[oe-commits] [meta-openembedded] 01/02: vsftpd: allow getdents64 in the seccomp sandbox

git at git.openembedded.org git at git.openembedded.org
Thu Nov 29 17:36:39 UTC 2018 

This is an automated email from the git hooks/post-receive script.

khem pushed a commit to branch master-next
in repository meta-openembedded.

commit be2444d6232ac7f9108b7805d099602866d78ecc
Author: Mingli Yu <mingli.yu at windriver.com>
AuthorDate: Thu Nov 29 01:25:56 2018 -0800

    vsftpd: allow getdents64 in the seccomp sandbox
    
    seccomp is activated by default in vsftpd and
    this has caused compatibility issues with some
    kernel versions. This was fixed as one can see
    as https://bugzilla.redhat.com/show_bug.cgi?id=845980,
    but can still cause issues with newer kernels with
    kernel 4.18+.
    
    And there is even a patch 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
    in fedora[https://dl.fedoraproject.org/pub/fedora/linux/releases/29/Everything/source/tree/Packages/v/vsftpd-3.0.3-28.fc29.src.rpm]
    turning off seccomp sandbox for vsftpd by default
    as below which means fedora doesn't limit the syscall
    any more by default.
    [snip]
     -  tunable_seccomp_sandbox = 1;
     +  tunable_seccomp_sandbox = 0;
       tunable_allow_writeable_chroot = 0;
    
       tunable_accept_timeout = 60;
    [snip]
    
    Refresh 0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch
    to allow one more syscall getdents64 in the
    seccomp sandbox apart from the previous one in
    below commit:
    fbffcf3f3 vsftpd: allow sysinfo() in the seccomp sandbox
    
    before this patch:
    root at qemux86-64:~# tnftp 127.0.0.1
    Connected to 127.0.0.1.
    220 (vsFTPd 3.0.3)
    Name (127.0.0.1:root): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    229 Entering Extended Passive Mode (|||8352|)
    150 Here comes the directory listing.
    500 OOPS: priv_sock_get_cmd
    ftp>
    
    after this patch:
    root at qemux86-64:~# tnftp 127.0.0.1
    Connected to 127.0.0.1.
    220 (vsFTPd 3.0.3)
    Name (127.0.0.1:root): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    229 Entering Extended Passive Mode (|||22610|)
    150 Here comes the directory listing.
    226 Directory send OK.
    ftp>
    
    Reference: https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon#vsftpd:_Error_500_with_kernel_4.18+
    
    Signed-off-by: Mingli Yu <mingli.yu at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
---
 ...tpd-allow-syscalls-in-the-seccomp-sandbox.patch | 46 ++++++++++++++++++++++
 ...ftpd-allow-sysinfo-in-the-seccomp-sandbox.patch | 43 --------------------
 .../recipes-daemons/vsftpd/vsftpd_3.0.3.bb         |  2 +-
 3 files changed, 47 insertions(+), 44 deletions(-)

diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch
new file mode 100644
index 0000000..7573c96
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch
@@ -0,0 +1,46 @@
+From dd353303f62d1dfe32cb000e482616b021708fbe Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu at windriver.com>
+Date: Thu, 29 Nov 2018 00:47:34 -0800
+Subject: [PATCH] vsftpd: allow syscalls in the seccomp sandbox
+
+* Allow sysinfo() and getdents64 in the seccomp
+  sandbox otherwise comes below OOPS: priv_sock_get_cmd
+  as the syscall sysinfo() and getdents64 not allowed
+
+root at qemux86-64:~# tnftp 192.168.1.1
+Connected to 192.168.1.1.
+220 (vsFTPd 3.0.3)
+Name (192.168.1.1:root): anonymous
+331 Please specify the password.
+Password:
+230 Login successful.
+Remote system type is UNIX.
+Using binary mode to transfer files.
+ftp> prompt
+Interactive mode off.
+ftp> mget small*
+OOPS: priv_sock_get_cmd
+
+Upstream-Status: Pending
+
+Signed-off-by: Mingli Yu <mingli.yu at windriver.com>
+---
+ seccompsandbox.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/seccompsandbox.c b/seccompsandbox.c
+index 2c350a9..377c50e 100644
+--- a/seccompsandbox.c
++++ b/seccompsandbox.c
+@@ -409,6 +409,8 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
+   allow_nr(__NR_getcwd);
+   allow_nr(__NR_chdir);
+   allow_nr(__NR_getdents);
++  allow_nr(__NR_getdents64);
++  allow_nr(__NR_sysinfo);
+   /* Misc */
+   allow_nr(__NR_umask);
+ 
+-- 
+2.17.1
+
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch
deleted file mode 100644
index c6c0f80..0000000
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 9c4826c19f04da533886209361a2caddf582d65c Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu at windriver.com>
-Date: Tue, 6 Sep 2016 17:17:44 +0800
-Subject: [PATCH] vsftpd: allow sysinfo() in the seccomp sandbox
-
-Upstream-Status: Pending
-
-* Allow sysinfo() in the seccomp sandbox otherwise
-  comes below OOPS: priv_sock_get_cmd as the syscall
-  sysinfo() not allowed
-
-tnftp 192.168.1.1
-Connected to 192.168.1.1.
-220 (vsFTPd 3.0.3)
-Name (192.168.1.1:root): anonymous
-331 Please specify the password.
-Password:
-230 Login successful.
-Remote system type is UNIX.
-Using binary mode to transfer files.
-ftp> prompt
-Interactive mode off.
-ftp> mget small*
-OOPS: priv_sock_get_cmd
-
-Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
-
----
- seccompsandbox.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/seccompsandbox.c b/seccompsandbox.c
-index 2c350a9..67d9ca5 100644
---- a/seccompsandbox.c
-+++ b/seccompsandbox.c
-@@ -409,6 +409,7 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
-   allow_nr(__NR_getcwd);
-   allow_nr(__NR_chdir);
-   allow_nr(__NR_getdents);
-+  allow_nr(__NR_sysinfo);
-   /* Misc */
-   allow_nr(__NR_umask);
- 
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb
index 2e3e0e8..df0d7f4 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb
@@ -18,7 +18,7 @@ SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \
            file://volatiles.99_vsftpd \
            file://vsftpd.service \
            file://vsftpd-2.1.0-filter.patch \
-           file://0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch \
+           file://0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch \
            ${@bb.utils.contains('PACKAGECONFIG', 'tcp-wrappers', 'file://vsftpd-tcp_wrappers-support.patch', '', d)} \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '${NOPAM_SRC}', d)} \
            file://0001-sysdeputil.c-Fix-with-musl-which-does-not-have-utmpx.patch \

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list