Soft-deny socket() syscall in seccomp sandbox (#1324493)

* Used for  ecdh-sha2-nistp*  key exchange methods in FIPS mode
This commit is contained in:
Jakub Jelen 2016-04-11 16:11:59 +02:00
parent 0509c6c977
commit 3d2c14680b

View File

@ -704,3 +704,18 @@ index 7efe312..bcf2ae1 100644
#define KEX_FIPS_ENCRYPT \ #define KEX_FIPS_ENCRYPT \
"aes128-ctr,aes192-ctr,aes256-ctr," \ "aes128-ctr,aes192-ctr,aes256-ctr," \
"aes128-cbc,3des-cbc," \ "aes128-cbc,3des-cbc," \
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index a3975eb..5224084 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -112,6 +112,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_open
SC_DENY(open, EACCES),
#endif
+#ifdef __NR_socket
+ SC_DENY(socket, EACCES),
+#endif
#ifdef __NR_openat
SC_DENY(openat, EACCES),
#endif