vishalmishra434 / rpms / openssh

Forked from rpms/openssh 3 months ago
Clone
Blob Blame History Raw
diff --git a/configure.ac b/configure.ac
index 4065d0e..d59ad44 100644
--- a/configure.ac
+++ b/configure.ac
@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	i*86-*)
 		seccomp_audit_arch=AUDIT_ARCH_I386
 		;;
-        arm*-*)
+	aarch64*-*)
+		seccomp_audit_arch=AUDIT_ARCH_AARCH64
+		;;
+	arm*-*)
 		seccomp_audit_arch=AUDIT_ARCH_ARM
-                ;;
+		;;
 	esac
 	if test "x$seccomp_audit_arch" != "x" ; then
 		AC_MSG_RESULT(["$seccomp_audit_arch"])
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 095b04a..52f6810 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -43,6 +43,7 @@
 #include <sys/resource.h>
 #include <sys/prctl.h>
 
+#include <linux/net.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
 #include <linux/seccomp.h>
@@ -80,6 +81,17 @@
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+	/* load first syscall argument */ \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
+	/* reload syscall number; all rules expect it in accumulator */ \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+		offsetof(struct seccomp_data, nr))
+
 /* Syscall filtering set for preauth. */
 static const struct sock_filter preauth_insns[] = {
 	/* Ensure the syscall arch convention is as expected. */
@@ -90,8 +90,23 @@ static const struct sock_filter preauth_insns[] = {
 	/* Load the syscall number for checking. */
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 		offsetof(struct seccomp_data, nr)),
-	SC_DENY(open, EACCES),
+#ifdef __NR_stat
 	SC_DENY(stat, EACCES),
+#endif
+	SC_DENY(openat, EACCES),
+#ifdef __NR_open
+	SC_DENY(open, EACCES), /* not on AArch64 */
+#endif
+#ifdef __NR_fstat
+	SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
+#endif
+#if defined(__NR_stat64) && defined(__NR_fstat64)
+	SC_DENY(stat64, EACCES), /* ix86, arm */
+	SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_newfstatat
+	SC_DENY(newfstatat, EACCES), /* Aarch64 */
+#endif
 	SC_ALLOW(getpid),
 	SC_ALLOW(gettimeofday),
 	SC_ALLOW(clock_gettime),
@@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW(shutdown),
 #endif
 	SC_ALLOW(brk),
+#ifdef __NR_poll /* not on AArch64 */
 	SC_ALLOW(poll),
+#endif
 #ifdef __NR__newselect
 	SC_ALLOW(_newselect),
 #else
+#ifdef __NR_select /* not on AArch64 */
 	SC_ALLOW(select),
 #endif
+#ifdef __NR_pselect6 /* AArch64 */
+	SC_ALLOW(pselect6),
+#endif
+#endif
 	SC_ALLOW(madvise),
 #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
 	SC_ALLOW(mmap2),
@@ -154,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
 #else
 	SC_ALLOW(sigprocmask),
 #endif
+#ifdef __NR_socketcall
+	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
 };