Add AArch64 support for seccomp_filter sandbox (#1195065)
parent
e0f867b153
commit
6656486e18
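--- /dev/null
+++ b/openssh-6.7p1-seccomp-aarch64.patch
@@ -0,0 +1,50 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("
+i*86-*)
+seccomp_audit_arch=AUDIT_ARCH_I386
+;;
+- arm*-*)
++ aarch64*-*)
++ seccomp_audit_arch=AUDIT_ARCH_AARCH64
++ ;;
++ arm*-*)
+seccomp_audit_arch=AUDIT_ARCH_ARM
+- ;;
++ ;;
+esac
+if test "x$seccomp_audit_arch" != "x" ; then
+AC_MSG_RESULT(["$seccomp_audit_arch"])
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 095b04a..59c3682 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -90,8 +90,10 @@ static const struct sock_filter preauth_insns[] = {
+/* Load the syscall number for checking. */
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+offsetof(struct seccomp_data, nr)),
+- SC_DENY(open, EACCES),
++ SC_DENY(openat, EACCES), /* no open() on AArch64 */
++#ifdef __NR_stat
+SC_DENY(stat, EACCES),
++#endif
+SC_ALLOW(getpid),
+SC_ALLOW(gettimeofday),
+SC_ALLOW(clock_gettime),
+@@ -111,12 +113,16 @@ static const struct sock_filter preauth_insns[] = {
+SC_ALLOW(shutdown),
+#endif
+SC_ALLOW(brk),
++#ifdef __NR_poll /* Not available on AArch64 */
+SC_ALLOW(poll),
++#endif
+#ifdef __NR__newselect
+SC_ALLOW(_newselect),
+#else
++#ifdef __NR_select /* Not available on AArch64 */
+SC_ALLOW(select),
+#endif
++#endif
+SC_ALLOW(madvise),
+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
+SC_ALLOW(mmap2),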
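Review bot: Replacing `SC_DENY(open, EACCES)` with `SC_DENY(openat, EACCES)` in the first sandbox-seccomp-filter.c hunk removes the open() rule on every architecture this package enables the sandbox for, not only AArch64, since the spec hunk below still builds seccomp_filter on ix86, x86_64 and arm. On those architectures an open() from the pre-auth child no longer gets the graceful EACCES it got before and instead falls through to whatever the filter's final rule does for unmatched syscalls (that rule is outside these hunks), so a libc path that opens a file pre-auth would behave differently from the unpatched build; guarding each entry with its own `#ifdef __NR_open` / `#ifdef __NR_openat`, exactly as the hunk already does for `__NR_stat`, keeps both behaviours and lets the `/* no open() on AArch64 */` comment sit where it is true. Separately, the second hunk only fences poll() and select() off with `#ifdef`; if the pre-auth child still calls either of them on AArch64 the libc wrapper has to issue some other syscall (presumably pselect6/ppoll, which nothing visible here allows), so it is worth confirming that a real connection survives the sandbox on that architecture rather than being killed at the first select(). The preauth_insns[] array starts and ends outside these hunks.
```c
	/* … unchanged: BPF_STMT load of seccomp_data.nr … */
#ifdef __NR_open
	SC_DENY(open, EACCES),
#endif
#ifdef __NR_openat
	SC_DENY(openat, EACCES),	/* no open() on AArch64 */
#endif
	/* … unchanged: __NR_stat block, SC_ALLOW(getpid) and following … */
```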
@ -215,6 +215,8 @@ Patch921: openssh-6.7p1-debian-restore-tcp-wrappers.patch
|
||||
Patch922: openssh-6.7p1-sshdT-output.patch
|
||||
# fix ssh-copy-id on non-sh shells (#1045191)
|
||||
Patch923: openssh-6.7p1-fix-ssh-copy-id-on-non-sh-shell.patch
|
||||
# AArch64 has seccomp support since 3.19 kernel (#1195065)
|
||||
Patch924: openssh-6.7p1-seccomp-aarch64.patch
|
||||
|
||||
|
||||
License: BSD
|
||||
@ -434,6 +436,7 @@ popd
|
||||
%patch921 -p1 -b .tcp_wrappers
|
||||
%patch922 -p1 -b .sshdt
|
||||
%patch923 -p1 -b .ssh-copy-id
|
||||
%patch924 -p1 -b .seccomp
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch700 -p1 -b .fips
|
||||
@ -509,7 +512,7 @@ fi
|
||||
%endif
|
||||
%if %{WITH_SELINUX}
|
||||
--with-selinux --with-audit=linux \
|
||||
%ifarch %{ix86} x86_64 %{arm}
|
||||
%ifarch %{ix86} x86_64 %{arm} aarch64
|
||||
--with-sandbox=seccomp_filter \
|
||||
%else
|
||||
--with-sandbox=rlimit \
|
||||
|