seccomp: fix build failure due to missing syscalls
This commit is contained in:
Kamil Dudka
parent
c6fd8ab78c
commit
fc77f1885e
53
file-5.33-seccomp.patch
Normal file
53
file-5.33-seccomp.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From 4ae8a24b5ccbee904875a10b7b2301369080a88d Mon Sep 17 00:00:00 2001
|
||||
From: Christos Zoulas <christos@zoulas.com>
|
||||
Date: Sun, 6 May 2018 16:36:41 +0000
|
||||
Subject: [PATCH] add more syscalls; newfstatat is used for stat'ing the magic
|
||||
file, getdents64 is used for getting the magic entries during compilation.
|
||||
|
||||
Upstream-commit: aeddbff330fad0edff2ab4b02dbf0863cd593c3c
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
src/seccomp.c | 15 ++++++++-------
|
||||
1 file changed, 8 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/seccomp.c b/src/seccomp.c
|
||||
index 7c8a3144..481a5624 100644
|
||||
--- a/src/seccomp.c
|
||||
+++ b/src/seccomp.c
|
||||
@@ -59,12 +59,7 @@ enable_sandbox_basic(void)
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
|
||||
return -1;
|
||||
|
||||
-#if 0
|
||||
- // prevent escape via ptrace
|
||||
- prctl(PR_SET_DUMPABLE, 0);
|
||||
-#endif
|
||||
-
|
||||
- if (prctl (PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
|
||||
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
|
||||
return -1;
|
||||
|
||||
// initialize the filter
|
||||
@@ -171,6 +166,9 @@ enable_sandbox_full(void)
|
||||
ALLOW_RULE(fcntl);
|
||||
ALLOW_RULE(fstat);
|
||||
ALLOW_RULE(getdents);
|
||||
+#ifdef __NR_getdents64
|
||||
+ ALLOW_RULE(getdents64);
|
||||
+#endif
|
||||
ALLOW_RULE(ioctl);
|
||||
ALLOW_RULE(lseek);
|
||||
ALLOW_RULE(lstat);
|
||||
@@ -178,6 +176,9 @@ enable_sandbox_full(void)
|
||||
ALLOW_RULE(mprotect);
|
||||
ALLOW_RULE(mremap);
|
||||
ALLOW_RULE(munmap);
|
||||
+#ifdef __NR_newfstatat
|
||||
+ ALLOW_RULE(newfstatat);
|
||||
+#endif
|
||||
ALLOW_RULE(open);
|
||||
ALLOW_RULE(openat);
|
||||
ALLOW_RULE(pread64);
|
||||
--
|
||||
2.17.0
|
||||
|
||||
@ -15,7 +15,7 @@
|
||||
Summary: A utility for determining file types
|
||||
Name: file
|
||||
Version: 5.33
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: BSD
|
||||
Group: Applications/File
|
||||
Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
|
||||
@ -29,6 +29,7 @@ Patch2: file-5.04-volume_key.patch
|
||||
|
||||
# picked from upstream
|
||||
Patch3: file-5.33-gif.patch
|
||||
Patch4: file-5.33-seccomp.patch
|
||||
|
||||
URL: http://www.darwinsys.com/file/
|
||||
Requires: file-libs = %{version}-%{release}
|
||||
@ -200,6 +201,9 @@ cd %{py3dir}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue May 22 2018 Kamil Dudka <kdudka@redhat.com> - 5.33-4
|
||||
- seccomp: fix build failure due to missing syscalls
|
||||
|
||||
* Mon Apr 30 2018 Miro Hrončok <mhroncok@redhat.com> - 5.33-3
|
||||
- Update Python macros to new packaging standards
|
||||
(See https://fedoraproject.org/wiki/Changes/Avoid_usr_bin_python_in_RPM_Build)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user