forked from pool/openssh
9fb40d132b
- curve25519 key exchange fix (-curve25519-6.6.1p1.patch)
- patch re-ordering (-audit3-key_auth_usage-fips.patch,
-audit4-kex_results-fips.patch)
OBS-URL: https://build.opensuse.org/request/show/231427
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=80
30 lines
1000 B
Diff
30 lines
1000 B
Diff
# HG changeset patch
|
|
# Parent bde6f1a808f345e141a976ebc3e37903c81a09cb
|
|
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
|
|
from being killed by the seccomp filter
|
|
|
|
diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c
|
|
--- a/openssh-6.6p1/sandbox-seccomp-filter.c
|
|
+++ b/openssh-6.6p1/sandbox-seccomp-filter.c
|
|
@@ -85,16 +85,20 @@ static const struct sock_filter preauth_
|
|
offsetof(struct seccomp_data, arch)),
|
|
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
|
|
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
|
|
/* Load the syscall number for checking. */
|
|
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
|
|
offsetof(struct seccomp_data, nr)),
|
|
SC_DENY(open, EACCES),
|
|
SC_ALLOW(getpid),
|
|
+ SC_ALLOW(getuid),
|
|
+#ifdef __NR_getuid32
|
|
+ SC_ALLOW(getuid32),
|
|
+#endif
|
|
SC_ALLOW(gettimeofday),
|
|
SC_ALLOW(clock_gettime),
|
|
#ifdef __NR_time /* not defined on EABI ARM */
|
|
SC_ALLOW(time),
|
|
#endif
|
|
SC_ALLOW(read),
|
|
SC_ALLOW(write),
|
|
SC_ALLOW(close),
|