diff --git a/openssh-whitelist-syscalls.patch b/openssh-whitelist-syscalls.patch
index edc4183..d612867 100644
--- a/openssh-whitelist-syscalls.patch
+++ b/openssh-whitelist-syscalls.patch
@@ -1,8 +1,16 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 797a14b..02698cc 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
-@@ -204,6 +204,9 @@ static const struct sock_filter preauth_insns[] = {
+@@ -195,6 +195,9 @@
+ #ifdef __NR_close
+ SC_ALLOW(__NR_close),
+ #endif
++#ifdef __NR_close_range
++ SC_ALLOW(__NR_close_range),
++#endif
+ #ifdef __NR_exit
+ SC_ALLOW(__NR_exit),
+ #endif
+@@ -204,6 +207,9 @@
 #ifdef __NR_futex
 SC_ALLOW(__NR_futex),
 #endif
@@ -12,7 +20,7 @@ index 797a14b..02698cc 100644
 #ifdef __NR_geteuid
 SC_ALLOW(__NR_geteuid),
 #endif
-@@ -282,6 +285,9 @@ static const struct sock_filter preauth_insns[] = {
+@@ -282,6 +288,9 @@
 #ifdef __NR_pselect6
 SC_ALLOW(__NR_pselect6),
 #endif
diff --git a/openssh.changes b/openssh.changes
index 56c8b87..6581c76 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jul 19 14:51:08 UTC 2021 - Cristian Rodríguez
+
+- The linux kernel has close_range(2) syscall which current glibc
+ uses to implement closefrom(3) which will be then used by openssh.
+ whitelist the new system call so closefrom does not fail or
+ fallback to iterating proc/self/fd (openssh-whitelist-syscalls.patch)
+
 -------------------------------------------------------------------
 Wed Jun 23 18:32:20 UTC 2021 - Hans Petter Jansson
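Review bot: The added `SC_ALLOW(__NR_close_range)` in the `@@ -195,6 +195,9 @@` hunk of sandbox-seccomp-filter.c admits the syscall with any arguments, flags included, and nothing next to the rule records why that is acceptable inside the pre-auth filter. Because `__NR_close` is already allowed unconditionally just above it, the new rule appears to grant little beyond closing descriptors the process already holds, but that reasoning belongs beside the rule, e.g. `/* close_range(2): used by glibc closefrom(3); closes fds only, close(2) is already allowed */`. The `#ifdef __NR_close_range` guard also means the rule is silently left out when the package is built against kernel headers that lack the define, so the filter could end up narrower than the runtime glibc expects; it would be worth stating the minimum header version this patch assumes. The filter array these lines belong to starts and ends outside the hunk.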