[openssh-commits] [openssh] 01/01: Deny lstat syscalls in seccomp sandbox
git+noreply at mindrot.org
Fri May 20 09:57:52 AEST 2016
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit f64062b1f74ad5ee20a8a49aab2732efd0f7ce30
Author: Damien Miller <djm at mindrot.org>
Date: Fri May 20 09:56:53 2016 +1000
Deny lstat syscalls in seccomp sandbox
Avoids sandbox violations for some krb/gssapi libraries.
---
sandbox-seccomp-filter.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index d132e26..2e1ed2c 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -103,6 +103,12 @@ static const struct sock_filter preauth_insns[] = {
offsetof(struct seccomp_data, nr)),
/* Syscalls to non-fatally deny */
+#ifdef __NR_lstat
+ SC_DENY(lstat, EACCES),
+#endif
+#ifdef __NR_lstat64
+ SC_DENY(lstat64, EACCES),
+#endif
#ifdef __NR_fstat
SC_DENY(fstat, EACCES),
#endif
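Review bot: the two new entries under "Syscalls to non-fatally deny" carry no comment saying why lstat is denied. The krb/gssapi reason appears only in the commit message, so a one-line comment above `#ifdef __NR_lstat` would keep it with the code. The `#ifdef` guards also mean that on an ABI that defines neither __NR_lstat nor __NR_lstat64 this hunk adds nothing, and an lstat() call from those libraries would reach the kernel as a different stat-family syscall. It is worth confirming whether that path needs a matching SC_DENY, since only fstat is visible in the surrounding context.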
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.