
   Allow(SYSCALL(getrusage));
   Allow(SYSCALL(times));
   Allow(SYSCALL(madvise));
   Allow(SYSCALL(dup));
   Allow(SYSCALL(nanosleep));
   Allow(SYSCALL(poll));
+  Allow(SYSCALL(ppoll));
+  Allow(SYSCALL(openat));
+  Allow(SYSCALL(faccessat));
   // select()'s arguments used to be passed by pointer as a struct.
 #if SYSCALL_EXISTS(_newselect)
   Allow(SYSCALL(_newselect));
 #else
   Allow(SYSCALL(select));
 #endif
   // Some archs used to have 16-bit uid/gid instead of 32-bit.
 #if SYSCALL_EXISTS(getuid32)
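Review bot: `Allow(SYSCALL(openat));` and `Allow(SYSCALL(faccessat));` are permitted with no argument check, and both take a path. With AT_FDCWD or an absolute path they give the content process the same filesystem reach as open() and access(). How this policy treats open/access is not visible in the hunk, but if those are ever restricted or brokered, these entries need the same treatment or they become a way around it. The same three lines are added again in the next hunk. A comment such as `// Newer bionic implements open()/access()/poll() via openat/faccessat/ppoll; keep in sync with the open/access rules.` would record that coupling.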
@@ -294,16 +298,19 @@ SandboxFilterImplContent::Build() {
   Allow(SOCKETCALL(getpeername, GETPEERNAME));
   Allow(SYSCALL(eventfd2));
   Allow(SYSCALL(clock_getres));
   Allow(SYSCALL(sysinfo));
   Allow(SYSCALL(getresuid));
   Allow(SYSCALL(umask));
   Allow(SYSCALL(getresgid));
   Allow(SYSCALL(poll));
+  Allow(SYSCALL(ppoll));
+  Allow(SYSCALL(openat));
+  Allow(SYSCALL(faccessat));
   Allow(SYSCALL(inotify_init1));
   Allow(SYSCALL(wait4));
   Allow(SYSVIPCCALL(shmctl, SHMCTL));
   Allow(SYSCALL(set_robust_list));
   Allow(SYSCALL(rmdir));
   Allow(SOCKETCALL(recvfrom, RECVFROM));
   Allow(SYSVIPCCALL(shmdt, SHMDT));
   Allow(SYSCALL(pipe2));
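Review bot: The `ppoll`, `openat` and `faccessat` entries here repeat the ones added in the previous hunk, and both hunk headers name SandboxFilterImplContent::Build(); the existing `poll` entry is likewise listed in both places. If this second list sits inside a different preprocessor branch (not visible here), a short comment at its head saying which configuration it covers would explain the repetition. If it does not, the second set is redundant and could be dropped so that each syscall appears once when the allowlist is audited.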
@@ -353,16 +360,17 @@ void SandboxFilterImplGMP::Build() {
 
   Allow(SYSCALL_WITH_ARG(clock_gettime, 0, CLOCK_MONOTONIC, CLOCK_REALTIME));
   Allow(SYSCALL(futex));
   Allow(SYSCALL(gettimeofday));
   Allow(SYSCALL(poll));
   Allow(SYSCALL(write));
   Allow(SYSCALL(read));
   Allow(SYSCALL(epoll_wait));
+  Allow(SYSCALL(epoll_pwait));
   Allow(SOCKETCALL(recvmsg, RECVMSG));
   Allow(SOCKETCALL(sendmsg, SENDMSG));
   Allow(SYSCALL(time));
 
   // Nothing after this line is performance-critical.
 
 #if SYSCALL_EXISTS(mmap2)
   Allow(SYSCALL(mmap2));