summaryrefslogtreecommitdiff
path: root/sandbox-seccomp-filter.c
diff options
context:
space:
mode:
authorLonnie Abelbeck <lonnie@abelbeck.com>2019-10-01 09:05:09 -0500
committerColin Watson <cjwatson@debian.org>2019-10-05 22:27:29 +0100
commitceefaa8ee80b63c0890d24c42369dc51880f53ea (patch)
treeeac314168a375a66700ad5024f8b3d324243a925 /sandbox-seccomp-filter.c
parent61d2706623ed144ee9cbd212d13eeba202a7ce26 (diff)
Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox. Bug: https://github.com/openssh/openssh-portable/pull/149 Bug-Debian: https://bugs.debian.org/941663 Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3ef92a657444f172b61f92d5da66d94fa8265602 Last-Update: 2019-10-05 Patch-Name: seccomp-handle-shm.patch
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r--sandbox-seccomp-filter.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ef4de8c65..e8f31555e 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = {
149#ifdef __NR_stat64 149#ifdef __NR_stat64
150 SC_DENY(__NR_stat64, EACCES), 150 SC_DENY(__NR_stat64, EACCES),
151#endif 151#endif
152#ifdef __NR_shmget
153 SC_DENY(__NR_shmget, EACCES),
154#endif
155#ifdef __NR_shmat
156 SC_DENY(__NR_shmat, EACCES),
157#endif
158#ifdef __NR_shmdt
159 SC_DENY(__NR_shmdt, EACCES),
160#endif
152 161
153 /* Syscalls to permit */ 162 /* Syscalls to permit */
154#ifdef __NR_brk 163#ifdef __NR_brk