Soft-deny socket() syscall in seccomp sandbox (#1324493)

* Used for ecdh-sha2-nistp* key exchange methods in FIPS mode
2016-04-11 16:11:59 +02:00 · 2016-04-11 16:11:59 +02:00 · 3d2c14680b
commit 3d2c14680b
parent 0509c6c977
1 changed files with 15 additions and 0 deletions
--- a/openssh-7.2p1-fips.patch
+++ b/openssh-7.2p1-fips.patch
@ -704,3 +704,18 @@ index 7efe312..bcf2ae1 100644
 #define	KEX_FIPS_ENCRYPT \
 	"aes128-ctr,aes192-ctr,aes256-ctr," \
 	"aes128-cbc,3des-cbc," \
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index a3975eb..5224084 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -112,6 +112,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_open
+ 	SC_DENY(open, EACCES),
+ #endif
+#ifdef __NR_socket
+	SC_DENY(socket, EACCES),
+#endif
+ #ifdef __NR_openat
+ 	SC_DENY(openat, EACCES),
+ #endif
+