diff options
| author |   Mingli Yu <Mingli.Yu@windriver.com> | 2016-09-08 13:58:15 +0800 |
|---|---|---|
| committer |   Joe MacDonald <joe_macdonald@mentor.com> | 2016-09-12 10:43:38 -0400 |
| commit | fbffcf3f3d3be732eae8884f835ecc1835d95271 (patch) | |
| tree | 99aa2fd1de8daeb26aa89b3cee288c795b283b69 /meta-networking/recipes-daemons | |
| parent | e4365a234e82e052415a374d970ca1bb9007b162 (diff) | |
| download | meta-openembedded-contrib-fbffcf3f3d3be732eae8884f835ecc1835d95271.tar.gz | |
vsftpd: allow sysinfo() in the seccomp sandbox
* Allow sysinfo() in the seccomp sandbox otherwise
comes below OOPS: priv_sock_get_cmd as the syscall
sysinfo() not allowed
tnftp 192.168.1.1
Connected to 192.168.1.1.
220 (vsFTPd 3.0.3)
Name (192.168.1.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> prompt
Interactive mode off.
ftp> mget small*
OOPS: priv_sock_get_cmd
* use "strace -ff /usr/sbin/vsftpd" to track in both
seccomp sandbox on and seccomp sandbox off (add
seccomp_sandbox=NO in /etc/vsftpd.conf) scenarios when
type the commands at ftp client as above, the ftp
connection at server side ends up each time with SIGSYS when
call sysinfo() syscall in seccomp sandbox on case,
so we need to add sysinfo() in the seccomp sandbox if
still use seccomp sandbox for vsftpd
* The issue still exists in other distribution, Please
check https://bugzilla.redhat.com/show_bug.cgi?id=845980 for details
And check ftp://195.220.108.108/linux/fedora/linux/updates/\
24/SRPMS/p/proftpd-1.3.5b-2.fc24.src.rpm for fedora, there
is even a patch vsftpd-3.0.2-seccomp.patch as below to turn off
seccomp sandbox for vsftpd by default which also means fedora
doesn't limit the syscall any more by default.
From dd86a1c28f11fa67b1263d5dc79fa9953629d30d Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Fri, 8 Apr 2016 15:03:16 +0200
Subject: [PATCH 1/7] vsftpd-3.0.2-seccomp
---
tunables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tunables.c b/tunables.c
index 93f85b1..b024be4 100644
--- a/tunables.c
+++ b/tunables.c
@@ -232,7 +232,7 @@ tunables_load_defaults()
tunable_isolate_network = 1;
tunable_ftp_enable = 1;
tunable_http_enable = 0;
- tunable_seccomp_sandbox = 1;
+ tunable_seccomp_sandbox = 0;
tunable_allow_writeable_chroot = 0;
tunable_accept_timeout = 60;
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Diffstat (limited to 'meta-networking/recipes-daemons')
| -rw-r--r-- | meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch | 45 | ||||
| -rw-r--r-- | meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb | 1 |
2 files changed, 46 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch new file mode 100644 index 0000000000..7accbbc241 --- /dev/null +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch @@ -0,0 +1,45 @@ +From 37cc924363515c8c309944c455bcbba7ddcc8eda Mon Sep 17 00:00:00 2001 +From: Mingli Yu <Mingli.Yu@windriver.com> +Date: Tue, 6 Sep 2016 17:17:44 +0800 +Subject: [PATCH] vsftpd: allow sysinfo() in the seccomp sandbox + +Upstream-Status: Pending + +* Allow sysinfo() in the seccomp sandbox otherwise + comes below OOPS: priv_sock_get_cmd as the syscall + sysinfo() not allowed + +tnftp 192.168.1.1 +Connected to 192.168.1.1. +220 (vsFTPd 3.0.3) +Name (192.168.1.1:root): anonymous +331 Please specify the password. +Password: +230 Login successful. +Remote system type is UNIX. +Using binary mode to transfer files. +ftp> prompt +Interactive mode off. +ftp> mget small* +OOPS: priv_sock_get_cmd + +Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> +--- + seccompsandbox.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/seccompsandbox.c b/seccompsandbox.c +index 2c350a9..67d9ca5 100644 +--- a/seccompsandbox.c ++++ b/seccompsandbox.c +@@ -409,6 +409,7 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess) + allow_nr(__NR_getcwd); + allow_nr(__NR_chdir); + allow_nr(__NR_getdents); ++ allow_nr(__NR_sysinfo); + /* Misc */ + allow_nr(__NR_umask); + +-- +2.8.1 + diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb index e398799fe9..3eaaa30b62 100644 --- a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb @@ -18,6 +18,7 @@ SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \ file://volatiles.99_vsftpd \ file://vsftpd.service \ file://vsftpd-2.1.0-filter.patch \ + file://0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch \ " LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271 \ |