Add missing gettimeofday to syscall sandbox

Also, sort entries. Can be reviewed with: --color-moved=dimmed-zebra

Author: MarcoFalke

src/util/syscall_sandbox.cpp

@@ -169,6 +169,10 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
     {__NR_ftruncate, "ftruncate"},
     {__NR_futex, "futex"},
     {__NR_futimesat, "futimesat"},
+    {__NR_get_kernel_syms, "get_kernel_syms"},
+    {__NR_get_mempolicy, "get_mempolicy"},
+    {__NR_get_robust_list, "get_robust_list"},
+    {__NR_get_thread_area, "get_thread_area"},
     {__NR_getcpu, "getcpu"},
     {__NR_getcwd, "getcwd"},
     {__NR_getdents, "getdents"},
@@ -178,8 +182,6 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
     {__NR_getgid, "getgid"},
     {__NR_getgroups, "getgroups"},
     {__NR_getitimer, "getitimer"},
-    {__NR_get_kernel_syms, "get_kernel_syms"},
-    {__NR_get_mempolicy, "get_mempolicy"},
     {__NR_getpeername, "getpeername"},
     {__NR_getpgid, "getpgid"},
     {__NR_getpgrp, "getpgrp"},
@@ -191,12 +193,10 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
     {__NR_getresgid, "getresgid"},
     {__NR_getresuid, "getresuid"},
     {__NR_getrlimit, "getrlimit"},
-    {__NR_get_robust_list, "get_robust_list"},
     {__NR_getrusage, "getrusage"},
     {__NR_getsid, "getsid"},
     {__NR_getsockname, "getsockname"},
     {__NR_getsockopt, "getsockopt"},
-    {__NR_get_thread_area, "get_thread_area"},
     {__NR_gettid, "gettid"},
     {__NR_gettimeofday, "gettimeofday"},
     {__NR_getuid, "getuid"},
@@ -207,15 +207,15 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
     {__NR_inotify_init1, "inotify_init1"},
     {__NR_inotify_rm_watch, "inotify_rm_watch"},
     {__NR_io_cancel, "io_cancel"},
-    {__NR_ioctl, "ioctl"},
     {__NR_io_destroy, "io_destroy"},
     {__NR_io_getevents, "io_getevents"},
+    {__NR_io_setup, "io_setup"},
+    {__NR_io_submit, "io_submit"},
+    {__NR_ioctl, "ioctl"},
     {__NR_ioperm, "ioperm"},
     {__NR_iopl, "iopl"},
     {__NR_ioprio_get, "ioprio_get"},
     {__NR_ioprio_set, "ioprio_set"},
-    {__NR_io_setup, "io_setup"},
-    {__NR_io_submit, "io_submit"},
     {__NR_kcmp, "kcmp"},
     {__NR_kexec_file_load, "kexec_file_load"},
     {__NR_kexec_load, "kexec_load"},
@@ -271,8 +271,8 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
     {__NR_newfstatat, "newfstatat"},
     {__NR_nfsservctl, "nfsservctl"},
     {__NR_open, "open"},
-    {__NR_openat, "openat"},
     {__NR_open_by_handle_at, "open_by_handle_at"},
+    {__NR_openat, "openat"},
     {__NR_pause, "pause"},
     {__NR_perf_event_open, "perf_event_open"},
     {__NR_personality, "personality"},
@@ -307,6 +307,7 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
 #ifdef __NR_pwritev2
     {__NR_pwritev2, "pwritev2"},
 #endif
+    {__NR__sysctl, "_sysctl"},
     {__NR_query_module, "query_module"},
     {__NR_quotactl, "quotactl"},
     {__NR_read, "read"},
@@ -334,11 +335,11 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
     {__NR_rt_sigsuspend, "rt_sigsuspend"},
     {__NR_rt_sigtimedwait, "rt_sigtimedwait"},
     {__NR_rt_tgsigqueueinfo, "rt_tgsigqueueinfo"},
