Attachment 2159 Details for Bug 2004 – seccomp-fallback.diff

[patch] seccomp-fallback.diff

seccomp-fallback.diff (text/plain), 1.33 KB, created by Damien Miller on 2012-06-01 10:39:15 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Damien Miller

Created: 2012-06-01 10:39:15 AEST

Size: 1.33 KB

patch

obsolete

>Index: sandbox-seccomp-filter.c
>===================================================================
>RCS file: /var/cvs/openssh/sandbox-seccomp-filter.c,v
>retrieving revision 1.1
>diff -u -p -r1.1 sandbox-seccomp-filter.c
>--- sandbox-seccomp-filter.c	4 Apr 2012 01:27:57 -0000	1.1
>+++ sandbox-seccomp-filter.c	1 Jun 2012 00:31:33 -0000
>@@ -179,6 +179,7 @@ void
> ssh_sandbox_child(struct ssh_sandbox *box)
> {
> 	struct rlimit rl_zero;
>+	int nnp_failed = 0;
> 
> 	/* Set rlimits for completeness if possible. */
> 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
>@@ -197,13 +198,18 @@ ssh_sandbox_child(struct ssh_sandbox *bo
> #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
> 
> 	debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__);
>-	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
>-		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
>+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
>+		verbose("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
> 		      __func__, strerror(errno));
>+		nnp_failed = 1;
>+	}
> 	debug3("%s: attaching seccomp filter program", __func__);
> 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &preauth_program) == -1)
>-		fatal("%s: prctl(PR_SET_SECCOMP): %s",
>+		verbose("%s: prctl(PR_SET_SECCOMP): %s",
> 		      __func__, strerror(errno));
>+	else if (nnp_failed)
>+		fatal("%s: SECCOMP_MODE_FILTER activated but "
>+		    "PR_SET_NO_NEW_PRIVS failed", __func__);
> }
> 
> void

Actions: View | Diff

Attachments on bug 2004: 2149 | 2159