sys_linux: allow setsockopt(SOL_IP, IP_TOS) in seccomp
This system call is required by the DSCP marking feature introduced in commit
6a5665ca58 ("conf: add dscp directive").
Before this change, enabling seccomp filtering (chronyd -F 1) and specifying a
custom DSCP value in the configuration (for example "dscp 46") caused the
process to be killed by seccomp due to IP_TOS not being allowed by the filter.
Tested before and after the change on Ubuntu 21.04, kernel 5.11.0-13-generic.
IP_TOS is available since Linux 1.0, so I didn't add any ifdefs for it.
Signed-off-by: Foster Snowhill <forst@forstwoof.ru>
This commit is contained in:
Foster Snowhill
Miroslav Lichvar
parent
4f0dd72cf0
commit
966e6fd939
1 changed files with 1 additions and 1 deletions
|
|
@ -621,7 +621,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
|
|||
};
|
||||
|
||||
const static int socket_options[][2] = {
|
||||
{ SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND },
|
||||
{ SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND }, { SOL_IP, IP_TOS },
|
||||
#ifdef FEAT_IPV6
|
||||
{ SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO },
|
||||
#endif
|
||||
|
|
|
|||
Loading…
Reference in a new issue