adjust seccomp filter for select->poll conversion

Needed to add ppoll syscall but also to relax the fallback rlimit
sandbox. Linux poll() fails with EINVAL if npfds > RLIMIT_NOFILE,
so we have to allow a single fd in the rlimit.
Damien Miller 2021-11-18 10:16:55 +11:00
parent fcd8d895bb
commit 9778a15fa6
1 changed files with 9 additions and 2 deletions


@ -270,6 +270,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR__newselect
SC_ALLOW(__NR__newselect),
#endif
#ifdef __NR_ppoll
SC_ALLOW(__NR_ppoll),
#endif
#ifdef __NR_poll
SC_ALLOW(__NR_poll),
#endif
@ -391,7 +394,7 @@ ssh_sandbox_child_debugging(void)
void
ssh_sandbox_child(struct ssh_sandbox *box)
{
struct rlimit rl_zero;
struct rlimit rl_zero, rl_one = {.rlim_cur = 1, .rlim_max = 1};
int nnp_failed = 0;
/* Set rlimits for completeness if possible. */
@ -399,7 +402,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
__func__, strerror(errno));
if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
/*
* Cannot use zero for nfds, because poll(2) will fail with
* errno=EINVAL if npfds>RLIMIT_NOFILE.
*/
if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
__func__, strerror(errno));
if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
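Review bot: The fatal() string under the changed RLIMIT_NOFILE call still reads `{ 0, 0 }` although `rl_one` is now passed, so a failure here would log limits that were never requested; it should read `fatal("%s: setrlimit(RLIMIT_NOFILE, { 1, 1 }): %s",`. The new comment explains why zero no longer works but not what the relaxation costs. With a limit of 1, the only descriptor number a new open could receive is 0, so this rlimit layer now depends on fd 0 staying occupied in the sandboxed child; that is not visible in these hunks and should be confirmed. I would record it in the comment, e.g. `* A limit of 1 only permits allocating fd 0, which must remain open.` The body of ssh_sandbox_child() continues past the last hunk.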