[ptxdist] [PATCH 2/2] file: add upstream seccomp patches

Clemens Gruber Wed, 27 Jun 2018 08:25:22 -0700

Several syscalls are missing in file 5.33. Fix it by pulling in four
upstream patches.


Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com>
---
 ...s-newfstatat-is-used-for-stat-ing-th.patch | 56 +++++++++++++++++++
 ...s-add-more-syscalls-for-32-bit-linux.patch | 42 ++++++++++++++
 .../0003-one-more-syscall-for-32-bits.patch   | 29 ++++++++++
 .../0004-Fix-pasto-Clemens-Gruber.patch       | 30 ++++++++++
 patches/file-5.33/series                      |  8 +++
 5 files changed, 165 insertions(+)
 create mode 100644 
patches/file-5.33/0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch
 create mode 100644 
patches/file-5.33/0002-PR-5-tobias-add-more-syscalls-for-32-bit-linux.patch
 create mode 100644 patches/file-5.33/0003-one-more-syscall-for-32-bits.patch
 create mode 100644 patches/file-5.33/0004-Fix-pasto-Clemens-Gruber.patch
 create mode 100644 patches/file-5.33/series

diff --git 
a/patches/file-5.33/0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch
 
b/patches/file-5.33/0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch
new file mode 100644
index 000000000..e2f59686d
--- /dev/null
+++ 
b/patches/file-5.33/0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch
@@ -0,0 +1,56 @@
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Sun, 6 May 2018 16:36:41 +0000
+Subject: [PATCH] add more syscalls; newfstatat is used for stat'ing the magic
+ file, getdents64 is used for getting the magic entries during compilation.
+
+---
+ src/seccomp.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 7c8a31443b43..481a5624784c 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+ 
+ #ifndef       lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.2 2017/11/04 01:14:25 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.3 2018/05/06 16:36:41 christos Exp $")
+ #endif        /* lint */
+ 
+ #if HAVE_LIBSECCOMP
+@@ -59,12 +59,7 @@ enable_sandbox_basic(void)
+       if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+               return -1;
+ 
+-#if 0
+-      // prevent escape via ptrace
+-      prctl(PR_SET_DUMPABLE, 0);
+-#endif
+-
+-      if (prctl (PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
++      if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
+               return -1;
+ 
+       // initialize the filter
+@@ -171,6 +166,9 @@ enable_sandbox_full(void)
+       ALLOW_RULE(fcntl);  
+       ALLOW_RULE(fstat);
+       ALLOW_RULE(getdents);
++#ifdef __NR_getdents64
++      ALLOW_RULE(getdents64);
++#endif
+       ALLOW_RULE(ioctl);
+       ALLOW_RULE(lseek);
+       ALLOW_RULE(lstat);
+@@ -178,6 +176,9 @@ enable_sandbox_full(void)
+       ALLOW_RULE(mprotect);
+       ALLOW_RULE(mremap);
+       ALLOW_RULE(munmap);
++#ifdef __NR_newfstatat
++      ALLOW_RULE(newfstatat);
++#endif
+       ALLOW_RULE(open);
+       ALLOW_RULE(openat);
+       ALLOW_RULE(pread64);
diff --git 
a/patches/file-5.33/0002-PR-5-tobias-add-more-syscalls-for-32-bit-linux.patch 
b/patches/file-5.33/0002-PR-5-tobias-add-more-syscalls-for-32-bit-linux.patch
new file mode 100644
index 000000000..08e178a8d
--- /dev/null
+++ 
b/patches/file-5.33/0002-PR-5-tobias-add-more-syscalls-for-32-bit-linux.patch
@@ -0,0 +1,42 @@
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Sat, 23 Jun 2018 16:09:11 +0000
+Subject: [PATCH] PR/5: tobias: add more syscalls for 32 bit linux
+
+---
+ src/seccomp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 481a5624784c..51cf71c4ef6d 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+ 
+ #ifndef       lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.3 2018/05/06 16:36:41 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.4 2018/06/23 16:09:11 christos Exp $")
+ #endif        /* lint */
+ 
+ #if HAVE_LIBSECCOMP
+@@ -164,15 +164,20 @@ enable_sandbox_full(void)
+       ALLOW_RULE(exit);
+       ALLOW_RULE(exit_group);
+       ALLOW_RULE(fcntl);  
++      ALLOW_RULE(fcntl64);  
+       ALLOW_RULE(fstat);
++      ALLOW_RULE(fcntl64);  
+       ALLOW_RULE(getdents);
+ #ifdef __NR_getdents64
+       ALLOW_RULE(getdents64);
+ #endif
+       ALLOW_RULE(ioctl);
+       ALLOW_RULE(lseek);
++      ALLOW_RULE(_llseek);
+       ALLOW_RULE(lstat);
++      ALLOW_RULE(lstat64);
+       ALLOW_RULE(mmap);
++      ALLOW_RULE(mmap2);
+       ALLOW_RULE(mprotect);
+       ALLOW_RULE(mremap);
+       ALLOW_RULE(munmap);
diff --git a/patches/file-5.33/0003-one-more-syscall-for-32-bits.patch 
b/patches/file-5.33/0003-one-more-syscall-for-32-bits.patch
new file mode 100644
index 000000000..d45cfdac7
--- /dev/null
+++ b/patches/file-5.33/0003-one-more-syscall-for-32-bits.patch
@@ -0,0 +1,29 @@
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Sat, 23 Jun 2018 16:19:02 +0000
+Subject: [PATCH] one more syscall for 32 bits
+
+---
+ src/seccomp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 51cf71c4ef6d..6da7d658deb9 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+ 
+ #ifndef       lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.4 2018/06/23 16:09:11 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.5 2018/06/23 16:19:02 christos Exp $")
+ #endif        /* lint */
+ 
+ #if HAVE_LIBSECCOMP
+@@ -194,6 +194,7 @@ enable_sandbox_full(void)
+       ALLOW_RULE(rt_sigreturn);
+       ALLOW_RULE(select);
+       ALLOW_RULE(stat);
++      ALLOW_RULE(stat64);
+       ALLOW_RULE(sysinfo);
+       ALLOW_RULE(unlink);
+       ALLOW_RULE(write);
diff --git a/patches/file-5.33/0004-Fix-pasto-Clemens-Gruber.patch 
b/patches/file-5.33/0004-Fix-pasto-Clemens-Gruber.patch
new file mode 100644
index 000000000..83bdf6d08
--- /dev/null
+++ b/patches/file-5.33/0004-Fix-pasto-Clemens-Gruber.patch
@@ -0,0 +1,30 @@
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Tue, 26 Jun 2018 20:29:29 +0000
+Subject: [PATCH] Fix pasto (Clemens Gruber)
+
+---
+ src/seccomp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 6da7d658deb9..a5abb4a159f9 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+ 
+ #ifndef       lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.5 2018/06/23 16:19:02 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.6 2018/06/26 20:29:29 christos Exp $")
+ #endif        /* lint */
+ 
+ #if HAVE_LIBSECCOMP
+@@ -166,7 +166,7 @@ enable_sandbox_full(void)
+       ALLOW_RULE(fcntl);  
+       ALLOW_RULE(fcntl64);  
+       ALLOW_RULE(fstat);
+-      ALLOW_RULE(fcntl64);  
++      ALLOW_RULE(fstat64);  
+       ALLOW_RULE(getdents);
+ #ifdef __NR_getdents64
+       ALLOW_RULE(getdents64);
diff --git a/patches/file-5.33/series b/patches/file-5.33/series
new file mode 100644
index 000000000..7d191a433
--- /dev/null
+++ b/patches/file-5.33/series
@@ -0,0 +1,8 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+#tag:upstream --start-number 1
+0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch
+0002-PR-5-tobias-add-more-syscalls-for-32-bit-linux.patch
+0003-one-more-syscall-for-32-bits.patch
+0004-Fix-pasto-Clemens-Gruber.patch
+# 2af12a2494048da781590d463137b3ca  - git-ptx-patches magic
-- 
2.18.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH 2/2] file: add upstream seccomp patches

Reply via email to