From f832b71eddc80198660003f88eb574b37b23b005 Mon Sep 17 00:00:00 2001
From: Fredrik Thulin
Date: Tue, 29 Jan 2013 14:37:06 +0100
Subject: [PATCH] Add seccomp allows to get through SoftHSM test suite.
---
 gck-rpc-daemon-standalone.c | 21 ++++++++++++++++++---
 gck-rpc-dispatch.c | 16 ++++++++++++++++
 2 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/gck-rpc-daemon-standalone.c b/gck-rpc-daemon-standalone.c
index 212999f..6510b3e 100644
--- a/gck-rpc-daemon-standalone.c
+++ b/gck-rpc-daemon-standalone.c
@@ -114,17 +114,32 @@ static int install_syscall_filter(const int sock, const char *tls_psk_keyfile, c if (path[0] && strncmp(path, "tcp://", strlen("tcp://")) != 0 && strncmp(path, "tls://", strlen("tls://")) != 0) - /* XXX only permit unlink(path) */ seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(unlink), 0); /* - * Syscalls to allow spawned threads to initialize a new (stricter) seccomp policy. + * Allow spawned threads to initialize a new seccomp policy (subset of this). */ seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(prctl), 0); + /* + * SoftHSM required syscalls + */ + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(getcwd), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(stat), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(open), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(access), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fsync), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(unlink), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(ftruncate), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(select), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(futex), 0); + #ifdef DEBUG_SECCOMP /* Dumps the generated BPF rules in sort-of human readable syntax. */ - seccomp_export_pfc(2); + seccomp_export_pfc(STDERR_FILENO); /* Print the name of syscalls stopped by seccomp. Should not be used in production. */ if (install_syscall_reporter()) diff --git a/gck-rpc-dispatch.c b/gck-rpc-dispatch.c index 48fb2a4..ff4f222 100644 --- a/gck-rpc-dispatch.c +++ b/gck-rpc-dispatch.c 
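Review bot: The unconditional `seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(unlink), 0);` added under "SoftHSM required syscalls" turns the guarded unlink rule a few lines above it into dead code — the `path[0] && strncmp(...)` condition no longer restricts anything, and the removed `/* XXX only permit unlink(path) */` note was the only record that an argument restriction was still intended (seccomp cannot compare the pathname itself, so that restriction is not expressible as a rule, which the comment should say). Either drop the conditional block or keep the intent visible, e.g. `/* unlink/open are allowed unconditionally for SoftHSM below; the path cannot be matched by BPF, so the restriction to 'path' is documentation only */`. The same unconstrained `open`/`unlink`/`ftruncate` set is added to the per-connection filter in gck-rpc-dispatch.c, where it matters more because that filter is what bounds a dispatch thread handling client RPC. `open` does expose its flags to the filter, so a narrower rule such as `seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_CREAT | O_TRUNC, 0));` would keep the policy from permitting file creation if SoftHSM only reads and updates its existing token store — to be confirmed against the flags SoftHSM actually passes. install_syscall_filter() begins and ends outside this hunk.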
@@ -2695,6 +2695,22 @@ static int _install_dispatch_syscall_filter(int use_tls) seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1, SCMP_A2(SCMP_CMP_EQ, PROT_READ|PROT_WRITE)); + /* + * SoftHSM + */ + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(getcwd), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(stat), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(open), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(access), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fsync), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(unlink), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(ftruncate), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(select), 0); + seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(futex), 0); + rc = seccomp_load(); if (rc < 0) goto failure_scmp;
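Review bot: The twelve SoftHSM rules here duplicate the list in install_syscall_filter() verbatim, and nothing ties the two copies together even though this thread filter must remain a subset of the parent's for the thread's seccomp_load() to succeed. Their return values are also ignored while the `rc = seccomp_load()` two lines later is checked, so a rule that fails to add (for instance on an architecture where a legacy syscall such as `stat` or `select` has no number and the libc uses `newfstatat`/`pselect6` instead) is only noticed when the thread is killed at runtime. A table-driven loop keeps both concerns in one place and documents the subset invariant; the same table could later be shared with gck-rpc-daemon-standalone.c. _install_dispatch_syscall_filter() starts before this hunk.
```c
	/*
	 * SoftHSM: presumably file I/O on its token store plus thread
	 * synchronisation (list derived from what its test suite trips on).
	 * Keep in sync with install_syscall_filter() in
	 * gck-rpc-daemon-standalone.c: this filter must stay a subset of the
	 * parent's, or the thread's seccomp_load() fails.
	 */
	static const int softhsm_syscalls[] = {
		SCMP_SYS(getcwd), SCMP_SYS(stat), SCMP_SYS(open), SCMP_SYS(fcntl),
		SCMP_SYS(fstat), SCMP_SYS(lseek), SCMP_SYS(access), SCMP_SYS(fsync),
		SCMP_SYS(unlink), SCMP_SYS(ftruncate), SCMP_SYS(select), SCMP_SYS(futex),
	};
	for (size_t i = 0; i < sizeof softhsm_syscalls / sizeof softhsm_syscalls[0]; i++) {
		rc = seccomp_rule_add(SCMP_ACT_ALLOW, softhsm_syscalls[i], 0);
		if (rc < 0)
			goto failure_scmp;
	}

	/* … unchanged: seccomp_load() and its error check … */
```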