Make closefrom() ignore softlinks to the /dev/ devices on s390

Jakub Jelen 2016-07-18 12:26:15 +02:00
parent a49441fa52
commit 9864973c69
2 changed files with 55 additions and 0 deletions


@ -0,0 +1,52 @@
Zseries only: Leave the hardware filedescriptors open.
All filedescriptors above 2 are getting closed when a new
sshd process to handle a new client connection is
spawned. As the process also chroot into an empty filesystem
without any device nodes, there is no chance to reopen the
files. This patch filters out the reqired fds in the
closefrom function so these are skipped in the close loop.
Author: Harald Freudenberger <freude@de.ibm.com>
---
openbsd-compat/bsd-closefrom.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
--- a/openbsd-compat/bsd-closefrom.c
+++ b/openbsd-compat/bsd-closefrom.c
@@ -82,7 +82,33 @@ closefrom(int lowfd)
fd = strtol(dent->d_name, &endp, 10);
if (dent->d_name != endp && *endp == '\0' &&
fd >= 0 && fd < INT_MAX && fd >= lowfd && fd != dirfd(dirp))
+#ifdef __s390__
+ {
+ /*
+ * the filedescriptors used to communicate with
+ * the device drivers to provide hardware support
+ * should survive. HF <freude@de.ibm.com>
+ */
+ char fpath[PATH_MAX], lpath[PATH_MAX];
+ len = snprintf(fpath, sizeof(fpath), "%s/%s",
+ fdpath, dent->d_name);
+ if (len > 0 && (size_t)len <= sizeof(fpath)) {
+ len = readlink(fpath, lpath, sizeof(lpath));
+ if (len > 0) {
+ lpath[len] = 0;
+ if (strstr(lpath, "dev/z90crypt")
+ || strstr(lpath, "dev/zcrypt")
+ || strstr(lpath, "dev/prandom")
+ || strstr(lpath, "dev/shm/icastats"))
+ fd = -1;
+ }
+ }
+ if (fd >= 0)
+ (void) close((int) fd);
+ }
+#else
(void) close((int) fd);
+#endif
}
(void) closedir(dirp);
} else
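Review bot: `lpath[len] = 0` in the s390 branch can write one byte past `lpath`, because `readlink(fpath, lpath, sizeof(lpath))` returns the full buffer size when the link target fills or exceeds it; reserve the terminator with `len = readlink(fpath, lpath, sizeof(lpath) - 1);`. The snprintf guard above it also lets a truncated path through, since truncation is `len >= sizeof(fpath)`; it should read `if (len > 0 && (size_t)len < sizeof(fpath)) {`. The `strstr()` tests match the device names anywhere in the link target, so any inherited descriptor whose path merely contains a string such as `dev/prandom` is also kept open in the chrooted child; anchoring the comparison at the start of the target (a prefix match on the absolute `/dev/...` path) would limit the exemption to the intended nodes. `closefrom()` starts and ends outside this hunk, and `len` is presumably declared there.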


@ -236,6 +236,8 @@ Patch936: openssh-7.1p1-iutf8.patch
Patch937: openssh-7.2p2-CVE-2015-8325.patch Patch937: openssh-7.2p2-CVE-2015-8325.patch
# Regression in certificate based authentication (#1333498) # Regression in certificate based authentication (#1333498)
Patch938: openssh-7.2p2-certificats-regress.patch Patch938: openssh-7.2p2-certificats-regress.patch
# make s390 use /dev/ crypto devices -- ignore closefrom
Patch939: openssh-7.2p2-s390-closefrom.patch
License: BSD License: BSD
@ -473,6 +475,7 @@ popd
%patch936 -p1 -b .iutf8 %patch936 -p1 -b .iutf8
%patch937 -p1 -b .pam_uselogin_cve %patch937 -p1 -b .pam_uselogin_cve
%patch938 -p1 -b .certificates %patch938 -p1 -b .certificates
%patch939 -p1 -b .s390-dev
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race