Merge pull request #49 from otargowski/seccomp-poll

otargowski · web-flow · commit da72e3dfc8fb · 2025-11-10T21:40:11.000Z
Allow poll and similiar syscalls, update cmake configs
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1,4 +1,5 @@
-CMAKE_MINIMUM_REQUIRED(VERSION 3.0)
+CMAKE_MINIMUM_REQUIRED(VERSION 3.0...4.1)
+PROJECT(sio2jail)
 
 INCLUDE(${CMAKE_ROOT}/Modules/ExternalProject.cmake)
 INCLUDE(${CMAKE_ROOT}/Modules/GNUInstallDirs.cmake)
diff --git a/external/libseccomp.cmake b/external/libseccomp.cmake
@@ -61,6 +61,7 @@ IF((NOT DEFINED LIBSECCOMP_BUILD_OWN AND (NOT EXISTS "${libseccomp_LIB_PATH}" OR
     ExternalProject_Add(seccomp_project
         URL https://github.com/seccomp/libseccomp/releases/download/v2.5.4/libseccomp-2.5.4.tar.gz
         URL_HASH SHA256=d82902400405cf0068574ef3dc1fe5f5926207543ba1ae6f8e7a1576351dcbdb
+        DOWNLOAD_EXTRACT_TIMESTAMP TRUE
 
         CONFIGURE_COMMAND
             CFLAGS=${EXTRA_FLAGS} CXXFLAGS=${EXTRA_FLAGS} <SOURCE_DIR>/configure
diff --git a/external/libtclap.cmake b/external/libtclap.cmake
@@ -16,6 +16,7 @@ IF((NOT DEFINED LIBTCLAP_BUILD_OWN AND NOT EXISTS "${libtclap_INC_PATH}") OR LIB
     ExternalProject_Add(libtclap_project
         URL https://netcologne.dl.sourceforge.net/project/tclap/tclap-1.2.2.tar.gz
         URL_HASH SHA256=f5013be7fcaafc69ba0ce2d1710f693f61e9c336b6292ae4f57554f59fde5837
+        DOWNLOAD_EXTRACT_TIMESTAMP TRUE
 
         CONFIGURE_COMMAND
             <SOURCE_DIR>/configure --prefix=<INSTALL_DIR>
diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
@@ -134,6 +134,19 @@ void DefaultPolicy::addInputOutputRules() {
     // Allow reading from any file descriptor
     allowSyscalls({"read", "readv", "dup", "fcntl", "fcntl64", "pread64"});
 
+    // Allow monitoring any file descriptor
+    allowSyscalls(
+            {"poll",
+             "ppoll",
+             "epoll_create",
+             "epoll_create1",
+             "epoll_ctl",
+             "epoll_pwait",
+             "epoll_pwait2",
+             "epoll_wait",
+             "select",
+             "pselect6"});
+
     rules_.emplace_back(SeccompRule("ioctl", action::ActionErrno(ENOTTY)));
 
     // Allow seeking any file other than stdin/stdou/stderr