+    {__NR_sched_get_priority_max, "sched_get_priority_max"},
+    {__NR_sched_get_priority_min, "sched_get_priority_min"},
     {__NR_sched_getaffinity, "sched_getaffinity"},
     {__NR_sched_getattr, "sched_getattr"},
     {__NR_sched_getparam, "sched_getparam"},
-    {__NR_sched_get_priority_max, "sched_get_priority_max"},
-    {__NR_sched_get_priority_min, "sched_get_priority_min"},
     {__NR_sched_getscheduler, "sched_getscheduler"},
     {__NR_sched_rr_get_interval, "sched_rr_get_interval"},
     {__NR_sched_setaffinity, "sched_setaffinity"},
@@ -357,14 +358,17 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
     {__NR_sendmmsg, "sendmmsg"},
     {__NR_sendmsg, "sendmsg"},
     {__NR_sendto, "sendto"},
+    {__NR_set_mempolicy, "set_mempolicy"},
+    {__NR_set_robust_list, "set_robust_list"},
+    {__NR_set_thread_area, "set_thread_area"},
+    {__NR_set_tid_address, "set_tid_address"},
     {__NR_setdomainname, "setdomainname"},
     {__NR_setfsgid, "setfsgid"},
     {__NR_setfsuid, "setfsuid"},
     {__NR_setgid, "setgid"},
     {__NR_setgroups, "setgroups"},
     {__NR_sethostname, "sethostname"},
     {__NR_setitimer, "setitimer"},
-    {__NR_set_mempolicy, "set_mempolicy"},
     {__NR_setns, "setns"},
     {__NR_setpgid, "setpgid"},
     {__NR_setpriority, "setpriority"},
@@ -373,11 +377,8 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
     {__NR_setresuid, "setresuid"},
     {__NR_setreuid, "setreuid"},
     {__NR_setrlimit, "setrlimit"},
-    {__NR_set_robust_list, "set_robust_list"},
     {__NR_setsid, "setsid"},
     {__NR_setsockopt, "setsockopt"},
-    {__NR_set_thread_area, "set_thread_area"},
-    {__NR_set_tid_address, "set_tid_address"},
     {__NR_settimeofday, "settimeofday"},
     {__NR_setuid, "setuid"},
     {__NR_setxattr, "setxattr"},
@@ -402,7 +403,6 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
     {__NR_sync, "sync"},
     {__NR_sync_file_range, "sync_file_range"},
     {__NR_syncfs, "syncfs"},
-    {__NR__sysctl, "_sysctl"},
     {__NR_sysfs, "sysfs"},
     {__NR_sysinfo, "sysinfo"},
     {__NR_syslog, "syslog"},
@@ -411,12 +411,12 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
     {__NR_time, "time"},
     {__NR_timer_create, "timer_create"},
     {__NR_timer_delete, "timer_delete"},
-    {__NR_timerfd_create, "timerfd_create"},
-    {__NR_timerfd_gettime, "timerfd_gettime"},
-    {__NR_timerfd_settime, "timerfd_settime"},
     {__NR_timer_getoverrun, "timer_getoverrun"},
     {__NR_timer_gettime, "timer_gettime"},
     {__NR_timer_settime, "timer_settime"},
+    {__NR_timerfd_create, "timerfd_create"},
+    {__NR_timerfd_gettime, "timerfd_gettime"},
+    {__NR_timerfd_settime, "timerfd_settime"},
     {__NR_times, "times"},
     {__NR_tkill, "tkill"},
     {__NR_truncate, "truncate"},
@@ -650,6 +650,7 @@ class SeccompPolicyBuilder
     {
         allowed_syscalls.insert(__NR_clock_getres);  // find the resolution (precision) of the specified clock
         allowed_syscalls.insert(__NR_clock_gettime); // retrieve the time of the specified clock
+        allowed_syscalls.insert(__NR_gettimeofday);  // get timeval
     }
 
     void AllowGlobalProcessEnvironment()