author | Sergei Trofimovich <slyfox@gentoo.org> | 2019-01-14 22:35:29 +0000 |
---|---|---|
committer | Sergei Trofimovich <slyfox@gentoo.org> | 2019-01-14 22:35:29 +0000 |
commit | 519f07f7f3bdb29382a0f1491f6fce0a07bbc4fc (patch) | |
tree | 9ea85396e7acd5bd7088fe12e7eea4e068211439 | |
parent | lddtree.py: use errno properly (diff) | |
security.c: whitelist ipc() syscall for fakeroot on ppc64 and friends
v1.2.4
On amd64 and friends msgget() and similar syscalls are standalone syscalls.
On i386 and friends msgget() is a subcall of ipc() syscall.
This makes fakechroot break 'scanelf' as:
    $ LANG=C fakeroot scanelf -t /bin/bash
    /usr/bin/fakeroot: line 178: 6820 Bad system call (core dumped)
The change whitelists ipc() call which allows all sysv syscalls, namely:
- semop, semget, semctl, semtimedop
- msgsnd, msgrcv, msgget, msgctl
- shmat, shmdt, shmget, shmctl
Reported-and-fixed-by: Samuel Holland
Bug: https://bugs.gentoo.org/675378
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
-rw-r--r-- | security.c | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -162,6 +162,12 @@ static void pax_seccomp_init(bool allow_forking) SCMP_SYS(msgsnd), SCMP_SYS(semget), SCMP_SYS(semop), + /* + * Some targets like ppc and i386 implement the above + * syscall as subcalls via ipc() syscall. + * https://bugs.gentoo.org/675378 + */ + SCMP_SYS(ipc), }; int fork_syscalls[] = { SCMP_SYS(clone), |
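Review bot: SCMP_SYS(ipc) goes into the base list as a bare syscall entry, so on targets that multiplex through ipc() the filter now lets every SysV subcall through (the commit message lists shmat, shmdt, shmget, shmctl, semctl, msgctl and the rest), not only the standalone entries visible just above it such as msgsnd, semget and semop. If only the calls fakeroot needs are meant to pass, consider a separate rule that compares the first ipc() argument against the wanted subcall numbers; otherwise state in the comment that the whole ipc() family is allowed on purpose. The comment also reads "the above syscall as subcalls", which should be "the above syscalls", and it names ppc and i386 while the subject line says ppc64.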