authorColin Watson <cjwatson@debian.org>2020-01-11 23:34:11 +0000
committerColin Watson <cjwatson@debian.org>2020-01-11 23:35:35 +0000
commit1e27566efe47a292e9401251f6b27a5eac1a63b1 (patch)
treeb8fc96b1b82a9236bb9447e2fae012abbaa00fda
parent284dd49ce99669f2e70bc09eebf6ca685f3b9f58 (diff)
parent489e04f2c23327dd95981327d8757144a4e574af (diff)
Deny (non-fatal) ipc in preauth privsep child
Closes: #946242
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog3
-rw-r--r--debian/patches/sandbox-seccomp-ipc.patch33
-rw-r--r--debian/patches/series1
-rw-r--r--sandbox-seccomp-filter.c3
5 files changed, 42 insertions, 2 deletions
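--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-93e9440bae1818746e0cc7f2543001db9d0ea1ea
-93e9440bae1818746e0cc7f2543001db9d0ea1ea
+489e04f2c23327dd95981327d8757144a4e574af
+489e04f2c23327dd95981327d8757144a4e574af
 4213eec74e74de6310c27a40c3e9759a08a73996
 4213eec74e74de6310c27a40c3e9759a08a73996
 openssh_8.1p1.orig.tar.gz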
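--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,9 @@ openssh (1:8.1p1-5) UNRELEASED; urgency=medium
 
  * Apply upstream patches to allow clock_nanosleep() and variants in the
  seccomp sandbox, fixing failures with glibc 2.31.
+ * Apply upstream patch to deny (non-fatally) ipc in the seccomp sandbox,
+ fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some
+ architectures (closes: #946242).
 
  -- Colin Watson <cjwatson@debian.org> Sat, 11 Jan 2020 23:27:35 +0000
 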
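--- /dev/null
+++ b/debian/patches/sandbox-seccomp-ipc.patch
@@ -0,0 +1,33 @@
+From 489e04f2c23327dd95981327d8757144a4e574af Mon Sep 17 00:00:00 2001
+From: Jeremy Drake <github@jdrake.com>
+Date: Fri, 11 Oct 2019 18:31:05 -0700
+Subject: Deny (non-fatal) ipc in preauth privsep child.
+
+As noted in openssh/openssh-portable#149, i386 does not have have
+_NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc,
+https://linux.die.net/man/2/ipc). Add this syscall, if present, to the
+list of syscalls that seccomp will deny non-fatally.
+
+Bug-Debian: https://bugs.debian.org/946242
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
+Last-Update: 2020-01-11
+
+Patch-Name: sandbox-seccomp-ipc.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 999c46c9f..0914e48ba 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_shmdt
+ SC_DENY(__NR_shmdt, EACCES),
+ #endif
++#ifdef __NR_ipc
++ SC_DENY(__NR_ipc, EACCES),
++#endif
+
+ /* Syscalls to permit */
+ #ifdef __NR_brk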
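--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,4 @@ regress-2020.patch
 sandbox-seccomp-clock_nanosleep.patch
 sandbox-seccomp-clock_nanosleep_time64.patch
 sandbox-seccomp-clock_gettime64.patch
+sandbox-seccomp-ipc.patch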
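--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_shmdt
  SC_DENY(__NR_shmdt, EACCES),
 #endif
+#ifdef __NR_ipc
+ SC_DENY(__NR_ipc, EACCES),
+#endif
 
  /* Syscalls to permit */
 #ifdef __NR_brk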
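Review bot: The new `#ifdef __NR_ipc` guard at new lines 180-182 carries no comment, so a reader of preauth_insns[] sees a multiplexer syscall denied next to a list of individually named shm calls without knowing why; the rationale (i386 has no __NR_shmget and routes the shm family through the single ipc(2) syscall) lives only in the patch description in debian/patches/sandbox-seccomp-ipc.patch, which carries the same hunk. Suggest a one-line comment above the guard: `/* i386 and similar ABIs multiplex shmget/shmat/shmdt through ipc(2); deny it like the direct calls */`. If SC_DENY matches on the syscall number alone, as its use for the shm entries suggests, every ipc(2) sub-operation (sem*, msg* as well as shm*) now returns EACCES in the preauth child rather than killing it, which is wider than the three direct denials and worth stating in that comment so a later change knows where the behaviour comes from. The enclosing preauth_insns[] array starts and ends outside the hunk.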