tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child. 

New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
This commit is contained in:
Lonnie Abelbeck 2019-10-01 09:05:09 -05:00 committed by Damien Miller
parent edd1d3a626
commit 3ef92a6574
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
sandbox-seccomp-filter.c
View File

@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_stat64 #ifdef __NR_stat64
SC_DENY(__NR_stat64, EACCES), SC_DENY(__NR_stat64, EACCES),
#endif #endif
#ifdef __NR_shmget
SC_DENY(__NR_shmget, EACCES),
#endif
#ifdef __NR_shmat
SC_DENY(__NR_shmat, EACCES),
#endif
#ifdef __NR_shmdt
SC_DENY(__NR_shmdt, EACCES),
#endif
/* Syscalls to permit */ /* Syscalls to permit */
#ifdef __NR_brk #ifdef __NR_brk