adjust seccomp filter for select->poll conversion

Needed to add ppoll syscall but also to relax the fallback rlimit
sandbox. Linux poll() fails with EINVAL if npfds > RLIMIT_NOFILE,
so we have to allow a single fd in the rlimit.

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 798b24bd878f44f72bce1086aed700b87f38a6fc..f5e462806e05a675eb353628911ac4a189979567 100644 (file)
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -270,6 +270,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR__newselect
        SC_ALLOW(__NR__newselect),
 #endif
+#ifdef __NR_ppoll
+       SC_ALLOW(__NR_ppoll),
+#endif
 #ifdef __NR_poll
        SC_ALLOW(__NR_poll),
 #endif
@@ -391,7 +394,7 @@ ssh_sandbox_child_debugging(void)
 void
 ssh_sandbox_child(struct ssh_sandbox *box)
 {
-       struct rlimit rl_zero;
+       struct rlimit rl_zero, rl_one = {.rlim_cur = 1, .rlim_max = 1};
        int nnp_failed = 0;
 
        /* Set rlimits for completeness if possible. */
@@ -399,7 +402,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
        if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
                fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
                        __func__, strerror(errno));
-       if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+       /*
+        * Cannot use zero for nfds, because poll(2) will fail with
+        * errno=EINVAL if npfds>RLIMIT_NOFILE.
+        */
+       if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
                fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
                        __func__, strerror(errno));
        if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)