From 3cc74da2cc53cd717daeb54a6a212de6235b5728 Mon Sep 17 00:00:00 2001
From: Moe-hacker
Date: Sat, 23 Nov 2024 02:07:57 +0000
Subject: [PATCH] Fliter out TIOCSTI in Seccomp profile

---
 src/seccomp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/seccomp.c b/src/seccomp.c
index 9e009ab..bdff33c 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -42,6 +42,7 @@ void ruri_setup_seccomp(const struct RURI_CONTAINER *_Nonnull container)
 }
 seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(add_key), 0);
 if (ruri_is_in_caplist(container->drop_caplist, CAP_SYS_ADMIN)) {
+seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioctl), 1, SCMP_CMP(1, SCMP_CMP_EQ, TIOCSTI));
 seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(bpf), 0);
 seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(lookup_dcookie), 0);
 seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mount), 0);
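Review bot: The new TIOCSTI rule is installed only inside the `if (ruri_is_in_caplist(container->drop_caplist, CAP_SYS_ADMIN))` branch, which ties it to a capability that does not actually govern the dangerous case: on kernels before 6.2, TIOCSTI on the caller's own controlling terminal requires no capability at all, so a container that keeps CAP_SYS_ADMIN gets no filter while the one that dropped it is the one least exposed (on 6.2+ the behaviour additionally depends on the dev.tty.legacy_tiocsti sysctl, which this code cannot see). Consider moving `seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioctl), 1, SCMP_CMP(1, SCMP_CMP_EQ, TIOCSTI));` up next to the unconditional `add_key` rule so it applies to every container, with a comment such as `/* TIOCSTI can inject input into the controlling tty regardless of CAP_SYS_ADMIN; always filter it. */`. The return value of seccomp_rule_add() is discarded as on the neighbouring lines, but for a rule with an argument comparison a failure (for example an unsupported comparison on some arch) silently leaves ioctl unfiltered, so this line is worth checking and aborting on `< 0`. I believe `SCMP_CMP` compares the full 64-bit syscall argument, so if the request value ever arrives with non-zero upper bits on an ABI the equality would not match; libseccomp's `SCMP_CMP32` exists for 32-bit arguments and may be the safer form — please verify against the libseccomp version the project builds with. The body of ruri_setup_seccomp continues outside the hunk.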