- (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
not available. Allows use of sshd compiled on host with a filter-capable kernel on hosts that lack the support. bz#2011 ok dtucker@
This commit is contained in:
parent
34f702ae64
commit
a0433a7096
|
@ -1,3 +1,8 @@
|
|||
20120706
|
||||
- (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
|
||||
not available. Allows use of sshd compiled on host with a filter-capable
|
||||
kernel on hosts that lack the support. bz#2011 ok dtucker@
|
||||
|
||||
20120704
|
||||
- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
|
||||
platforms that don't have it. "looks good" tim@
|
||||
|
|
|
@ -179,6 +179,7 @@ void
|
|||
ssh_sandbox_child(struct ssh_sandbox *box)
|
||||
{
|
||||
struct rlimit rl_zero;
|
||||
int nnp_failed = 0;
|
||||
|
||||
/* Set rlimits for completeness if possible. */
|
||||
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
|
||||
|
@ -197,13 +198,18 @@ ssh_sandbox_child(struct ssh_sandbox *box)
|
|||
#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
|
||||
|
||||
debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__);
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
|
||||
fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
|
||||
debug("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
|
||||
__func__, strerror(errno));
|
||||
nnp_failed = 1;
|
||||
}
|
||||
debug3("%s: attaching seccomp filter program", __func__);
|
||||
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &preauth_program) == -1)
|
||||
fatal("%s: prctl(PR_SET_SECCOMP): %s",
|
||||
debug("%s: prctl(PR_SET_SECCOMP): %s",
|
||||
__func__, strerror(errno));
|
||||
else if (nnp_failed)
|
||||
fatal("%s: SECCOMP_MODE_FILTER activated but "
|
||||
"PR_SET_NO_NEW_PRIVS failed", __func__);
|
||||
}
|
||||
|
||||
void
|
||||
|
|
Loading…
Reference in New Issue