commit: 519f07f7f3bdb29382a0f1491f6fce0a07bbc4fc
Author: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
AuthorDate: Mon Jan 14 22:35:29 2019 +0000
Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Mon Jan 14 22:35:29 2019 +0000
URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=519f07f7
security.c: whitelist ipc() syscall for fakeroot on ppc64 and friends
On amd64 and friends msgget() and similar syscalls are standalone syscalls.
On i386 and friends msgget() is a subcall of ipc() syscall.
This makes fakechroot break 'scanelf' as:
$ LANG=C fakeroot scanelf -t /bin/bash
/usr/bin/fakeroot: line 178: 6820 Bad system call (core dumped)
The change whitelists ipc() call which allows all sysv syscalls, namely:
- semop, semget, semctl, semtimedop
- msgsnd, msgrcv, msgget, msgctl
- shmat, shmdt, shmget, shmctl
Reported-and-fixed-by: Samuel Holland
Bug: https://bugs.gentoo.org/675378
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>
security.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/security.c b/security.c
index a86f375..78e04d4 100644
--- a/security.c
+++ b/security.c
@@ -162,6 +162,12 @@ static void pax_seccomp_init(bool allow_forking)
SCMP_SYS(msgsnd),
SCMP_SYS(semget),
SCMP_SYS(semop),
+ /*
+ * Some targets like ppc and i386 implement the above
+ * syscall as subcalls via ipc() syscall.
+ * https://bugs.gentoo.org/675378
+ */
+ SCMP_SYS(ipc),
};
int fork_syscalls[] = {
SCMP_SYS(clone),
