From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 5E71213989D for ; Wed, 26 Aug 2015 06:29:39 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D8133E0853; Wed, 26 Aug 2015 06:29:33 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 85F40E0853 for ; Wed, 26 Aug 2015 06:29:32 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 6EFAA340B30 for ; Wed, 26 Aug 2015 06:29:31 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 17CA615B for ; Wed, 26 Aug 2015 06:29:27 +0000 (UTC) 
From: "Mike Frysinger" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger" Message-ID: <1440570447.c39a557a2b53f6fea61117d9b0d90ea51a738d6b.vapier@gentoo> Subject: [gentoo-commits] proj/pax-utils:master commit in: / X-VCS-Repository: proj/pax-utils X-VCS-Files: security.c X-VCS-Directories: / X-VCS-Committer: vapier X-VCS-Committer-Name: Mike Frysinger X-VCS-Revision: c39a557a2b53f6fea61117d9b0d90ea51a738d6b X-VCS-Branch: master Date: Wed, 26 Aug 2015 06:29:27 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: d2a3cc22-dae6-49c0-ac14-620cecd4dbd7 X-Archives-Hash: 8cb6e7f59a821ba2b267b0b8d925d8fb commit: c39a557a2b53f6fea61117d9b0d90ea51a738d6b Author: Mike Frysinger gentoo org> AuthorDate: Wed Aug 26 06:27:27 2015 +0000 Commit: Mike Frysinger gentoo org> CommitDate: Wed Aug 26 06:27:27 2015 +0000 URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=c39a557a security: whitelist fakeroot syscalls Until we get a bit more dynamic here, whitelist the IPC syscalls that fakeroot uses since it is available via portage FEATURES. URL: https://bugs.gentoo.org/558482 security.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/security.c b/security.c index a62c798..1fa64a0 100644 --- a/security.c +++ b/security.c @@ -122,6 +122,13 @@ static void pax_seccomp_init(bool allow_forking) /* Syscalls listed because of sandbox. */ SCMP_SYS(readlink), + + /* Syscalls listed because of fakeroot. */ + SCMP_SYS(msgget), + SCMP_SYS(msgrcv), + SCMP_SYS(msgsnd), + SCMP_SYS(semget), + SCMP_SYS(semop), }; int fork_syscalls[] = { SCMP_SYS(clone),
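Review bot: in the pax_seccomp_init() hunk, the five SysV IPC entries (msgget, msgrcv, msgsnd, semget, semop) are appended to the same list as the sandbox entry, with no condition around them, so they are whitelisted for every run whether or not fakeroot is in use. The commit message calls this a stopgap ("Until we get a bit more dynamic here"), but the in-code comment says only "Syscalls listed because of fakeroot." Suggest carrying that into the source, for example a TODO on the comment with the bug URL (https://bugs.gentoo.org/558482), so the entries can be found and narrowed later. One option for that follow-up is to move them into their own array, in the same style as the separate fork_syscalls[] array that follows, and add them only when fakeroot is actually in use.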