From: "Sergei Trofimovich"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sergei Trofimovich"
Message-ID: <1547505329.519f07f7f3bdb29382a0f1491f6fce0a07bbc4fc.slyfox@gentoo>
Subject: [gentoo-commits] proj/pax-utils:master commit in: /
X-VCS-Repository: proj/pax-utils
X-VCS-Files: security.c
X-VCS-Directories: /
X-VCS-Committer: slyfox
X-VCS-Committer-Name: Sergei Trofimovich
X-VCS-Revision: 519f07f7f3bdb29382a0f1491f6fce0a07bbc4fc
X-VCS-Branch: master
Date: Mon, 14 Jan 2019 22:53:33 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     519f07f7f3bdb29382a0f1491f6fce0a07bbc4fc
Author:     Sergei Trofimovich gentoo org>
AuthorDate: Mon Jan 14 22:35:29 2019 +0000
Commit:     Sergei Trofimovich gentoo org>
CommitDate: Mon Jan 14 22:35:29 2019 +0000
URL:        https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=519f07f7

security.c: whitelist ipc() syscall for fakeroot on ppc64 and friends

On amd64 and friends msgget() and similar syscalls are standalone
syscalls. On i386 and friends msgget() is a subcall of ipc() syscall.

This makes fakechroot break 'scanelf' as:

    $ LANG=C fakeroot scanelf -t /bin/bash
    /usr/bin/fakeroot: line 178: 6820 Bad system call (core dumped)

The change whitelists ipc() call, which allows all sysv syscalls, namely:
- semop, semget, semctl, semtimedop
- msgsnd, msgrcv, msgget, msgctl
- shmat, shmdt, shmget, shmctl

Reported-and-fixed-by: Samuel Holland
Bug: https://bugs.gentoo.org/675378
Signed-off-by: Sergei Trofimovich gentoo.org>

 security.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/security.c b/security.c
index a86f375..78e04d4 100644
--- a/security.c
+++ b/security.c
@@ -162,6 +162,12 @@ static void pax_seccomp_init(bool allow_forking) SCMP_SYS(msgsnd), SCMP_SYS(semget), SCMP_SYS(semop), + /* + * Some targets like ppc and i386 implement the above + * syscall as subcalls via ipc() syscall. + * https://bugs.gentoo.org/675378 + */ + SCMP_SYS(ipc), }; int fork_syscalls[] = { SCMP_SYS(clone),
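Review bot: adding SCMP_SYS(ipc) to this array admits every SysV IPC subcall, including shmat/shmdt/shmget/shmctl, semctl/semtimedop and msgrcv/msgctl, which is wider than the standalone syscalls the list names (msgsnd, semget, semop and the entries above the hunk), so on i386 and ppc the filter ends up looser than on amd64. If the loop that turns this array into rules can pass argument comparisons, restrict ipc() by its first argument (the subcall selector) to the same set instead, one rule per selector, e.g. `SCMP_A0(SCMP_CMP_EQ, MSGGET)`; glibc may OR a version number into the upper 16 bits of that argument (IPCCALL), so a masked comparison (`SCMP_CMP_MASKED_EQ` with mask 0xffff) is the safer form. Two smaller points: the new comment reads "implement the above syscall as subcalls" where several syscalls are meant, so "syscalls"; and on targets that have no ipc() syscall at all (amd64, per the commit message) SCMP_SYS(ipc) resolves to a negative pseudo-syscall number, so it is worth confirming that the rule-adding loop tolerates that rather than failing on the first non-zero return (libseccomp's seccomp_rule_add_exact is stricter about syscalls the target lacks than seccomp_rule_add), or the fix would regress the targets that worked before.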
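Added example, not pax-utils' code: pax-utils builds its filter through libseccomp's SCMP_SYS() table, while this stand-alone program expresses the same multiplexer problem in raw seccomp-bpf installed with prctl(2), so the difference between the two target kinds the commit message describes is visible in the filter instructions themselves. The policy it installs is an illustration chosen for this example, not the one in the commit: SysV message queues and semaphores are allowed, shared memory is refused with EPERM instead of SIGSYS, and on targets that have ipc() the decision is taken on the subcall selector in args[0] rather than on the syscall number alone, which is the narrower alternative to whitelisting all of ipc(). The SEMOP..SHMCTL selector values are copied from the kernel's uapi/linux/ipc.h, the architecture table covers only the targets named on the page plus aarch64, and `run_filter`, `decide` and the `LD`/`JEQ`/`RET` helpers are names invented here; `run_filter` is a minimal cBPF interpreter written for this example so the policy can be checked on synthetic seccomp_data without installing it.

```c
/* Added example, not pax-utils code: one seccomp-bpf policy ("allow SysV
 * message queues and semaphores, refuse shared memory with EPERM") written for
 * both target kinds the commit describes: standalone msgget()/shmget() syscalls
 * (amd64 and friends) and the ipc() multiplexer selected by args[0] (i386, ppc). */
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/msg.h>
#include <sys/prctl.h>
#include <sys/shm.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define SECCOMP_ARCH AUDIT_ARCH_I386
#elif defined(__powerpc64__)
#define SECCOMP_ARCH (__BYTE_ORDER == __LITTLE_ENDIAN ? AUDIT_ARCH_PPC64LE : AUDIT_ARCH_PPC64)
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this target"
#endif
/* args[] are 64-bit but cBPF loads 32 bits: pick the low word by endianness. */
#define ARG0_LO (offsetof(struct seccomp_data, args[0]) + (__BYTE_ORDER == __LITTLE_ENDIAN ? 0 : 4))
#define DENY_SHM (SECCOMP_RET_ERRNO | EPERM)
#define LEN(a) (sizeof(a) / sizeof((a)[0]))
#define LD(off) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, off)
#define JEQ(k, t, f) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, t, f)
#define RET(v) BPF_STMT(BPF_RET | BPF_K, v)
/* ipc() subcall selectors, copied from the kernel's uapi/linux/ipc.h because
 * that header's struct ipc_perm clashes with glibc's <sys/ipc.h>. */
enum { SEMOP = 1, SEMGET, SEMCTL, SEMTIMEDOP, MSGSND = 11, MSGRCV, MSGGET, MSGCTL,
       SHMAT = 21, SHMDT, SHMGET, SHMCTL };

/* The policy as one cBPF program. Jumps are relative, so each #ifdef'd section
 * is self-contained and falls through to the next one when it does not match. */
static const struct sock_filter filter[] = {
    LD(offsetof(struct seccomp_data, arch)), /* foreign ABI: numbers differ, kill */
    JEQ(SECCOMP_ARCH, 1, 0), RET(SECCOMP_RET_KILL_PROCESS),
    LD(offsetof(struct seccomp_data, nr)),
#ifdef __NR_ipc
    /* Multiplexed targets: dispatch on args[0]. glibc may OR a version number
     * into bits 16-31 (IPCCALL), so mask them off before comparing. */
    JEQ(__NR_ipc, 0, 8), LD(ARG0_LO), BPF_STMT(BPF_ALU | BPF_AND | BPF_K, 0xffff),
    JEQ(SHMAT, 3, 0), JEQ(SHMDT, 2, 0), JEQ(SHMGET, 1, 0), JEQ(SHMCTL, 0, 1),
    RET(DENY_SHM), RET(SECCOMP_RET_ALLOW), /* sem and msg subcalls of ipc() */
#endif
#ifdef __NR_shmget /* standalone targets: the four shm syscalls come as a set */
    JEQ(__NR_shmat, 3, 0), JEQ(__NR_shmdt, 2, 0), JEQ(__NR_shmget, 1, 0),
    JEQ(__NR_shmctl, 0, 1), RET(DENY_SHM),
#endif
    RET(SECCOMP_RET_ALLOW), /* everything else */
};

/* Minimal cBPF evaluator for the opcodes used above; returns the SECCOMP_RET_*
 * value the kernel would compute for this seccomp_data, without installing. */
static unsigned int run_filter(const struct sock_filter *p, size_t n,
                               const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:  memcpy(&acc, (const char *)d + p[pc].k, 4); break;
        case BPF_ALU | BPF_AND | BPF_K: acc &= p[pc].k; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += acc == p[pc].k ? p[pc].jt : p[pc].jf; break;
        case BPF_RET | BPF_K:           return p[pc].k;
        default:                        return SECCOMP_RET_KILL_PROCESS; /* opcode not modelled */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end; the kernel rejects such programs */
}

/* Evaluate the policy for one synthetic syscall on this target's own ABI. */
static unsigned int decide(int nr, unsigned long arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = SECCOMP_ARCH, .args = { arg0 } };
    return run_filter(filter, LEN(filter), &d);
}

int main(void)
{
    struct sock_fprog prog = { .len = LEN(filter), .filter = (struct sock_filter *)filter };
    printf("dry run: getpid -> %s\n", decide(__NR_getpid, 0) == SECCOMP_RET_ALLOW ? "allow" : "deny");
    /* NO_NEW_PRIVS is required without CAP_SYS_ADMIN and keeps setuid out of the sandbox. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
        perror("seccomp");
        return 1;
    }
    int q = msgget(IPC_PRIVATE, IPC_CREAT | 0600); /* allowed on both target kinds */
    printf("msgget: %s\n", q >= 0 ? "ok" : strerror(errno));
    if (q >= 0) msgctl(q, IPC_RMID, NULL);
    int s = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600); /* EPERM from the filter, not SIGSYS */
    printf("shmget: %s\n", s >= 0 ? "ok (filter did not match)" : strerror(errno));
    if (s >= 0) shmctl(s, IPC_RMID, NULL);
    return 0;
}
```

Build with `cc -O2 -o sysvipc_filter sysvipc_filter.c` and run it on amd64: msgget succeeds and shmget reports "Operation not permitted", because the standalone shm syscall numbers are matched directly. On an i386 or ppc userland whose libc still routes msgget() through ipc(), the same source takes the args[0] path, which is exactly the case the commit's "Bad system call" report comes from: a filter that knows only the standalone numbers never sees msgget there, it sees ipc(). Because the jumps are relative, the two #ifdef'd sections can be present in any combination; with kernel headers from 5.1 onwards both are compiled on i386 and ppc, since those targets then have the direct SysV syscalls alongside ipc().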