Diffstat (limited to 'debian/patches/sandbox-seccomp-ipc.patch')
-rw-r--r--debian/patches/sandbox-seccomp-ipc.patch33
1 files changed, 0 insertions, 33 deletions
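diff --git a/debian/patches/sandbox-seccomp-ipc.patch b/debian/patches/sandbox-seccomp-ipc.patch
deleted file mode 100644
index c84290726..000000000
--- a/debian/patches/sandbox-seccomp-ipc.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2e128b223e8e73ace57a0726130bfbcf920d0f9e Mon Sep 17 00:00:00 2001
-From: Jeremy Drake <github@jdrake.com>
-Date: Fri, 11 Oct 2019 18:31:05 -0700
-Subject: Deny (non-fatal) ipc in preauth privsep child.
-
-As noted in openssh/openssh-portable#149, i386 does not have have
-_NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc,
-https://linux.die.net/man/2/ipc). Add this syscall, if present, to the
-list of syscalls that seccomp will deny non-fatally.
-
-Bug-Debian: https://bugs.debian.org/946242
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
-Last-Update: 2020-01-11
-
-Patch-Name: sandbox-seccomp-ipc.patch
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 999c46c9f..0914e48ba 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_shmdt
- SC_DENY(__NR_shmdt, EACCES),
- #endif
-+#ifdef __NR_ipc
-+ SC_DENY(__NR_ipc, EACCES),
-+#endif
-
- /* Syscalls to permit */
- #ifdef __NR_brk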