@@ -0,0 +1,47 @@
|
|
|
+Subject: Allow only the ioctls we use (Shankara Pailoor)
|
|
|
+Origin: FILE5_37-29-gfa46ca9d <https://github.com/file/file/commit/FILE5_37-29-gfa46ca9d>
|
|
|
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
|
|
|
+Date: Fri Jun 21 16:44:23 2019 +0000
|
|
|
+
|
|
|
+--- a/src/seccomp.c
|
|
|
++++ b/src/seccomp.c
|
|
|
+@@ -33,6 +33,7 @@
|
|
|
+ #if HAVE_LIBSECCOMP
|
|
|
+ #include <seccomp.h> /* libseccomp */
|
|
|
+ #include <sys/prctl.h> /* prctl */
|
|
|
++#include <sys/ioctl.h>
|
|
|
+ #include <sys/socket.h>
|
|
|
+ #include <fcntl.h>
|
|
|
+ #include <stdlib.h>
|
|
|
+@@ -49,8 +50,14 @@
|
|
|
+ goto out; \
|
|
|
+ while (/*CONSTCOND*/0)
|
|
|
+
|
|
|
+-static scmp_filter_ctx ctx;
|
|
|
++#define ALLOW_IOCTL_RULE(param) \
|
|
|
++ do \
|
|
|
++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, \
|
|
|
++ SCMP_CMP(1, SCMP_CMP_EQ, param)) == -1) \
|
|
|
++ goto out; \
|
|
|
++ while (/*CONSTCOND*/0)
|
|
|
+
|
|
|
++static scmp_filter_ctx ctx;
|
|
|
+
|
|
|
+ int
|
|
|
+ enable_sandbox_basic(void)
|
|
|
+@@ -171,7 +178,14 @@
|
|
|
+ #ifdef __NR_getdents64
|
|
|
+ ALLOW_RULE(getdents64);
|
|
|
+ #endif
|
|
|
+- ALLOW_RULE(ioctl);
|
|
|
++#ifdef FIONREAD
|
|
|
++ // called in src/compress.c under sread
|
|
|
++ ALLOW_IOCTL_RULE(FIONREAD);
|
|
|
++#endif
|
|
|
++#ifdef TIOCGWINSZ
|
|
|
++ // musl libc may call ioctl TIOCGWINSZ when calling stdout
|
|
|
++ ALLOW_IOCTL_RULE(TIOCGWINSZ);
|
|
|
++#endif
|
|
|
+ ALLOW_RULE(lseek);
|
|
|
+ ALLOW_RULE(_llseek);
|
|
|
+ ALLOW_RULE(lstat);
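Review bot: ALLOW_IOCTL_RULE matches the ioctl request (argument 1) with SCMP_CMP_EQ against the full register value, so a request constant whose bit 31 is set may fail to match on 64-bit targets where the libc wrapper sign-extends an int request; FIONREAD and TIOCGWINSZ have no high bit on the common ABIs, so this is latent rather than a present defect, and a comment on the macro such as `/* arg 1 is the ioctl request; requests with bit 31 set may need SCMP_CMP_MASKED_EQ */` would record the constraint for whoever adds the next rule. The `#ifdef FIONREAD` guard means a libc that does not define FIONREAD leaves the sread() ioctl in src/compress.c unlisted, and the filter's default action (not visible in this hunk) then decides its fate, which is worth noting in the Debian patch header. The line `// musl libc may call ioctl TIOCGWINSZ when calling stdout` reads awkwardly and could be `// musl's stdio probes stdout with ioctl(TIOCGWINSZ) to choose line buffering`. The patched enable_sandbox_basic() begins and ends outside the quoted inner hunks.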