From eedbb4ea7526a57b6b4b1bcdcf1034624a5a7743041fe4cfe9528eb5545c82e7 Mon Sep 17 00:00:00 2001 From: Petr Cerny Date: Mon, 17 Feb 2014 11:31:08 +0000 Subject: [PATCH 1/4] Accepting request 222560 from home:pcerny:factory - reverting to rlimit sandbox even for newer distributions, since it seems not to work properly (bnc#864171) OBS-URL: https://build.opensuse.org/request/show/222560 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=65 --- openssh.changes | 6 ++++++ openssh.spec | 10 +++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/openssh.changes b/openssh.changes index 5c78c3a..267c4a3 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Feb 17 11:29:21 UTC 2014 - pcerny@suse.com + +- reverting to rlimit sandbox even for newer distributions, since + it seems not to work properly (bnc#864171) + ------------------------------------------------------------------- Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com diff --git a/openssh.spec b/openssh.spec index 1fdb4e0..299206a 100644 --- a/openssh.spec +++ b/openssh.spec @@ -53,11 +53,11 @@ %endif %define sandbox_seccomp 0 -%ifarch %ix86 x86_64 -%if 0%{?suse_version} > 1220 -%define sandbox_seccomp 1 -%endif -%endif +#ifarch %ix86 x86_64 +#if 0%{?suse_version} > 1220 +#define sandbox_seccomp 0 +#endif +#endif %define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d %define _fwdefdir %{_fwdir}/services From f2774839fb8a661e9f04ab4395afd14b7be14fe9cf3f6ffe5d25e29b37937bea Mon Sep 17 00:00:00 2001 From: Petr Cerny Date: Tue, 18 Feb 2014 13:04:57 +0000 Subject: [PATCH 2/4] Accepting request 222710 from home:pcerny:factory - re-enabling the seccomp sandbox (allowing use of getuid the syscall) OBS-URL: https://build.opensuse.org/request/show/222710 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=66 --- openssh-6.5p1-seccomp_getuid.patch | 26 ++++++++++++++++++++++++++ openssh.changes | 6 ++++++ openssh.spec | 12 +++++++----- 3 files changed, 39 insertions(+), 5 deletions(-) create mode 100644 openssh-6.5p1-seccomp_getuid.patch diff --git a/openssh-6.5p1-seccomp_getuid.patch b/openssh-6.5p1-seccomp_getuid.patch new file mode 100644 index 0000000..5859269 --- /dev/null +++ b/openssh-6.5p1-seccomp_getuid.patch @@ -0,0 +1,26 @@ +# HG changeset patch +# Parent d625afd0d51ac51161b25728bc2f227c098fa0fb +add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread +from being killed by the seccomp filter + +diff --git a/openssh-6.5p1/sandbox-seccomp-filter.c b/openssh-6.5p1/sandbox-seccomp-filter.c +--- a/openssh-6.5p1/sandbox-seccomp-filter.c ++++ b/openssh-6.5p1/sandbox-seccomp-filter.c +@@ -85,16 +85,17 @@ static const struct sock_filter preauth_ + offsetof(struct seccomp_data, arch)), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0), + BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), + /* Load the syscall number for checking. */ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, + offsetof(struct seccomp_data, nr)), + SC_DENY(open, EACCES), + SC_ALLOW(getpid), ++ SC_ALLOW(getuid), + SC_ALLOW(gettimeofday), + SC_ALLOW(clock_gettime), + #ifdef __NR_time /* not defined on EABI ARM */ + SC_ALLOW(time), + #endif + SC_ALLOW(read), + SC_ALLOW(write), + SC_ALLOW(close), diff --git a/openssh.changes b/openssh.changes index 267c4a3..801224a 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Feb 18 12:56:31 UTC 2014 - pcerny@suse.com + +- re-enabling the seccomp sandbox + (allowing use of getuid the syscall) + ------------------------------------------------------------------- Mon Feb 17 11:29:21 UTC 2014 - pcerny@suse.com diff --git a/openssh.spec b/openssh.spec index 299206a..a39f50e 100644 --- a/openssh.spec +++ b/openssh.spec @@ -53,11 +53,11 @@ %endif %define sandbox_seccomp 0 -#ifarch %ix86 x86_64 -#if 0%{?suse_version} > 1220 -#define sandbox_seccomp 0 -#endif -#endif +%ifarch %ix86 x86_64 +%if 0%{?suse_version} > 1220 +%define sandbox_seccomp 1 +%endif +%endif %define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d %define _fwdefdir %{_fwdir}/services @@ -142,6 +142,7 @@ Patch31: openssh-6.5p1-no_fork-no_pid_file.patch Patch32: openssh-6.5p1-host_ident.patch Patch33: openssh-6.5p1-sftp_homechroot.patch Patch34: openssh-6.5p1-sftp_force_permissions.patch +Patch35: openssh-6.5p1-seccomp_getuid.