From 861f8bae8f5a07a01a24a5cf1d7d62d4c2db5dc4a99c5ee6bd7c49e9a9c1d367 Mon Sep 17 00:00:00 2001
From: Michal Vyskocil
Date: Thu, 28 Feb 2013 13:31:50 +0000
Subject: [PATCH] - add vsftpd-allow-dev-log-socket.patch (bnc#786024) * whitelist /dev/log related socket syscall

OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=51
---
 vsftpd-allow-dev-log-socket.patch | 30 ++++++++++++++++++++++++++++++
 vsftpd.changes | 6 ++++++
 vsftpd.spec | 4 +++-
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 vsftpd-allow-dev-log-socket.patch

diff --git a/vsftpd-allow-dev-log-socket.patch b/vsftpd-allow-dev-log-socket.patch
new file mode 100644
index 0000000..2af01d1
--- /dev/null
+++ b/vsftpd-allow-dev-log-socket.patch
@@ -0,0 +1,30 @@
+From: mvyskocil@suse.com
+Subject: enable /dev/log related socket call
+
+Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
+sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
+with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
+pam. Anyway I would say the risc is small, and other socket syscalls are disabled.
+
+Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
+
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
++++ vsftpd-3.0.2/seccompsandbox.c
+@@ -353,6 +353,15 @@ seccomp_sandbox_setup_prelogin(const str
+ {
+ allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+ }
++
++ //this is very probably an attempt to open /dev/log
++ //it fails because process cannot open any file, so it might be safe
++ //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
++ allow_nr_3_arg_match(__NR_socket,
++ 1, PF_FILE,
++ 2, SOCK_DGRAM | SOCK_CLOEXEC,
++ 3, 0);
++
+ }
+
+ void
diff --git a/vsftpd.changes b/vsftpd.changes
index eed44d7..0beb6dd 100644
--- a/vsftpd.changes
+++ b/vsftpd.changes
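Review bot: The `allow_nr_3_arg_match(__NR_socket, ...)` rule added inside the inner hunk is unconditional, while the comment above it justifies the whitelist only by the fact that the call currently fails with EMFILE under RLIMIT_NOFILE — if the pre-login process ever has a free descriptor slot, the same rule lets it actually create a PF_FILE datagram socket, which widens the pre-login sandbox. Since the goal is only to avoid the SIGSYS kill, having the filter answer the syscall with an errno (a SECCOMP_RET_ERRNO action returning EMFILE or EACCES) would give Linux-PAM the same failure it gets today without depending on the fd limit. If the sandbox helpers offer no such variant, the dependency should at least be explicit in the code: replace the first two `//` lines with `/* Allowed only because the pre-login fd table is exhausted (RLIMIT_NOFILE), so this socket() fails with EMFILE; revisit if that limit changes. */`. The `//` comments also appear to differ from the `/* */` style of the surrounding file, though only this hunk is visible here. The enclosing function `seccomp_sandbox_setup_prelogin` starts before the inner hunk.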
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Feb 28 13:30:07 UTC 2013 - mvyskocil@suse.com
+
+- add vsftpd-allow-dev-log-socket.patch (bnc#786024)
+ * whitelist /dev/log related socket syscall
+
 -------------------------------------------------------------------
 Tue Nov 20 17:19:03 CET 2012 - sbrabec@suse.cz

diff --git a/vsftpd.spec b/vsftpd.spec
index 6c29f54..a718419 100644
--- a/vsftpd.spec
+++ b/vsftpd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package vsftpd
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -54,6 +54,7 @@ Patch8: vsftpd-2.0.5-utf8-log-names.patch
 Patch9: vsftpd-2.3.5-conf.patch
 Patch10: vsftpd-3.0.0_gnu_source_defines.patch
 Patch11: vsftpd-3.0.0-optional-seccomp.patch
+Patch12: vsftpd-allow-dev-log-socket.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Provides: ftp-server
 PreReq: %insserv_prereq /usr/sbin/useradd
@@ -84,6 +85,7 @@ tests.
 %patch9
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1

 %build
 %define seccomp_opts %{nil}