[openssh-commits] [openssh] 01/01: Deny (non-fatal) ipc in preauth privsep child.

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Jan 8 21:48:48 AEDT 2020


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch V_8_1
in repository openssh.

commit fbe37c90602fa2d0d7b5f05868d6886b1e216e65
Author: Jeremy Drake <github at jdrake.com>
Date:   Fri Oct 11 18:31:05 2019 -0700

    Deny (non-fatal) ipc in preauth privsep child.
    
    As noted in openssh/openssh-portable#149, i386 does not have
    _NR_shmget etc.  Instead, it has a single ipc syscall (see man 2 ipc,
    https://linux.die.net/man/2/ipc).  Add this syscall, if present, to the
    list of syscalls that seccomp will deny non-fatally.
---
 sandbox-seccomp-filter.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 999c46c9..0914e48b 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_shmdt
 	SC_DENY(__NR_shmdt, EACCES),
 #endif
+#ifdef __NR_ipc
+	SC_DENY(__NR_ipc, EACCES),
+#endif
 
 	/* Syscalls to permit */
 #ifdef __NR_brk
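Review bot: The new `SC_DENY(__NR_ipc, EACCES)` entry, placed right after the `__NR_shmdt` block, carries no comment explaining why it belongs in the deny list, and the reason (i386 has no separate shm syscall numbers and routes them through the single ipc syscall) lives only in the commit message. A one-line comment above the `#ifdef __NR_ipc` would keep that visible to anyone auditing the filter. It is also worth stating there that ipc(2) multiplexes the System V semaphore and message-queue calls as well as the shm ones, so on architectures that define `__NR_ipc` this entry returns EACCES for all of them, which is wider than the shm entries above it. That seems fine for the preauth child, but it should be a documented choice rather than a side effect.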

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

