From 6e598bbcd8ee5b0dfec8f6713679988294cb2523 Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Thu, 7 Sep 2017 15:22:05 -0400
Subject: [PATCH] sched: Add sandbox support for KIST

Signed-off-by: David Goulet
---
 src/common/sandbox.c | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index a85b1406fa..4d810fd373 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -653,6 +653,25 @@ sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 return 0;
 }
 
+#ifdef HAVE_KIST_SUPPORT
+
+#include
+
+static int
+sb_ioctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+{
+ int rc;
+ (void) filter;
+
+ rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl),
+ SCMP_CMP(1, SCMP_CMP_EQ, SIOCOUTQNSD));
+ if (rc)
+ return rc;
+ return 0;
+}
+
+#endif /* HAVE_KIST_SUPPORT */
+
 /**
 * Function responsible for setting up the setsockopt syscall for
 * the seccomp filter sandbox.
@@ -760,6 +779,15 @@ sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 return rc;
 #endif
 
+#ifdef HAVE_KIST_SUPPORT
+#include
+ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
+ SCMP_CMP(1, SCMP_CMP_EQ, SOL_TCP),
+ SCMP_CMP(2, SCMP_CMP_EQ, TCP_INFO));
+ if (rc)
+ return rc;
+#endif
+
 return 0;
 }
 
@@ -1060,7 +1088,11 @@ static sandbox_filter_func_t filter_func[] = {
 sb_socket,
 sb_setsockopt,
 sb_getsockopt,
- sb_socketpair
+ sb_socketpair,
+
+#ifdef HAVE_KIST_SUPPORT
+ sb_ioctl,
+#endif
 };
 
 const char *
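Review bot: The `#include` placed just before sb_ioctl sits mid-file inside the `#ifdef HAVE_KIST_SUPPORT` block (the header name has been lost in this rendering), and the second hunk repeats another `#include` inside the body of sb_getsockopt; both belong in the file's include section under the same guard, so the dependency that supplies SIOCOUTQNSD, SOL_TCP and TCP_INFO is declared once and is visible to anyone auditing the allowlist. sb_ioctl also lacks the doc comment its neighbours carry; suggested: `/** Function responsible for setting up the ioctl syscall for the seccomp filter sandbox (KIST builds only). Only argument 1 is constrained, to the SIOCOUTQNSD request, so no other ioctl is admitted. */`. Because seccomp cannot inspect the descriptor itself, the rule necessarily applies to any fd; stating that in the comment keeps the widening of the allowlist explicit. The tail `rc = …; if (rc) return rc; return 0;` could collapse to `return seccomp_rule_add_1(…);`, though keeping the verbose form is reasonable if it matches the sibling filters.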
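Review bot: The new getsockopt rule in sb_getsockopt carries no comment linking it to the scheduler, so a later reader of the sandbox allowlist cannot tell why TCP_INFO is permitted; suggested, on the line after `#ifdef HAVE_KIST_SUPPORT`: `/* Needed by the KIST scheduler; sb_ioctl carries the matching ioctl rule. */`. The `#include` on that same line should move to the file's include block, as noted on the first hunk. sb_getsockopt's body, including the declaration of `rc`, begins outside this hunk.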