[oe-commits] [meta-openembedded] 08/13: vsftpd: allow getdents64 in the seccomp sandbox
git at git.openembedded.org
git at git.openembedded.org
Fri Nov 30 17:57:54 UTC 2018
This is an automated email from the git hooks/post-receive script.
khem pushed a commit to branch master-next
in repository meta-openembedded.
commit 4224a09efdec7b502f5278a16b40f009c38bea67
Author: Mingli Yu <mingli.yu at windriver.com>
AuthorDate: Thu Nov 29 01:25:56 2018 -0800
vsftpd: allow getdents64 in the seccomp sandbox
seccomp is activated by default in vsftpd and
this has caused compatibility issues with some
kernel versions. This was fixed as one can see
as https://bugzilla.redhat.com/show_bug.cgi?id=845980,
but can still cause issues with newer kernels with
kernel 4.18+.
And there is even a patch 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
in fedora[https://dl.fedoraproject.org/pub/fedora/linux/releases/29/Everything/source/tree/Packages/v/vsftpd-3.0.3-28.fc29.src.rpm]
turning off seccomp sandbox for vsftpd by default
as below which means fedora doesn't limit the syscall
any more by default.
[snip]
- tunable_seccomp_sandbox = 1;
+ tunable_seccomp_sandbox = 0;
tunable_allow_writeable_chroot = 0;
tunable_accept_timeout = 60;
[snip]
Refresh 0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch
to allow one more syscall getdents64 in the
seccomp sandbox apart from the previous one in
below commit:
fbffcf3f3 vsftpd: allow sysinfo() in the seccomp sandbox
before this patch:
root at qemux86-64:~# tnftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 3.0.3)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||8352|)
150 Here comes the directory listing.
500 OOPS: priv_sock_get_cmd
ftp>
after this patch:
root at qemux86-64:~# tnftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 3.0.3)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||22610|)
150 Here comes the directory listing.
226 Directory send OK.
ftp>
Reference: https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon#vsftpd:_Error_500_with_kernel_4.18+
Signed-off-by: Mingli Yu <mingli.yu at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
---
...tpd-allow-syscalls-in-the-seccomp-sandbox.patch | 46 ++++++++++++++++++++++
...ftpd-allow-sysinfo-in-the-seccomp-sandbox.patch | 43 --------------------
.../recipes-daemons/vsftpd/vsftpd_3.0.3.bb | 2 +-
3 files changed, 47 insertions(+), 44 deletions(-)
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch
new file mode 100644
index 0000000..7573c96
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch
@@ -0,0 +1,46 @@
+From dd353303f62d1dfe32cb000e482616b021708fbe Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu at windriver.com>
+Date: Thu, 29 Nov 2018 00:47:34 -0800
+Subject: [PATCH] vsftpd: allow syscalls in the seccomp sandbox
+
+* Allow sysinfo() and getdents64 in the seccomp
+ sandbox otherwise comes below OOPS: priv_sock_get_cmd
+ as the syscall sysinfo() and getdents64 not allowed
+
+root at qemux86-64:~# tnftp 192.168.1.1
+Connected to 192.168.1.1.
+220 (vsFTPd 3.0.3)
+Name (192.168.1.1:root): anonymous
+331 Please specify the password.
+Password:
+230 Login successful.
+Remote system type is UNIX.
+Using binary mode to transfer files.
+ftp> prompt
+Interactive mode off.
+ftp> mget small*
+OOPS: priv_sock_get_cmd
+
+Upstream-Status: Pending
+
+Signed-off-by: Mingli Yu <mingli.yu at windriver.com>
+---
+ seccompsandbox.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/seccompsandbox.c b/seccompsandbox.c
+index 2c350a9..377c50e 100644
+--- a/seccompsandbox.c
++++ b/seccompsandbox.c
+@@ -409,6 +409,8 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
+ allow_nr(__NR_getcwd);
+ allow_nr(__NR_chdir);
+ allow_nr(__NR_getdents);
++ allow_nr(__NR_getdents64);
++ allow_nr(__NR_sysinfo);
+ /* Misc */
+ allow_nr(__NR_umask);
+
+--
+2.17.1
+
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch
deleted file mode 100644
index c6c0f80..0000000
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 9c4826c19f04da533886209361a2caddf582d65c Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu at windriver.com>
-Date: Tue, 6 Sep 2016 17:17:44 +0800
-Subject: [PATCH] vsftpd: allow sysinfo() in the seccomp sandbox
-
-Upstream-Status: Pending
-
-* Allow sysinfo() in the seccomp sandbox otherwise
- comes below OOPS: priv_sock_get_cmd as the syscall
- sysinfo() not allowed
-
-tnftp 192.168.1.1
-Connected to 192.168.1.1.
-220 (vsFTPd 3.0.3)
-Name (192.168.1.1:root): anonymous
-331 Please specify the password.
-Password:
-230 Login successful.
-Remote system type is UNIX.
-Using binary mode to transfer files.
-ftp> prompt
-Interactive mode off.
-ftp> mget small*
-OOPS: priv_sock_get_cmd
-
-Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
-
----
- seccompsandbox.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/seccompsandbox.c b/seccompsandbox.c
-index 2c350a9..67d9ca5 100644
---- a/seccompsandbox.c
-+++ b/seccompsandbox.c
-@@ -409,6 +409,7 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
- allow_nr(__NR_getcwd);
- allow_nr(__NR_chdir);
- allow_nr(__NR_getdents);
-+ allow_nr(__NR_sysinfo);
- /* Misc */
- allow_nr(__NR_umask);
-
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb
index 2e3e0e8..df0d7f4 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb
@@ -18,7 +18,7 @@ SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \
file://volatiles.99_vsftpd \
file://vsftpd.service \
file://vsftpd-2.1.0-filter.patch \
- file://0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch \
+ file://0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch \
${@bb.utils.contains('PACKAGECONFIG', 'tcp-wrappers', 'file://vsftpd-tcp_wrappers-support.patch', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '${NOPAM_SRC}', d)} \
file://0001-sysdeputil.c-Fix-with-musl-which-does-not-have-utmpx.patch \
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list