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -201,6 +202,7 @@ Helper applications for OpenSSH which retrieve keys from various sources. %patch32 -p2 %patch33 -p2 %patch34 -p2 +%patch35 -p2 cp %{SOURCE3} %{SOURCE4} . %build From 5ada588ef0351c8dbf9997713c7ab182e97b0133fd98fac242cf7f70271f6116 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Wed, 19 Feb 2014 13:22:51 +0000 Subject: [PATCH 3/4] OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=67 --- openssh-6.5p1-seccomp_getuid.patch | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssh-6.5p1-seccomp_getuid.patch b/openssh-6.5p1-seccomp_getuid.patch index 5859269..88bb8bb 100644 --- a/openssh-6.5p1-seccomp_getuid.patch +++ b/openssh-6.5p1-seccomp_getuid.patch @@ -6,7 +6,7 @@ from being killed by the seccomp filter diff --git a/openssh-6.5p1/sandbox-seccomp-filter.c b/openssh-6.5p1/sandbox-seccomp-filter.c --- a/openssh-6.5p1/sandbox-seccomp-filter.c +++ b/openssh-6.5p1/sandbox-seccomp-filter.c -@@ -85,16 +85,17 @@ static const struct sock_filter preauth_ +@@ -85,16 +85,18 @@ static const struct sock_filter preauth_ offsetof(struct seccomp_data, arch)), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0), BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), @@ -16,6 +16,7 @@ diff --git a/openssh-6.5p1/sandbox-seccomp-filter.c b/openssh-6.5p1/sandbox-secc SC_DENY(open, EACCES), SC_ALLOW(getpid), + SC_ALLOW(getuid), ++ SC_ALLOW(getuid32), SC_ALLOW(gettimeofday), SC_ALLOW(clock_gettime), #ifdef __NR_time /* not defined on EABI ARM */ From 5f397d839b2a87316868f23b4f4a80c2f53980edba53aafe4eb58637d750be7c Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Wed, 19 Feb 2014 13:30:54 +0000 Subject: [PATCH 4/4] - openssh-6.5p1-seccomp_getuid.patch: re-enabling the seccomp sandbox (allowing use of the getuid syscall) (bnc#864171) OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=68 --- openssh-6.5p1-seccomp_getuid.patch | 4 +++- openssh.changes | 10 ++-------- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/openssh-6.5p1-seccomp_getuid.patch b/openssh-6.5p1-seccomp_getuid.patch index 88bb8bb..e10209e 100644 --- a/openssh-6.5p1-seccomp_getuid.patch +++ b/openssh-6.5p1-seccomp_getuid.patch @@ -6,7 +6,7 @@ from being killed by the seccomp filter diff --git a/openssh-6.5p1/sandbox-seccomp-filter.c b/openssh-6.5p1/sandbox-seccomp-filter.c --- a/openssh-6.5p1/sandbox-seccomp-filter.c +++ b/openssh-6.5p1/sandbox-seccomp-filter.c -@@ -85,16 +85,18 @@ static const struct sock_filter preauth_ +@@ -85,16 +85,20 @@ static const struct sock_filter preauth_ offsetof(struct seccomp_data, arch)), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0), BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), @@ -16,7 +16,9 @@ diff --git a/openssh-6.5p1/sandbox-seccomp-filter.c b/openssh-6.5p1/sandbox-secc SC_DENY(open, EACCES), SC_ALLOW(getpid), + SC_ALLOW(getuid), ++#ifdef __NR_getuid32 + SC_ALLOW(getuid32), ++#endif SC_ALLOW(gettimeofday), SC_ALLOW(clock_gettime), #ifdef __NR_time /* not defined on EABI ARM */ diff --git a/openssh.changes b/openssh.changes index 801224a..18287b1 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,14 +1,8 @@ ------------------------------------------------------------------- Tue Feb 18 12:56:31 UTC 2014 - pcerny@suse.com -- re-enabling the seccomp sandbox - (allowing use of getuid the syscall) - -------------------------------------------------------------------- -Mon Feb 17 11:29:21 UTC 2014 - pcerny@suse.com - -- reverting to rlimit sandbox even for newer distributions, since - it seems not to work properly (bnc#864171) +- openssh-6.5p1-seccomp_getuid.patch: re-enabling the seccomp sandbox + (allowing use of the getuid syscall) (bnc#864171) ------------------------------------------------------------------- Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com