Add execveat to the list of allowed syscalls

Since glibc 2.27, fexecve uses execveat: https://sourceware.org/bugzilla/show_bug.cgi?id=22134 Fixes: https://github.com/NVIDIA/nvidia-docker/issues/660

Add execveat to the list of allowed syscalls
Since glibc 2.27, fexecve uses execveat: https://sourceware.org/bugzilla/show_bug.cgi?id=22134 Fixes: https://github.com/NVIDIA/nvidia-docker/issues/660
cef6c8f1 · Felix Abecassis · be797da0 · cef6c8f1 · cef6c8f1
隐藏空白更改
内联并排

Showing with 7 addition and 0 deletion

src/common.h src/common.h +6 -0

src/nvc_ldcache.c src/nvc_ldcache.c +1 -0

未找到文件。
--- a/src/common.h
+++ b/src/common.h
@@ -35,11 +35,17 @@
 # define LIB32_ARCH               LD_I386_LIB32
 # define USR_LIB_MULTIARCH_DIR    "/usr/lib/x86_64-linux-gnu"
 # define USR_LIB32_MULTIARCH_DIR  "/usr/lib/i386-linux-gnu"
+# if !defined(__NR_execveat)
+#  define __NR_execveat 322
+# endif /* !defined(__NR_execveat) */
 #elif defined(__powerpc64__)
 # define LIB_ARCH                 LD_POWERPC_LIB64
 # define LIB32_ARCH               LD_UNKNOWN
 # define USR_LIB_MULTIARCH_DIR    "/usr/lib/powerpc64le-linux-gnu"
 # define USR_LIB32_MULTIARCH_DIR  "/var/empty"
+# if !defined(__NR_execveat)
+#  define __NR_execveat 362
+# endif /* !defined(__NR_execveat) */
 #else
 # error "unsupported architecture"
 #endif /* defined(__x86_64__) */

--- a/src/nvc_ldcache.c
+++ b/src/nvc_ldcache.c
@@ -242,6 +242,7 @@ limit_syscalls(struct error *err)
                SCMP_SYS(chmod),
                SCMP_SYS(close),
                SCMP_SYS(execve),
+                SCMP_SYS(execveat),
                SCMP_SYS(exit),
                SCMP_SYS(fcntl),
                SCMP_SYS(fstat),