SwordArMor-gentoo-overlay/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch

32 lines
977 B
Diff

From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001
From: Lonnie Abelbeck <lonnie@abelbeck.com>
Date: Tue, 1 Oct 2019 09:05:09 -0500
Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
---
sandbox-seccomp-filter.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 840c5232b..39dc289e3 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_stat64
SC_DENY(__NR_stat64, EACCES),
#endif
+#ifdef __NR_shmget
+ SC_DENY(__NR_shmget, EACCES),
+#endif
+#ifdef __NR_shmat
+ SC_DENY(__NR_shmat, EACCES),
+#endif
+#ifdef __NR_shmdt
+ SC_DENY(__NR_shmdt, EACCES),
+#endif
/* Syscalls to permit */
#ifdef __NR_brk