45 lines
1.3 KiB
Diff
45 lines
1.3 KiB
Diff
|
From: Michal Vyskocil <mvyskocil@suse.cz>
|
||
|
|
Subject: Enable fcntl F_SETFL
|
||
|
|
|
||
|
|
The fcntl with F_SETFL is called from various parts of a vsftpd code, thus add
|
||
|
|
it unconditionally to seccomp sandbox. I've failed to limit it more, however
|
||
|
|
most arguments of F_SETFL are ignored on Linux and the remaining set seems to be
|
||
|
|
safe.
|
||
|
|
|
||
|
|
fixes: bnc#786024
|
||
|
|
|
||
|
|
---
|
||
|
|
seccompsandbox.c | 22 ++++++++++++++++++++++
|
||
|
|
5 files changed, 45 insertions(+), 6 deletions(-)
|
||
|
|
|
||
|
|
Index: vsftpd-3.0.2/seccompsandbox.c
|
||
|
|
===================================================================
|
||
|
|
--- vsftpd-3.0.2.orig/seccompsandbox.c
|
||
|
|
+++ vsftpd-3.0.2/seccompsandbox.c
|
||
|
|
@@ -306,6 +306,25 @@ seccomp_sandbox_setup_base()
|
||
|
|
|
||
|
|
/* Always need to be able to exit ! */
|
||
|
|
allow_nr(__NR_exit_group);
|
||
|
|
+
|
||
|
|
+ /*
|
||
|
|
+ * MV: this is needed for
|
||
|
|
+ * vsf_sysutil_activate_noblock
|
||
|
|
+ * vsf_sysutil_deactivate_noblock
|
||
|
|
+ *
|
||
|
|
+ * both called from various places (like all those die, bug in utilities),
|
||
|
|
+ * so lets enable it by default
|
||
|
|
+ */
|
||
|
|
+ allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
|
||
|
|
+ allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL);
|
||
|
|
+
|
||
|
|
+ /*
|
||
|
|
+ * MV: this form have newer worked, neither with O_RDWR, O_RDWR|O_NONBLOCK
|
||
|
|
+ * however fcntl(2) says that most of arguments to fcntl are ignored on Linux
|
||
|
|
+ * thus this might be safe to do
|
||
|
|
+ */
|
||
|
|
+ //allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);
|
||
|
|
+
|
||
|
|
}
|
||
|
|
|
||
|
|
void
|