openssh/openssh-7.6p1-seccomp_geteuid.patch


2017-11-06 15:50:53 +01:00
# HG changeset patch
# Parent 85f3cd6c8291c7feb0c1e7a0a3645c130532d206
Add the 'geteuid' syscall to the allowed list, since it may be called on the
mainframes when OpenSSL is using hardware crypto accelerator via libica
(via ibmica)
bsc#1004258
diff --git a/openssh-7.6p1/sandbox-seccomp-filter.c b/openssh-7.6p1/sandbox-seccomp-filter.c
--- a/openssh-7.6p1/sandbox-seccomp-filter.c
+++ b/openssh-7.6p1/sandbox-seccomp-filter.c
@@ -161,16 +161,22 @@ static const struct sock_filter preauth_
SC_ALLOW(__NR_close),
#endif
#ifdef __NR_exit
SC_ALLOW(__NR_exit),
#endif
#ifdef __NR_exit_group
SC_ALLOW(__NR_exit_group),
#endif
+#ifdef __NR_geteuid
+ SC_ALLOW(__NR_geteuid),
+#endif
+#ifdef __NR_geteuid32
+ SC_ALLOW(__NR_geteuid32),
+#endif
#ifdef __NR_getpgid
SC_ALLOW(__NR_getpgid),
#endif
#ifdef __NR_getpid
SC_ALLOW(__NR_getpid),
#endif
#ifdef __NR_getrandom
SC_ALLOW(__NR_getrandom),
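Review bot: The new `__NR_geteuid` / `__NR_geteuid32` entries are allowed in the pre-auth filter on every architecture, while the description says the call is only needed on mainframes when OpenSSL uses libica. geteuid takes no arguments and only returns the caller's effective UID, so the added exposure is small, but the allowlist would stay tighter with `#if defined(__NR_geteuid) && defined(__s390__)` (and the same for the 32-bit variant), assuming no other platform needs it. Either way the entries should carry a comment giving the reason, e.g. `/* geteuid: called by libica (ibmica engine) for hardware crypto, bsc#1004258 */`, so the exception can be re-evaluated when the sandbox is audited. The filter array starts and ends outside this hunk, so whether other calls on the same library path are already covered cannot be checked from here.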