| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At least Debian's glibc tries to make use of nscd by default leading to
the getpwuid() / getpwnam() calls in pspax trying to open up a local
connection to /var/run/nscd/socket. Neither socket() nor connect() are
allowed by the seccomp policy, leading to unavoidable killing of the
process:
$ pspax
USER PID PAX MAPS ETYPE NAME CAPS ATTR
Bad system call (core dumped)
$ strace pspax |& tail -3
newfstatat(4, "stat", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 41
+++ killed by SIGSYS (core dumped) +++
Fix this by making socket() fail with -ENOSYS instead:
$ strace -e trace=socket ./build/pspax >/dev/null
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = -1 ENOSYS (Function not implemented)
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = -1 ENOSYS (Function not implemented)
+++ exited with 0 +++
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
I wasn't paying enough attention, it's better to just fold the needed
bits into porting.h.
This reverts commit ffedc60fa41d307bda28fd108e6ff1b8da1fc2ee.
This reverts commit f8287200aec0ca33ef07fafcdd5aef0aa6eb1306.
This reverts commit aa907a42d89ddfd5a7e64d8182a1da35277f2f6e.
Bug: https://github.com/gentoo/pax-utils/pull/11#issuecomment-1407566344
Signed-off-by: Sam James <sam@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Sam James <sam@gentoo.org>
|
| |
|
|
|
|
| |
Closes: https://bugs.gentoo.org/836735
Reviewed-by: Sam James <sam@gentoo.org>
Signed-off-by: WANG Xuerui <xen0n@gentoo.org>
|
| |
|
|
|
|
|
| |
This generates better code, although it doesn't super matter since
this is only used at build time.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
| |
Reported-by: Andreas K. Hüttel
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
glibc's sysdeps/mips/sgidefs.h unconditionally mips _ABI* enum values:
#define _ABIO32 1
#define _ABIN32 2
#define _ABI64 3
#define _ABIO64 4
This causes build failures on multiple definitions:
In file included from security.c:9:
seccomp-bpf.h:73:28: error: redefinition of 'seccomp_bpf_blks_base'
73 | static const unsigned char seccomp_bpf_blks_base[] = {
| ^~~~~~~~~~~~~~~~~~~~~
The fix is to test current ABI against _MIPS_SIM.
Fixed-by: Manuel Lauss
Bug: https://bugs.gentoo.org/795075
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
The original precompile work was done against an old version of
pax-utils and I forgot to resync the list before finalizing.
Restore all the syscalls that were in here before.
Bug: https://bugs.gentoo.org/783459
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
Since the bpf programs are the same across runs, generate it ahead of
time. This way we don't have to link against libseccomp and run the
library calls at runtime which helps cut out most overhead.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
Mathias Krause
Mike Frysinger
Sam James
WANG Xuerui
Sergei Trofimovich
GitWeb