Accepting request 856827 from home:namtrac:branches:network

Copied from SLE counterpart. - Add seccomp-fixes.patch to allow getdents64 syscall in seccomp sandbox, fixes bsc#1179553 Also in the same patch, fix the architecture offset from 4 to 5, this change was documented in https://lore.kernel.org/patchwork/patch/554803/ OBS-URL: https://build.opensuse.org/request/show/856827 OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=147
2021-01-16 15:15:09 +00:00 · 2021-01-16 15:15:09 +00:00 · 475ab6e41e
commit 475ab6e41e
parent 3fa65078f1
3 changed files with 62 additions and 0 deletions
--- a/seccomp-fixes.patch
+++ b/seccomp-fixes.patch
@ -0,0 +1,51 @@
+Index: vsftpd-3.0.3/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.3.orig/seccompsandbox.c
+++ vsftpd-3.0.3/seccompsandbox.c
+@@ -18,6 +18,7 @@
+ #include "utility.h"
+ 
+ #include <errno.h>
+#include <stdio.h>
+ 
+ #include <netinet/in.h>
+ #include <netinet/tcp.h>
+@@ -60,6 +61,7 @@
+ 
+ #define kMaxSyscalls 100
+ 
+//#define DEBUG_SIGSYS
+ #ifdef DEBUG_SIGSYS
+ 
+ #include <signal.h>
+@@ -68,7 +70,10 @@
+ void
+ handle_sigsys(int sig)
+ {
+-  (void) sig;
+  char str[21];
+  snprintf(str, 21, "Rejected syscall %d", sig);
+
+  die(str);
+ }
+ #endif
+ 
+@@ -443,6 +448,7 @@ seccomp_sandbox_setup_postlogin(const st
+   allow_nr(__NR_getcwd);
+   allow_nr(__NR_chdir);
+   allow_nr(__NR_getdents);
+  allow_nr(__NR_getdents64);
+   /* Misc */
+   allow_nr(__NR_umask);
+ 
+@@ -579,8 +585,8 @@ seccomp_sandbox_lockdown()
+   p_filter->code = BPF_LD+BPF_W+BPF_ABS;
+   p_filter->jt = 0;
+   p_filter->jf = 0;
+-  /* Offset 4 for syscall architecture. */
+-  p_filter->k = 4;
+  /* Offset 5 for syscall architecture. */
+  p_filter->k = 5;
+   p_filter++;
+   p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
+   p_filter->jt = 1;
--- a/vsftpd.changes
+++ b/vsftpd.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Dec  3 11:20:20 UTC 2020 - Ismail Dönmez <idonmez@suse.com>
+
+- Add seccomp-fixes.patch to allow getdents64 syscall in seccomp
+  sandbox, fixes bsc#1179553
+  Also in the same patch, fix the architecture offset from 4 to 5,
+  this change was documented in https://lore.kernel.org/patchwork/patch/554803/
+
 -------------------------------------------------------------------
 Fri Nov 13 09:49:06 AM UTC 2020 - psimons@suse.com

--- a/vsftpd.spec
+++ b/vsftpd.spec
@ -87,6 +87,8 @@ Patch32:        vsftpd-support-dsa-only-setups.patch
 Patch33:        vsftpd-avoid-bogus-ssl-write.patch
 Patch34:        0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch
 Patch35:        0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+# PATCH-FIX-UPSTREAM https://bugzilla.suse.com/show_bug.cgi?id=1179553
+Patch36:        seccomp-fixes.patch
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  pam-devel
@ -154,6 +156,7 @@ tests.
 %patch33 -p1
 %patch34 -p1
 %patch35 -p1
+%patch36 -p1

 %build
 %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP