diff --git a/src/limits/ThreadsLimitListener.cc b/src/limits/ThreadsLimitListener.cc
index c9fc741..941436a 100644
--- a/src/limits/ThreadsLimitListener.cc
+++ b/src/limits/ThreadsLimitListener.cc
@@ -5,6 +5,7 @@
 #include "seccomp/SeccompRule.h"
 #include "seccomp/action/ActionAllow.h"
 #include "seccomp/action/ActionKill.h"
+#include "seccomp/action/ActionErrno.h"
 #include "seccomp/filter/LibSeccompFilter.h"
 #include
@@ -25,6 +26,8 @@ ThreadsLimitListener::ThreadsLimitListener(int32_t threadsLimit)
 // Disable threads support
 syscallRules_.emplace_back(
 seccomp::SeccompRule("clone", seccomp::action::ActionKill{}));
+ syscallRules_.emplace_back(
+ seccomp::SeccompRule("clone3", seccomp::action::ActionKill{}));
 } else {
 // Enable threads support
@@ -38,6 +41,10 @@ ThreadsLimitListener::ThreadsLimitListener(int32_t threadsLimit)
 seccomp::action::ActionKill(),
 (Arg(2) & CLONE_VM) == 0));
+ syscallRules_.emplace_back(seccomp::SeccompRule(
+ "clone3",
+ seccomp::action::ActionErrno(ENOSYS)));
+
 // And various thread related
 syscallRules_.emplace_back(seccomp::SeccompRule(
 // TODO: allow sleep up to time limit
diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
index 3695089..6ba0a58 100644
--- a/src/seccomp/policy/DefaultPolicy.cc
+++ b/src/seccomp/policy/DefaultPolicy.cc
@@ -154,6 +154,7 @@ void DefaultPolicy::addFileSystemAccessRules(bool readOnly) {
 "stat64",
 "fstat",
 "fstat64",
+"fstatat64",
 "newfstatat",
 "lstat",
 "lstat64",
@@ -176,6 +177,7 @@ void DefaultPolicy::addFileSystemAccessRules(bool readOnly) {
 "statfs64",
 "fstatfs",
 "fstatfs64",
+"statx",
 }) {
 rules_.emplace_back(SeccompRule(syscall, action::ActionErrno(ENOSYS)));
 }
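Review bot: The new `clone3` kill rule in the "Disable threads support" branch repeats the `clone` rule verbatim instead of iterating a list the way `addFileSystemAccessRules` in DefaultPolicy.cc already does with `for (... : {...})`; a loop such as `for (const auto* sc : {"clone", "clone3"}) syscallRules_.emplace_back(seccomp::SeccompRule(sc, seccomp::action::ActionKill{}));` keeps this branch and the thread-enabled branch below easier to keep in sync when further process-creation entry points are added. The comment `// Disable threads support` could also name both syscalls so a reader does not assume only the legacy entry point is covered. The enclosing constructor starts before and ends after this hunk.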
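Review bot: The `clone3` → `ActionErrno(ENOSYS)` rule in the thread-enabled branch carries no comment explaining why it is an errno rather than a kill, and the reason is load-bearing: clone3 receives its flags through a user-space struct that seccomp cannot inspect, so the `(Arg(2) & CLONE_VM) == 0` check applied to `clone` just above cannot be replicated for it, and answering ENOSYS specifically (not EPERM) is what makes glibc fall back to `clone()`, where that check does apply. Suggest `// clone3 takes its flags via a struct seccomp cannot inspect; return ENOSYS so libc falls back to clone(), which the CLONE_VM rule above filters.` With a libc that does not fall back on ENOSYS, thread creation would fail outright rather than escape the limit, which is the safe direction but worth stating in the comment. Please also confirm `ENOSYS` is in scope in this file (`<cerrno>`), since the last include line of the first hunk is not legible here. The enclosing constructor starts before and ends after this hunk.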
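Review bot: `"statx"` joins the ENOSYS list without a note on its dependency on the entries above it: libc builds that route stat()/fstatat() through statx (glibc does on some targets) fall back to `newfstatat`/`fstatat64` only when statx returns ENOSYS, so the ENOSYS answer added here is only effective because `"newfstatat"` and the newly added `"fstatat64"` in the earlier hunk sit in the same list. A comment on the statx entry, e.g. `// statx: libc falls back to newfstatat/fstatat64 on ENOSYS; keep those listed too`, would stop a later cleanup of the older names from silently reopening stat through the statx path. Whether the sandboxed libc follows that fallback is inferred, not visible in the diff. addFileSystemAccessRules starts before this hunk.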