mirror of git://anongit.mindrot.org/openssh.git
- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
remind myself to add sandbox violation logging via the log socket.
parent
9c36698ca2
commit
48abc47e60
|
@ -1,3 +1,7 @@
|
||||||
|
20140317
|
||||||
|
- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
|
||||||
|
remind myself to add sandbox violation logging via the log socket.
|
||||||
|
|
||||||
20140314
|
20140314
|
||||||
- (tim) [opensshd.init.in] Add support for ed25519
|
- (tim) [opensshd.init.in] Add support for ed25519
|
||||||
|
|
||||||
|
|
|
@ -25,6 +25,8 @@
|
||||||
*/
|
*/
|
||||||
/* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */
|
/* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */
|
||||||
|
|
||||||
|
/* XXX it should be possible to do logging via the log socket safely */
|
||||||
|
|
||||||
#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
|
#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
|
||||||
/* Use the kernel headers in case of an older toolchain. */
|
/* Use the kernel headers in case of an older toolchain. */
|
||||||
# include <asm/siginfo.h>
|
# include <asm/siginfo.h>
|
||||||
|
@ -89,6 +91,7 @@ static const struct sock_filter preauth_insns[] = {
|
||||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
|
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
|
||||||
offsetof(struct seccomp_data, nr)),
|
offsetof(struct seccomp_data, nr)),
|
||||||
SC_DENY(open, EACCES),
|
SC_DENY(open, EACCES),
|
||||||
|
SC_DENY(stat, EACCES),
|
||||||
SC_ALLOW(getpid),
|
SC_ALLOW(getpid),
|
||||||
SC_ALLOW(gettimeofday),
|
SC_ALLOW(gettimeofday),
|
||||||
SC_ALLOW(clock_gettime),
|
SC_ALLOW(clock_gettime),
|
||||||
|
|
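Review bot: The added `SC_DENY(stat, EACCES)` entry in `preauth_insns` matches only the plain `stat` syscall number, so on ABIs where libc implements stat() through `stat64` or an `*at` variant the same call would presumably still reach the filter's default action instead of soft-failing. If SC_DENY builds the number from `__NR_` plus its argument, as the neighbouring `SC_DENY(open, EACCES)` suggests (the macro is not visible here), a guarded companion entry would cover that case: `#ifdef __NR_stat64` / `SC_DENY(stat64, EACCES),` / `#endif`. The entry also has no comment naming which caller in the pre-auth child needs stat() to fail softly; a line such as `/* soft-fail: return EACCES rather than kill the child; needed by <caller> */` would let a later audit decide whether the exception is still required. Until the logging mentioned in the new XXX comment exists, the denial is silent and that comment would be its only record. The array begins and ends outside this hunk.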