diff options
author | djm <djm> | 2014-03-17 03:45:56 +0000 |
---|---|---|
committer | djm <djm> | 2014-03-17 03:45:56 +0000 |
commit | 78fc5299dc46e6fde67a2528bd94a883dc084efc (patch) | |
tree | a7388aea7a42536f06755828bdb21a42d7ffe8af | |
parent | cb3cc7b28a43b04fccd7dafc893d3fe731fb9662 (diff) | |
download | openssh-78fc5299dc46e6fde67a2528bd94a883dc084efc.tar.gz |
- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
remind myself to add sandbox violation logging via the log socket.
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | sandbox-seccomp-filter.c | 3 |
2 files changed, 7 insertions, 0 deletions
@@ -1,3 +1,7 @@ +20140317 + - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to + remind myself to add sandbox violation logging via the log socket. + 20140314 - (tim) [opensshd.init.in] Add support for ed25519 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index c0c17c2f..c2be0069 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -25,6 +25,8 @@ */ /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */ +/* XXX it should be possible to do logging via the log socket safely */ + #ifdef SANDBOX_SECCOMP_FILTER_DEBUG /* Use the kernel headers in case of an older toolchain. */ # include <asm/siginfo.h> @@ -89,6 +91,7 @@ static const struct sock_filter preauth_insns[] = { BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)), SC_DENY(open, EACCES), + SC_DENY(stat, EACCES), SC_ALLOW(getpid), SC_ALLOW(gettimeofday), SC_ALLOW(clock_gettime), |