From 0a4ac4f4d3e3c0bb2dfbb421c384265a6bdd5c14 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Feb 11 2015 13:08:42 +0000
Subject: Enable seccomp sandboxing after resolving problems with audit patch (#1062953)
---
diff --git a/openssh-6.7p1-audit.patch b/openssh-6.7p1-audit.patch
index b5c710b..292509d 100644
--- a/openssh-6.7p1-audit.patch
+++ b/openssh-6.7p1-audit.patch
@@ -2373,3 +2373,17 @@ index 4554b09..226a494 100644
 int sshkey_is_cert(const struct sshkey *);
 int sshkey_type_is_cert(int);
 int sshkey_type_plain(int);
+
+diff -U3 openssh-6.6p1/sandbox-seccomp-filter.c openssh-6.6p1.seccomp/sandbox-seccomp-filter.c
+--- openssh-6.6p1/sandbox-seccomp-filter.c 2014-02-06 01:17:50.000000000 +0100
++++ openssh-6.6p1.seccomp/sandbox-seccomp-filter.c 2015-02-11 09:07:10.885000000 +0100
+@@ -95,6 +95,9 @@
+ #ifdef __NR_time /* not defined on EABI ARM */
+ SC_ALLOW(time),
+ #endif
++#ifdef SSH_AUDIT_EVENTS
++ SC_ALLOW(getuid),
++#endif
+ SC_ALLOW(read),
+ SC_ALLOW(write),
+ SC_ALLOW(close),
diff --git a/openssh.spec b/openssh.spec
index 9b000c3..7740c58 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -506,12 +506,7 @@ fi
 %endif
 %if %{WITH_SELINUX}
 --with-selinux --with-audit=linux \
-%if 0
-#seccomp_filter cannot be build right now
 --with-sandbox=seccomp_filter \
-%else
- --with-sandbox=rlimit \
-%endif
 %endif
 %if %{kerberos5}
 --with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
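Review bot: The added `SC_ALLOW(getuid)` entry matches only `__NR_getuid`, but on 32-bit targets such as i686 and ARM the C library normally issues `getuid32`, so there the audit code running in the sandboxed child would presumably still fall through to the filter's default action. Consider extending the block with `#ifdef __NR_getuid32` / `SC_ALLOW(getuid32),` / `#endif`, in the same way the `#ifdef __NR_time` guard just above handles a per-architecture syscall number. A one-line comment naming the audit call that needs the uid would let a later reviewer decide whether the allowance can be dropped again. The filter array starts and ends outside this hunk, so its default action and remaining entries are not visible here.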
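Review bot: `--with-sandbox=seccomp_filter \` remains inside `%if %{WITH_SELINUX}`, so the sandbox type is pinned only for SELinux-enabled builds, and with the `%else` branch removed there is no longer an `rlimit` fallback for any architecture those builds cover. If a build target lacks seccomp filter support, configure is likely to stop with an error rather than pick a weaker sandbox, so it is worth confirming the build on every supported arch or keeping an arch-conditional fallback. A spec comment such as `# seccomp_filter relies on the getuid allowance added in the audit patch` would record why the two changes in this commit belong together. The configure invocation begins before and continues after this hunk.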