Several syscalls are missing from the seccomp sandbox allow list (src/seccomp.c) in file 5.33. Fix it by pulling in four upstream patches.
Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com>
---
 ...s-newfstatat-is-used-for-stat-ing-th.patch | 56 +++++++++++++++++++
 ...s-add-more-syscalls-for-32-bit-linux.patch | 42 ++++++++++++++
 .../0003-one-more-syscall-for-32-bits.patch | 29 ++++++++++
 .../0004-Fix-pasto-Clemens-Gruber.patch | 30 ++++++++++
 patches/file-5.33/series | 8 +++
 5 files changed, 165 insertions(+)
 create mode 100644 patches/file-5.33/0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch
 create mode 100644 patches/file-5.33/0002-PR-5-tobias-add-more-syscalls-for-32-bit-linux.patch
 create mode 100644 patches/file-5.33/0003-one-more-syscall-for-32-bits.patch
 create mode 100644 patches/file-5.33/0004-Fix-pasto-Clemens-Gruber.patch
 create mode 100644 patches/file-5.33/series

diff --git a/patches/file-5.33/0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch b/patches/file-5.33/0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch
new file mode 100644
index 000000000..e2f59686d
--- /dev/null
+++ b/patches/file-5.33/0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch
@@ -0,0 +1,56 @@
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Sun, 6 May 2018 16:36:41 +0000
+Subject: [PATCH] add more syscalls; newfstatat is used for stat'ing the magic
+ file, getdents64 is used for getting the magic entries during compilation.
+
+---
+ src/seccomp.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 7c8a31443b43..481a5624784c 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+
+ #ifndef lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.2 2017/11/04 01:14:25 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.3 2018/05/06 16:36:41 christos Exp $")
+ #endif /* lint */
+
+ #if HAVE_LIBSECCOMP
+@@ -59,12 +59,7 @@ enable_sandbox_basic(void)
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+ return -1;
+
+-#if 0
+- // prevent escape via ptrace
+- prctl(PR_SET_DUMPABLE, 0);
+-#endif
+-
+- if (prctl (PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
++ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
+ return -1;
+
+ // initialize the filter
+@@ -171,6 +166,9 @@ enable_sandbox_full(void)
+ ALLOW_RULE(fcntl);
+ ALLOW_RULE(fstat);
+ ALLOW_RULE(getdents);
++#ifdef __NR_getdents64
++ ALLOW_RULE(getdents64);
++#endif
+ ALLOW_RULE(ioctl);
+ ALLOW_RULE(lseek);
+ ALLOW_RULE(lstat);
+@@ -178,6 +176,9 @@ enable_sandbox_full(void)
+ ALLOW_RULE(mprotect);
+ ALLOW_RULE(mremap);
+ ALLOW_RULE(munmap);
++#ifdef __NR_newfstatat
++ ALLOW_RULE(newfstatat);
++#endif
+ ALLOW_RULE(open);
+ ALLOW_RULE(openat);
+ ALLOW_RULE(pread64);
diff --git a/patches/file-5.33/0002-PR-5-tobias-add-more-syscalls-for-32-bit-linux.patch b/patches/file-5.33/0002-PR-5-tobias-add-more-syscalls-for-32-bit-linux.patch
new file mode 100644
index 000000000..08e178a8d
--- /dev/null
+++ b/patches/file-5.33/0002-PR-5-tobias-add-more-syscalls-for-32-bit-linux.patch
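Review bot: The `#ifdef __NR_newfstatat` guard around `ALLOW_RULE(newfstatat);` only helps on architectures that define that number; on 32-bit ports the same libc stat/fstatat call is normally issued as `fstatat64`, which nothing in this series allows, so a 32-bit target would presumably still be killed on the very path this patch describes (stat'ing the magic file) — confirm with strace on an i386 or ARM build before relying on the series. If confirmed, add the parallel guarded entry `#ifdef __NR_fstatat64` / `ALLOW_RULE(fstatat64);` / `#endif` next to the newfstatat one. The `prctl(PR_SET_DUMPABLE, 0, ...)` cleanup in `enable_sandbox_basic` is fine, but a one-line why-comment would help the next reader, e.g. `/* non-dumpable: block ptrace attach from same-uid processes */`. Both `enable_sandbox_basic` and `enable_sandbox_full` start and end outside this hunk, and the definition of `ALLOW_RULE` (what happens when a rule cannot be added) is not visible here.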
@@ -0,0 +1,42 @@
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Sat, 23 Jun 2018 16:09:11 +0000
+Subject: [PATCH] PR/5: tobias: add more syscalls for 32 bit linux
+
+---
+ src/seccomp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 481a5624784c..51cf71c4ef6d 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+
+ #ifndef lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.3 2018/05/06 16:36:41 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.4 2018/06/23 16:09:11 christos Exp $")
+ #endif /* lint */
+
+ #if HAVE_LIBSECCOMP
+@@ -164,15 +164,20 @@ enable_sandbox_full(void)
+ ALLOW_RULE(exit);
+ ALLOW_RULE(exit_group);
+ ALLOW_RULE(fcntl);
++ ALLOW_RULE(fcntl64);
+ ALLOW_RULE(fstat);
++ ALLOW_RULE(fcntl64);
+ ALLOW_RULE(getdents);
+ #ifdef __NR_getdents64
+ ALLOW_RULE(getdents64);
+ #endif
+ ALLOW_RULE(ioctl);
+ ALLOW_RULE(lseek);
++ ALLOW_RULE(_llseek);
+ ALLOW_RULE(lstat);
++ ALLOW_RULE(lstat64);
+ ALLOW_RULE(mmap);
++ ALLOW_RULE(mmap2);
+ ALLOW_RULE(mprotect);
+ ALLOW_RULE(mremap);
+ ALLOW_RULE(munmap);
diff --git a/patches/file-5.33/0003-one-more-syscall-for-32-bits.patch b/patches/file-5.33/0003-one-more-syscall-for-32-bits.patch
new file mode 100644
index 000000000..d45cfdac7
--- /dev/null
+++ b/patches/file-5.33/0003-one-more-syscall-for-32-bits.patch
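Review bot: `ALLOW_RULE(fcntl64);`, `_llseek`, `lstat64` and `mmap2` are added unconditionally while `getdents64` a few lines above stays behind `#ifdef __NR_getdents64`; on a 64-bit build none of these four exist as native syscalls, so whether the rule is silently skipped or makes the add fail and abort sandbox setup depends on libseccomp's handling of pseudo-syscall numbers and on the `ALLOW_RULE` definition, neither of which is in the hunk. Pick one convention for the whole list: either guard each 32-bit name the same way, e.g. `#ifdef __NR_mmap2` / `ALLOW_RULE(mmap2);` / `#endif`, or drop the getdents64 guard and record the assumption next to the list, `/* libseccomp ignores rules for syscalls absent on this arch -- verified against the version we ship */`. The duplicated `fcntl64` after `fstat` (where `fstat64` was intended) is already corrected by patch 0004 in this series. `enable_sandbox_full` starts and ends outside this hunk.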
@@ -0,0 +1,29 @@
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Sat, 23 Jun 2018 16:19:02 +0000
+Subject: [PATCH] one more syscall for 32 bits
+
+---
+ src/seccomp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 51cf71c4ef6d..6da7d658deb9 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+
+ #ifndef lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.4 2018/06/23 16:09:11 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.5 2018/06/23 16:19:02 christos Exp $")
+ #endif /* lint */
+
+ #if HAVE_LIBSECCOMP
+@@ -194,6 +194,7 @@ enable_sandbox_full(void)
+ ALLOW_RULE(rt_sigreturn);
+ ALLOW_RULE(select);
+ ALLOW_RULE(stat);
++ ALLOW_RULE(stat64);
+ ALLOW_RULE(sysinfo);
+ ALLOW_RULE(unlink);
+ ALLOW_RULE(write);
diff --git a/patches/file-5.33/0004-Fix-pasto-Clemens-Gruber.patch b/patches/file-5.33/0004-Fix-pasto-Clemens-Gruber.patch
new file mode 100644
index 000000000..83bdf6d08
--- /dev/null
+++ b/patches/file-5.33/0004-Fix-pasto-Clemens-Gruber.patch
@@ -0,0 +1,30 @@
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Tue, 26 Jun 2018 20:29:29 +0000
+Subject: [PATCH] Fix pasto (Clemens Gruber)
+
+---
+ src/seccomp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 6da7d658deb9..a5abb4a159f9 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+
+ #ifndef lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.5 2018/06/23 16:19:02 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.6 2018/06/26 20:29:29 christos Exp $")
+ #endif /* lint */
+
+ #if HAVE_LIBSECCOMP
+@@ -166,7 +166,7 @@ enable_sandbox_full(void)
+ ALLOW_RULE(fcntl);
+ ALLOW_RULE(fcntl64);
+ ALLOW_RULE(fstat);
+- ALLOW_RULE(fcntl64);
++ ALLOW_RULE(fstat64);
+ ALLOW_RULE(getdents);
+ #ifdef __NR_getdents64
+ ALLOW_RULE(getdents64);
diff --git a/patches/file-5.33/series b/patches/file-5.33/series
new file mode 100644
index 000000000..7d191a433
--- /dev/null
+++ b/patches/file-5.33/series
@@ -0,0 +1,8 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+#tag:upstream --start-number 1
+0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch
+0002-PR-5-tobias-add-more-syscalls-for-32-bit-linux.patch
+0003-one-more-syscall-for-32-bits.patch
+0004-Fix-pasto-Clemens-Gruber.patch
+# 2af12a2494048da781590d463137b3ca - git-ptx-patches magic
--
2.18.0

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de