Enable seccomp sandboxing after resolving problems with audit patch (#1062953)

2015-02-11 10:29:14 +01:00 · 2015-02-11 10:29:14 +01:00 · 0a4ac4f4d3
commit 0a4ac4f4d3
parent b552eb6714
2 changed files with 14 additions and 5 deletions
--- a/openssh-6.7p1-audit.patch
+++ b/openssh-6.7p1-audit.patch
@ -2373,3 +2373,17 @@ index 4554b09..226a494 100644
 int	 sshkey_is_cert(const struct sshkey *);
 int	 sshkey_type_is_cert(int);
 int	 sshkey_type_plain(int);
+
+diff -U3 openssh-6.6p1/sandbox-seccomp-filter.c openssh-6.6p1.seccomp/sandbox-seccomp-filter.c
+--- openssh-6.6p1/sandbox-seccomp-filter.c	2014-02-06 01:17:50.000000000 +0100
+++ openssh-6.6p1.seccomp/sandbox-seccomp-filter.c	2015-02-11 09:07:10.885000000 +0100
+@@ -95,6 +95,9 @@
+ #ifdef __NR_time /* not defined on EABI ARM */
+ 	SC_ALLOW(time),
+ #endif
+#ifdef SSH_AUDIT_EVENTS
+	SC_ALLOW(getuid),
+#endif
+ 	SC_ALLOW(read),
+ 	SC_ALLOW(write),
+ 	SC_ALLOW(close),
--- a/openssh.spec
+++ b/openssh.spec
@ -506,12 +506,7 @@ fi
 %endif
 %if %{WITH_SELINUX}
 	--with-selinux --with-audit=linux \
-%if 0
-#seccomp_filter cannot be build right now
 	--with-sandbox=seccomp_filter \
-%else
-	--with-sandbox=rlimit \
-%endif
 %endif
 %if %{kerberos5}
 	--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \