Accepting request 156829 from network

PLEASE COPY TO 12.3! - add vsftpd-allow-dev-log-socket.patch (bnc#786024) * whitelist /dev/log related socket syscall OBS-URL: https://build.opensuse.org/request/show/156829 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=37
2013-03-01 08:06:02 +00:00 · 2013-03-01 08:06:02 +00:00 · 1265a2b4ae
commit 1265a2b4ae
parent 0a4005396e 861f8bae8f
3 changed files with 39 additions and 1 deletions
--- a/vsftpd-allow-dev-log-socket.patch
+++ b/vsftpd-allow-dev-log-socket.patch
@ -0,0 +1,30 @@
+From: mvyskocil@suse.com
+Subject: enable /dev/log related socket call
+
+Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
+sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
+with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
+pam. Anyway I would say the risc is small, and other socket syscalls are disabled.
+
+Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
+
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
+@@ -353,6 +353,15 @@ seccomp_sandbox_setup_prelogin(const str
+   {
+     allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+   }
+
+  //this is very probably an attempt to open /dev/log
+  //it fails because process cannot open any file, so it might be safe
+  //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
+  allow_nr_3_arg_match(__NR_socket,
+                       1, PF_FILE,
+                       2, SOCK_DGRAM | SOCK_CLOEXEC,
+                       3, 0);
+
+ }
+ 
+ void
--- a/vsftpd.changes
+++ b/vsftpd.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Feb 28 13:30:07 UTC 2013 - mvyskocil@suse.com
+
+- add vsftpd-allow-dev-log-socket.patch (bnc#786024)
+  * whitelist /dev/log related socket syscall
+
 -------------------------------------------------------------------
 Tue Nov 20 17:19:03 CET 2012 - sbrabec@suse.cz

--- a/vsftpd.spec
+++ b/vsftpd.spec
@ -1,7 +1,7 @@
 #
 # spec file for package vsftpd
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -54,6 +54,7 @@ Patch8:         vsftpd-2.0.5-utf8-log-names.patch
 Patch9:         vsftpd-2.3.5-conf.patch
 Patch10:        vsftpd-3.0.0_gnu_source_defines.patch
 Patch11:        vsftpd-3.0.0-optional-seccomp.patch
+Patch12:        vsftpd-allow-dev-log-socket.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Provides:       ftp-server
 PreReq:         %insserv_prereq /usr/sbin/useradd
@ -84,6 +85,7 @@ tests.
 %patch9
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1

 %build
 %define seccomp_opts %{nil}