syscall: whitelist network access for msghand thread

apoelstra · apoelstra · commit 12152bf34136 · 2025-04-21T13:26:36.000Z
Unlike in Bitcoin, our message handling thread needs to open sockets in
order to call out to the mainchain RPC interface. We recently brought in
a seccomp syscall whitelist from upstream, which is enabled on my local
CI box (though apparently not on Github CI) and it is failing on this.
diff --git a/src/util/syscall_sandbox.cpp b/src/util/syscall_sandbox.cpp
@@ -867,6 +867,8 @@ void SetSyscallSandboxPolicy(SyscallSandboxPolicy syscall_policy)
         break;
     case SyscallSandboxPolicy::MESSAGE_HANDLER: // Thread: msghand
         seccomp_policy_builder.AllowFileSystem();
+        // ELEMENTS: Need network to call CallMainChainRPC
+        seccomp_policy_builder.AllowNetwork();
         break;
     case SyscallSandboxPolicy::NET: // Thread: net
         seccomp_policy_builder.AllowFileSystem();
