1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
From 9a13c2bd472786472360f1a6465d8a808f6b8311 Mon Sep 17 00:00:00 2001
From: Stephen L Arnold <nerdboy@gentoo.org>
Date: Thu, 2 Dec 2021 20:16:18 -0800
Subject: [PATCH] ntpd/ntp_sandbox.c: seccomp rollup patch for arm, arm64,
riscv, all
* add renameat2, move newfstatat and faccessat, remove arch dups
* rollup previous patches, remove cruft
* includes riscv fixes, previous bugs:
https://bugs.gentoo.org/705128
https://bugs.gentoo.org/786228
https://bugs.gentoo.org/823692
https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1247
https://gitlab.com/NTPsec/ntpsec/-/issues/713
Signed-off-by: Stephen L Arnold <nerdboy@gentoo.org>
---
ntpd/ntp_sandbox.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
index e66faaa8c..04eaa003a 100644
--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -306,8 +306,8 @@ int scmp_sc[] = {
#endif
#endif /* ENABLE_EARLY_DROPROOT */
- SCMP_SYS(accept),
- SCMP_SYS(access),
+ SCMP_SYS(accept),
+ SCMP_SYS(access),
SCMP_SYS(adjtimex),
SCMP_SYS(bind),
SCMP_SYS(brk),
@@ -319,6 +319,9 @@ int scmp_sc[] = {
SCMP_SYS(connect),
SCMP_SYS(exit),
SCMP_SYS(exit_group),
+#ifdef __NR_faccessat
+ SCMP_SYS(faccessat), /* riscv and aarch64 */
+#endif
SCMP_SYS(fcntl),
SCMP_SYS(fstat),
SCMP_SYS(fsync),
@@ -349,11 +352,13 @@ int scmp_sc[] = {
SCMP_SYS(lseek),
SCMP_SYS(membarrier), /* Needed on Alpine 3.11.3 */
SCMP_SYS(munmap),
+ SCMP_SYS(newfstatat), /* riscv and aarch64 */
SCMP_SYS(open),
#ifdef __NR_openat
SCMP_SYS(openat), /* SUSE */
#endif
SCMP_SYS(poll),
+ SCMP_SYS(pread64),
SCMP_SYS(pselect6),
SCMP_SYS(read),
SCMP_SYS(recvfrom), /* Comment this out for testing.
@@ -362,6 +367,9 @@ int scmp_sc[] = {
*/
SCMP_SYS(recvmsg),
SCMP_SYS(rename),
+#ifdef __NR_renameat2
+ SCMP_SYS(renameat2), /* riscv */
+#endif
SCMP_SYS(rt_sigaction),
SCMP_SYS(rt_sigprocmask),
SCMP_SYS(rt_sigreturn),
@@ -401,6 +409,7 @@ int scmp_sc[] = {
* rather than generate a trap.
*/
SCMP_SYS(clone), /* threads */
+ SCMP_SYS(clone3),
SCMP_SYS(kill), /* generate signal */
SCMP_SYS(madvise),
SCMP_SYS(mprotect),
@@ -415,9 +424,9 @@ int scmp_sc[] = {
SCMP_SYS(nanosleep),
#endif
#ifdef CLOCK_SHM
- SCMP_SYS(shmget),
- SCMP_SYS(shmat),
- SCMP_SYS(shmdt),
+ SCMP_SYS(shmget),
+ SCMP_SYS(shmat),
+ SCMP_SYS(shmdt),
#endif
SCMP_SYS(fcntl64),
@@ -450,10 +459,9 @@ int scmp_sc[] = {
SCMP_SYS(mmap),
#endif
#if defined(__aarch64__)
- SCMP_SYS(faccessat),
- SCMP_SYS(newfstatat),
- SCMP_SYS(renameat),
SCMP_SYS(linkat),
+ SCMP_SYS(renameat),
+ SCMP_SYS(syscall),
SCMP_SYS(unlinkat),
#endif
#if defined(__i386__) || defined(__arm__) || defined(__powerpc__)
@@ -463,6 +471,9 @@ int scmp_sc[] = {
SCMP_SYS(send),
SCMP_SYS(stat64),
#endif
+#if defined(__arm__)
+ SCMP_SYS(statx),
+#endif
};
{
for (unsigned int i = 0; i < COUNTOF(scmp_sc); i++) {
--
2.32.0
|