dd9d4a1979
```sh
git grep -l '^patch_args=-Np0' "srcpkgs/$1*/template" |
while read template; do
for p in ${template%/template}/patches/*; do
sed -i '
\,^[+-][+-][+-] /dev/null,b
/^[*-]\+ [0-9]\+\(,[0-9]\+\)\? [*-]\+$/b
s,^[*][*][*] ,&a/,
/^--- /{
s,\(^--- \)\(./\)*,\1a/,
s,[.][Oo][Rr][Ii][Gg]\([ /]\),\1,
s/[.][Oo][Rr][Ii][Gg]$//
s/[.]patched[.]\([^.]\)/.\1/
h
}
/^+++ -/{
g
s/^--- a/+++ b/
b
}
s,\(^+++ \)\(./\)*,\1b/,
' "$p"
done
sed -i '/^patch_args=/d' $template
done
```
61 lines
1.3 KiB
Diff
61 lines
1.3 KiB
Diff
--- a/sandbox-seccomp-filter.c
|
|
+++ b/sandbox-seccomp-filter.c
|
|
@@ -89,7 +89,12 @@
|
|
/* Load the syscall number for checking. */
|
|
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
|
|
offsetof(struct seccomp_data, nr)),
|
|
+#ifdef __NR_open
|
|
SC_DENY(open, EACCES),
|
|
+#endif
|
|
+#ifdef __NR_openat
|
|
+ SC_DENY(openat, EACCES),
|
|
+#endif
|
|
SC_ALLOW(getpid),
|
|
SC_ALLOW(gettimeofday),
|
|
SC_ALLOW(clock_gettime),
|
|
@@ -121,12 +126,16 @@
|
|
#ifdef __NR_ppoll
|
|
SC_ALLOW(ppoll),
|
|
#endif
|
|
+#ifdef __NR_poll
|
|
SC_ALLOW(poll),
|
|
+#endif
|
|
#ifdef __NR__newselect
|
|
SC_ALLOW(_newselect),
|
|
#else
|
|
+#ifdef __NR_select
|
|
SC_ALLOW(select),
|
|
#endif
|
|
+#endif
|
|
SC_ALLOW(madvise),
|
|
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
|
|
SC_ALLOW(mmap2),
|
|
@@ -159,7 +168,12 @@
|
|
/* Load the syscall number for checking. */
|
|
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
|
|
offsetof(struct seccomp_data, nr)),
|
|
+#ifdef __NR_open
|
|
SC_DENY(open, EACCES),
|
|
+#endif
|
|
+#ifdef __NR_openat
|
|
+ SC_DENY(openat, EACCES),
|
|
+#endif
|
|
SC_ALLOW(getpid),
|
|
#ifdef __NR_getrandom
|
|
SC_ALLOW(getrandom),
|
|
@@ -184,11 +198,15 @@
|
|
#ifdef __NR_ppoll
|
|
SC_ALLOW(ppoll),
|
|
#endif
|
|
+#ifdef __NR_poll
|
|
SC_ALLOW(poll),
|
|
+#endif
|
|
#ifdef __NR__newselect
|
|
SC_ALLOW(_newselect),
|
|
#else
|
|
+#ifdef __NR_select
|
|
SC_ALLOW(select),
|
|
+#endif
|
|
#endif
|
|
SC_ALLOW(madvise),
|
|
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
|