author | Yi Zhao <yi.zhao@windriver.com> | 2020-12-22 16:29:33 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-12-24 08:25:10 +0000 |
commit | e8b03a8e3a6748374340d45ce39e922eee6817e3 (patch) | |
tree | 112f41583a64b38f8c2e5e6badaa53e6098f50af /meta/recipes-connectivity/dhcpcd/files | |
parent | eddbc1880231dd3839c635f688a2a46589fd1b51 (diff) | |
download | openembedded-core-contrib-e8b03a8e3a6748374340d45ce39e922eee6817e3.tar.gz |
dhcpcd: fix SECCOMP for i386
dhcpcd doesn't work on 32-bit Intel platforms. Backport a patch to fix
the issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/dhcpcd/files')
-rw-r--r-- | meta/recipes-connectivity/dhcpcd/files/0001-privsep-Fix-Linux-i386-for-SECCOMP-as-it-just-uses-s.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Fix-Linux-i386-for-SECCOMP-as-it-just-uses-s.patch b/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Fix-Linux-i386-for-SECCOMP-as-it-just-uses-s.patch
new file mode 100644
index 0000000000..b79d5f04ce
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Fix-Linux-i386-for-SECCOMP-as-it-just-uses-s.patch
@@ -0,0 +1,57 @@
+From 12cdb2be46e25e1ab99df18324b787ad8749dff7 Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Sat, 12 Dec 2020 22:12:54 +0000
+Subject: [PATCH] privsep: Fix Linux i386 for SECCOMP as it just uses
+ socketcall
+
+Rather than accept(2), recv(2), etc..... which is horrible!
+
+Thanks to Steve Hirsch <stevehirsch49@msn.com> for testing.
+
+Upstream-Status: Backport
+[https://roy.marples.name/cgit/dhcpcd.git/commit/?id=12cdb2be46e25e1ab99df18324b787ad8749dff7]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/privsep-linux.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/privsep-linux.c b/src/privsep-linux.c
+index 050a30cf..d31d720d 100644
+--- a/src/privsep-linux.c
++++ b/src/privsep-linux.c
+@@ -34,6 +34,7 @@
+
+ #include <linux/audit.h>
+ #include <linux/filter.h>
++#include <linux/net.h>
+ #include <linux/seccomp.h>
+ #include <linux/sockios.h>
+
+@@ -311,6 +312,23 @@ static struct sock_filter ps_seccomp_filter[] = {
+ #ifdef __NR_sendto
+ SECCOMP_ALLOW(__NR_sendto),
+ #endif
++#ifdef __NR_socketcall
++ /* i386 needs this and demonstrates why SECCOMP
++ * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4)
++ * as this is soooo tied to the kernel API which changes per arch
++ * and likely libc as well. */
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT), /* overflow */
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
++#endif
+ #ifdef __NR_shutdown
+ SECCOMP_ALLOW(__NR_shutdown),
+ #endif
+--
+2.25.1
+ |
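Review bot: The `__NR_socketcall` entries form a second allowlist, matched only on argument 0 (the socketcall call number), and nothing in the added block says it has to stay in step with the per-syscall `__NR_*` socket entries of `ps_seccomp_filter`. The array starts and ends outside the hunk, so whether the two lists currently agree cannot be checked from here; on builds where only socketcall(2) is used, an operation added later to the `__NR_*` list alone would presumably still be refused by the filter. I would extend the block comment with `Keep these SYS_* entries in step with the __NR_* socket syscalls allowed in this filter.` and replace the terse `/* overflow */` on `SYS_GETSOCKOPT` with a comment that says which overflow condition the call is needed for.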