seccomp: Allow clock_nanosleep() and variants

author: Colin Watson <cjwatson@debian.org> 2020-01-11 23:27:21 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-01-11 23:32:15 +0000
commit: 284dd49ce99669f2e70bc09eebf6ca685f3b9f58 (patch)
tree: 5c19258ba8dd622de983dd6859c30979a4404d51 /debian
parent: 9b883ccc74051774aada4c048cb60edb4208f9c7 (diff)
parent: 93e9440bae1818746e0cc7f2543001db9d0ea1ea (diff)
6 files changed, 102 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index ae884c895..c1b3b255f 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-df3ad29af495185aa9b051028ae94b965a4b1659
+93e9440bae1818746e0cc7f2543001db9d0ea1ea
-df3ad29af495185aa9b051028ae94b965a4b1659
+93e9440bae1818746e0cc7f2543001db9d0ea1ea
 4213eec74e74de6310c27a40c3e9759a08a73996
 4213eec74e74de6310c27a40c3e9759a08a73996
 openssh_8.1p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 1c08e2cbb..60660a0d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:8.1p1-5) UNRELEASED; urgency=medium
+  * Apply upstream patches to allow clock_nanosleep() and variants in the
+    seccomp sandbox, fixing failures with glibc 2.31.
+ -- Colin Watson <cjwatson@debian.org>  Sat, 11 Jan 2020 23:27:35 +0000
 openssh (1:8.1p1-4) unstable; urgency=medium
  * Apply upstream patch to stop using 2020 as a future date in regress
diff --git a/debian/patches/sandbox-seccomp-clock_gettime64.patch b/debian/patches/sandbox-seccomp-clock_gettime64.patch
new file mode 100644
index 000000000..ad0d647a2
--- /dev/null
+++ b/debian/patches/sandbox-seccomp-clock_gettime64.patch
@@ -0,0 +1,30 @@
+From 93e9440bae1818746e0cc7f2543001db9d0ea1ea Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 7 Jan 2020 16:26:45 -0800
+Subject: seccomp: Allow clock_gettime64() in sandbox.
+This helps sshd accept connections on mips platforms with
+upcoming glibc ( 2.31 )
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b110cefdfbf5a20f49b774a55062d6ded2fb6e22
+Last-Update: 2020-01-11
+Patch-Name: sandbox-seccomp-clock_gettime64.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 3ef30c9d5..999c46c9f 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep_time64
+        SC_ALLOW(__NR_clock_nanosleep_time64),
+ #endif
+#ifdef __NR_clock_gettime64
+       SC_ALLOW(__NR_clock_gettime64),
+#endif
+ #ifdef __NR__newselect
+        SC_ALLOW(__NR__newselect),
+ #endif
diff --git a/debian/patches/sandbox-seccomp-clock_nanosleep.patch b/debian/patches/sandbox-seccomp-clock_nanosleep.patch
new file mode 100644
index 000000000..ccf9d0b09
--- /dev/null
+++ b/debian/patches/sandbox-seccomp-clock_nanosleep.patch
@@ -0,0 +1,31 @@
+From c80d266f4aed7224261b192b8e31ac87dc070cba Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 13 Nov 2019 23:19:35 +1100
+Subject: seccomp: Allow clock_nanosleep() in sandbox.
+seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
+glibc.  Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b1c82f4b8adf3f42476d8a1f292df33fb7aa1a56
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=546274a6f89489d2e6be8a8b62f2bb63c87a61fd
+Last-Update: 2020-01-11
+Patch-Name: sandbox-seccomp-clock_nanosleep.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index b5cda70bb..be2397671 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_nanosleep
+        SC_ALLOW(__NR_nanosleep),
+ #endif
+#ifdef __NR_clock_nanosleep
+       SC_ALLOW(__NR_clock_nanosleep),
+#endif
+ #ifdef __NR__newselect
+        SC_ALLOW(__NR__newselect),
+ #endif
diff --git a/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch b/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch
new file mode 100644
index 000000000..8825d569d
--- /dev/null
+++ b/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch
@@ -0,0 +1,29 @@
+From c80c5e338c19964755f277b54b390016f5c829a4 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Mon, 16 Dec 2019 13:55:56 +1100
+Subject: Allow clock_nanosleep_time64 in seccomp sandbox.
+Needed on Linux ARM.  bz#3100, patch from jjelen@redhat.com.
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5af6fd5461bb709304e6979c8b7856c7af921c9e
+Last-Update: 2020-01-11
+Patch-Name: sandbox-seccomp-clock_nanosleep_time64.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index be2397671..3ef30c9d5 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -245,6 +245,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+        SC_ALLOW(__NR_clock_nanosleep),
+ #endif
+#ifdef __NR_clock_nanosleep_time64
+       SC_ALLOW(__NR_clock_nanosleep_time64),
+#endif
+ #ifdef __NR__newselect
+        SC_ALLOW(__NR__newselect),
+ #endif
diff --git a/debian/patches/series b/debian/patches/series
index 19a6569b8..8dbd1355a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,6 @@ restore-authorized_keys2.patch
 conch-old-privkey-format.patch
 revert-ipqos-defaults.patch
 regress-2020.patch
+sandbox-seccomp-clock_nanosleep.patch
+sandbox-seccomp-clock_nanosleep_time64.patch
+sandbox-seccomp-clock_gettime64.patch
author	Colin Watson <cjwatson@debian.org>	2020-01-11 23:27:21 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-01-11 23:32:15 +0000
commit	284dd49ce99669f2e70bc09eebf6ca685f3b9f58 (patch)
tree	5c19258ba8dd622de983dd6859c30979a4404d51 /debian
parent	9b883ccc74051774aada4c048cb60edb4208f9c7 (diff)
parent	93e9440bae1818746e0cc7f2543001db9d0ea1ea (diff)

