author Nicolas Lacasse <nlacasse@google.com> 2018-09-27 18:15:07 -0700
committer Shentubot <shentubot@google.com> 2018-09-27 18:17:38 -0700
commit b709d239870143102cf4e44b65cc26cea78a6ccb (patch)
tree 085090abbc7401b5d2354d0b89aa99d2c63ef6d6 /runsc/boot
parent 491faac03b2815ca1bc9b5425c1b3f6291468e20 (diff)
Forward ioctl(TCSETSF) calls on host ttys to the host kernel.
We already forward TCSETS and TCSETSW. TCSETSF is roughly equivalent but discards pending input.

The filters were relaxed to allow host ioctls with TCSETSF argument.

This fixes programs like "passwd" that prevent user input from being displayed on the terminal.

Before:
  root@b8a0240fc836:/# passwd
  Enter new UNIX password: 123
  Retype new UNIX password: 123
  passwd: password updated successfully

After:
  root@ae6f5dabe402:/# passwd
  Enter new UNIX password:
  Retype new UNIX password:
  passwd: password updated successfully

PiperOrigin-RevId: 214869788
Change-Id: I31b4d1373c1388f7b51d0f2f45ce40aa8e8b0b58
Diffstat (limited to 'runsc/boot')
-rw-r--r-- runsc/boot/filter/config.go 5
1 files changed, 5 insertions, 0 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 0bcc640d5..352c64253 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -149,6 +149,11 @@ var allowedSyscalls = seccomp.SyscallRules{
},
{
seccomp.AllowAny{}, /* fd */
+ seccomp.AllowValue(linux.TCSETSF),
+ seccomp.AllowAny{}, /* termios struct */
+ },
+ {
+ seccomp.AllowAny{}, /* fd */
seccomp.AllowValue(linux.TCSETSW),
seccomp.AllowAny{}, /* termios struct */
},
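Review bot: The new TCSETSF entry leaves the fd argument as seccomp.AllowAny{}, so the filter accepts this ioctl on any descriptor the process holds, not only on host ttys as the commit subject describes. That matches the neighbouring TCSETSW entry, but because TCSETSF also discards pending input, the entry would benefit from a short comment saying why it is allowed (the passwd echo case from the commit message) and noting that the filter does not constrain the fd, so any restriction to host ttys has to be enforced by the caller. The "/* termios struct */" argument is a pointer and is reasonably left unconstrained here.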