[openssh-commits] [openssh] 01/06: handle futex_time64 properly in seccomp sandbox

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Aug 18 13:56:47 AEST 2025


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit a00f5b02e171bc6d6fb130050afb7a08f5ece1d8
Author: Damien Miller <djm at mindrot.org>
AuthorDate: Mon Aug 18 13:44:53 2025 +1000

    handle futex_time64 properly in seccomp sandbox
    
    Previously we only allowed __NR_futex, but some 32-bit systems
    apparently support __NR_futex_time64. We had support for this
    in the sandbox, but because of a macro error only __NR_futex was
    allowlisted.
    
    ok dtucker@
---
 sandbox-seccomp-filter.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index b31062c2b..827cb61ee 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -180,12 +180,12 @@
 
 /* Use this for both __NR_futex and __NR_futex_time64 */
 # define SC_FUTEX(_nr) \
-	SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAIT), \
-	SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAIT_BITSET), \
-	SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAKE), \
-	SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAKE_BITSET), \
-	SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_REQUEUE), \
-	SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_CMP_REQUEUE)
+	SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAIT), \
+	SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAIT_BITSET), \
+	SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAKE), \
+	SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAKE_BITSET), \
+	SC_ALLOW_FUTEX_OP(_nr, FUTEX_REQUEUE), \
+	SC_ALLOW_FUTEX_OP(_nr, FUTEX_CMP_REQUEUE)
 #endif /* __NR_futex || __NR_futex_time64 */
 
 #if defined(__NR_mmap) || defined(__NR_mmap2)
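Review bot: The comment above `SC_FUTEX` still does not state that the macro emits its allow-rules for the syscall number passed as `_nr`, which is exactly the contract the old body broke without any diagnostic, since the preprocessor does not warn about an unused macro parameter. I would extend it to something like `/* Expands to allow-rules for the listed futex ops on syscall _nr; invoke once per futex syscall number the platform defines */`. The invocation sites and the definition of `SC_ALLOW_FUTEX_OP` are outside this hunk, and the enclosing `#if` (visible only through its `#endif`) appears to be true when either syscall number is defined. It is therefore worth confirming that each `SC_FUTEX(...)` use in the filter table sits under its own `#ifdef` for that specific number, so the allowlist contains only syscalls that exist on the build target.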