diff --git a/debian/.git-dpm b/debian/.git-dpm index ae884c895..c1b3b255f 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	df3ad29af495185aa9b051028ae94b965a4b1659	2	93e9440bae1818746e0cc7f2543001db9d0ea1ea
3	df3ad29af495185aa9b051028ae94b965a4b1659	3	93e9440bae1818746e0cc7f2543001db9d0ea1ea
4	4213eec74e74de6310c27a40c3e9759a08a73996	4	4213eec74e74de6310c27a40c3e9759a08a73996
5	4213eec74e74de6310c27a40c3e9759a08a73996	5	4213eec74e74de6310c27a40c3e9759a08a73996
6	openssh_8.1p1.orig.tar.gz	6	openssh_8.1p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 1c08e2cbb..60660a0d3 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,10 @@
		1	openssh (1:8.1p1-5) UNRELEASED; urgency=medium
		2
		3	* Apply upstream patches to allow clock_nanosleep() and variants in the
		4	seccomp sandbox, fixing failures with glibc 2.31.
		5
		6	-- Colin Watson <cjwatson@debian.org> Sat, 11 Jan 2020 23:27:35 +0000
		7
1	openssh (1:8.1p1-4) unstable; urgency=medium	8	openssh (1:8.1p1-4) unstable; urgency=medium
2		9
3	* Apply upstream patch to stop using 2020 as a future date in regress	10	* Apply upstream patch to stop using 2020 as a future date in regress


diff --git a/debian/patches/sandbox-seccomp-clock_gettime64.patch b/debian/patches/sandbox-seccomp-clock_gettime64.patch new file mode 100644 index 000000000..ad0d647a2 --- /dev/null +++ b/debian/patches/sandbox-seccomp-clock_gettime64.patch
@@ -0,0 +1,30 @@
		1	From 93e9440bae1818746e0cc7f2543001db9d0ea1ea Mon Sep 17 00:00:00 2001
		2	From: Khem Raj <raj.khem@gmail.com>
		3	Date: Tue, 7 Jan 2020 16:26:45 -0800
		4	Subject: seccomp: Allow clock_gettime64() in sandbox.
		5
		6	This helps sshd accept connections on mips platforms with
		7	upcoming glibc ( 2.31 )
		8
		9	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b110cefdfbf5a20f49b774a55062d6ded2fb6e22
		10	Last-Update: 2020-01-11
		11
		12	Patch-Name: sandbox-seccomp-clock_gettime64.patch
		13	---
		14	sandbox-seccomp-filter.c \| 3 +++
		15	1 file changed, 3 insertions(+)
		16
		17	diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
		18	index 3ef30c9d5..999c46c9f 100644
		19	--- a/sandbox-seccomp-filter.c
		20	+++ b/sandbox-seccomp-filter.c
		21	@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = {
		22	#ifdef __NR_clock_nanosleep_time64
		23	SC_ALLOW(__NR_clock_nanosleep_time64),
		24	#endif
		25	+#ifdef __NR_clock_gettime64
		26	+ SC_ALLOW(__NR_clock_gettime64),
		27	+#endif
		28	#ifdef __NR__newselect
		29	SC_ALLOW(__NR__newselect),
		30	#endif


