- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to

remind myself to add sandbox violation logging via the log socket.
author: djm <djm> 2014-03-17 03:45:56 +0000
committer: djm <djm> 2014-03-17 03:45:56 +0000
commit: 78fc5299dc46e6fde67a2528bd94a883dc084efc (patch)
tree: a7388aea7a42536f06755828bdb21a42d7ffe8af
parent: cb3cc7b28a43b04fccd7dafc893d3fe731fb9662 (diff)
download: openssh-78fc5299dc46e6fde67a2528bd94a883dc084efc.tar.gz
2 files changed, 7 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 50008708..4e6b8b2d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20140317
+ - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
+   remind myself to add sandbox violation logging via the log socket.
+
 20140314
  - (tim) [opensshd.init.in] Add support for ed25519
 
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index c0c17c2f..c2be0069 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -25,6 +25,8 @@
  */
 /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */
 
+/* XXX it should be possible to do logging via the log socket safely */
+
 #ifdef SANDBOX_SECCOMP_FILTER_DEBUG
 /* Use the kernel headers in case of an older toolchain. */
 # include <asm/siginfo.h>
@@ -89,6 +91,7 @@ static const struct sock_filter preauth_insns[] = {
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 		offsetof(struct seccomp_data, nr)),
 	SC_DENY(open, EACCES),
+	SC_DENY(stat, EACCES),
 	SC_ALLOW(getpid),
 	SC_ALLOW(gettimeofday),
 	SC_ALLOW(clock_gettime),
author	djm <djm>	2014-03-17 03:45:56 +0000
committer	djm <djm>	2014-03-17 03:45:56 +0000
commit	78fc5299dc46e6fde67a2528bd94a883dc084efc (patch)
tree	a7388aea7a42536f06755828bdb21a42d7ffe8af
parent	cb3cc7b28a43b04fccd7dafc893d3fe731fb9662 (diff)
download	openssh-78fc5299dc46e6fde67a2528bd94a883dc084efc.tar.gz