From: Damien Miller <djm@mindrot.org>
Date: Thu, 19 May 2016 23:56:53 +0000 (+1000)
Subject: Deny lstat syscalls in seccomp sandbox
X-Git-Tag: V_7_3_P1~100
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f64062b1f74ad5ee20a8a49aab2732efd0f7ce30;p=thirdparty%2Fopenssh-portable.git

Deny lstat syscalls in seccomp sandbox

Avoids sandbox violations for some krb/gssapi libraries.
---

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index d132e2646..2e1ed2c52 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -103,6 +103,12 @@ static const struct sock_filter preauth_insns[] = {
 		offsetof(struct seccomp_data, nr)),
 
 	/* Syscalls to non-fatally deny */
+#ifdef __NR_lstat
+	SC_DENY(lstat, EACCES),
+#endif
+#ifdef __NR_lstat64
+	SC_DENY(lstat64, EACCES),
+#endif
 #ifdef __NR_fstat
 	SC_DENY(fstat, EACCES),
 #endif