Allow socketcall(SYS_SHUTDOWN) for net_child on ix86 architecture

2015-06-24 10:38:35 +02:00 · 2015-06-24 10:38:35 +02:00 · 252221e6a1
commit 252221e6a1
parent b59dd83265
1 changed files with 36 additions and 0 deletions
--- a/openssh-6.7p1-seccomp-aarch64.patch
+++ b/openssh-6.7p1-seccomp-aarch64.patch
@ -21,6 +21,32 @@ diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
 index 095b04a..52f6810 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
+@@ -43,6 +43,7 @@
+ #include <sys/resource.h>
+ #include <sys/prctl.h>
+ 
+#include <linux/net.h>
+ #include <linux/audit.h>
+ #include <linux/filter.h>
+ #include <linux/seccomp.h>
+@@ -80,6 +81,17 @@
+ 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
+ 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+ 
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+	/* load first syscall argument */ \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
+	/* reload syscall number; all rules expect it in accumulator */ \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+		offsetof(struct seccomp_data, nr))
+
+ /* Syscall filtering set for preauth. */
+ static const struct sock_filter preauth_insns[] = {
+ 	/* Ensure the syscall arch convention is as expected. */
@@ -90,8 +90,23 @@ static const struct sock_filter preauth_insns[] = {
 	/* Load the syscall number for checking. */
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
@ -66,3 +92,13 @@ index 095b04a..52f6810 100644
 	SC_ALLOW(madvise),
 #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
 	SC_ALLOW(mmap2),
+@@ -154,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
+ #else
+ 	SC_ALLOW(sigprocmask),
+ #endif
+#ifdef __NR_socketcall
+	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
+ 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
+ };
+