umdns: add missing syscalls to seccomp filter
authorDaniel Golle <daniel@makrotopia.org>
Sat, 10 Apr 2021 16:30:49 +0000 (17:30 +0100)
committerHauke Mehrtens <hauke@hauke-m.de>
Sun, 18 Apr 2021 10:05:12 +0000 (12:05 +0200)
Looks like 'openat', 'pipe2' and 'ppoll' are now needed, possibly because
libraries used by umdns have changed and now make slightly different
calls.

Found using
/etc/init.d/umdns trace
now use umdns, ie. cover all ubus call etc., then
/etc/init.d/umdns stop
find list of syscalls traced in /tmp/umdns.*.json

Fixes: FS#3355 ("UMDNS: does not start on master with seccomp")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 00a85a163405fdf9bee4d8c3f0ee87ca9ed259d6)

package/network/services/umdns/files/umdns.json

index 4d5ed886d0dc3badf0f4844d49b15cdf7bf03edd..5533b7c5121ae9be2ccf45934e0e7e3d1174e9c8 100644 (file)
@@ -3,41 +3,44 @@
        "syscalls": [
                {
                        "names": [
-                               "read",
-                               "write",
-                               "writev",
-                               "open",
-                               "close",
-                               "time",
-                               "brk",
-                               "ioctl",
-                               "uname",
                                "bind",
+                               "brk",
+                               "clock_gettime",
+                               "close",
                                "connect",
-                               "getsockname",
-                               "recvmsg",
-                               "recvfrom",
-                               "sendmsg",
-                               "sendto",
-                               "setsockopt",
-                               "socket",
-                               "pipe",
-                               "poll",
-                               "fcntl64",
-                               "fstat",
                                "epoll_create",
                                "epoll_create1",
                                "epoll_ctl",
-                               "epoll_wait",
                                "epoll_pwait",
-                               "rt_sigaction",
-                               "sigreturn",
-                               "rt_sigreturn",
-                               "rt_sigprocmask",
-                               "exit_group",
+                               "epoll_wait",
                                "exit",
+                               "exit_group",
                                "fcntl",
-                               "clock_gettime"
+                               "fcntl64",
+                               "fstat",
+                               "getsockname",
+                               "ioctl",
+                               "open",
+                               "openat",
+                               "pipe",
+                               "pipe2",
+                               "poll",
+                               "ppoll",
+                               "read",
+                               "recvfrom",
+                               "recvmsg",
+                               "rt_sigaction",
+                               "rt_sigprocmask",
+                               "rt_sigreturn",
+                               "sendmsg",
+                               "sendto",
+                               "setsockopt",
+                               "sigreturn",
+                               "socket",
+                               "time",
+                               "uname",
+                               "write",
+                               "writev"
                        ],
                        "action": "SCMP_ACT_ALLOW"
                }
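Review bot: The three functional additions to the `names` array (`openat`, `pipe2`, `ppoll`) are buried in a full alphabetical re-sort that the commit message does not mention, which makes a seccomp allow-list change harder to audit than it needs to be. Compared as sets, the new list is the old one plus exactly those three names with nothing dropped, so the re-sort is harmless; a message line such as `While at it, sort the syscall list alphabetically.` or a separate sorting commit would make that visible. Because the list was derived from a trace of exercised code paths, syscalls used only on error or rarely taken paths may still be missing, and the effect of hitting one depends on the filter's default action, which is not visible in this hunk. The enclosing `syscalls` array and top-level object close outside the hunk.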