vishalmishra434 / rpms / openssh

Forked from rpms/openssh 3 months ago
Clone
Jakub Jelen bc083e
diff --git a/configure.ac b/configure.ac
Jakub Jelen bc083e
index 4065d0e..d59ad44 100644
665648
--- a/configure.ac
665648
+++ b/configure.ac
Jakub Jelen bc083e
@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
665648
 	i*86-*)
665648
 		seccomp_audit_arch=AUDIT_ARCH_I386
665648
 		;;
665648
-        arm*-*)
665648
+	aarch64*-*)
665648
+		seccomp_audit_arch=AUDIT_ARCH_AARCH64
665648
+		;;
665648
+	arm*-*)
665648
 		seccomp_audit_arch=AUDIT_ARCH_ARM
665648
-                ;;
665648
+		;;
665648
 	esac
665648
 	if test "x$seccomp_audit_arch" != "x" ; then
665648
 		AC_MSG_RESULT(["$seccomp_audit_arch"])
665648
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
Jakub Jelen bc083e
index 095b04a..52f6810 100644
665648
--- a/sandbox-seccomp-filter.c
665648
+++ b/sandbox-seccomp-filter.c
Jakub Jelen bc083e
@@ -90,8 +90,20 @@ static const struct sock_filter preauth_insns[] = {
665648
 	/* Load the syscall number for checking. */
665648
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
665648
 		offsetof(struct seccomp_data, nr)),
665648
-	SC_DENY(open, EACCES),
Jakub Jelen bc083e
-	SC_DENY(stat, EACCES),
Jakub Jelen bc083e
+	SC_DENY(openat, EACCES),
Jakub Jelen bc083e
+#ifdef __NR_open
Jakub Jelen 68fa4f
+	SC_DENY(open, EACCES), /* not on AArch64 */
Jakub Jelen bc083e
+#endif
Jakub Jelen bc083e
+#ifdef __NR_fstat
Jakub Jelen 68fa4f
+	SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
Jakub Jelen bc083e
+#endif
Jakub Jelen bc083e
+#if defined(__NR_stat64) && defined(__NR_fstat64)
Jakub Jelen 68fa4f
+	SC_DENY(stat64, EACCES), /* ix86, arm */
Jakub Jelen bc083e
+	SC_DENY(fstat64, EACCES),
Jakub Jelen bc083e
+#endif
Jakub Jelen bc083e
+#ifdef __NR_newfstatat
Jakub Jelen 68fa4f
+	SC_DENY(newfstatat, EACCES), /* Aarch64 */
665648
+#endif
665648
 	SC_ALLOW(getpid),
665648
 	SC_ALLOW(gettimeofday),
665648
 	SC_ALLOW(clock_gettime),
Jakub Jelen bc083e
@@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = {
665648
 	SC_ALLOW(shutdown),
665648
 #endif
665648
 	SC_ALLOW(brk),
Jakub Jelen 68fa4f
+#ifdef __NR_poll /* not on AArch64 */
665648
 	SC_ALLOW(poll),
665648
+#endif
665648
 #ifdef __NR__newselect
665648
 	SC_ALLOW(_newselect),
665648
 #else
Jakub Jelen 68fa4f
+#ifdef __NR_select /* not on AArch64 */
665648
 	SC_ALLOW(select),
665648
 #endif
Jakub Jelen 68fa4f
+#ifdef __NR_pselect6 /* AArch64 */
Jakub Jelen bc083e
+	SC_ALLOW(pselect6),
Jakub Jelen bc083e
+#endif
665648
+#endif
665648
 	SC_ALLOW(madvise),
665648
 #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
665648
 	SC_ALLOW(mmap2),