From 192780946fdf584c5e504b24f47dbd9bd411a3a6 Mon Sep 17 00:00:00 2001
From: Fabricio Voznika
Date: Thu, 11 Feb 2021 10:58:55 -0800
Subject: Allow rt_sigaction in gofer seccomp

rt_sigaction may be called by Go runtime when trying to panic:
https://cs.opensource.google/go/go/+/master:src/runtime/signal_unix.go;drc=ed3e4afa12d655a0c5606bcf3dd4e1cdadcb1476;bpv=1;bpt=1;l=780?q=rt_sigaction&ss=go

Updates #5038

PiperOrigin-RevId: 357013186
---
 runsc/fsgofer/filter/config.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/runsc/fsgofer/filter/config.go b/runsc/fsgofer/filter/config.go
index f92e2f80e..d1af539cb 100644
--- a/runsc/fsgofer/filter/config.go
+++ b/runsc/fsgofer/filter/config.go
@@ -182,9 +182,11 @@ var allowedSyscalls = seccomp.SyscallRules{
  },
  syscall.SYS_RENAMEAT: {},
  syscall.SYS_RESTART_SYSCALL: {},
- syscall.SYS_RT_SIGPROCMASK: {},
- syscall.SYS_RT_SIGRETURN: {},
- syscall.SYS_SCHED_YIELD: {},
+ // May be used by the runtime during panic().
+ syscall.SYS_RT_SIGACTION: {},
+ syscall.SYS_RT_SIGPROCMASK: {},
+ syscall.SYS_RT_SIGRETURN: {},
+ syscall.SYS_SCHED_YIELD: {},
  syscall.SYS_SENDMSG: []seccomp.Rule{
  // Used by fdchannel.Endpoint.SendFD().
  {
--
cgit v1.2.3
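Review bot: The new `syscall.SYS_RT_SIGACTION: {}` entry admits the call with any arguments, and the comment above it does not say why an unconstrained rule is acceptable in the gofer's filter. A seccomp rule cannot look through the `act` pointer, and the runtime's crash path presumably resets whichever signal it is dying from, so leaving the arguments open is probably the only workable choice. I would record that reasoning next to the entry, e.g. `// May be used by the runtime during panic(); arguments are left unconstrained because the handler struct is passed by pointer.` Whether the gofer can otherwise reach rt_sigaction after the filter is installed is not visible here, since the `allowedSyscalls` literal begins and ends outside the hunk.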