From: Damien Miller Date: Mon, 18 Aug 2025 03:44:53 +0000 (+1000) Subject: handle futex_time64 properly in seccomp sandbox X-Git-Tag: V_10_1_P1~157 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a00f5b02e171bc6d6fb130050afb7a08f5ece1d8;p=thirdparty%2Fopenssh-portable.git handle futex_time64 properly in seccomp sandbox Previously we only allowed __NR_futex, but some 32-bit systems apparently support __NR_futex_time64. We had support for this in the sandbox, but because of a macro error only __NR_futex was allowlisted. ok dtucker@
---
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index b31062c2b..827cb61ee 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -180,12 +180,12 @@
 /* Use this for both __NR_futex and __NR_futex_time64 */
 # define SC_FUTEX(_nr) \
- SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAIT), \
- SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAIT_BITSET), \
- SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAKE), \
- SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAKE_BITSET), \
- SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_REQUEUE), \
- SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_CMP_REQUEUE)
+ SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAIT), \
+ SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAIT_BITSET), \
+ SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAKE), \
+ SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAKE_BITSET), \
+ SC_ALLOW_FUTEX_OP(_nr, FUTEX_REQUEUE), \
+ SC_ALLOW_FUTEX_OP(_nr, FUTEX_CMP_REQUEUE)
 #endif /* __NR_futex || __NR_futex_time64 */
 #if defined(__NR_mmap) || defined(__NR_mmap2)
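Review bot: Nothing in the corrected `SC_FUTEX(_nr)` body guards against the same slip recurring, because compilers do not diagnose an unused macro parameter: a literal `__NR_futex` in any entry silently emits a duplicate rule and leaves the other syscall number to whatever the filter does by default. I would extend the existing comment above the macro to say so, e.g. `/* Every entry must use _nr; a literal syscall number here silently drops the rule for the other futex variant */`. The expansion sites of `SC_FUTEX` and the definition of `SC_ALLOW_FUTEX_OP` are outside this hunk, so it is worth confirming that `SC_FUTEX(__NR_futex_time64)` is expanded only under `#ifdef __NR_futex_time64`. It is also worth confirming that the op comparison in `SC_ALLOW_FUTEX_OP` inspects the same argument for both syscalls, since this change makes the six-operation restriction the only constraint on `futex_time64` inside the sandbox.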