From 9778a15fa6dbdac6a95bf15865c2688b4bd6944e Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Thu, 18 Nov 2021 10:16:55 +1100
Subject: adjust seccomp filter for select->poll conversion
Needed to add ppoll syscall but also to relax the fallback rlimit sandbox. Linux poll() fails with EINVAL if npfds > RLIMIT_NOFILE, so we have to allow a single fd in the rlimit.
---
 sandbox-seccomp-filter.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'sandbox-seccomp-filter.c')
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 798b24bd..f5e46280 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -270,6 +270,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR__newselect
 SC_ALLOW(__NR__newselect),
 #endif
+#ifdef __NR_ppoll
+ SC_ALLOW(__NR_ppoll),
+#endif
 #ifdef __NR_poll
 SC_ALLOW(__NR_poll),
 #endif
@@ -391,7 +394,7 @@ ssh_sandbox_child_debugging(void)
 void
 ssh_sandbox_child(struct ssh_sandbox *box)
 {
- struct rlimit rl_zero;
+ struct rlimit rl_zero, rl_one = {.rlim_cur = 1, .rlim_max = 1};
 int nnp_failed = 0;
 /* Set rlimits for completeness if possible. */
@@ -399,7 +402,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
 fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror(errno));
- if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+ /*
+ * Cannot use zero for nfds, because poll(2) will fail with
+ * errno=EINVAL if npfds>RLIMIT_NOFILE.
+ */
+ if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
 fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror(errno));
 if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
--
cgit v1.2.1
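Review bot: The entry added to `preauth_insns[]` allows `__NR_ppoll` only, so on 32-bit targets where libc routes poll()/ppoll() through the 64-bit-time variant the pre-auth process would presumably still be rejected by the filter. Consider adding the sibling entry next to it, `#ifdef __NR_ppoll_time64` / `SC_ALLOW(__NR_ppoll_time64),` / `#endif`, unless the array already allows it elsewhere. The array starts and ends outside this hunk, so that cannot be confirmed from here.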
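Review bot: The `fatal()` message after the changed `setrlimit(RLIMIT_NOFILE, &rl_one)` call still reports `{ 0, 0 }`; it should read `fatal("%s: setrlimit(RLIMIT_NOFILE, { 1, 1 }): %s",` so a failure log matches the limit actually requested. The new comment also uses both `nfds` and `npfds` for the same quantity, and it says nothing about the security cost of the relaxation. With a limit of 1 only descriptor 0 can still be allocated, so the fallback keeps blocking new descriptors only while fd 0 stays open in the sandboxed child, which this hunk does not show; a sentence such as `Limit 1 still blocks new fds as long as fd 0 is in use.` would record that assumption. `ssh_sandbox_child()` begins and ends outside the hunk.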