diff options
| author | bptato <nincsnevem662@gmail.com> | 2024-09-04 20:10:19 +0200 |
|---|---|---|
| committer | bptato <nincsnevem662@gmail.com> | 2024-09-04 20:42:35 +0200 |
| commit | 412a78efc4eff3ea2b73f79cba8baee97cba9f18 (patch) | |
| tree | ec65615bab94174038a1103a3143535e4f07fc81 /src/bindings | |
| parent | 9666c5a994830859a61078a1fabfef16b483c714 (diff) | |
| download | chawan-412a78efc4eff3ea2b73f79cba8baee97cba9f18.tar.gz | |
sixel, stbi, sandbox: fix fstat sandbox violation
Until recently, glibc used to implement it as fstatat. So don't trap for fstatat (and for consistency, fstat), but return EPERM. Just to be sure, rewrite sixel & stbi to never call fread.
Diffstat (limited to 'src/bindings')
| -rw-r--r-- | src/bindings/libseccomp.nim | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/bindings/libseccomp.nim b/src/bindings/libseccomp.nim index 81a6e969..3f02e4d9 100644 --- a/src/bindings/libseccomp.nim +++ b/src/bindings/libseccomp.nim @@ -37,6 +37,9 @@ const SCMP_ACT_KILL_PROCESS* = 0x80000000u32 const SCMP_ACT_ALLOW* = 0x7FFF0000u32 const SCMP_ACT_TRAP* = 0x00030000u32 +template SCMP_ACT_ERRNO*(x: uint16): uint32 = + 0x50000u32 or x + proc seccomp_init*(def_action: uint32): scmp_filter_ctx proc seccomp_reset*(ctx: scmp_filter_ctx; def_action: uint32): cint proc seccomp_syscall_resolve_name*(name: cstring): cint |