commit patch 15595773

scantist-ossops-m2 · Dec 3, 2024 · 8d22094 · 8d22094
1 parent 1d20115
commit 8d22094
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/cmd/snap-seccomp-blacklist/snap-seccomp-blacklist.c b/cmd/snap-seccomp-blacklist/snap-seccomp-blacklist.c
@@ -101,7 +101,7 @@ static int populate_filter(scmp_filter_ctx ctx, const uint32_t *arch_tags, size_
      * NOTE: not using scmp_rule_add_exact as that was not doing anything
      * at all (presumably due to having all the architectures defined). */
 
-    const struct scmp_arg_cmp no_tty_inject = {
+    struct scmp_arg_cmp no_tty_inject = {
         /* We learned that existing programs make legitimate requests with all
          * bits set in the more significant 32bit word of the 64 bit double
          * word. While this kernel behavior remains suspect and presumably
@@ -122,6 +122,10 @@ static int populate_filter(scmp_filter_ctx ctx, const uint32_t *arch_tags, size_
     };
     sc_err = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), sys_ioctl_nr, 1, no_tty_inject);
 
+    /* also block use of TIOCLINUX */
+    no_tty_inject.datum_b = TIOCLINUX;
+    sc_err = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), sys_ioctl_nr, 1, no_tty_inject);
+
     if (sc_err < 0) {
         showerr("cannot add rule preventing the use high bits in ioctl");
         return sc_err;