author | bptato <nincsnevem662@gmail.com> | 2024-09-06 20:32:38 +0200 |
---|---|---|
committer | bptato <nincsnevem662@gmail.com> | 2024-09-06 20:36:28 +0200 |
commit | b1513c36d67b48458a0c33020d47784951774bfc (patch) | |
tree | 24222dce4b56fffa21a3011dcd5c997a7eb0a321 /src/utils | |
parent | 357f25e8145e194367edda8accdffa3bd752797e (diff) | |
download | chawan-b1513c36d67b48458a0c33020d47784951774bfc.tar.gz |
sandbox: allow futex in network/buffer sandbox
WSL needs it. It was already allowed on Android, so this just makes the sandboxes converge a little.
Diffstat (limited to 'src/utils')
-rw-r--r-- | src/utils/sandbox.nim | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/utils/sandbox.nim b/src/utils/sandbox.nim
index a7168408..6f42f638 100644
--- a/src/utils/sandbox.nim
+++ b/src/utils/sandbox.nim
@@ -90,7 +90,6 @@ elif SandboxMode == stLibSeccomp:
 const androidAllowList = [
 cstring"rt_sigprocmask",
 "epoll_pwait",
- "futex",
 "madvise"
 ]
 for it in androidAllowList:
@@ -169,6 +168,7 @@ elif SandboxMode == stLibSeccomp:
 "exit_group", # for quit
 "fcntl", "fcntl64", # for changing blocking status
 "fork", # for when fork is really fork
+ "futex", # bionic libc & WSL both need it
 "getpid", # for determining current PID after we fork
 "getrlimit", # glibc uses it after fork it seems
 "getsockname", # Nim needs it for connecting
@@ -225,6 +225,7 @@ elif SandboxMode == stLibSeccomp:
 "mmap", "mmap2", "mremap", "munmap", "brk", # memory allocation
 "poll", # curl needs poll
 "getpid", # used indirectly by OpenSSL EVP_RAND_CTX_new (through drbg)
+ "futex", # bionic libc & WSL both need it
 # we either have to use CURLOPT_NOSIGNAL or allow signals.
 # do the latter, otherwise the default name resolver will never time out.
 "signal", "sigaction", "rt_sigaction", |
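Review bot: The `"futex"` entries added in the hunks at `@@ -169` and `@@ -225` allow the syscall by name only, and on every Linux target rather than just Android, so the sandboxed processes can reach every futex operation, not only the wait/wake calls a libc lock needs. If the seccomp wrapper used in this file supports argument rules, consider limiting the op argument to those operations; if not, record the trade-off in the comment, e.g. `"futex", # bionic libc & WSL need it; op argument is not filtered`. The lists already carry 32-bit variants (`"fcntl64"`, `"mmap2"`), so 32-bit builds whose libc uses a 64-bit time_t may also need `"futex_time64"`, which is worth confirming on such a target. Both allow lists start and end outside the hunks, so entries elsewhere in them were not checked.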