properly seccomp keymgr

src/keymgr.c

@@ -61,15 +61,28 @@ static struct sock_filter filter_keymgr[] = {
 	KORE_SYSCALL_ALLOW(open),
 	KORE_SYSCALL_ALLOW(read),
 	KORE_SYSCALL_ALLOW(close),
+	KORE_SYSCALL_ALLOW(fstat),
+	KORE_SYSCALL_ALLOW(futex),
+	KORE_SYSCALL_ALLOW(openat),
 
-	/* Allow it to read/write messages. */
-	KORE_SYSCALL_ALLOW(write),
+	/* Net related. */
 	KORE_SYSCALL_ALLOW(read),
+	KORE_SYSCALL_ALLOW(write),
+	KORE_SYSCALL_ALLOW(epoll_wait),
 
 	/* Process things. */
 	KORE_SYSCALL_ALLOW(exit),
+	KORE_SYSCALL_ALLOW(kill),
+	KORE_SYSCALL_ALLOW(getpid),
+	KORE_SYSCALL_ALLOW(arch_prctl),
+	KORE_SYSCALL_ALLOW(exit_group),
 	KORE_SYSCALL_ALLOW(sigaltstack),
+	KORE_SYSCALL_ALLOW(rt_sigreturn),
 	KORE_SYSCALL_ALLOW(rt_sigaction),
+
+	/* Other things. */
+	KORE_SYSCALL_ALLOW(munmap),
+	KORE_SYSCALL_ALLOW(getrandom),
 };
 #endif
 

src/seccomp.c

@@ -154,6 +154,7 @@ kore_seccomp_enable(void)
 	struct sock_fprog		prog;
 	struct kore_runtime_call	*rcall;
 	struct filter			*filter;
+	int				skip_worker_filter;
 	size_t				prog_len, pos, jmp_off, i;
 
 #if defined(KORE_DEBUG)
@@ -174,9 +175,18 @@ kore_seccomp_enable(void)
 		kore_free(rcall);
 	}
 
-	/* Add worker required syscalls. */
-	kore_seccomp_filter("worker", filter_kore,
-	    KORE_FILTER_LEN(filter_kore));
+	skip_worker_filter = 0;
+
+#if !defined(KORE_NO_TLS)
+	if (worker->id == KORE_WORKER_KEYMGR)
+		skip_worker_filter = 1;
+#endif
+
+	if (skip_worker_filter == 0) {
+		/* Add worker required syscalls. */
+		kore_seccomp_filter("worker", filter_kore,
+		    KORE_FILTER_LEN(filter_kore));
+	}
 
 	/*
 	 * Construct the entire BPF program by adding all relevant parts

src/worker.c

@@ -310,14 +310,7 @@ kore_worker_privdrop(const char *runas, const char *root)
 			fatalx("cannot drop privileges");
 	}
 
-#if defined(__linux__) && !defined(KORE_NO_TLS)
-	/* keymgr gets its own privileges. */
-	if (worker->id == KORE_WORKER_KEYMGR)
-		return;
-#endif
-
 	kore_platform_sandbox();
-
 }
 
 void