[openssh-commits] [openssh] 01/01: Improve seccomp compat on older systems.

git+noreply at mindrot.org git+noreply at mindrot.org
Sat Feb 11 12:35:09 AEDT 2023


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit d9685121ff6d57b8797411f3cb123884a4b96e30
Author: Darren Tucker <dtucker at dtucker.net>
Date:   Sat Feb 11 12:32:19 2023 +1100

    Improve seccomp compat on older systems.
    
    Check if flags to mmap and madvise are defined before using them.
    Should fix problems building on older Linux systems that don't have
    these.  bz#3537, with & ok djm at .
---
 sandbox-seccomp-filter.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 78c26623..23b40b64 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -189,10 +189,14 @@
 #endif /* __NR_futex || __NR_futex_time64 */
 
 #if defined(__NR_mmap) || defined(__NR_mmap2)
+# ifdef MAP_FIXED_NOREPLACE
+#  define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED|MAP_FIXED_NOREPLACE
+# else
+#  define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED
+# endif /* MAP_FIXED_NOREPLACE */
 /* Use this for both __NR_mmap and __NR_mmap2 variants */
 # define SC_MMAP(_nr) \
-	SC_DENY_UNLESS_ARG_MASK(_nr, 3, \
-	    MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED|MAP_FIXED_NOREPLACE, EINVAL), \
+	SC_DENY_UNLESS_ARG_MASK(_nr, 3, SC_MMAP_FLAGS, EINVAL), \
 	SC_ALLOW_ARG_MASK(_nr, 2, PROT_READ|PROT_WRITE|PROT_NONE)
 #endif /* __NR_mmap || __NR_mmap2 */
 
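Review bot: `SC_MMAP_FLAGS` is defined as a bare `|` expression in both branches, so it is only safe where the use site parenthesises it. The definition of `SC_DENY_UNLESS_ARG_MASK` is outside this hunk, so whether it does cannot be confirmed from here. Wrapping the value costs nothing: `# define SC_MMAP_FLAGS (MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED|MAP_FIXED_NOREPLACE)`, and likewise in the `# else` branch. The permitted flag set now varies with the build headers, so a comment above the `# ifdef` would help, for example `/* Flags missing from the build headers are left out of the mask; mmap calls that pass them are presumably rejected with EINVAL */`.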
@@ -308,11 +312,21 @@ static const struct sock_filter preauth_insns[] = {
 #endif
 #ifdef __NR_madvise
 	SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL),
+# ifdef MADV_FREE
 	SC_ALLOW_ARG(__NR_madvise, 2, MADV_FREE),
+# endif
+# ifdef MADV_DONTNEED
 	SC_ALLOW_ARG(__NR_madvise, 2, MADV_DONTNEED),
+# endif
+# ifdef MADV_DONTFORK
 	SC_ALLOW_ARG(__NR_madvise, 2, MADV_DONTFORK),
+# endif
+# ifdef MADV_DONTDUMP
 	SC_ALLOW_ARG(__NR_madvise, 2, MADV_DONTDUMP),
+# endif
+# ifdef MADV_WIPEONFORK
 	SC_ALLOW_ARG(__NR_madvise, 2, MADV_WIPEONFORK),
+# endif
 	SC_DENY(__NR_madvise, EINVAL),
 #endif
 #ifdef __NR_mmap
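Review bot: The `# ifdef` guards in the `__NR_madvise` group make the allowed advice set depend on the build headers, and nothing in the hunk says what happens to a value that was compiled out. From the visible lines, such a call falls through to `SC_DENY(__NR_madvise, EINVAL)`, so the filter narrows rather than widens when built against older headers. A comment before the first guard would record that, for example `/* advice values missing from the build headers are not allowed; they reach the EINVAL deny below */`. `MADV_NORMAL` stays unguarded, which looks intentional and could be mentioned in the same comment. The `preauth_insns` array starts and ends outside this hunk.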

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

