diff --git a/openssh-6.7p1-seccomp-aarch64.patch b/openssh-6.7p1-seccomp-aarch64.patch
index 9f0cf30..60d88c8 100644
--- a/openssh-6.7p1-seccomp-aarch64.patch
+++ b/openssh-6.7p1-seccomp-aarch64.patch
@@ -21,6 +21,32 @@ diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
 index 095b04a..52f6810 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
+@@ -43,6 +43,7 @@
+ #include
+ #include
+
++#include
+ #include
+ #include
+ #include
+@@ -80,6 +81,17 @@
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
++#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
++ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
++ /* load first syscall argument */ \
++ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
++ offsetof(struct seccomp_data, args[(_arg_nr)])), \
++ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
++ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
++ /* reload syscall number; all rules expect it in accumulator */ \
++ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
++ offsetof(struct seccomp_data, nr))
++
+ /* Syscall filtering set for preauth. */
+ static const struct sock_filter preauth_insns[] = {
+ /* Ensure the syscall arch convention is as expected. */
 @@ -90,8 +90,23 @@ static const struct sock_filter preauth_insns[] = {
 /* Load the syscall number for checking. */
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
@@ -66,3 +92,13 @@ index 095b04a..52f6810 100644
 SC_ALLOW(madvise),
 #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
 SC_ALLOW(mmap2),
+@@ -154,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
+ #else
+ SC_ALLOW(sigprocmask),
+ #endif
++#ifdef __NR_socketcall
++ SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
++#endif
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
+ };
+