forked from pool/vsftpd
vsftpd/vsftpd-allow-dev-log-socket.patch

31 lines
1.1 KiB

From: mvyskocil@suse.com
Subject: enable /dev/log related socket call
Linux-PAM tries to open /dev/log, but as socket is not enabled in the seccomp
sandbox, the daemon is killed by SIGSYS. Because the attempt is made by a process
with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
pam. Anyway I would say the risk is small, and other socket syscalls are disabled.
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -353,6 +353,15 @@ seccomp_sandbox_setup_prelogin(const str
{
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
}
+
+ //this is very probably an attempt to open /dev/log
+ //it fails because process cannot open any file, so it might be safe
+ //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
+ allow_nr_3_arg_match(__NR_socket,
+ 1, PF_FILE,
+ 2, SOCK_DGRAM | SOCK_CLOEXEC,
+ 3, 0);
+
}
void
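Review bot: The new allow_nr_3_arg_match(__NR_socket, ...) rule in seccomp_sandbox_setup_prelogin allows the call outright, while the comments above it rest the safety argument on the call failing with EMFILE ("it might be safe"). The filter then enforces nothing for this socket type and depends entirely on the fd limit mentioned in the commit message; if that limit is ever relaxed, the pre-login process can create a Unix datagram socket. Since the caller already copes with the -1 EMFILE result shown in the comment, consider having the filter fail this exact call with an errno instead of allowing it, or at least name the RLIMIT_NOFILE dependency explicitly in the comment rather than "very probably". The exact match on SOCK_DGRAM | SOCK_CLOEXEC with protocol 0 is suitably narrow and should stay that way. Minor: PF_FILE is a legacy alias, and PF_UNIX would read more clearly.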