Remove some seccomp deny rules to make it work with cuda (#48)

oOraph · web-flow · commit 447fff164c58 · 2024-10-28T18:50:50.000+01:00
diff --git a/sandbox.c b/sandbox.c
@@ -19,11 +19,17 @@ int main(int argc, char* argv[]) {
         return EXIT_FAILURE;
     }
 
-    // Block network-related syscalls
-    seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 0);
+    // Block relevant network-related syscalls, so as to block egress internet access
+
+    // We cannot deny these calls as they are needed by cuda
+    // This should not be a big deal for our use case if what we want is to block egress network access
+    // (just blocking connect should actually be enough)
+
+    // seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 0);
+    // seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(bind), 0);
+    // seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(listen), 0);
+
     seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(connect), 0);
-    seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(bind), 0);
-    seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(listen), 0);
     seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(accept), 0);
     seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(send), 0);
     seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(sendto), 0);
