kcgi: fix seccomp sandbox
This commit is contained in:
parent
388f6d8994
commit
8608a017a9
3 changed files with 88 additions and 23 deletions
|
@ -1,22 +0,0 @@
|
|||
--- sandbox-seccomp-filter.c.orig
|
||||
+++ sandbox-seccomp-filter.c
|
||||
@@ -106,7 +106,9 @@
|
||||
SC_ALLOW(recvmsg),
|
||||
#endif
|
||||
SC_ALLOW(read),
|
||||
+ SC_ALLOW(readv),
|
||||
SC_ALLOW(write),
|
||||
+ SC_ALLOW(writev),
|
||||
SC_ALLOW(close),
|
||||
#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
|
||||
SC_ALLOW(shutdown),
|
||||
@@ -158,7 +160,9 @@
|
||||
SC_ALLOW(time),
|
||||
#endif
|
||||
SC_ALLOW(read),
|
||||
+ SC_ALLOW(readv),
|
||||
SC_ALLOW(write),
|
||||
+ SC_ALLOW(writev),
|
||||
SC_ALLOW(close),
|
||||
#ifdef __NR_fcntl64 /* only noted on arm */
|
||||
SC_ALLOW(fcntl64),
|
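--- a/srcpkgs/kcgi/patches/sandbox.patch
+++ b/srcpkgs/kcgi/patches/sandbox.patch
@@ -0,0 +1,73 @@
+--- sandbox-seccomp-filter.c.orig
++++ sandbox-seccomp-filter.c
+@@ -85,7 +85,9 @@
+/* Load the syscall number for checking. */
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+offsetof(struct seccomp_data, nr)),
++#ifdef __NR_open /* not defined on AARCH64 */
+SC_DENY(open, EACCES),
++#endif
+SC_ALLOW(getpid),
+SC_ALLOW(gettimeofday),
+SC_ALLOW(clock_gettime),
+@@ -106,18 +108,24 @@
+SC_ALLOW(recvmsg),
+#endif
+SC_ALLOW(read),
++ SC_ALLOW(readv),
+SC_ALLOW(write),
++ SC_ALLOW(writev),
+SC_ALLOW(close),
+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
+SC_ALLOW(shutdown),
+#endif
+SC_ALLOW(brk),
++#ifdef __NR_poll /* not defined on AARCH64 */
+SC_ALLOW(poll),
++#endif
+#ifdef __NR__newselect
+SC_ALLOW(_newselect),
+#else
++#ifdef __NR_select /* not defined on AARCH64 */
+SC_ALLOW(select),
+#endif
++#endif
+SC_ALLOW(madvise),
+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
+SC_ALLOW(mmap2),
+@@ -150,7 +158,9 @@
+/* Load the syscall number for checking. */
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+offsetof(struct seccomp_data, nr)),
++#ifdef __NR_open /* not defined on AARCH64 */
+SC_DENY(open, EACCES),
++#endif
+SC_ALLOW(getpid),
+SC_ALLOW(gettimeofday),
+SC_ALLOW(clock_gettime),
+@@ -158,7 +168,9 @@
+SC_ALLOW(time),
+#endif
+SC_ALLOW(read),
++ SC_ALLOW(readv),
+SC_ALLOW(write),
++ SC_ALLOW(writev),
+SC_ALLOW(close),
+#ifdef __NR_fcntl64 /* only noted on arm */
+SC_ALLOW(fcntl64),
+@@ -167,11 +179,15 @@
+SC_ALLOW(shutdown),
+#endif
+SC_ALLOW(brk),
++#ifdef __NR_poll /* not defined on AARCH64 */
+SC_ALLOW(poll),
++#endif
+#ifdef __NR__newselect
+SC_ALLOW(_newselect),
+#else
++#ifdef __NR_select /* not defined on AARCH64 */
+SC_ALLOW(select),
++#endif
+#endif
+SC_ALLOW(madvise),
+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */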
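Review bot: Guarding `SC_ALLOW(poll)` and `SC_ALLOW(select)` with `#ifdef __NR_poll` / `#ifdef __NR_select` makes the filter compile on AARCH64, but on that architecture poll() and select() are implemented through the ppoll and pselect6 syscalls, and neither the `@@ -106,18 +108,24 @@` hunk nor the `@@ -167,11 +179,15 @@` hunk allows those, so the sandboxed process ends up with no rule for the calls it actually makes and they fall to the filter's default action (presumably fatal; the default is not visible in this patch). The same shape applies to `SC_DENY(open, EACCES)`: where `__NR_open` is absent, open() goes through openat, which the filter does not mention, so a caller expecting EACCES gets the default action instead. Suggested addition next to each poll/select guard, keeping the existing `__NR_*` probes so other architectures are unaffected:
```c
#ifdef __NR_poll /* not defined on AARCH64 */
	SC_ALLOW(poll),
#endif
#ifdef __NR_ppoll /* poll() is implemented via ppoll on AARCH64 */
	SC_ALLOW(ppoll),
#endif
/* … unchanged: __NR__newselect / __NR_select guards … */
#ifdef __NR_pselect6 /* select() is implemented via pselect6 on AARCH64 */
	SC_ALLOW(pselect6),
#endif
```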
|
@ -1,7 +1,7 @@
|
|||
# Template file for 'kcgi'
|
||||
pkgname=kcgi
|
||||
version=0.10.8
|
||||
revision=1
|
||||
revision=2
|
||||
build_style=configure
|
||||
configure_args="PREFIX=/usr MANDIR=/usr/share/man SBINDIR=/usr/bin"
|
||||
make_check_target="regress"
|
||||
|
@ -13,6 +13,20 @@ homepage="http://kristaps.bsd.lv/kcgi/"
|
|||
distfiles="http://kristaps.bsd.lv/kcgi/snapshots/kcgi-${version}.tgz"
|
||||
checksum=878c8134d48a3048ea0bc28315fe95698fb9c764023d9244610d7e481ef3734c
|
||||
|
||||
post_configure() {
|
||||
local suffix
|
||||
case "${XBPS_TARGET_MACHINE}" in
|
||||
i686*) suffix="X86" ;;
|
||||
x86_64*) suffix="X86_64" ;;
|
||||
arm*) suffix="ARM" ;;
|
||||
aarch64*) suffix="AARCH64" ;;
|
||||
esac
|
||||
echo "suffix $suffix <<<<<" >&2
|
||||
[ -z "$suffix" ] \
|
||||
&& sed -i "/AUDIT_ARCH_X86_64/d" config.h \
|
||||
|| sed -i "s/AUDIT_ARCH_X86_64/AUDIT_ARCH_${suffix}/" config.h
|
||||
}
|
||||
|
||||
post_install() {
|
||||
sed -n '2,16p' kcgi.c > LICENSE
|
||||
vlicense LICENSE
|
||||
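Review bot: `i686*) suffix="X86" ;;` in post_configure rewrites config.h to `AUDIT_ARCH_X86`, which is not a constant `<linux/audit.h>` defines; the 32-bit x86 value is `AUDIT_ARCH_I386`, so the i686 build will fail wherever config.h's value feeds the filter's architecture check (the hunk does not show that use, but the sed targets nothing else). Change it to `i686*) suffix="I386" ;;`. The `echo "suffix $suffix <<<<<" >&2` line reads as a leftover debug print and should be dropped. The `[ -z "$suffix" ] && sed … || sed …` chain also runs the second sed whenever the first one fails, not only when a suffix was matched; an `if/else` states the intent plainly, and a `*)` arm documenting what deleting the AUDIT_ARCH line means for unmatched targets would help the next maintainer.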
|
|