
[openssh] 01/01: Deny socketcall in seccomp filter on ppc64le.
This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 8b0eee148f7cf8b248c30d1bae57300f2cc5aafd
Author: Darren Tucker <dtucker@zip.com.au>
Date: Mon Apr 24 19:40:31 2017 +1000

Deny socketcall in seccomp filter on ppc64le.

OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys
in the privsep child. The socket() syscall is already denied in the seccomp
filter, but in the ppc64le kernel it is implemented using the socketcall()
syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and
therefore fails hard.

Patch from jjelen at redhat.com.
---
sandbox-seccomp-filter.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2831e9d1..200932a8 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -225,6 +225,7 @@ static const struct sock_filter preauth_insns[] = {
#endif
#ifdef __NR_socketcall
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+ SC_DENY(__NR_ssocketcall, EACCES),
#endif
#if defined(__NR_ioctl) && defined(__s390__)
/* Allow ioctls for ICA crypto card on s390 */
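Review bot: the added line `SC_DENY(__NR_ssocketcall, EACCES),` misspells the syscall macro (two s's). Because it sits inside `#ifdef __NR_socketcall`, the typo only surfaces on platforms that actually define `__NR_socketcall`, which is precisely ppc64le, the target of this fix: there `__NR_ssocketcall` is an undeclared identifier and the file will not compile, while everywhere else the block is compiled out and the mistake goes unnoticed. It should read `SC_DENY(__NR_socketcall, EACCES),`. The ordering is otherwise right: the filter is evaluated top to bottom, so the preceding `SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN)` still admits shutdown and every other socketcall sub-operation gets EACCES back instead of falling through to the default action, which is what turns the hard failure described in the message into an error OpenSSL can handle.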

--
To stop receiving notification emails like this one, please contact
djm@mindrot.org.
_______________________________________________
openssh-commits mailing list
openssh-commits@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-commits
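To show the allow-then-deny socketcall() pattern from the hunk in isolation, here is an added example; it is not OpenSSH code and not the project's sandbox-seccomp-filter.c. It builds a seccomp-BPF fragment that allows socketcall(SYS_SHUTDOWN) and returns EACCES for every other socketcall sub-operation, spelled `__NR_socketcall` as the `#ifdef` guard requires, and pairs it with a small constructed evaluator so the filter's decisions can be checked without loading it into the kernel. `demo_filter`, `eval_filter`, `decide` and the `DEMO_NR_SOCKETCALL` placeholder (used where `__NR_socketcall` is not defined, e.g. on x86_64) are this example's own names, and the trailing kill default stands in for the real filter's long allow-list.

```c
/* Added example (not OpenSSH code): the allow-then-deny socketcall() pattern
 * from the commit, as a stand-alone seccomp-BPF fragment plus a tiny
 * evaluator so its decisions can be checked without installing the filter. */
#include <endian.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/net.h>      /* SYS_SOCKET, SYS_CONNECT, SYS_SHUTDOWN, ... */
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Placeholder (assumption): x86_64 has no socketcall() multiplexer, so fall
 * back to i386's number 102 purely so the example compiles everywhere. */
#ifdef __NR_socketcall
#define DEMO_NR_SOCKETCALL __NR_socketcall
#else
#define DEMO_NR_SOCKETCALL 102
#endif

/* seccomp loads 32-bit words, so pick the low half of the 64-bit args[0]
 * according to host byte order (the same trick the OpenSSH filter uses). */
#if __BYTE_ORDER == __LITTLE_ENDIAN
#define ARG0_LO_OFFSET (offsetof(struct seccomp_data, args[0]))
#else
#define ARG0_LO_OFFSET (offsetof(struct seccomp_data, args[0]) + sizeof(uint32_t))
#endif

/* Evaluated top to bottom; the first RET reached wins.
 *  0: A = nr
 *  1: if A != socketcall                -> 6 (default)
 *  2: A = args[0] low word (the socketcall sub-operation)
 *  3: if A != SYS_SHUTDOWN              -> 5 (deny with EACCES)
 *  4: allow
 *  5: hand EACCES back to the caller instead of killing it
 *  6: default for anything else (a real filter has a long allow-list here) */
static const struct sock_filter demo_filter[] = {
    BPF_STMT(BPF_LD  | BPF_W   | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_NR_SOCKETCALL, 0, 4),
    BPF_STMT(BPF_LD  | BPF_W   | BPF_ABS, ARG0_LO_OFFSET),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_SHUTDOWN, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};
static const size_t demo_filter_len = sizeof(demo_filter) / sizeof(demo_filter[0]);

/* Interpreter for the three cBPF opcodes used above (LD|W|ABS, JMP|JEQ|K,
 * RET|K). Anything unexpected fails closed, like the real filter's default. */
static uint32_t eval_filter(const struct sock_filter *prog, size_t len,
                            const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: {
            uint32_t word;
            if (in->k + sizeof word > sizeof *d)
                return SECCOMP_RET_KILL;        /* out-of-bounds load */
            memcpy(&word, (const char *)d + in->k, sizeof word);
            acc = word;
            break;
        }
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;            /* unsupported opcode */
        }
    }
    return SECCOMP_RET_KILL;                    /* ran off the end */
}

/* What the filter would do for syscall `nr` with first argument `arg0`. */
static uint32_t decide(int nr, uint64_t arg0)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.args[0] = arg0;
    return eval_filter(demo_filter, demo_filter_len, &d);
}

int main(void)
{
    printf("socketcall(SYS_SHUTDOWN): %s\n",
           decide(DEMO_NR_SOCKETCALL, SYS_SHUTDOWN) == SECCOMP_RET_ALLOW ? "allow" : "deny");
    printf("socketcall(SYS_SOCKET):   %s\n",
           decide(DEMO_NR_SOCKETCALL, SYS_SOCKET) == (SECCOMP_RET_ERRNO | EACCES) ? "EACCES" : "other");
    return 0;
}
```

The point of `SECCOMP_RET_ERRNO | EACCES` on instruction 5 is the one the commit message makes: a denied socket() inside OpenSSL then fails with an error return the library can cope with, whereas falling through to the kill default terminates the privsep child.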
[openssh] 01/01: Deny socketcall in seccomp filter on ppc64le.
This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch V_7_5
in repository openssh.

commit 295ac5e15397e703c5f49d25954f5db91e05a9ce
Author: Darren Tucker <dtucker@zip.com.au>
Date: Mon Apr 24 19:40:31 2017 +1000

Deny socketcall in seccomp filter on ppc64le.

OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys
in the privsep child. The socket() syscall is already denied in the seccomp
filter, but in the ppc64le kernel it is implemented using the socketcall()
syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and
therefore fails hard.

Patch from jjelen at redhat.com.
---
sandbox-seccomp-filter.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2831e9d1..200932a8 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -225,6 +225,7 @@ static const struct sock_filter preauth_insns[] = {
#endif
#ifdef __NR_socketcall
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+ SC_DENY(__NR_ssocketcall, EACCES),
#endif
#if defined(__NR_ioctl) && defined(__s390__)
/* Allow ioctls for ICA crypto card on s390 */
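Review bot: this V_7_5 backport carries the same defect as the master commit: `__NR_ssocketcall` in the added SC_DENY line is a typo for `__NR_socketcall`. Since the line is guarded by `#ifdef __NR_socketcall`, the undeclared identifier only shows up on socketcall platforms such as ppc64le, where the build breaks; on every other platform the block is compiled out and nothing warns. Correct the spelling before a release is cut from this branch: `SC_DENY(__NR_socketcall, EACCES),`.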
