--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -306,8 +306,8 @@
 #endif
 #endif /* ENABLE_EARLY_DROPROOT */
- SCMP_SYS(accept),
- SCMP_SYS(access),
+ SCMP_SYS(accept),
+ SCMP_SYS(access),
 SCMP_SYS(adjtimex),
 SCMP_SYS(bind),
 SCMP_SYS(brk),
@@ -319,6 +319,9 @@
 SCMP_SYS(connect),
 SCMP_SYS(exit),
 SCMP_SYS(exit_group),
+#ifdef __NR_faccessat
+ SCMP_SYS(faccessat), /* riscv and aarch64 */
+#endif
 SCMP_SYS(fcntl),
 SCMP_SYS(fstat),
 SCMP_SYS(fsync),
@@ -349,11 +352,13 @@
 SCMP_SYS(lseek),
 SCMP_SYS(membarrier), /* Needed on Alpine 3.11.3 */
 SCMP_SYS(munmap),
+ SCMP_SYS(newfstatat), /* riscv and aarch64 */
 SCMP_SYS(open),
 #ifdef __NR_openat
 SCMP_SYS(openat), /* SUSE */
 #endif
 SCMP_SYS(poll),
+ SCMP_SYS(pread64),
 SCMP_SYS(pselect6),
 SCMP_SYS(read),
 SCMP_SYS(recvfrom), /* Comment this out for testing.
@@ -362,6 +367,9 @@
 */
 SCMP_SYS(recvmsg),
 SCMP_SYS(rename),
+#ifdef __NR_renameat2
+ SCMP_SYS(renameat2), /* riscv */
+#endif
 SCMP_SYS(rt_sigaction),
 SCMP_SYS(rt_sigprocmask),
 SCMP_SYS(rt_sigreturn),
@@ -401,6 +409,7 @@
 * rather than generate a trap.
 */
 SCMP_SYS(clone), /* threads */
+ SCMP_SYS(clone3),
 SCMP_SYS(kill), /* generate signal */
 SCMP_SYS(madvise),
 SCMP_SYS(mprotect),
@@ -415,9 +424,9 @@
 SCMP_SYS(nanosleep),
 #endif
 #ifdef CLOCK_SHM
- SCMP_SYS(shmget),
- SCMP_SYS(shmat),
- SCMP_SYS(shmdt),
+ SCMP_SYS(shmget),
+ SCMP_SYS(shmat),
+ SCMP_SYS(shmdt),
 #endif
 SCMP_SYS(fcntl64),
@@ -445,15 +454,18 @@
 SCMP_SYS(geteuid32),
 #endif
+#ifdef __NR_rseq
+ SCMP_SYS(rseq),
+#endif
+
 #ifdef __NR_mmap
 /* gentoo 64-bit and 32-bit, Intel and Arm use mmap */
 SCMP_SYS(mmap),
 #endif
 #if defined(__aarch64__)
- SCMP_SYS(faccessat),
- SCMP_SYS(newfstatat),
- SCMP_SYS(renameat),
 SCMP_SYS(linkat),
+ SCMP_SYS(renameat),
+ SCMP_SYS(syscall),
 SCMP_SYS(unlinkat),
 #endif
 #if defined(__i386__) || defined(__arm__) || defined(__powerpc__)
@@ -463,6 +475,9 @@
 SCMP_SYS(send),
 SCMP_SYS(stat64),
 #endif
+#if defined(__arm__)
+ SCMP_SYS(statx),
+#endif
 };
 {
 for (unsigned int i = 0; i < COUNTOF(scmp_sc); i++) {
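Review bot: In the `@@ -349,11 +352,13 @@` hunk, `SCMP_SYS(pread64)` is added with no comment saying which code path or platform needs it, unlike the entries around it. Both it and `SCMP_SYS(newfstatat)` are also unguarded, while this same commit wraps `faccessat`, `renameat2` and `rseq` in `#ifdef __NR_...`. Every entry in a seccomp allowlist widens what a compromised ntpd can ask of the kernel, so each should record its reason, e.g. `SCMP_SYS(pread64), /* <caller or libc version that needs it> */`. Whether the headers in use resolve `newfstatat` on the 32-bit targets is not visible here, so the unguarded form deserves a line in the commit message if it is deliberate. The table begins and ends outside this hunk.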
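Review bot: `SCMP_SYS(clone3)` in the `@@ -401,6 +409,7 @@` hunk carries no comment, and it is the one addition whose arguments a seccomp filter cannot inspect, because clone3 passes its flags in a struct behind a pointer. `clone` appears to be allowed by number only in this table, so nothing is lost today, but if the clone rule is ever narrowed to thread-creation flags, clone3 would remain a way around it. I would at least annotate the entry, `SCMP_SYS(clone3), /* threads, newer glibc; args not filterable */`, and consider guarding it with `#ifdef __NR_clone3` as is done for `rseq`. The comment that opens this group of entries starts outside the hunk.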
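Review bot: `SCMP_SYS(syscall)` is new in the `__aarch64__` block of the `@@ -445,15 +454,18 @@` hunk, and nothing in the visible change explains it. As far as I know `syscall` names the indirect-dispatch call of 32-bit ARM rather than anything aarch64 provides, so the entry is probably either inert there or in the wrong block. Please confirm which call actually trapped and add that one with a reason, in the form `SCMP_SYS(<name>), /* <libc path that needs it on aarch64> */`, or drop the line. An allowlist entry whose purpose nobody can state is hard to audit later.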
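Review bot: `statx` is allowed only under `#if defined(__arm__)` in the `@@ -463,6 +475,9 @@` hunk, while the block just above it covers `__i386__`, `__arm__` and `__powerpc__` together. If the need comes from a 32-bit libc routing stat calls through statx (my assumption; the hunk does not say), the other 32-bit targets would hit the same trap. Either widen the guard to match, `#if defined(__i386__) || defined(__arm__) || defined(__powerpc__)`, or record why only arm needs it, e.g. `SCMP_SYS(statx), /* arm: <libc/version> */`. The loop that installs the table continues past the end of the hunk.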