From: Miroslav Lichvar Date: Wed, 6 Oct 2021 08:02:34 +0000 (+0200) Subject: sys_linux: fix seccomp filter for BINDTODEVICE option X-Git-Tag: 4.2-pre1~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387;p=thirdparty%2Fchrony.git sys_linux: fix seccomp filter for BINDTODEVICE option The BINDTODEVICE socket option is the first option in the seccomp filter setting a string instead of int. Remove the length check from the setsockopt rules to allow a device name longer than 3 characters. This was reported in Debian bug #995207. Fixes: b9f5ce83b02e ("sys_linux: allow BINDTODEVICE option in seccomp filter")
---
diff --git a/sys_linux.c b/sys_linux.c
index 8fba259e..9cab2efa 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -739,10 +739,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
 /* Allow selected socket options */
 for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
- if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,
+ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
 SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
- SCMP_A2(SCMP_CMP_EQ, socket_options[i][1]),
- SCMP_A4(SCMP_CMP_LE, sizeof (int))) < 0)
+ SCMP_A2(SCMP_CMP_EQ, socket_options[i][1])))
 goto add_failed;
 }