Deny (non-fatal) ipc in preauth privsep child

Closes: #946242
author: Colin Watson <cjwatson@debian.org> 2020-01-11 23:34:11 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-01-11 23:35:35 +0000
commit: 1e27566efe47a292e9401251f6b27a5eac1a63b1 (patch)
tree: b8fc96b1b82a9236bb9447e2fae012abbaa00fda
parent: 284dd49ce99669f2e70bc09eebf6ca685f3b9f58 (diff)
parent: 489e04f2c23327dd95981327d8757144a4e574af (diff)
5 files changed, 42 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index c1b3b255f..824b73ce4 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-93e9440bae1818746e0cc7f2543001db9d0ea1ea
+489e04f2c23327dd95981327d8757144a4e574af
-93e9440bae1818746e0cc7f2543001db9d0ea1ea
+489e04f2c23327dd95981327d8757144a4e574af
 4213eec74e74de6310c27a40c3e9759a08a73996
 4213eec74e74de6310c27a40c3e9759a08a73996
 openssh_8.1p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 60660a0d3..9dd91de32 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,9 @@ openssh (1:8.1p1-5) UNRELEASED; urgency=medium
  * Apply upstream patches to allow clock_nanosleep() and variants in the
    seccomp sandbox, fixing failures with glibc 2.31.
+  * Apply upstream patch to deny (non-fatally) ipc in the seccomp sandbox,
+    fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some
+    architectures (closes: #946242).
 -- Colin Watson <cjwatson@debian.org>  Sat, 11 Jan 2020 23:27:35 +0000
diff --git a/debian/patches/sandbox-seccomp-ipc.patch b/debian/patches/sandbox-seccomp-ipc.patch
new file mode 100644
index 000000000..cbeb6613d
--- /dev/null
+++ b/debian/patches/sandbox-seccomp-ipc.patch
@@ -0,0 +1,33 @@
+From 489e04f2c23327dd95981327d8757144a4e574af Mon Sep 17 00:00:00 2001
+From: Jeremy Drake <github@jdrake.com>
+Date: Fri, 11 Oct 2019 18:31:05 -0700
+Subject: Deny (non-fatal) ipc in preauth privsep child.
+As noted in openssh/openssh-portable#149, i386 does not have have
+_NR_shmget etc.  Instead, it has a single ipc syscall (see man 2 ipc,
+https://linux.die.net/man/2/ipc).  Add this syscall, if present, to the
+list of syscalls that seccomp will deny non-fatally.
+Bug-Debian: https://bugs.debian.org/946242
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
+Last-Update: 2020-01-11
+Patch-Name: sandbox-seccomp-ipc.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 999c46c9f..0914e48ba 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_shmdt
+        SC_DENY(__NR_shmdt, EACCES),
+ #endif
+#ifdef __NR_ipc
+       SC_DENY(__NR_ipc, EACCES),
+#endif
+ 
+        /* Syscalls to permit */
+ #ifdef __NR_brk
diff --git a/debian/patches/series b/debian/patches/series
index 8dbd1355a..59c651095 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,4 @@ regress-2020.patch
 sandbox-seccomp-clock_nanosleep.patch
 sandbox-seccomp-clock_nanosleep_time64.patch
 sandbox-seccomp-clock_gettime64.patch
+sandbox-seccomp-ipc.patch
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 999c46c9f..0914e48ba 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_shmdt
        SC_DENY(__NR_shmdt, EACCES),
 #endif
+#ifdef __NR_ipc
+        SC_DENY(__NR_ipc, EACCES),
+#endif
        /* Syscalls to permit */
 #ifdef __NR_brk
author	Colin Watson <cjwatson@debian.org>	2020-01-11 23:34:11 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-01-11 23:35:35 +0000
commit	1e27566efe47a292e9401251f6b27a5eac1a63b1 (patch)
tree	b8fc96b1b82a9236bb9447e2fae012abbaa00fda
parent	284dd49ce99669f2e70bc09eebf6ca685f3b9f58 (diff)
parent	489e04f2c23327dd95981327d8757144a4e574af (diff)

