7 commits

Author	SHA1	Message	Date
W. J. van der Laan	64085b37f8	util: Add __NR_copy_file_range syscall constant for sandbox ... Kernel 4.4.0 doesn't define this.	2021-10-05 19:35:24 +02:00
W. J. van der Laan	89b910711c	Merge bitcoin/bitcoin#23178: util: Fix GUIX build with syscall sandbox ... 2d0279987e util: Make sure syscall numbers used in profile are defined (W. J. van der Laan) 8289d19ea5 util: Define SECCOMP_RET_KILL_PROCESS if not provided by the headers (W. J. van der Laan) Pull request description: Looks like we've broke the GUIX build in #20487. This attempts to fix it: - Define `__NR_statx` `__NR_getrandom` `__NR_membarrier` as some kernel headers lack them, and it's important to have the same profile independent on what kernel is used for building. - Define `SECCOMP_RET_KILL_PROCESS` as it isn't defined in the headers. ACKs for top commit: practicalswift: cr ACK 2d0279987e Tree-SHA512: c264c66f90af76bf364150e44d0a31876c2ef99f05777fcdd098a23f1e80efef43028f54bf9b3dad016110056d303320ed9741b0cb4c6266175fa9d5589b4277	2021-10-05 16:50:34 +02:00
W. J. van der Laan	2d0279987e	util: Make sure syscall numbers used in profile are defined ... Define the following syscall numbers for x86_64, so that the profile will be the same no matter what kernel is built against, including kernels that don't have `__NR_statx`: ```c++ #define __NR_statx 332 #define __NR_getrandom 318 #define __NR_membarrier 324 ```	2021-10-05 14:42:35 +02:00
W. J. van der Laan	8289d19ea5	util: Define SECCOMP_RET_KILL_PROCESS if not provided by the headers ... Define `SECCOMP_RET_KILL_PROCESS` as it isn't defined in the headers, as is the case for the GUIX build on this platform.	2021-10-05 08:15:04 +02:00
fanquake	44d77d2213	sandbox: add copy_file_range to allowed filesystem syscalls	2021-10-05 09:13:55 +08:00
fanquake	ee08741c9c	sandbox: add newfstatat to allowed filesystem syscalls	2021-10-05 08:41:41 +08:00
practicalswift	4747da3a5b	Add syscall sandboxing (seccomp-bpf)	2021-10-01 13:51:10 +00:00