	Add AArch64 support for seccomp_filter sandbox (#1195065)
							parent
							
								
									e0f867b153
								
							
						
					
					
						commit
						6656486e18
					
				
							
								
								
									
										50
									
								
								openssh-6.7p1-seccomp-aarch64.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
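--- a/openssh-6.7p1-seccomp-aarch64.patch
+++ b/openssh-6.7p1-seccomp-aarch64.patch
@@ -0,0 +1,50 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("
+ 	i*86-*)
+ 		seccomp_audit_arch=AUDIT_ARCH_I386
+ 		;;
+-        arm*-*)
++	aarch64*-*)
++		seccomp_audit_arch=AUDIT_ARCH_AARCH64
++		;;
++	arm*-*)
+ 		seccomp_audit_arch=AUDIT_ARCH_ARM
+-                ;;
++		;;
+ 	esac
+ 	if test "x$seccomp_audit_arch" != "x" ; then
+ 		AC_MSG_RESULT(["$seccomp_audit_arch"])
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 095b04a..59c3682 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -90,8 +90,10 @@ static const struct sock_filter preauth_insns[] = {
+ 	/* Load the syscall number for checking. */
+ 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+ 		offsetof(struct seccomp_data, nr)),
+-	SC_DENY(open, EACCES),
++	SC_DENY(openat, EACCES), /* no open() on AArch64 */
++#ifdef __NR_stat
+ 	SC_DENY(stat, EACCES),
++#endif
+ 	SC_ALLOW(getpid),
+ 	SC_ALLOW(gettimeofday),
+ 	SC_ALLOW(clock_gettime),
+@@ -111,12 +113,16 @@ static const struct sock_filter preauth_insns[] = {
+ 	SC_ALLOW(shutdown),
+ #endif
+ 	SC_ALLOW(brk),
++#ifdef __NR_poll /* Not available on AArch64 */
+ 	SC_ALLOW(poll),
++#endif
+ #ifdef __NR__newselect
+ 	SC_ALLOW(_newselect),
+ #else
++#ifdef __NR_select /* Not available on AArch64 */
+ 	SC_ALLOW(select),
+ #endif
++#endif
+ 	SC_ALLOW(madvise),
+ #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
+ 	SC_ALLOW(mmap2),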
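Review bot: Replacing `SC_DENY(open, EACCES)` with `SC_DENY(openat, EACCES)` at the top of the sandbox-seccomp-filter.c hunk is unconditional, so on i386, x86_64 and ARM, which still have `__NR_open`, an open() attempted by library code in the pre-auth child no longer gets a graceful EACCES but falls through to the filter's default action, which is outside the hunk but for this sandbox is presumably the kill rule rather than an error return. The comment `/* no open() on AArch64 */` justifies adding openat, not dropping open; guarding each deny with its own `__NR_` macro, as the hunk already does for stat, keeps both. The poll/select allows below deserve the same thought in reverse: on AArch64 glibc presumably reaches poll()/select() through ppoll/pselect6, which this filter never allows, so the pre-auth child should be exercised on an AArch64 host before the spec switches that arch to seccomp_filter. preauth_insns[] starts and ends outside both hunks.
```c
	/* Load the syscall number for checking. */
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
		offsetof(struct seccomp_data, nr)),
#ifdef __NR_open
	SC_DENY(open, EACCES),
#endif
#ifdef __NR_openat
	SC_DENY(openat, EACCES), /* AArch64 has no open(), only openat() */
#endif
#ifdef __NR_stat
	SC_DENY(stat, EACCES),
#endif
	/* … unchanged: SC_ALLOW list … */
```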
| @ -215,6 +215,8 @@ Patch921: openssh-6.7p1-debian-restore-tcp-wrappers.patch | ||||
| Patch922: openssh-6.7p1-sshdT-output.patch | ||||
| # fix ssh-copy-id on non-sh shells (#1045191) | ||||
| Patch923: openssh-6.7p1-fix-ssh-copy-id-on-non-sh-shell.patch | ||||
| # AArch64 has seccomp support since 3.19 kernel (#1195065) | ||||
| Patch924: openssh-6.7p1-seccomp-aarch64.patch | ||||
| 
 | ||||
| 
 | ||||
| License: BSD | ||||
| @ -434,6 +436,7 @@ popd | ||||
| %patch921 -p1 -b .tcp_wrappers | ||||
| %patch922 -p1 -b .sshdt | ||||
| %patch923 -p1 -b .ssh-copy-id | ||||
| %patch924 -p1 -b .seccomp | ||||
| 
 | ||||
| %patch200 -p1 -b .audit | ||||
| %patch700 -p1 -b .fips | ||||
| @ -509,7 +512,7 @@ fi | ||||
| %endif | ||||
| %if %{WITH_SELINUX} | ||||
| 	--with-selinux --with-audit=linux \ | ||||
| %ifarch %{ix86} x86_64 %{arm} | ||||
| %ifarch %{ix86} x86_64 %{arm} aarch64 | ||||
| 	--with-sandbox=seccomp_filter \ | ||||
| %else | ||||
| 	--with-sandbox=rlimit \ | ||||
|  | ||||