runtime/seccomp_filter: allow dup/dup2/fcntl

these are needed to gracefully handle the case of exec() of the child failing
immunant · Oct 18, 2023 · e7cb6c3 · e7cb6c3
1 parent 0276fb7
commit e7cb6c3
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/runtime/seccomp_filter.c b/runtime/seccomp_filter.c
@@ -41,8 +41,11 @@ struct sock_filter ia2_filter[] = {
     BPF_SYSCALL_POLICY(brk, ALLOW),
     BPF_SYSCALL_POLICY(clone3, ALLOW),
     BPF_SYSCALL_POLICY(close, ALLOW),
+    BPF_SYSCALL_POLICY(dup, ALLOW),
+    BPF_SYSCALL_POLICY(dup2, ALLOW),
     BPF_SYSCALL_POLICY(execve, ALLOW),
     BPF_SYSCALL_POLICY(exit_group, ALLOW),
+    BPF_SYSCALL_POLICY(fcntl, ALLOW),
     BPF_SYSCALL_POLICY(futex, ALLOW),
     BPF_SYSCALL_POLICY(getpid, ALLOW),
     BPF_SYSCALL_POLICY(getrandom, ALLOW),