commit: 519f07f7f3bdb29382a0f1491f6fce0a07bbc4fc |
Author: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org> |
AuthorDate: Mon Jan 14 22:35:29 2019 +0000 |
Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org> |
CommitDate: Mon Jan 14 22:35:29 2019 +0000 |
URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=519f07f7 |
|
security.c: whitelist ipc() syscall for fakeroot on ppc64 and friends |
|
On amd64 and friends msgget() and similar syscalls are standalone syscalls. |
On i386 and friends msgget() is a subcall of ipc() syscall. |
|
This makes fakechroot break 'scanelf' as: |
$ LANG=C fakeroot scanelf -t /bin/bash |
/usr/bin/fakeroot: line 178: 6820 Bad system call (core dumped) |
|
The change whitelists ipc() call which allows all sysv syscalls, namely: |
- semop, semget, semctl, semtimedop |
- msgsnd, msgrcv, msgget, msgctl |
- shmat, shmdt, shmget, shmctl |
|
Reported-and-fixed-by: Samuel Holland |
Bug: https://bugs.gentoo.org/675378 |
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org> |
|
security.c | 6 ++++++ |
1 file changed, 6 insertions(+) |
|
diff --git a/security.c b/security.c |
index a86f375..78e04d4 100644 |
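--- a/security.c
+++ b/security.c
@@ -162,6 +162,12 @@ static void pax_seccomp_init(bool allow_forking)
 SCMP_SYS(msgsnd),
 SCMP_SYS(semget),
 SCMP_SYS(semop),
+ /*
+ * Some targets like ppc and i386 implement the above
+ * syscall as subcalls via ipc() syscall.
+ * https://bugs.gentoo.org/675378
+ */
+ SCMP_SYS(ipc),
 };
 int fork_syscalls[] = {
 SCMP_SYS(clone),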
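Review bot: The `SCMP_SYS(ipc)` entry admits every SysV IPC operation, because ipc() multiplexes the sem*, msg* and shm* subcalls through its first argument, so on ppc/i386 the filter becomes broader than the individual entries listed above it. The added comment should record that, for example `* NOTE: ipc() multiplexes all SysV IPC subcalls (sem*, msg*, shm*), so this entry is wider than the list above.` If the code that installs these rules (outside this hunk, like the rest of pax_seccomp_init) can take argument conditions, restricting the first argument of ipc() to the subcalls fakeroot actually needs would keep the allowance equivalent to the standalone entries. The comment also reads "the above syscall as subcalls", where "syscalls" is meant.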