summaryrefslogtreecommitdiff
path: root/sandbox-seccomp-filter.c
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@zip.com.au>2017-04-24 19:40:31 +1000
committerDarren Tucker <dtucker@zip.com.au>2017-04-24 19:40:31 +1000
commit8b0eee148f7cf8b248c30d1bae57300f2cc5aafd (patch)
tree43f03a9987bea9971dbcbf81ad4666ab35e9427f /sandbox-seccomp-filter.c
parentf8500b2be599053daa05248a86a743232ec6a536 (diff)
Deny socketcall in seccomp filter on ppc64le.
OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys in privsep child. The socket() syscall is already denied in the seccomp filter, but in ppc64le kernel, it is implemented using socketcall() syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and therefore fails hard. Patch from jjelen at redhat.com.
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r--sandbox-seccomp-filter.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2831e9d10..200932a8c 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -225,6 +225,7 @@ static const struct sock_filter preauth_insns[] = {
225#endif 225#endif
226#ifdef __NR_socketcall 226#ifdef __NR_socketcall
227 SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN), 227 SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
228 SC_DENY(__NR_ssocketcall, EACCES),
228#endif 229#endif
229#if defined(__NR_ioctl) && defined(__s390__) 230#if defined(__NR_ioctl) && defined(__s390__)
230 /* Allow ioctls for ICA crypto card on s390 */ 231 /* Allow ioctls for ICA crypto card on s390 */