Whitelist utimensat(2).

utimensat is used by hostfs for setting timestamps on imported fds. Previously, this would crash the sandbox since utimensat was not allowed. Correct the VFS2 version of hostfs to match the call in VFS1. PiperOrigin-RevId: 301970121
author: Dean Deng <deandeng@google.com> 2020-03-19 23:29:15 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-03-19 23:30:21 -0700
commit: 248e46f320525704da917e148a8f69d9b74671a0 (patch)
tree: b1a204f393cfc9a3bc34643d8721de63824cba17 /runsc/boot
parent: 069f1edbe42ebd91800f9b35e8724babc4081613 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index f459d1973..06b9f888a 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -291,6 +291,14 @@ var allowedSyscalls = seccomp.SyscallRules{
 			seccomp.AllowValue(uint64(os.Getpid())),
 		},
 	},
+	syscall.SYS_UTIMENSAT: []seccomp.Rule{
+		{
+			seccomp.AllowAny{},
+			seccomp.AllowValue(0), /* null pathname */
+			seccomp.AllowAny{},
+			seccomp.AllowValue(0), /* flags */
+		},
+	},
 	syscall.SYS_WRITE: {},
 	// The only user in rawfile.NonBlockingWrite3 always passes iovcnt with
 	// values 2 or 3. Three iovec-s are passed, when the PACKET_VNET_HDR
author	Dean Deng <deandeng@google.com>	2020-03-19 23:29:15 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-03-19 23:30:21 -0700
commit	248e46f320525704da917e148a8f69d9b74671a0 (patch)
tree	b1a204f393cfc9a3bc34643d8721de63824cba17 /runsc/boot
parent	069f1edbe42ebd91800f9b35e8724babc4081613 (diff)