[people/arne_f/ipfire-3.x.git] / openssh / patches / openssh-6.7p1-seccomp-aarch64.patch

diff --git a/configure.ac b/configure.ac
index 4065d0e..d59ad44 100644
--- a/configure.ac
+++ b/configure.ac
@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	i*86-*)
 		seccomp_audit_arch=AUDIT_ARCH_I386
 		;;
-        arm*-*)
+	aarch64*-*)
+		seccomp_audit_arch=AUDIT_ARCH_AARCH64
+		;;
+	arm*-*)
 		seccomp_audit_arch=AUDIT_ARCH_ARM
-                ;;
+		;;
 	esac
 	if test "x$seccomp_audit_arch" != "x" ; then
 		AC_MSG_RESULT(["$seccomp_audit_arch"])
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 095b04a..52f6810 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -90,8 +90,20 @@ static const struct sock_filter preauth_insns[] = {
 	/* Load the syscall number for checking. */
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 		offsetof(struct seccomp_data, nr)),
-	SC_DENY(open, EACCES),
-	SC_DENY(stat, EACCES),
+	SC_DENY(openat, EACCES),
+#ifdef __NR_open
+	SC_DENY(open, EACCES), /* not on AArch64 */
+#endif
+#ifdef __NR_fstat
+	SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
+#endif
+#if defined(__NR_stat64) && defined(__NR_fstat64)
+	SC_DENY(stat64, EACCES), /* ix86, arm */
+	SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_newfstatat
+	SC_DENY(newfstatat, EACCES), /* Aarch64 */
+#endif
 	SC_ALLOW(getpid),
 	SC_ALLOW(gettimeofday),
 	SC_ALLOW(clock_gettime),
@@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW(shutdown),
 #endif
 	SC_ALLOW(brk),
+#ifdef __NR_poll /* not on AArch64 */
 	SC_ALLOW(poll),
+#endif
 #ifdef __NR__newselect
 	SC_ALLOW(_newselect),
 #else
+#ifdef __NR_select /* not on AArch64 */
 	SC_ALLOW(select),
 #endif
+#ifdef __NR_pselect6 /* AArch64 */
+	SC_ALLOW(pselect6),
+#endif
+#endif
 	SC_ALLOW(madvise),
 #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
 	SC_ALLOW(mmap2),
Commit	Line	Data
17d728c8 SS	1	diff --git a/configure.ac b/configure.ac
	2	index 4065d0e..d59ad44 100644
	3	--- a/configure.ac
	4	+++ b/configure.ac
	5	@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
	6	i86-)
	7	seccomp_audit_arch=AUDIT_ARCH_I386
	8	;;
	9	- arm-)
	10	+ aarch64-)
	11	+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
	12	+ ;;
	13	+ arm-)
	14	seccomp_audit_arch=AUDIT_ARCH_ARM
	15	- ;;
	16	+ ;;
	17	esac
	18	if test "x$seccomp_audit_arch" != "x" ; then
	19	AC_MSG_RESULT(["$seccomp_audit_arch"])
	20	diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
	21	index 095b04a..52f6810 100644
	22	--- a/sandbox-seccomp-filter.c
	23	+++ b/sandbox-seccomp-filter.c
	24	@@ -90,8 +90,20 @@ static const struct sock_filter preauth_insns[] = {
	25	/* Load the syscall number for checking. */
	26	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
	27	offsetof(struct seccomp_data, nr)),
	28	- SC_DENY(open, EACCES),
	29	- SC_DENY(stat, EACCES),
	30	+ SC_DENY(openat, EACCES),
	31	+#ifdef __NR_open
	32	+ SC_DENY(open, EACCES), /* not on AArch64 */
	33	+#endif
	34	+#ifdef __NR_fstat
	35	+ SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
	36	+#endif
	37	+#if defined(__NR_stat64) && defined(__NR_fstat64)
	38	+ SC_DENY(stat64, EACCES), /* ix86, arm */
	39	+ SC_DENY(fstat64, EACCES),
	40	+#endif
	41	+#ifdef __NR_newfstatat
	42	+ SC_DENY(newfstatat, EACCES), /* Aarch64 */
	43	+#endif
	44	SC_ALLOW(getpid),
	45	SC_ALLOW(gettimeofday),
	46	SC_ALLOW(clock_gettime),
	47	@@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = {
	48	SC_ALLOW(shutdown),
	49	#endif
	50	SC_ALLOW(brk),
	51	+#ifdef __NR_poll /* not on AArch64 */
	52	SC_ALLOW(poll),
	53	+#endif
	54	#ifdef __NR__newselect
	55	SC_ALLOW(_newselect),
	56	#else
	57	+#ifdef __NR_select /* not on AArch64 */
	58	SC_ALLOW(select),
	59	#endif
	60	+#ifdef __NR_pselect6 /* AArch64 */
	61	+ SC_ALLOW(pselect6),
	62	+#endif
	63	+#endif
	64	SC_ALLOW(madvise),
65	#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
66	SC_ALLOW(mmap2),