diff --git a/openssh-8.1p1-seccomp-nanosleep.patch b/openssh-8.1p1-seccomp-nanosleep.patch new file mode 100644 index 0000000..eb629bc --- /dev/null +++ b/openssh-8.1p1-seccomp-nanosleep.patch @@ -0,0 +1,21 @@ +commit 7e929163ed40f9ce90060a3ca6df558c3d901379 +Author: Jakub Jelen +Date: Wed Nov 13 12:57:05 2019 +0100 + + seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index b5cda70b..be239767 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_nanosleep + SC_ALLOW(__NR_nanosleep), + #endif ++#ifdef __NR_clock_nanosleep ++ SC_ALLOW(__NR_clock_nanosleep), ++#endif + #ifdef __NR__newselect + SC_ALLOW(__NR__newselect), + #endif + diff --git a/openssh.spec b/openssh.spec index 8f10cc3..10d005a 100644 --- a/openssh.spec +++ b/openssh.spec @@ -210,6 +210,8 @@ Patch962: openssh-8.0p1-crypto-policies.patch Patch963: openssh-8.0p1-openssl-evp.patch # Use OpenSSL KDF (#1631761) Patch964: openssh-8.0p1-openssl-kdf.patch +# Unbreak seccomp filter with latest glibc (#1771946) +Patch965: openssh-8.1p1-seccomp-nanosleep.patch License: BSD Requires: /sbin/nologin @@ -410,6 +412,7 @@ popd %patch962 -p1 -b .crypto-policies %patch963 -p1 -b .openssl-evp %patch964 -p1 -b .openssl-kdf +%patch965 -p1 -b .seccomp-nanosleep %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race