forked from pool/vsftpd
861f8bae8f
* whitelist /dev/log related socket syscall OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=51
31 lines
1.1 KiB
Diff
31 lines
1.1 KiB
Diff
From: mvyskocil@suse.com
|
|
Subject: enable /dev/log related socket call
|
|
|
|
Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
|
|
sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
|
|
with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
|
|
pam. Anyway I would say the risc is small, and other socket syscalls are disabled.
|
|
|
|
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
|
|
|
|
Index: vsftpd-3.0.2/seccompsandbox.c
|
|
===================================================================
|
|
--- vsftpd-3.0.2.orig/seccompsandbox.c
|
|
+++ vsftpd-3.0.2/seccompsandbox.c
|
|
@@ -353,6 +353,15 @@ seccomp_sandbox_setup_prelogin(const str
|
|
{
|
|
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
|
|
}
|
|
+
|
|
+ //this is very probably an attempt to open /dev/log
|
|
+ //it fails because process cannot open any file, so it might be safe
|
|
+ //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
|
|
+ allow_nr_3_arg_match(__NR_socket,
|
|
+ 1, PF_FILE,
|
|
+ 2, SOCK_DGRAM | SOCK_CLOEXEC,
|
|
+ 3, 0);
|
|
+
|
|
}
|
|
|
|
void
|