Unbreak seccomp filter with latest glibc (#1771946)

2019-11-14 09:18:41 +01:00 · 2019-11-14 09:18:41 +01:00 · 6a2fce44b5
commit 6a2fce44b5
parent 36fef5669a
2 changed files with 24 additions and 0 deletions
--- a/openssh-8.1p1-seccomp-nanosleep.patch
+++ b/openssh-8.1p1-seccomp-nanosleep.patch
@ -0,0 +1,21 @@
+commit 7e929163ed40f9ce90060a3ca6df558c3d901379
+Author: Jakub Jelen <jjelen@redhat.com>
+Date:   Wed Nov 13 12:57:05 2019 +0100
+
+    seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index b5cda70b..be239767 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_nanosleep
+ 	SC_ALLOW(__NR_nanosleep),
+ #endif
+#ifdef __NR_clock_nanosleep
+	SC_ALLOW(__NR_clock_nanosleep),
+#endif
+ #ifdef __NR__newselect
+ 	SC_ALLOW(__NR__newselect),
+ #endif
+
--- a/openssh.spec
+++ b/openssh.spec
@ -210,6 +210,8 @@ Patch962: openssh-8.0p1-crypto-policies.patch
 Patch963: openssh-8.0p1-openssl-evp.patch
 # Use OpenSSL KDF (#1631761)
 Patch964: openssh-8.0p1-openssl-kdf.patch
+# Unbreak seccomp filter with latest glibc (#1771946)
+Patch965: openssh-8.1p1-seccomp-nanosleep.patch

 License: BSD
 Requires: /sbin/nologin
@ -410,6 +412,7 @@ popd
 %patch962 -p1 -b .crypto-policies
 %patch963 -p1 -b .openssl-evp
 %patch964 -p1 -b .openssl-kdf
+%patch965 -p1 -b .seccomp-nanosleep

 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race