rpms / file

Clone
Source Code
GIT

Blame SOURCES/file-5.33-seccomp.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   d7e7c0338660090458308943258de7fe3006535e
  2.   SOURCES
  3.   file-5.33-seccomp.patch
Blob History Raw
fd8bad 
From 4ae8a24b5ccbee904875a10b7b2301369080a88d Mon Sep 17 00:00:00 2001
fd8bad 
From: Christos Zoulas <christos@zoulas.com>
fd8bad 
Date: Sun, 6 May 2018 16:36:41 +0000
fd8bad 
Subject: [PATCH] add more syscalls; newfstatat is used for stat'ing the magic
fd8bad 
 file, getdents64 is used for getting the magic entries during compilation.
fd8bad
fd8bad 
Upstream-commit: aeddbff330fad0edff2ab4b02dbf0863cd593c3c
fd8bad 
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
fd8bad 
---
fd8bad 
 src/seccomp.c | 15 ++++++++-------
fd8bad 
 1 file changed, 8 insertions(+), 7 deletions(-)
fd8bad
fd8bad 
diff --git a/src/seccomp.c b/src/seccomp.c
fd8bad 
index 7c8a3144..481a5624 100644
fd8bad 
--- a/src/seccomp.c
fd8bad 
+++ b/src/seccomp.c
fd8bad 
@@ -59,12 +59,7 @@ enable_sandbox_basic(void)
fd8bad 
 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
fd8bad 
 		return -1;
fd8bad
fd8bad 
-#if 0
fd8bad 
-	// prevent escape via ptrace
fd8bad 
-	prctl(PR_SET_DUMPABLE, 0);
fd8bad 
-#endif
fd8bad 
-
fd8bad 
-	if (prctl (PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
fd8bad 
+	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
fd8bad 
 		return -1;
fd8bad
fd8bad 
 	// initialize the filter
fd8bad 
@@ -171,6 +166,9 @@ enable_sandbox_full(void)
fd8bad 
 	ALLOW_RULE(fcntl);
fd8bad 
 	ALLOW_RULE(fstat);
fd8bad 
 	ALLOW_RULE(getdents);
fd8bad 
+#ifdef __NR_getdents64
fd8bad 
+	ALLOW_RULE(getdents64);
fd8bad 
+#endif
fd8bad 
 	ALLOW_RULE(ioctl);
fd8bad 
 	ALLOW_RULE(lseek);
fd8bad 
 	ALLOW_RULE(lstat);
fd8bad 
@@ -178,6 +176,9 @@ enable_sandbox_full(void)
fd8bad 
 	ALLOW_RULE(mprotect);
fd8bad 
 	ALLOW_RULE(mremap);
fd8bad 
 	ALLOW_RULE(munmap);
fd8bad 
+#ifdef __NR_newfstatat
fd8bad 
+	ALLOW_RULE(newfstatat);
fd8bad 
+#endif
fd8bad 
 	ALLOW_RULE(open);
fd8bad 
 	ALLOW_RULE(openat);
fd8bad 
 	ALLOW_RULE(pread64);
fd8bad 
--
fd8bad 
2.17.0
fd8bad

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation