From fc32eac99f8d17b0bb261efc8af3667818caf104 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 10 Jun 2014 19:10:46 -0700 Subject: [PATCH] [master] seccomp sandboxing wasn't working in nonthreaded builds --- bin/named/include/named/seccomp.h | 123 ++++++++++++++++++++++-------- 1 file changed, 93 insertions(+), 30 deletions(-) diff --git a/bin/named/include/named/seccomp.h b/bin/named/include/named/seccomp.h index ce8e0e260c..2b3c0a8ca3 100644 --- a/bin/named/include/named/seccomp.h +++ b/bin/named/include/named/seccomp.h @@ -24,6 +24,7 @@ #include #include #include +#include /*% * For each architecture, the scmp_syscalls and 
@@ -59,38 +60,100 @@ int scmp_syscalls[] = {
 SCMP_SYS(gettimeofday),
 SCMP_SYS(unlink),
 SCMP_SYS(socket),
- SCMP_SYS(sendto)
+ SCMP_SYS(sendto),
+#ifndef ISC_PLATFORM_USETHREADS
+ SCMP_SYS(bind),
+ SCMP_SYS(accept),
+ SCMP_SYS(connect),
+ SCMP_SYS(listen),
+ SCMP_SYS(fcntl),
+ SCMP_SYS(sendmsg),
+ SCMP_SYS(recvmsg),
+ SCMP_SYS(uname),
+ SCMP_SYS(setrlimit),
+ SCMP_SYS(getrlimit),
+ SCMP_SYS(setsockopt),
+ SCMP_SYS(getsockopt),
+ SCMP_SYS(getsockname),
+ SCMP_SYS(lstat),
+ SCMP_SYS(lseek),
+ SCMP_SYS(getgid),
+ SCMP_SYS(getegid),
+ SCMP_SYS(getuid),
+ SCMP_SYS(geteuid),
+ SCMP_SYS(setresgid),
+ SCMP_SYS(setresuid),
+ SCMP_SYS(setgid),
+ SCMP_SYS(setuid),
+ SCMP_SYS(prctl),
+ SCMP_SYS(epoll_wait),
+ SCMP_SYS(openat),
+ SCMP_SYS(getdents),
+ SCMP_SYS(rename),
+ SCMP_SYS(utimes),
+#endif
 };
 const char *scmp_syscall_names[] = {
- "access",
- "open",
- "clock_gettime",
- "time",
- "read",
- "write",
- "close",
- "brk",
- "poll",
- "select",
- "madvise",
- "mmap",
- "munmap",
- "exit_group",
- "rt_sigprocmask",
- "rt_sigaction",
- "fsync",
- "rt_sigreturn",
- "setsid",
- "chdir",
- "futex",
- "stat",
- "rt_sigsuspend",
- "fstat",
- "epoll_ctl",
- "gettimeofday",
- "unlink",
- "socket",
- "sendto"
+ "access",
+ "open",
+ "clock_gettime",
+ "time",
+ "read",
+ "write",
+ "close",
+ "brk",
+ "poll",
+ "select",
+ "madvise",
+ "mmap",
+ "munmap",
+ "exit_group",
+ "rt_sigprocmask",
+ "rt_sigaction",
+ "fsync",
+ "rt_sigreturn",
+ "setsid",
+ "chdir",
+ "futex",
+ "stat",
+ "rt_sigsuspend",
+ "fstat",
+ "epoll_ctl",
+ "gettimeofday",
+ "unlink",
+ "socket",
+ "sendto",
+#ifndef ISC_PLATFORM_USETHREADS
+ "bind",
+ "accept",
+ "connect",
+ "listen",
+ "fcntl",
+ "sendmsg",
+ "recvmsg",
+ "uname",
+ "setrlimit",
+ "getrlimit",
+ "setsockopt",
+ "getsockopt",
+ "getsockname",
+ "lstat",
+ "lseek",
+ "getgid",
+ "getegid",
+ "getuid",
+ "geteuid",
+ "setresgid",
+ "setresuid",
+ "setgid",
+ "setuid",
+ "prctl",
+ "epoll_wait",
+ "openat",
+ "getdents",
+ "rename",
+ "utimes",
+#endif
 };
 #endif /* __x86_64__ */
 #ifdef __i386__
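Review bot: The non-threaded allowlist added under `#ifndef ISC_PLATFORM_USETHREADS` admits setuid, setgid, setresuid, setresgid and prctl, and nothing in this hunk constrains their arguments, so a compromised process keeps the ability to manipulate its credentials after the filter is installed — a considerably wider escape surface than the threaded list. If these are only needed for the one-time privilege drop at startup (the loop that turns scmp_syscalls into rules lives outside this hunk), either install the filter after that drop or attach argument comparisons (for example `SCMP_A0(SCMP_CMP_EQ, target_uid)` on setuid/setresuid) instead of a bare allow, and record the reason each is required. The two parallel tables are still kept in step by hand with nothing checking that they have equal length; a comment above scmp_syscalls such as `/* scmp_syscall_names[] must match this array in order and length; extend both under the same #ifndef block */` plus a size check in the consumer would catch drift before it mislabels a syscall in logs. Only the __x86_64__ tables are extended here; the __i386__ section starts at the last line of this hunk and continues past it, so whether it needs the same additions cannot be confirmed from this view.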