Make closefrom() ignore softlinks to the /dev/ devices on s390
This commit is contained in:
parent
a49441fa52
commit
9864973c69
52
openssh-7.2p2-s390-closefrom.patch
Normal file
52
openssh-7.2p2-s390-closefrom.patch
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
Zseries only: Leave the hardware filedescriptors open.
|
||||||
|
|
||||||
|
All filedescriptors above 2 are getting closed when a new
|
||||||
|
sshd process to handle a new client connection is
|
||||||
|
spawned. As the process also chroot into an empty filesystem
|
||||||
|
without any device nodes, there is no chance to reopen the
|
||||||
|
files. This patch filters out the reqired fds in the
|
||||||
|
closefrom function so these are skipped in the close loop.
|
||||||
|
|
||||||
|
Author: Harald Freudenberger <freude@de.ibm.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
openbsd-compat/bsd-closefrom.c | 26 ++++++++++++++++++++++++++
|
||||||
|
1 file changed, 26 insertions(+)
|
||||||
|
|
||||||
|
--- a/openbsd-compat/bsd-closefrom.c
|
||||||
|
+++ b/openbsd-compat/bsd-closefrom.c
|
||||||
|
@@ -82,7 +82,33 @@ closefrom(int lowfd)
|
||||||
|
fd = strtol(dent->d_name, &endp, 10);
|
||||||
|
if (dent->d_name != endp && *endp == '\0' &&
|
||||||
|
fd >= 0 && fd < INT_MAX && fd >= lowfd && fd != dirfd(dirp))
|
||||||
|
+#ifdef __s390__
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * the filedescriptors used to communicate with
|
||||||
|
+ * the device drivers to provide hardware support
|
||||||
|
+ * should survive. HF <freude@de.ibm.com>
|
||||||
|
+ */
|
||||||
|
+ char fpath[PATH_MAX], lpath[PATH_MAX];
|
||||||
|
+ len = snprintf(fpath, sizeof(fpath), "%s/%s",
|
||||||
|
+ fdpath, dent->d_name);
|
||||||
|
+ if (len > 0 && (size_t)len <= sizeof(fpath)) {
|
||||||
|
+ len = readlink(fpath, lpath, sizeof(lpath));
|
||||||
|
+ if (len > 0) {
|
||||||
|
+ lpath[len] = 0;
|
||||||
|
+ if (strstr(lpath, "dev/z90crypt")
|
||||||
|
+ || strstr(lpath, "dev/zcrypt")
|
||||||
|
+ || strstr(lpath, "dev/prandom")
|
||||||
|
+ || strstr(lpath, "dev/shm/icastats"))
|
||||||
|
+ fd = -1;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (fd >= 0)
|
||||||
|
+ (void) close((int) fd);
|
||||||
|
+ }
|
||||||
|
+#else
|
||||||
|
(void) close((int) fd);
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
(void) closedir(dirp);
|
||||||
|
} else
|
||||||
|
|
@ -236,6 +236,8 @@ Patch936: openssh-7.1p1-iutf8.patch
|
|||||||
Patch937: openssh-7.2p2-CVE-2015-8325.patch
|
Patch937: openssh-7.2p2-CVE-2015-8325.patch
|
||||||
# Regression in certificate based authentication (#1333498)
|
# Regression in certificate based authentication (#1333498)
|
||||||
Patch938: openssh-7.2p2-certificats-regress.patch
|
Patch938: openssh-7.2p2-certificats-regress.patch
|
||||||
|
# make s390 use /dev/ crypto devices -- ignore closefrom
|
||||||
|
Patch939: openssh-7.2p2-s390-closefrom.patch
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
@ -473,6 +475,7 @@ popd
|
|||||||
%patch936 -p1 -b .iutf8
|
%patch936 -p1 -b .iutf8
|
||||||
%patch937 -p1 -b .pam_uselogin_cve
|
%patch937 -p1 -b .pam_uselogin_cve
|
||||||
%patch938 -p1 -b .certificates
|
%patch938 -p1 -b .certificates
|
||||||
|
%patch939 -p1 -b .s390-dev
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
|
Loading…
Reference in New Issue
Block a user