diff --git a/debian/patches/sandbox-seccomp-clock_nanosleep.patch b/debian/patches/sandbox-seccomp-clock_nanosleep.patch new file mode 100644 index 000000000..ccf9d0b09 --- /dev/null +++ b/debian/patches/sandbox-seccomp-clock_nanosleep.patch
@@ -0,0 +1,31 @@
		1	From c80d266f4aed7224261b192b8e31ac87dc070cba Mon Sep 17 00:00:00 2001
		2	From: Darren Tucker <dtucker@dtucker.net>
		3	Date: Wed, 13 Nov 2019 23:19:35 +1100
		4	Subject: seccomp: Allow clock_nanosleep() in sandbox.
		5
		6	seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
		7	glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
		8
		9	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b1c82f4b8adf3f42476d8a1f292df33fb7aa1a56
		10	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=546274a6f89489d2e6be8a8b62f2bb63c87a61fd
		11	Last-Update: 2020-01-11
		12
		13	Patch-Name: sandbox-seccomp-clock_nanosleep.patch
		14	---
		15	sandbox-seccomp-filter.c \| 3 +++
		16	1 file changed, 3 insertions(+)
		17
		18	diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
		19	index b5cda70bb..be2397671 100644
		20	--- a/sandbox-seccomp-filter.c
		21	+++ b/sandbox-seccomp-filter.c
		22	@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = {
		23	#ifdef __NR_nanosleep
		24	SC_ALLOW(__NR_nanosleep),
		25	#endif
		26	+#ifdef __NR_clock_nanosleep
		27	+ SC_ALLOW(__NR_clock_nanosleep),
		28	+#endif
		29	#ifdef __NR__newselect
		30	SC_ALLOW(__NR__newselect),
		31	#endif


diff --git a/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch b/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch new file mode 100644 index 000000000..8825d569d --- /dev/null +++ b/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch
@@ -0,0 +1,29 @@
		1	From c80c5e338c19964755f277b54b390016f5c829a4 Mon Sep 17 00:00:00 2001
		2	From: Darren Tucker <dtucker@dtucker.net>
		3	Date: Mon, 16 Dec 2019 13:55:56 +1100
		4	Subject: Allow clock_nanosleep_time64 in seccomp sandbox.
		5
		6	Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
		7
		8	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5af6fd5461bb709304e6979c8b7856c7af921c9e
		9	Last-Update: 2020-01-11
		10
		11	Patch-Name: sandbox-seccomp-clock_nanosleep_time64.patch
		12	---
		13	sandbox-seccomp-filter.c \| 3 +++
		14	1 file changed, 3 insertions(+)
		15
		16	diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
		17	index be2397671..3ef30c9d5 100644
		18	--- a/sandbox-seccomp-filter.c
		19	+++ b/sandbox-seccomp-filter.c
		20	@@ -245,6 +245,9 @@ static const struct sock_filter preauth_insns[] = {
		21	#ifdef __NR_clock_nanosleep
		22	SC_ALLOW(__NR_clock_nanosleep),
		23	#endif
		24	+#ifdef __NR_clock_nanosleep_time64
		25	+ SC_ALLOW(__NR_clock_nanosleep_time64),
		26	+#endif
		27	#ifdef __NR__newselect
		28	SC_ALLOW(__NR__newselect),
		29	#endif


diff --git a/debian/patches/series b/debian/patches/series index 19a6569b8..8dbd1355a 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -24,3 +24,6 @@ restore-authorized_keys2.patch
24	conch-old-privkey-format.patch	24	conch-old-privkey-format.patch
25	revert-ipqos-defaults.patch	25	revert-ipqos-defaults.patch
26	regress-2020.patch	26	regress-2020.patch
		27	sandbox-seccomp-clock_nanosleep.patch
		28	sandbox-seccomp-clock_nanosleep_time64.patch
		29	sandbox-seccomp-clock_gettime64.patch