[openssh] Enable seccomp sandboxing after resolving problems with audit patch (#1062953)
Jakub Jelen
jjelen at fedoraproject.org
Wed Feb 18 15:34:44 UTC 2015
commit 0a4ac4f4d3e3c0bb2dfbb421c384265a6bdd5c14
Author: Jakub Jelen <jjelen at redhat.com>
Date: Wed Feb 11 10:29:14 2015 +0100
Enable seccomp sandboxing after resolving problems with audit patch (#1062953)
openssh-6.7p1-audit.patch | 14 ++++++++++++++
openssh.spec | 5 -----
2 files changed, 14 insertions(+), 5 deletions(-)
---
diff --git a/openssh-6.7p1-audit.patch b/openssh-6.7p1-audit.patch
index b5c710b..292509d 100644
--- a/openssh-6.7p1-audit.patch
+++ b/openssh-6.7p1-audit.patch
@@ -2373,3 +2373,17 @@ index 4554b09..226a494 100644
int sshkey_is_cert(const struct sshkey *);
int sshkey_type_is_cert(int);
int sshkey_type_plain(int);
+
+diff -U3 openssh-6.6p1/sandbox-seccomp-filter.c openssh-6.6p1.seccomp/sandbox-seccomp-filter.c
+--- openssh-6.6p1/sandbox-seccomp-filter.c 2014-02-06 01:17:50.000000000 +0100
++++ openssh-6.6p1.seccomp/sandbox-seccomp-filter.c 2015-02-11 09:07:10.885000000 +0100
+@@ -95,6 +95,9 @@
+ #ifdef __NR_time /* not defined on EABI ARM */
+ SC_ALLOW(time),
+ #endif
++#ifdef SSH_AUDIT_EVENTS
++ SC_ALLOW(getuid),
++#endif
+ SC_ALLOW(read),
+ SC_ALLOW(write),
+ SC_ALLOW(close),
diff --git a/openssh.spec b/openssh.spec
index 9b000c3..7740c58 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -506,12 +506,7 @@ fi
%endif
%if %{WITH_SELINUX}
--with-selinux --with-audit=linux \
-%if 0
-#seccomp_filter cannot be build right now
--with-sandbox=seccomp_filter \
-%else
- --with-sandbox=rlimit \
-%endif
%endif
%if %{kerberos5}
--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
More information about the scm-commits
mailing list