From 9fa747fd5ccc834c8501d6652f2ac4e428d6162d Mon Sep 17 00:00:00 2001
From: Michael Santos
Date: Fri, 30 Jun 2017 10:01:02 -0400
Subject: [PATCH] seccomp: allow llseek(2) for TLS verification libstrophe 0.9.2 uses OpenSSL to validate TLS certs by checking against the system cert store. Allow llseek(2). Probably a better way of handling syscalls is to allow classes of syscalls based on OpenBSD's pledge.
---
 src/xmppipe_sandbox_seccomp.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/xmppipe_sandbox_seccomp.c b/src/xmppipe_sandbox_seccomp.c
index 71cea7d..89b9732 100644
--- a/src/xmppipe_sandbox_seccomp.c
+++ b/src/xmppipe_sandbox_seccomp.c
@@ -147,6 +147,12 @@ xmppipe_sandbox_init(xmppipe_state_t *state)
 #ifdef __NR_getsockopt
 SC_ALLOW(getsockopt),
 #endif
+#ifdef __NR_lseek
+ SC_ALLOW(lseek),
+#endif
+#ifdef __NR__llseek
+ SC_ALLOW(_llseek),
+#endif
 /* uuid */
 #ifdef __NR_gettimeofday
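Review bot: The two new allowlist entries after `SC_ALLOW(getsockopt)` carry no comment saying why a seek syscall is permitted, while the next group is labelled `/* uuid */`; every entry in a seccomp allowlist should be traceable to the code path that needs it, so I would add `/* TLS: OpenSSL reads the system cert store (libstrophe 0.9.2) */` above `#ifdef __NR_lseek`. The commit message names only llseek(2) but the hunk also allows `lseek`, and the comment is the place to record that both are intended, since the filter itself is what gets audited later. Both calls act only on descriptors that are already open, so the added surface looks small, but the hunk does not show whether the open and read calls that cert-store access also needs are already permitted, which is worth confirming on a build where the filter is enforced. `xmppipe_sandbox_init` starts and ends outside the hunk.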