authorToni Uhlig <matzeton@googlemail.com>2018-06-18 16:07:00 +0200
committerToni Uhlig <matzeton@googlemail.com>2018-06-18 16:07:14 +0200
commit57369452db81b288fca6aeafc846444175bc5b12 (patch)
tree961b967fe11bea38b7df703b04221b051bfb9d49 /src
parent3c344aff2bed889dc1b10e5534bfe8e3cff4b708 (diff)
seccomp: allow socket syscall in jail
setup namespaces: old valgrind versions don't support the setns syscall, so use unshare if the previous attempt failed Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src')
-rw-r--r--src/pseccomp.c1
-rw-r--r--src/utils.c14
2 files changed, 13 insertions, 2 deletions
diff --git a/src/pseccomp.c b/src/pseccomp.c
index dc06615..07569f3 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -108,6 +108,7 @@ static const int jail_allowed_syscalls[] = {
SCMP_SYS(close), SCMP_SYS(wait4),
SCMP_SYS(sigprocmask), SCMP_SYS(tgkill), SCMP_SYS(gettid), SCMP_SYS(set_tls),
SCMP_SYS(fork), SCMP_SYS(clone), SCMP_SYS(execve),
+ SCMP_SYS(socket),
SCMP_SYS(mmap), SCMP_SYS(mmap2), SCMP_SYS(brk), SCMP_SYS(madvise),
SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex),
SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(fstat), SCMP_SYS(fstat64),
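Review bot: `SCMP_SYS(socket)` is added to jail_allowed_syscalls without a comment saying which jailed code path needs it, and because the array is a plain list of syscall numbers the entry admits every address family and socket type. Add a comment above the new entry, e.g. `/* socket: needed by <jailed component> — TODO name it */`, and if only one family is required consider a separate argument-filtered rule (libseccomp `SCMP_A0(SCMP_CMP_EQ, ...)` on the domain argument) rather than the unconditional allow. The array's definition begins and ends outside the hunk.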
diff --git a/src/utils.c b/src/utils.c
index fc0770a..d5f14d2 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -22,6 +22,9 @@
#include <linux/limits.h>
#include <libgen.h>
#include <assert.h>
+#ifdef HAVE_VALGRIND
+#include <valgrind.h>
+#endif
#include "utils.h"
#include "log.h"
@@ -477,8 +480,8 @@ int setup_network_namespace(const char *name)
}
if (path_is_mountpoint(netns_path)) {
- N2("Network namespace '%s' already mounted, doing nothing.", netns_path);
- return 0;
+ W2("Network namespace '%s' already mounted, doing nothing.", netns_path);
+ return 1;
}
while (mount("", getopt_str(OPT_NETNS_RUN_DIR), "none",
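Review bot: Changing `return 0;` to `return 1;` in the "already mounted, doing nothing" branch hands callers the same non-zero value the function presumably uses for failure, so any caller checking `!= 0` will now treat an already-mounted namespace as an error even though the message says nothing was done. The callers are outside this hunk, so confirm they distinguish the two cases before this lands. If the intent is "nothing to do", document the contract on the function, e.g. `/* returns 0 on success, 1 on error or when the namespace was already mounted */`. setup_network_namespace starts and ends outside the hunk.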
@@ -544,6 +547,13 @@ int switch_network_namespace(const char *name)
if (setns(netns, CLONE_NEWNET) < 0) {
E_STRERR("Setting the network namespace '%s'", name);
close(netns);
+#ifdef HAVE_VALGRIND
+ /* older valgrind versions dont support the setns syscall */
+ if (RUNNING_ON_VALGRIND) {
+ W2("%s", "Running on valgrind, using unshare instead of setns ..");
+ return unshare(CLONE_NEWNET) != 0;
+ }
+#endif
return 1;
}
close(netns);
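Review bot: The valgrind fallback `return unshare(CLONE_NEWNET) != 0;` reports success while leaving the process in a fresh, empty network namespace instead of the named one requested by `name`, and unlike the setns path it logs nothing when unshare itself fails. The warning should say that the requested namespace is not being joined, and the failure should go through E_STRERR like the setns error two lines above so the two paths are diagnosed the same way. switch_network_namespace's body continues outside the hunk.
```c
    if (RUNNING_ON_VALGRIND) {
        /* unshare() yields a new, empty netns — NOT the one named by `name` */
        W2("Running on valgrind, unsharing a new netns instead of joining '%s' ..", name);
        if (unshare(CLONE_NEWNET) != 0) {
            E_STRERR("Unsharing the network namespace instead of '%s'", name);
            return 1;
        }
        return 0;
    }
```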