From a0433a7096b7f1f5d7332b04fa83660b3208ab1d Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Fri, 6 Jul 2012 10:27:10 +1000
Subject: [PATCH] - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is not available. Allows use of sshd compiled on host with a filter-capable kernel on hosts that lack the support. bz#2011 ok dtucker@
---
 ChangeLog | 5 +++++
 sandbox-seccomp-filter.c | 12 +++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b19f41cf6..771ba79c2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20120706
+ - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
+ not available. Allows use of sshd compiled on host with a filter-capable
+ kernel on hosts that lack the support. bz#2011 ok dtucker@
+
 20120704
  - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
  platforms that don't have it. "looks good" tim@
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 686812957..ef2b13c4f 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -179,6 +179,7 @@ void
 ssh_sandbox_child(struct ssh_sandbox *box)
 {
 struct rlimit rl_zero;
+ int nnp_failed = 0;
 
 /* Set rlimits for completeness if possible. */
 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
@@ -197,13 +198,18 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
 
 debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__);
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
- fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
+ debug("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
 __func__, strerror(errno));
+ nnp_failed = 1;
+ }
 debug3("%s: attaching seccomp filter program", __func__);
 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &preauth_program) == -1)
- fatal("%s: prctl(PR_SET_SECCOMP): %s",
+ debug("%s: prctl(PR_SET_SECCOMP): %s",
 __func__, strerror(errno));
+ else if (nnp_failed)
+ fatal("%s: SECCOMP_MODE_FILTER activated but "
+ "PR_SET_NO_NEW_PRIVS failed", __func__);
 }
 
 void
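Review bot: The downgrade to the rlimit-only sandbox when prctl(PR_SET_SECCOMP) fails is reported with `debug()`, which sshd does not emit at its default log level, so on a host whose kernel lacks seccomp-filter support the pre-auth child runs with the weaker sandbox and nothing in the normal log says so. A kernel that rejects the filter program for some other reason takes the same quiet path, since errno is not examined before falling back. Making the downgrade visible in regular operation is a one-line change, e.g. `logit("%s: prctl(PR_SET_SECCOMP): %s; falling back to rlimit sandbox", __func__, strerror(errno));`, and the PR_SET_NO_NEW_PRIVS message above it deserves the same treatment. The body of ssh_sandbox_child starts before this hunk.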