Deny (non-fatal) ipc in preauth privsep child. V_8_1 anongit/V_8_1 github-selfhosted/V_8_1 github/V_8_1
authorJeremy Drake <github@jdrake.com>
Sat, 12 Oct 2019 01:31:05 +0000 (18:31 -0700)
committerDarren Tucker <dtucker@dtucker.net>
Wed, 8 Jan 2020 10:48:37 +0000 (21:48 +1100)
As noted in openssh/openssh-portable#149, i386 does not have
__NR_shmget etc.  Instead, it has a single ipc syscall (see man 2 ipc,
https://linux.die.net/man/2/ipc).  Add this syscall, if present, to the
list of syscalls that seccomp will deny non-fatally.

sandbox-seccomp-filter.c

index 999c46c9fa544055c046c94dd118376590bd900d..0914e48baeaa4042edd33bbaefa2a76d768da54f 100644 (file)
@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_shmdt
        SC_DENY(__NR_shmdt, EACCES),
 #endif
+#ifdef __NR_ipc
+       SC_DENY(__NR_ipc, EACCES),
+#endif
 
        /* Syscalls to permit */
 #ifdef __NR_brk
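Review bot: The new `__NR_ipc` entry denies more than the shm* entries it sits next to, and nothing in the list says so: ipc(2) is the multiplexer for all System V IPC (the sem*, msg* and shm* families), and `SC_DENY` as used here takes only a syscall number and an errno, so it presumably matches every ipc sub-call. On i386 that would give semaphore and message-queue calls the same soft EACCES, while on architectures with separate syscall numbers those calls fall through to the filter's default action, which is not visible in this hunk (only `__NR_shmdt` of the shm* entries is). I would record the difference with a comment above the entry, e.g. `/* ipc(2) multiplexes all SysV IPC (sem*, msg*, shm*); denied as a whole where it exists */`. The `preauth_insns[]` array starts and ends outside the hunk.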