diff --git a/debian/.git-dpm b/debian/.git-dpm index c1b3b255f..824b73ce4 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	93e9440bae1818746e0cc7f2543001db9d0ea1ea	2	489e04f2c23327dd95981327d8757144a4e574af
3	93e9440bae1818746e0cc7f2543001db9d0ea1ea	3	489e04f2c23327dd95981327d8757144a4e574af
4	4213eec74e74de6310c27a40c3e9759a08a73996	4	4213eec74e74de6310c27a40c3e9759a08a73996
5	4213eec74e74de6310c27a40c3e9759a08a73996	5	4213eec74e74de6310c27a40c3e9759a08a73996
6	openssh_8.1p1.orig.tar.gz	6	openssh_8.1p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 60660a0d3..9dd91de32 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -2,6 +2,9 @@ openssh (1:8.1p1-5) UNRELEASED; urgency=medium
2		2
3	* Apply upstream patches to allow clock_nanosleep() and variants in the	3	* Apply upstream patches to allow clock_nanosleep() and variants in the
4	seccomp sandbox, fixing failures with glibc 2.31.	4	seccomp sandbox, fixing failures with glibc 2.31.
		5	* Apply upstream patch to deny (non-fatally) ipc in the seccomp sandbox,
		6	fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some
		7	architectures (closes: #946242).
5		8
6	-- Colin Watson <cjwatson@debian.org> Sat, 11 Jan 2020 23:27:35 +0000	9	-- Colin Watson <cjwatson@debian.org> Sat, 11 Jan 2020 23:27:35 +0000
7		10


diff --git a/debian/patches/sandbox-seccomp-ipc.patch b/debian/patches/sandbox-seccomp-ipc.patch new file mode 100644 index 000000000..cbeb6613d --- /dev/null +++ b/debian/patches/sandbox-seccomp-ipc.patch
@@ -0,0 +1,33 @@
		1	From 489e04f2c23327dd95981327d8757144a4e574af Mon Sep 17 00:00:00 2001
		2	From: Jeremy Drake <github@jdrake.com>
		3	Date: Fri, 11 Oct 2019 18:31:05 -0700
		4	Subject: Deny (non-fatal) ipc in preauth privsep child.
		5
		6	As noted in openssh/openssh-portable#149, i386 does not have have
		7	_NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc,
		8	https://linux.die.net/man/2/ipc). Add this syscall, if present, to the
		9	list of syscalls that seccomp will deny non-fatally.
		10
		11	Bug-Debian: https://bugs.debian.org/946242
		12	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
		13	Last-Update: 2020-01-11
		14
		15	Patch-Name: sandbox-seccomp-ipc.patch
		16	---
		17	sandbox-seccomp-filter.c \| 3 +++
		18	1 file changed, 3 insertions(+)
		19
		20	diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
		21	index 999c46c9f..0914e48ba 100644
		22	--- a/sandbox-seccomp-filter.c
		23	+++ b/sandbox-seccomp-filter.c
		24	@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
		25	#ifdef __NR_shmdt
		26	SC_DENY(__NR_shmdt, EACCES),
		27	#endif
		28	+#ifdef __NR_ipc
		29	+ SC_DENY(__NR_ipc, EACCES),
		30	+#endif
		31
		32	/* Syscalls to permit */
		33	#ifdef __NR_brk


diff --git a/debian/patches/series b/debian/patches/series index 8dbd1355a..59c651095 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -27,3 +27,4 @@ regress-2020.patch
27	sandbox-seccomp-clock_nanosleep.patch	27	sandbox-seccomp-clock_nanosleep.patch
28	sandbox-seccomp-clock_nanosleep_time64.patch	28	sandbox-seccomp-clock_nanosleep_time64.patch
29	sandbox-seccomp-clock_gettime64.patch	29	sandbox-seccomp-clock_gettime64.patch
		30	sandbox-seccomp-ipc.patch


diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 999c46c9f..0914e48ba 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c
@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
177	#ifdef __NR_shmdt	177	#ifdef __NR_shmdt
178	SC_DENY(__NR_shmdt, EACCES),	178	SC_DENY(__NR_shmdt, EACCES),
179	#endif	179	#endif
		180	#ifdef __NR_ipc
		181	SC_DENY(__NR_ipc, EACCES),
		182	#endif
180		183
181	/* Syscalls to permit */	184	/* Syscalls to permit */
182	#ifdef __NR_brk	185	#ifdef __NR_brk