From 475ab6e41e22080cd5463f53405800617a61f0e1731ef2c2883df77d1fa8405c Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Sat, 16 Jan 2021 15:15:09 +0000
Subject: [PATCH] Accepting request 856827 from home:namtrac:branches:network Copied from SLE counterpart. - Add seccomp-fixes.patch to allow getdents64 syscall in seccomp sandbox, fixes bsc#1179553 Also in the same patch, fix the architecture offset from 4 to 5, this change was documented in https://lore.kernel.org/patchwork/patch/554803/ OBS-URL: https://build.opensuse.org/request/show/856827 OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=147
---
 seccomp-fixes.patch | 51 +++++++++++++++++++++++++++++++++++++++++++++
 vsftpd.changes | 8 +++++++
 vsftpd.spec | 3 +++
 3 files changed, 62 insertions(+)
 create mode 100644 seccomp-fixes.patch
diff --git a/seccomp-fixes.patch b/seccomp-fixes.patch
new file mode 100644
index 0000000..1bc1225
--- /dev/null
+++ b/seccomp-fixes.patch
@@ -0,0 +1,51 @@
+Index: vsftpd-3.0.3/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.3.orig/seccompsandbox.c
++++ vsftpd-3.0.3/seccompsandbox.c
+@@ -18,6 +18,7 @@
+ #include "utility.h"
+
+ #include
++#include
+
+ #include
+ #include
+@@ -60,6 +61,7 @@
+
+ #define kMaxSyscalls 100
+
++//#define DEBUG_SIGSYS
+ #ifdef DEBUG_SIGSYS
+
+ #include
+@@ -68,7 +70,10 @@
+ void
+ handle_sigsys(int sig)
+ {
+- (void) sig;
++ char str[21];
++ snprintf(str, 21, "Rejected syscall %d", sig);
++
++ die(str);
+ }
+ #endif
+
+@@ -443,6 +448,7 @@ seccomp_sandbox_setup_postlogin(const st
+ allow_nr(__NR_getcwd);
+ allow_nr(__NR_chdir);
+ allow_nr(__NR_getdents);
++ allow_nr(__NR_getdents64);
+ /* Misc */
+ allow_nr(__NR_umask);
+
+@@ -579,8 +585,8 @@ seccomp_sandbox_lockdown()
+ p_filter->code = BPF_LD+BPF_W+BPF_ABS;
+ p_filter->jt = 0;
+ p_filter->jf = 0;
+- /* Offset 4 for syscall architecture. */
+- p_filter->k = 4;
++ /* Offset 5 for syscall architecture. */
++ p_filter->k = 5;
+ p_filter++;
+ p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
+ p_filter->jt = 1;
diff --git a/vsftpd.changes b/vsftpd.changes
index fb6ebc2..024e809 100644
--- a/vsftpd.changes
+++ b/vsftpd.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Dec 3 11:20:20 UTC 2020 - Ismail Dönmez
+
+- Add seccomp-fixes.patch to allow getdents64 syscall in seccomp
+ sandbox, fixes bsc#1179553
+ Also in the same patch, fix the architecture offset from 4 to 5,
+ this change was documented in https://lore.kernel.org/patchwork/patch/554803/
+
 -------------------------------------------------------------------
 Fri Nov 13 09:49:06 AM UTC 2020 - psimons@suse.com
diff --git a/vsftpd.spec b/vsftpd.spec
index d2e2a79..4629ab4 100644
--- a/vsftpd.spec
+++ b/vsftpd.spec
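Review bot: In the embedded seccomp_sandbox_lockdown hunk of seccomp-fixes.patch, the new `p_filter->k = 5;` no longer addresses the architecture field: in the Linux `struct seccomp_data` layout `nr` is at byte 0 and `arch` at byte 4, and the kernel's seccomp filter validation rejects a `BPF_LD+BPF_W+BPF_ABS` load whose offset is not 4-byte aligned. The likely result is that installing the filter fails with EINVAL; how seccomp_sandbox_lockdown reacts to that error lies outside the hunk, but if it is handled as "kernel lacks seccomp support" the process would run without the sandbox and without any message, which can be checked on a running build via the `Seccomp:` field in `/proc/<pid>/status`. I would keep `p_filter->k = 4;`, or express it as `p_filter->k = offsetof(struct seccomp_data, arch);` if the kernel header is available to this file. Separately, the new handle_sigsys body formats `sig`, which is the signal number rather than the number of the rejected syscall, so the text "Rejected syscall %d" is misleading when DEBUG_SIGSYS is enabled.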
@@ -87,6 +87,8 @@ Patch32: vsftpd-support-dsa-only-setups.patch
 Patch33: vsftpd-avoid-bogus-ssl-write.patch
 Patch34: 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch
 Patch35: 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+# PATCH-FIX-UPSTREAM https://bugzilla.suse.com/show_bug.cgi?id=1179553
+Patch36: seccomp-fixes.patch
 BuildRequires: libcap-devel
 BuildRequires: libopenssl-devel
 BuildRequires: pam-devel
@@ -154,6 +156,7 @@ tests.
 %patch33 -p1
 %patch34 -p1
 %patch35 -p1
+%patch36 -p1
 %build
 %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP