| 1 |
commit: 519f07f7f3bdb29382a0f1491f6fce0a07bbc4fc |
| 2 |
Author: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon Jan 14 22:35:29 2019 +0000 |
| 4 |
Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Jan 14 22:35:29 2019 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=519f07f7 |
| 7 |
|
| 8 |
security.c: whitelist ipc() syscall for fakeroot on ppc64 and friends |
| 9 |
|
| 10 |
On amd64 and friends msgget() and similar syscalls are standalone syscalls. |
| 11 |
On i386 and friends msgget() is a subcall of ipc() syscall. |
| 12 |
|
| 13 |
This makes fakechroot break 'scanelf' as: |
| 14 |
$ LANG=C fakeroot scanelf -t /bin/bash |
| 15 |
/usr/bin/fakeroot: line 178: 6820 Bad system call (core dumped) |
| 16 |
|
| 17 |
The change whitelists ipc() call which allows all sysv syscalls, namely: |
| 18 |
- semop, semget, semctl, semtimedop |
| 19 |
- msgsnd, msgrcv, msgget, msgctl |
| 20 |
- shmat, shmdt, shmget, shmctl |
| 21 |
|
| 22 |
Reported-and-fixed-by: Samuel Holland |
| 23 |
Bug: https://bugs.gentoo.org/675378 |
| 24 |
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org> |
| 25 |
|
| 26 |
security.c | 6 ++++++ |
| 27 |
1 file changed, 6 insertions(+) |
| 28 |
|
| 29 |
diff --git a/security.c b/security.c |
| 30 |
index a86f375..78e04d4 100644 |
| 31 |
--- a/security.c |
| 32 |
+++ b/security.c |
| 33 |
@@ -162,6 +162,12 @@ static void pax_seccomp_init(bool allow_forking) |
| 34 |
SCMP_SYS(msgsnd), |
| 35 |
SCMP_SYS(semget), |
| 36 |
SCMP_SYS(semop), |
| 37 |
+ /* |
| 38 |
+ * Some targets like ppc and i386 implement the above |
| 39 |
+ * syscall as subcalls via ipc() syscall. |
| 40 |
+ * https://bugs.gentoo.org/675378 |
| 41 |
+ */ |
| 42 |
+ SCMP_SYS(ipc), |
| 43 |
}; |
| 44 |
int fork_syscalls[] = { |
| 45 |
SCMP_SYS(clone), |
Archives