From: Darren Tucker <dtucker@dtucker.net>
Date: Fri, 12 Mar 2021 04:58:57 +0000 (+1100)
Subject: Allow (but return EACCES) fstatat64 in sandbox.
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=refs%2Fremotes%2Fanongit%2FV_8_5;p=thirdparty%2Fopenssh-portable.git

Allow (but return EACCES) fstatat64 in sandbox.

This is apparently used in some configurations of OpenSSL when glibc
has getrandom().  bz#3276, patch from Kris Karas, ok djm@
---

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index d8dc7120b..7981c84ad 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -154,6 +154,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_fstat64
 	SC_DENY(__NR_fstat64, EACCES),
 #endif
+#ifdef __NR_fstatat64
+	SC_DENY(__NR_fstatat64, EACCES),
+#endif
 #ifdef __NR_open
 	SC_DENY(__NR_open, EACCES),
 #endif