author | Jamie Liu <jamieliu@google.com> | 2020-06-01 15:31:59 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-06-01 15:33:30 -0700 |
commit | 3a987160aa09f814a8459ed3f6192ce741b701a3 (patch) | |
tree | c0e58a968a2b49f6c44587badecc288fd617fdda /runsc | |
parent | 6ef5924725812f5885880cf57821fe2cd49b808d (diff) |
Handle gofer blocking opens of host named pipes in VFS2.
Using tee instead of read to detect when an O_RDONLY|O_NONBLOCK pipe FD has a
writer circumvents the problem of what to do with the byte read from the pipe,
avoiding much of the complexity of the fdpipe package.
PiperOrigin-RevId: 314216146
Diffstat (limited to 'runsc')
-rw-r--r-- | runsc/boot/filter/config.go | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 98cdd90dd..60e33425f 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -288,6 +288,14 @@ var allowedSyscalls = seccomp.SyscallRules{
 syscall.SYS_SIGALTSTACK: {},
 unix.SYS_STATX: {},
 syscall.SYS_SYNC_FILE_RANGE: {},
+ syscall.SYS_TEE: []seccomp.Rule{
+ {
+ seccomp.AllowAny{},
+ seccomp.AllowAny{},
+ seccomp.AllowValue(1), /* len */
+ seccomp.AllowValue(unix.SPLICE_F_NONBLOCK), /* flags */
+ },
+ },
 syscall.SYS_TGKILL: []seccomp.Rule{
 {
 seccomp.AllowValue(uint64(os.Getpid())), |
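Review bot: The new `syscall.SYS_TEE` entry carries no comment saying why the sandbox filter has to admit tee(2), and its first two arguments (the input and output FDs) are `seccomp.AllowAny{}`, so the rule is narrowed only by len == 1 and flags == `unix.SPLICE_F_NONBLOCK`. Going by the commit message, the call exists solely to probe whether an O_RDONLY|O_NONBLOCK host pipe FD has a writer. I would record that directly above the entry, for example `// tee(2) is used only to detect a writer on a non-blocking host named pipe; len is pinned to 1 and flags to SPLICE_F_NONBLOCK.` That lets a later audit of the allowlist see the rule's purpose and remove it if the caller goes away. The `allowedSyscalls` literal begins and ends outside this hunk, so any convention it already has for such comments is not visible here.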