From b71bd2f41bc6f7125de817e7bc4ef9b72ccab93e12a4edcee3c6957edec45480 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Tue, 18 Feb 2020 15:10:09 +0000 Subject: [PATCH] Accepting request 775237 from home:favogt:branches:network - Add patches to fix the sandbox blocking glibc on 32bit platforms (boo#1164061): * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch * openssh-8.1p1-seccomp-clock_gettime64.patch OBS-URL: https://build.opensuse.org/request/show/775237 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=203 --- openssh-8.1p1-seccomp-clock_gettime64.patch | 25 +++++++++++++++++++ ...8.1p1-seccomp-clock_nanosleep_time64.patch | 24 ++++++++++++++++++ openssh-askpass-gnome.spec | 2 +- openssh.changes | 8 ++++++ openssh.spec | 4 ++- 5 files changed, 61 insertions(+), 2 deletions(-) create mode 100644 openssh-8.1p1-seccomp-clock_gettime64.patch create mode 100644 openssh-8.1p1-seccomp-clock_nanosleep_time64.patch diff --git a/openssh-8.1p1-seccomp-clock_gettime64.patch b/openssh-8.1p1-seccomp-clock_gettime64.patch new file mode 100644 index 0000000..d809ca0 --- /dev/null +++ b/openssh-8.1p1-seccomp-clock_gettime64.patch @@ -0,0 +1,25 @@ +From b110cefdfbf5a20f49b774a55062d6ded2fb6e22 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Tue, 7 Jan 2020 16:26:45 -0800 +Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox. + +This helps sshd accept connections on mips platforms with +upcoming glibc ( 2.31 ) +--- + sandbox-seccomp-filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 3ef30c9d5..999c46c9f 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_clock_nanosleep_time64 + SC_ALLOW(__NR_clock_nanosleep_time64), + #endif ++#ifdef __NR_clock_gettime64 ++ SC_ALLOW(__NR_clock_gettime64), ++#endif + #ifdef __NR__newselect + SC_ALLOW(__NR__newselect), + #endif diff --git a/openssh-8.1p1-seccomp-clock_nanosleep_time64.patch b/openssh-8.1p1-seccomp-clock_nanosleep_time64.patch new file mode 100644 index 0000000..558883b --- /dev/null +++ b/openssh-8.1p1-seccomp-clock_nanosleep_time64.patch @@ -0,0 +1,24 @@ +From 5af6fd5461bb709304e6979c8b7856c7af921c9e Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Mon, 16 Dec 2019 13:55:56 +1100 +Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox. + +Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com. +--- + sandbox-seccomp-filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: openssh-8.1p1/sandbox-seccomp-filter.c +=================================================================== +--- openssh-8.1p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.1p1/sandbox-seccomp-filter.c +@@ -251,6 +251,9 @@ static const struct sock_filter preauth_ + #ifdef __NR_clock_nanosleep + SC_ALLOW(__NR_clock_nanosleep), + #endif ++#ifdef __NR_clock_nanosleep_time64 ++ SC_ALLOW(__NR_clock_nanosleep_time64), ++#endif + #ifdef __NR__newselect + SC_ALLOW(__NR__newselect), + #endif diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 454461a..1f5bfd3 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -1,7 +1,7 @@ # # spec file for package openssh-askpass-gnome # -# Copyright (c) 2019 SUSE LLC. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed diff --git a/openssh.changes b/openssh.changes index c81379b..84b909c 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Feb 18 14:47:36 UTC 2020 - Fabian Vogt + +- Add patches to fix the sandbox blocking glibc on 32bit platforms + (boo#1164061): + * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch + * openssh-8.1p1-seccomp-clock_gettime64.patch + ------------------------------------------------------------------- Fri Nov 8 18:05:37 UTC 2019 - Cristian Rodríguez diff --git a/openssh.spec b/openssh.spec index ddb8352..7bc3af3 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,7 +1,7 @@ # # spec file for package openssh # -# Copyright (c) 2019 SUSE LLC. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -100,6 +100,8 @@ Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch Patch34: openssh-7.9p1-keygen-preserve-perms.patch Patch35: openssh-7.9p1-revert-new-qos-defaults.patch Patch36: openssh-8.1p1-seccomp-clock_nanosleep.patch +Patch37: openssh-8.1p1-seccomp-clock_nanosleep_time64.patch +Patch38: openssh-8.1p1-seccomp-clock_gettime64.patch BuildRequires: audit-devel BuildRequires: autoconf BuildRequires: groff