diff options
3 files changed, 47 insertions, 44 deletions
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch new file mode 100644 index 0000000000..7573c967fa --- /dev/null +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch | |||
| @@ -0,0 +1,46 @@ | |||
| 1 | From dd353303f62d1dfe32cb000e482616b021708fbe Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mingli Yu <mingli.yu@windriver.com> | ||
| 3 | Date: Thu, 29 Nov 2018 00:47:34 -0800 | ||
| 4 | Subject: [PATCH] vsftpd: allow syscalls in the seccomp sandbox | ||
| 5 | |||
| 6 | * Allow sysinfo() and getdents64 in the seccomp | ||
| 7 | sandbox otherwise comes below OOPS: priv_sock_get_cmd | ||
| 8 | as the syscall sysinfo() and getdents64 not allowed | ||
| 9 | |||
| 10 | root@qemux86-64:~# tnftp 192.168.1.1 | ||
| 11 | Connected to 192.168.1.1. | ||
| 12 | 220 (vsFTPd 3.0.3) | ||
| 13 | Name (192.168.1.1:root): anonymous | ||
| 14 | 331 Please specify the password. | ||
| 15 | Password: | ||
| 16 | 230 Login successful. | ||
| 17 | Remote system type is UNIX. | ||
| 18 | Using binary mode to transfer files. | ||
| 19 | ftp> prompt | ||
| 20 | Interactive mode off. | ||
| 21 | ftp> mget small* | ||
| 22 | OOPS: priv_sock_get_cmd | ||
| 23 | |||
| 24 | Upstream-Status: Pending | ||
| 25 | |||
| 26 | Signed-off-by: Mingli Yu <mingli.yu@windriver.com> | ||
| 27 | --- | ||
| 28 | seccompsandbox.c | 2 ++ | ||
| 29 | 1 file changed, 2 insertions(+) | ||
| 30 | |||
| 31 | diff --git a/seccompsandbox.c b/seccompsandbox.c | ||
| 32 | index 2c350a9..377c50e 100644 | ||
| 33 | --- a/seccompsandbox.c | ||
| 34 | +++ b/seccompsandbox.c | ||
| 35 | @@ -409,6 +409,8 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess) | ||
| 36 | allow_nr(__NR_getcwd); | ||
| 37 | allow_nr(__NR_chdir); | ||
| 38 | allow_nr(__NR_getdents); | ||
| 39 | + allow_nr(__NR_getdents64); | ||
| 40 | + allow_nr(__NR_sysinfo); | ||
| 41 | /* Misc */ | ||
| 42 | allow_nr(__NR_umask); | ||
| 43 | |||
| 44 | -- | ||
| 45 | 2.17.1 | ||
| 46 | |||
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch deleted file mode 100644 index c6c0f80a19..0000000000 --- a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch +++ /dev/null | |||
| @@ -1,43 +0,0 @@ | |||
| 1 | From 9c4826c19f04da533886209361a2caddf582d65c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mingli Yu <Mingli.Yu@windriver.com> | ||
| 3 | Date: Tue, 6 Sep 2016 17:17:44 +0800 | ||
| 4 | Subject: [PATCH] vsftpd: allow sysinfo() in the seccomp sandbox | ||
| 5 | |||
| 6 | Upstream-Status: Pending | ||
| 7 | |||
| 8 | * Allow sysinfo() in the seccomp sandbox otherwise | ||
| 9 | comes below OOPS: priv_sock_get_cmd as the syscall | ||
| 10 | sysinfo() not allowed | ||
| 11 | |||
| 12 | tnftp 192.168.1.1 | ||
| 13 | Connected to 192.168.1.1. | ||
| 14 | 220 (vsFTPd 3.0.3) | ||
| 15 | Name (192.168.1.1:root): anonymous | ||
| 16 | 331 Please specify the password. | ||
| 17 | Password: | ||
| 18 | 230 Login successful. | ||
| 19 | Remote system type is UNIX. | ||
| 20 | Using binary mode to transfer files. | ||
| 21 | ftp> prompt | ||
| 22 | Interactive mode off. | ||
| 23 | ftp> mget small* | ||
| 24 | OOPS: priv_sock_get_cmd | ||
| 25 | |||
| 26 | Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> | ||
| 27 | |||
| 28 | --- | ||
| 29 | seccompsandbox.c | 1 + | ||
| 30 | 1 file changed, 1 insertion(+) | ||
| 31 | |||
| 32 | diff --git a/seccompsandbox.c b/seccompsandbox.c | ||
| 33 | index 2c350a9..67d9ca5 100644 | ||
| 34 | --- a/seccompsandbox.c | ||
| 35 | +++ b/seccompsandbox.c | ||
| 36 | @@ -409,6 +409,7 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess) | ||
| 37 | allow_nr(__NR_getcwd); | ||
| 38 | allow_nr(__NR_chdir); | ||
| 39 | allow_nr(__NR_getdents); | ||
| 40 | + allow_nr(__NR_sysinfo); | ||
| 41 | /* Misc */ | ||
| 42 | allow_nr(__NR_umask); | ||
| 43 | |||
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb index 2e3e0e8843..df0d7f4551 100644 --- a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb | |||
| @@ -18,7 +18,7 @@ SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \ | |||
| 18 | file://volatiles.99_vsftpd \ | 18 | file://volatiles.99_vsftpd \ |
| 19 | file://vsftpd.service \ | 19 | file://vsftpd.service \ |
| 20 | file://vsftpd-2.1.0-filter.patch \ | 20 | file://vsftpd-2.1.0-filter.patch \ |
| 21 | file://0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch \ | 21 | file://0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch \ |
| 22 | ${@bb.utils.contains('PACKAGECONFIG', 'tcp-wrappers', 'file://vsftpd-tcp_wrappers-support.patch', '', d)} \ | 22 | ${@bb.utils.contains('PACKAGECONFIG', 'tcp-wrappers', 'file://vsftpd-tcp_wrappers-support.patch', '', d)} \ |
| 23 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '${NOPAM_SRC}', d)} \ | 23 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '${NOPAM_SRC}', d)} \ |
| 24 | file://0001-sysdeputil.c-Fix-with-musl-which-does-not-have-utmpx.patch \ | 24 | file://0001-sysdeputil.c-Fix-with-musl-which-does-not-have-utmpx.patch \ |