vsftpd/vsftpd-allow-dev-log-socket.patch

From: mvyskocil@suse.com
Subject: enable /dev/log related socket call

Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
pam. Anyway I would say the risc is small, and other socket syscalls are disabled.

Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024

Index: vsftpd-3.0.5/seccompsandbox.c
===================================================================
--- vsftpd-3.0.5.orig/seccompsandbox.c	2022-02-02 11:03:38.133860169 +0100
+++ vsftpd-3.0.5/seccompsandbox.c	2022-02-02 11:03:38.177859528 +0100
@@ -366,6 +366,15 @@ seccomp_sandbox_init()
   {
     bug("bad state in seccomp_sandbox_init");
   }
+
+  //this is very probably an attempt to open /dev/log
+  //it fails because process cannot open any file, so it might be safe
+  //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
+  allow_nr_3_arg_match(__NR_socket,
+                       1, PF_FILE,
+                       2, SOCK_DGRAM | SOCK_CLOEXEC,
+                       3, 0);
+
 }
 
 void
Import missing patches from SLE-12-SP4. OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=156 2022-02-02 11:24:40 +01:00			`From: mvyskocil@suse.com`
			`Subject: enable /dev/log related socket call`

			`Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp`
			`sandbox, daemon is killed by SIGSYS. Because the attempt is made by process`
			`with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in`
			`pam. Anyway I would say the risc is small, and other socket syscalls are disabled.`

			`Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024`

			`Index: vsftpd-3.0.5/seccompsandbox.c`
			`===================================================================`
			`--- vsftpd-3.0.5.orig/seccompsandbox.c 2022-02-02 11:03:38.133860169 +0100`
			`+++ vsftpd-3.0.5/seccompsandbox.c 2022-02-02 11:03:38.177859528 +0100`
			`@@ -366,6 +366,15 @@ seccomp_sandbox_init()`
			`{`
			`bug("bad state in seccomp_sandbox_init");`
			`}`
			`+`
			`+ //this is very probably an attempt to open /dev/log`
			`+ //it fails because process cannot open any file, so it might be safe`
			`+ //socket(PF_FILE, SOCK_DGRAM\|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)`
			`+ allow_nr_3_arg_match(__NR_socket,`
			`+ 1, PF_FILE,`
			`+ 2, SOCK_DGRAM \| SOCK_CLOEXEC,`
			`+ 3, 0);`
			`+`
			`}`

			`void`