DWS/chrony
1
0
Fork 0
mirror of https://gitlab.com/chrony/chrony.git synced 2025-12-04 09:05:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

sys_linux: fix seccomp filter for BINDTODEVICE option

Browse Source 
The BINDTODEVICE socket option is the first option in the seccomp filter
setting a string instead of int. Remove the length check from the
setsockopt rules to allow a device name longer than 3 characters.

This was reported in Debian bug #995207.

Fixes: b9f5ce83b0 ("sys_linux: allow BINDTODEVICE option in seccomp filter")
This commit is contained in:
Miroslav Lichvar
2021-10-06 10:02:34 +02:00
parent 76a905d652
commit 29d7d3176d
1 changed files with 2 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
sys_linux.c
View File

@@ -739,10 +739,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
/* Allow selected socket options */ /* Allow selected socket options */
for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) { for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3, if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]), SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
SCMP_A2(SCMP_CMP_EQ, socket_options[i][1]), SCMP_A2(SCMP_CMP_EQ, socket_options[i][1])))
SCMP_A4(SCMP_CMP_LE, sizeof (int))) < 0)
goto add_failed; goto add_failed;
} }