Deny socketcall in seccomp filter on ppc64le.

OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys in privsep child. The socket() syscall is already denied in the seccomp filter, but in ppc64le kernel, it is implemented using socketcall() syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and therefore fails hard. Patch from jjelen at redhat.com.
author: Darren Tucker <dtucker@zip.com.au> 2017-04-24 19:40:31 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2017-04-24 19:40:31 +1000
commit: 8b0eee148f7cf8b248c30d1bae57300f2cc5aafd (patch)
tree: 43f03a9987bea9971dbcbf81ad4666ab35e9427f /sandbox-seccomp-filter.c
parent: f8500b2be599053daa05248a86a743232ec6a536 (diff)
download: openssh-git-8b0eee148f7cf8b248c30d1bae57300f2cc5aafd.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2831e9d1..200932a8 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -225,6 +225,7 @@ static const struct sock_filter preauth_insns[] = {
 #endif
 #ifdef __NR_socketcall
 	SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+	SC_DENY(__NR_ssocketcall, EACCES),
 #endif
 #if defined(__NR_ioctl) && defined(__s390__)
 	/* Allow ioctls for ICA crypto card on s390 */
author	Darren Tucker <dtucker@zip.com.au>	2017-04-24 19:40:31 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2017-04-24 19:40:31 +1000
commit	8b0eee148f7cf8b248c30d1bae57300f2cc5aafd (patch)
tree	43f03a9987bea9971dbcbf81ad4666ab35e9427f /sandbox-seccomp-filter.c
parent	f8500b2be599053daa05248a86a743232ec6a536 (diff)
download	openssh-git-8b0eee148f7cf8b248c30d1bae57300f2cc5aafd.tar.gz