From 76f90815e2951c3c973d3f0f23c41ae414143aa6be2bc06c65a82a6d87738b84 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Wed, 21 Jul 2021 11:52:05 +0000 Subject: [PATCH] Accepting request 907161 from home:elvigia:branches:network - The linux kernel has close_range(2) syscall which current glibc uses to implement closefrom(3) which will be then used by openssh. whitelist the new system call so closefrom does not fail or fallback to iterating proc/self/fd (openssh-whitelist-syscalls.patch) OBS-URL: https://build.opensuse.org/request/show/907161 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=233 --- openssh-whitelist-syscalls.patch | 16 ++++++++++++---- openssh.changes | 8 ++++++++ 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/openssh-whitelist-syscalls.patch b/openssh-whitelist-syscalls.patch index edc4183..d612867 100644 --- a/openssh-whitelist-syscalls.patch +++ b/openssh-whitelist-syscalls.patch @@ -1,8 +1,16 @@ -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index 797a14b..02698cc 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c -@@ -204,6 +204,9 @@ static const struct sock_filter preauth_insns[] = { +@@ -195,6 +195,9 @@ + #ifdef __NR_close + SC_ALLOW(__NR_close), + #endif ++#ifdef __NR_close_range ++ SC_ALLOW(__NR_close_range), ++#endif + #ifdef __NR_exit + SC_ALLOW(__NR_exit), + #endif +@@ -204,6 +207,9 @@ #ifdef __NR_futex SC_ALLOW(__NR_futex), #endif @@ -12,7 +20,7 @@ index 797a14b..02698cc 100644 #ifdef __NR_geteuid SC_ALLOW(__NR_geteuid), #endif -@@ -282,6 +285,9 @@ static const struct sock_filter preauth_insns[] = { +@@ -282,6 +288,9 @@ #ifdef __NR_pselect6 SC_ALLOW(__NR_pselect6), #endif diff --git a/openssh.changes b/openssh.changes index 56c8b87..6581c76 100644 --- a/openssh.changes +++ b/openssh.changes 
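Review bot: The new inner hunk at `@@ -195,6 +195,9 @@` allows `close_range` for every argument value, and the patch file itself carries no line saying why; the rationale exists only in openssh.changes. `SC_ALLOW(__NR_close)` beside it is equally unconditional, so the added surface looks limited to a sandboxed process closing or unsharing its own descriptors, but that reasoning belongs where the next auditor of the filter will read it. I would put a short description above the first `---` line of the patch, for example `# close_range(2): glibc closefrom(3) uses it; without the rule closefrom fails or falls back to /proc/self/fd inside the sandbox`. The rewritten inner hunk headers also drop the `static const struct sock_filter preauth_insns[] = {` context, so the description should name the array the rules are meant for (presumably still `preauth_insns`, whose body starts and ends outside these hunks).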
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jul 19 14:51:08 UTC 2021 - Cristian Rodríguez
+
+- The linux kernel has close_range(2) syscall which current glibc
+ uses to implement closefrom(3) which will be then used by openssh.
+ whitelist the new system call so closefrom does not fail or
+ fallback to iterating proc/self/fd (openssh-whitelist-syscalls.patch)
+
 -------------------------------------------------------------------
 Wed Jun 23 18:32:20 UTC 2021 - Hans Petter Jansson