diff options
| author | Darren Tucker <dtucker@dtucker.net> | 2021-03-12 05:58:57 +0100 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2021-03-12 05:58:57 +0100 |
| commit | 82fef71e20ffef425b932bec26f5bc46aa1ed41c (patch) | |
| tree | e4fac8479c0cf528f670783a19b9e25a8830e5c0 /sandbox-seccomp-filter.c | |
| parent | Move generic includes outside of ifdef. (diff) | |
| download | openssh-82fef71e20ffef425b932bec26f5bc46aa1ed41c.tar.xz openssh-82fef71e20ffef425b932bec26f5bc46aa1ed41c.zip | |
Allow (but return EACCES) fstatat64 in sandbox.
This is apparently used in some configurations of OpenSSL when glibc
has getrandom(). bz#3276, patch from Kris Karas, ok djm@
Diffstat (limited to 'sandbox-seccomp-filter.c')
| -rw-r--r-- | sandbox-seccomp-filter.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index d8dc7120b..7981c84ad 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -154,6 +154,9 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_fstat64 SC_DENY(__NR_fstat64, EACCES), #endif +#ifdef __NR_fstatat64 + SC_DENY(__NR_fstatat64, EACCES), +#endif #ifdef __NR_open SC_DENY(__NR_open, EACCES), #endif |