From e7cb6c37fc65bc0f81f4ce589eb8072aef027ba4 Mon Sep 17 00:00:00 2001
From: Frances Wingerter
Date: Tue, 17 Oct 2023 23:37:22 -0400
Subject: [PATCH] runtime/seccomp_filter: allow dup/dup2/fcntl

these are needed to gracefully handle the case of exec() of the child failing
---
 runtime/seccomp_filter.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/runtime/seccomp_filter.c b/runtime/seccomp_filter.c
index ff3b68327..9ab008e8c 100644
--- a/runtime/seccomp_filter.c
+++ b/runtime/seccomp_filter.c
@@ -41,8 +41,11 @@ struct sock_filter ia2_filter[] = {
 BPF_SYSCALL_POLICY(brk, ALLOW),
 BPF_SYSCALL_POLICY(clone3, ALLOW),
 BPF_SYSCALL_POLICY(close, ALLOW),
+ BPF_SYSCALL_POLICY(dup, ALLOW),
+ BPF_SYSCALL_POLICY(dup2, ALLOW),
 BPF_SYSCALL_POLICY(execve, ALLOW),
 BPF_SYSCALL_POLICY(exit_group, ALLOW),
+ BPF_SYSCALL_POLICY(fcntl, ALLOW),
 BPF_SYSCALL_POLICY(futex, ALLOW),
 BPF_SYSCALL_POLICY(getpid, ALLOW),
 BPF_SYSCALL_POLICY(getrandom, ALLOW),
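Review bot: The added `BPF_SYSCALL_POLICY(fcntl, ALLOW)` entry allows fcntl for every command and argument, while the commit message only justifies it for handling a failed exec() in the child, which presumably needs just a few descriptor-flag commands. If the policy macros in this file support matching on syscall arguments (not visible here), restricting fcntl to the commands that path actually issues would keep the allowlist closer to least privilege. The justification also lives only in the commit message, so a comment above the three new entries, such as `/* dup, dup2, fcntl: used when exec() of the child fails */`, would keep it next to the policy for the next audit of the filter. The `ia2_filter` array starts and continues outside the hunk, so the remaining entries and the default action were not reviewed.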