File 0003-seccomp-shm-get-at-dt-now-have-their-own-numbers-eve.patch of Package systemd.16035

From 029d0cc0864bda8228b0c193fae89fd720826b2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 15 Mar 2019 11:57:49 +0100
Subject: [PATCH 3/3] seccomp: shm{get,at,dt} now have their own numbers
 everywhere

E.g. on i686:

(previously)
arch x86: SCMP_SYS(mmap) = 90
arch x86: SCMP_SYS(mmap2) = 192
arch x86: SCMP_SYS(shmat) = -221
arch x86: SCMP_SYS(shmat) = -221
arch x86: SCMP_SYS(shmdt) = -222

(now)
arch x86: SCMP_SYS(mmap) = 90
arch x86: SCMP_SYS(mmap2) = 192
arch x86: SCMP_SYS(shmat) = 397
arch x86: SCMP_SYS(shmat) = 397
arch x86: SCMP_SYS(shmdt) = 398

The relevant commit seems to be
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0d6040d46817.

(cherry picked from commit e55bdf9b6c5f72475b258a7a4585a0480551cb60)

[fbui: fixes bsc#1173422]

[fbui: later commit 67fb5f338fad added support to block shmat syscall on x86
       but it was basically reverted by commit bed4668d1daeb6...  therefore
       let's only cherry pick this patch alone to fix the build failure on
       architectures which define a separate syscall but use a
       multiplexer. This effectively means shmat is ignored and not blocked on
       x86 and ppc.]
---
 src/shared/seccomp-util.c | 5 -----
 src/test/test-seccomp.c   | 9 +++++++++
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 7a2da0dd92..74094029ca 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1191,14 +1191,9 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
 assert_cc(SCMP_SYS(shmget) > 0);
 assert_cc(SCMP_SYS(shmat) > 0);
 assert_cc(SCMP_SYS(shmdt) > 0);
-#elif defined(__i386__) || defined(__powerpc64__)
-assert_cc(SCMP_SYS(shmget) < 0);
-assert_cc(SCMP_SYS(shmat) < 0);
-assert_cc(SCMP_SYS(shmdt) < 0);
 #endif
 
 int seccomp_memory_deny_write_execute(void) {
-
         uint32_t arch;
         int r;
 
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 7a951aec62..c2aa72ea3f 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -480,9 +480,18 @@ static void test_memory_deny_write_execute_mmap(void) {
 static void test_memory_deny_write_execute_shmat(void) {
         int shmid;
         pid_t pid;
+        uint32_t arch;
 
         log_info("/* %s */", __func__);
 
+        SECCOMP_FOREACH_LOCAL_ARCH(arch) {
+                log_debug("arch %s: SCMP_SYS(mmap) = %d", seccomp_arch_to_string(arch), SCMP_SYS(mmap));
+                log_debug("arch %s: SCMP_SYS(mmap2) = %d", seccomp_arch_to_string(arch), SCMP_SYS(mmap2));
+                log_debug("arch %s: SCMP_SYS(shmget) = %d", seccomp_arch_to_string(arch), SCMP_SYS(shmget));
+                log_debug("arch %s: SCMP_SYS(shmat) = %d", seccomp_arch_to_string(arch), SCMP_SYS(shmat));
+                log_debug("arch %s: SCMP_SYS(shmdt) = %d", seccomp_arch_to_string(arch), SCMP_SYS(shmdt));
+        }
+
         if (!is_seccomp_available()) {
                 log_notice("Seccomp not available, skipping %s", __func__);
                 return;
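Review bot: The `log_debug` lines added inside `SECCOMP_FOREACH_LOCAL_ARCH` print `SCMP_SYS(...)`, which libseccomp expands to a constant fixed at compile time for the build ABI, so each iteration logs the same numbers under a different arch name (on an x86-64 build, the native values would also appear labelled `x86`). This output is what a maintainer would read to decide whether `shmat` is a direct syscall or goes through the `ipc()` multiplexer on a secondary ABI, and so whether the memory-deny-write-execute filter can cover it there. The number should therefore be resolved for the arch it is labelled with: `log_debug("arch %s: shmat = %d", seccomp_arch_to_string(arch), seccomp_syscall_resolve_name_arch(arch, "shmat"));`, and likewise for the other four names. The rest of `test_memory_deny_write_execute_shmat` lies outside the hunk, so it is not visible here whether the test asserts the expected result per architecture.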
-- 
2.26.2
