vsftpd/seccomp-fixes.patch

Index: vsftpd-3.0.3/seccompsandbox.c
===================================================================
--- vsftpd-3.0.3.orig/seccompsandbox.c
+++ vsftpd-3.0.3/seccompsandbox.c
@@ -18,6 +18,7 @@
 #include "utility.h"
 
 #include <errno.h>
+#include <stdio.h>
 
 #include <netinet/in.h>
 #include <netinet/tcp.h>
@@ -60,6 +61,7 @@
 
 #define kMaxSyscalls 100
 
+//#define DEBUG_SIGSYS
 #ifdef DEBUG_SIGSYS
 
 #include <signal.h>
@@ -68,7 +70,10 @@
 void
 handle_sigsys(int sig)
 {
-  (void) sig;
+  char str[21];
+  snprintf(str, 21, "Rejected syscall %d", sig);
+
+  die(str);
 }
 #endif
 
@@ -443,6 +448,7 @@ seccomp_sandbox_setup_postlogin(const st
   allow_nr(__NR_getcwd);
   allow_nr(__NR_chdir);
   allow_nr(__NR_getdents);
+  allow_nr(__NR_getdents64);
   /* Misc */
   allow_nr(__NR_umask);
 
@@ -579,8 +585,8 @@ seccomp_sandbox_lockdown()
   p_filter->code = BPF_LD+BPF_W+BPF_ABS;
   p_filter->jt = 0;
   p_filter->jf = 0;
-  /* Offset 4 for syscall architecture. */
-  p_filter->k = 4;
+  /* Offset 5 for syscall architecture. */
+  p_filter->k = 5;
   p_filter++;
   p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
   p_filter->jt = 1;
Accepting request 856827 from home:namtrac:branches:network Copied from SLE counterpart. - Add seccomp-fixes.patch to allow getdents64 syscall in seccomp sandbox, fixes bsc#1179553 Also in the same patch, fix the architecture offset from 4 to 5, this change was documented in https://lore.kernel.org/patchwork/patch/554803/ OBS-URL: https://build.opensuse.org/request/show/856827 OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=147 2021-01-16 15:15:09 +00:00			`Index: vsftpd-3.0.3/seccompsandbox.c`
			`===================================================================`
			`--- vsftpd-3.0.3.orig/seccompsandbox.c`
			`+++ vsftpd-3.0.3/seccompsandbox.c`
			`@@ -18,6 +18,7 @@`
			`#include "utility.h"`

			`#include <errno.h>`
			`+#include <stdio.h>`

			`#include <netinet/in.h>`
			`#include <netinet/tcp.h>`
			`@@ -60,6 +61,7 @@`

			`#define kMaxSyscalls 100`

			`+//#define DEBUG_SIGSYS`
			`#ifdef DEBUG_SIGSYS`

			`#include <signal.h>`
			`@@ -68,7 +70,10 @@`
			`void`
			`handle_sigsys(int sig)`
			`{`
			`- (void) sig;`
			`+ char str[21];`
			`+ snprintf(str, 21, "Rejected syscall %d", sig);`
			`+`
			`+ die(str);`
			`}`
			`#endif`

			`@@ -443,6 +448,7 @@ seccomp_sandbox_setup_postlogin(const st`
			`allow_nr(__NR_getcwd);`
			`allow_nr(__NR_chdir);`
			`allow_nr(__NR_getdents);`
			`+ allow_nr(__NR_getdents64);`
			`/* Misc */`
			`allow_nr(__NR_umask);`

			`@@ -579,8 +585,8 @@ seccomp_sandbox_lockdown()`
			`p_filter->code = BPF_LD+BPF_W+BPF_ABS;`
			`p_filter->jt = 0;`
			`p_filter->jf = 0;`
			`- /* Offset 4 for syscall architecture. */`
			`- p_filter->k = 4;`
			`+ /* Offset 5 for syscall architecture. */`
			`+ p_filter->k = 5;`
			`p_filter++;`
			`p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;`
			`p_filter->jt = 1;`