Allow setsockopt(IPV6_V6ONLY) in sandbox.

Fixes bug 20247. We started setting V6ONLY in 0.2.3.13-alpha and added the sandbox on 0.2.5.1-alpha.
2024-11-19 18:00:33 +01:00 · 2017-07-05 13:09:21 -04:00 · 2017-07-05 13:09:21 -04:00 · 16d2bce893
commit 16d2bce893
parent bb97f680e7
2 changed files with 12 additions and 0 deletions
--- a/changes/bug20247
+++ b/changes/bug20247
@ -0,0 +1,4 @@
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Avoid a sandbox failure when trying to re-bind to a socket and mark
+      it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
+
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@ -728,6 +728,14 @@ sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
    return rc;
 #endif

+#ifdef IPV6_V6ONLY
+  rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
+      SCMP_CMP(1, SCMP_CMP_EQ, IPPROTO_IPV6),
+      SCMP_CMP(2, SCMP_CMP_EQ, IPV6_V6ONLY));
+  if (rc)
+    return rc;
+#endif
+
  return 0;
 }