[ipfire-2.x.git] / src / patches / dhcpcd / 01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch

diff --git a/src/privsep-linux.c b/src/privsep-linux.c
index 050a30cf..d31d720d 100644
--- a/src/privsep-linux.c
+++ b/src/privsep-linux.c
@@ -32,6 +32,7 @@
 
 #include <linux/audit.h>
 #include <linux/filter.h>
+#include <linux/net.h>
 #include <linux/seccomp.h>
 #include <linux/sockios.h>
 
@@ -304,6 +305,23 @@ static struct sock_filter ps_seccomp_filter[] = {
 #ifdef __NR_sendto
 	SECCOMP_ALLOW(__NR_sendto),
 #endif
+#ifdef __NR_socketcall
+	/* i386 needs this and demonstrates why SECCOMP
+	 * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4)
+	 * as this is soooo tied to the kernel API which changes per arch
+	 * and likely libc as well. */
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT),	/* overflow */
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+#endif
 #ifdef __NR_shutdown
 	SECCOMP_ALLOW(__NR_shutdown),
 #endif
Commit	Line	Data
c1b356d2 MT	1	diff --git a/src/privsep-linux.c b/src/privsep-linux.c
	2	index 050a30cf..d31d720d 100644
	3	--- a/src/privsep-linux.c
	4	+++ b/src/privsep-linux.c
	5	@@ -32,6 +32,7 @@
	6
	7	#include <linux/audit.h>
	8	#include <linux/filter.h>
	9	+#include <linux/net.h>
	10	#include <linux/seccomp.h>
	11	#include <linux/sockios.h>
	12
	13	@@ -304,6 +305,23 @@ static struct sock_filter ps_seccomp_filter[] = {
	14	#ifdef __NR_sendto
	15	SECCOMP_ALLOW(__NR_sendto),
	16	#endif
	17	+#ifdef __NR_socketcall
	18	+ /* i386 needs this and demonstrates why SECCOMP
	19	+ * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4)
	20	+ * as this is soooo tied to the kernel API which changes per arch
	21	+ * and likely libc as well. */
	22	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT),
	23	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4),
	24	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN),
	25	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT), /* overflow */
	26	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV),
	27	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM),
	28	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG),
	29	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND),
	30	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG),
	31	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO),
	32	+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
	33	+#endif
	34	#ifdef __NR_shutdown
	35	SECCOMP_ALLOW(__NR_shutdown),
	36	#endif