Diffstat (limited to 'debian/patches/sandbox-seccomp-ipc.patch')
-rw-r--r-- | debian/patches/sandbox-seccomp-ipc.patch | 33 |
1 files changed, 0 insertions, 33 deletions
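diff --git a/debian/patches/sandbox-seccomp-ipc.patch b/debian/patches/sandbox-seccomp-ipc.patch
deleted file mode 100644
index c84290726..000000000
--- a/debian/patches/sandbox-seccomp-ipc.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2e128b223e8e73ace57a0726130bfbcf920d0f9e Mon Sep 17 00:00:00 2001
-From: Jeremy Drake <github@jdrake.com>
-Date: Fri, 11 Oct 2019 18:31:05 -0700
-Subject: Deny (non-fatal) ipc in preauth privsep child.
-
-As noted in openssh/openssh-portable#149, i386 does not have have
-_NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc,
-https://linux.die.net/man/2/ipc). Add this syscall, if present, to the
-list of syscalls that seccomp will deny non-fatally.
-
-Bug-Debian: https://bugs.debian.org/946242
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
-Last-Update: 2020-01-11
-
-Patch-Name: sandbox-seccomp-ipc.patch
----
-sandbox-seccomp-filter.c | 3 +++
-1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 999c46c9f..0914e48ba 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
-#ifdef __NR_shmdt
-SC_DENY(__NR_shmdt, EACCES),
-#endif
-+#ifdef __NR_ipc
-+ SC_DENY(__NR_ipc, EACCES),
-+#endif
-
-/* Syscalls to permit */
-#ifdef __NR_brk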