vsftpd/vsftpd-enable-fcntl-f_setfl.patch

From: Michal Vyskocil <mvyskocil@suse.cz>
Subject: Enable fcntl F_SETFL

The fcntl with F_SETFL is called from various parts of a vsftpd code, thus add
it unconditionally to seccomp sandbox. I've failed to limit it more, however
most arguments of F_SETFL are ignored on Linux and the remaining set seems to be
safe.

fixes: bnc#786024

---
 seccompsandbox.c |   22 ++++++++++++++++++++++
 5 files changed, 45 insertions(+), 6 deletions(-)

Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -306,6 +306,25 @@ seccomp_sandbox_setup_base()
 
   /* Always need to be able to exit ! */
   allow_nr(__NR_exit_group);
+
+  /* 
+   * MV: this is needed for
+   * vsf_sysutil_activate_noblock
+   * vsf_sysutil_deactivate_noblock
+   * 
+   * both called from various places (like all those die, bug in utilities),
+   * so lets enable it by default
+   */
+  allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
+  allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL);
+
+  /*
+   * MV: this form have newer worked, neither with O_RDWR, O_RDWR|O_NONBLOCK
+   * however fcntl(2) says that most of arguments to fcntl are ignored on Linux
+   * thus this might be safe to do
+   */
+  //allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);
+
 }
 
 void
Accepting request 162590 from home:mvyskocil:branches:network - add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1) * this enabled a sendto on /dev/log socket when syslog is enabled - provide more verbose explanation about isolate_network and seccomp_sanbox in config file template - don't install init file on openSUSE 13.1+ - drop a build support for SL 10 and older - add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38) * drop CLONE_NEWPID from clone to enable audit system - add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406) * unconditionally enable F_SETFL patch - might be safe to do OBS-URL: https://build.opensuse.org/request/show/162590 OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=55 2013-04-04 12:09:44 +02:00			`From: Michal Vyskocil <mvyskocil@suse.cz>`
			`Subject: Enable fcntl F_SETFL`

			`The fcntl with F_SETFL is called from various parts of a vsftpd code, thus add`
			`it unconditionally to seccomp sandbox. I've failed to limit it more, however`
			`most arguments of F_SETFL are ignored on Linux and the remaining set seems to be`
			`safe.`

			`fixes: bnc#786024`

			`---`
			`seccompsandbox.c \| 22 ++++++++++++++++++++++`
			`5 files changed, 45 insertions(+), 6 deletions(-)`

			`Index: vsftpd-3.0.2/seccompsandbox.c`
			`===================================================================`
			`--- vsftpd-3.0.2.orig/seccompsandbox.c`
			`+++ vsftpd-3.0.2/seccompsandbox.c`
			`@@ -306,6 +306,25 @@ seccomp_sandbox_setup_base()`

			`/* Always need to be able to exit ! */`
			`allow_nr(__NR_exit_group);`
			`+`
			`+ /*`
			`+ * MV: this is needed for`
			`+ * vsf_sysutil_activate_noblock`
			`+ * vsf_sysutil_deactivate_noblock`
			`+ *`
			`+ * both called from various places (like all those die, bug in utilities),`
			`+ * so lets enable it by default`
			`+ */`
			`+ allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);`
			`+ allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL);`
			`+`
			`+ /*`
			`+ * MV: this form have newer worked, neither with O_RDWR, O_RDWR\|O_NONBLOCK`
			`+ * however fcntl(2) says that most of arguments to fcntl are ignored on Linux`
			`+ * thus this might be safe to do`
			`+ */`
			`+ //allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);`
			`+`
			`}`

			`void`