Restrict seccomp filters for UDS support.

This commit further restricts the seccomp filters required for Gofer access ot Unix Domain Sockets (UDS).
author: Robert Tonic <btonic@users.noreply.github.com> 2019-07-30 14:58:26 -0700
committer: Robert Tonic <btonic@users.noreply.github.com> 2019-08-27 13:08:56 -0400
commit: 07d329d89f25e4649731199c3025f4fa0ed52bdb (patch)
tree: 64cdad31831981cd9b1457c0711f7fbbb86f7788 /runsc/fsgofer
parent: c319b360d134cff66000fd036fce8b3816c296ea (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/runsc/fsgofer/filter/config.go b/runsc/fsgofer/filter/config.go
index 71f387bd0..c058c433b 100644
--- a/runsc/fsgofer/filter/config.go
+++ b/runsc/fsgofer/filter/config.go
@@ -39,6 +39,8 @@ var allowedSyscalls = seccomp.SyscallRules{
 	syscall.SYS_SETSOCKOPT: []seccomp.Rule{
 		{
 			seccomp.AllowAny{},
+			seccomp.AllowValue(syscall.SOL_SOCKET),
+			seccomp.AllowValue(syscall.SO_BROADCAST),
 		},
 	},
 	syscall.SYS_GETSOCKNAME: []seccomp.Rule{
@@ -110,6 +112,7 @@ var allowedSyscalls = seccomp.SyscallRules{
 		},
 		{
 			seccomp.AllowAny{},
+			seccomp.AllowValue(syscall.F_DUPFD_CLOEXEC),
 		},
 	},
 	syscall.SYS_FSTAT:     {},
author	Robert Tonic <btonic@users.noreply.github.com>	2019-07-30 14:58:26 -0700
committer	Robert Tonic <btonic@users.noreply.github.com>	2019-08-27 13:08:56 -0400
commit	07d329d89f25e4649731199c3025f4fa0ed52bdb (patch)
tree	64cdad31831981cd9b1457c0711f7fbbb86f7788 /runsc/fsgofer
parent	c319b360d134cff66000fd036fce8b3816c296ea (diff)