* lib-src/seccomp-filter.c (main): Also allow O_NOFOLLOW.

2021-04-11 21:14:09 +02:00 · 2021-04-11 21:14:09 +02:00 · cf0701eff0
commit cf0701eff0
parent 9a57897ea1
1 changed files with 2 additions and 2 deletions
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@ -241,12 +241,12 @@ main (int argc, char **argv)
  RULE (SCMP_ACT_ALLOW, SCMP_SYS (open),
        SCMP_A1_32 (SCMP_CMP_MASKED_EQ,
                    ~(O_RDONLY | O_BINARY | O_CLOEXEC | O_PATH
-                      | O_DIRECTORY),
+                      | O_DIRECTORY | O_NOFOLLOW),
                    0));
  RULE (SCMP_ACT_ALLOW, SCMP_SYS (openat),
        SCMP_A2_32 (SCMP_CMP_MASKED_EQ,
                    ~(O_RDONLY | O_BINARY | O_CLOEXEC | O_PATH
-                      | O_DIRECTORY),
+                      | O_DIRECTORY | O_NOFOLLOW),
                    0));

  /* Allow `tcgetpgrp'.  */