49cb564d14
* par is kept at -Np0 ```sh git grep -l '^patch_args=-Np0' "srcpkgs/$1*/template" | while read template; do for p in ${template%/template}/patches/*; do sed -i ' \,^[+-][+-][+-] /dev/null,b /^[*-]\+ [0-9]\+\(,[0-9]\+\)\? [*-]\+$/b s,^[*][*][*] ,&a/, /^--- /{ s,\(^--- \)\(./\)*,\1a/, s,[.-][Oo][Rr][Ii][Gg]\([ /]\),\1, s/[.-][Oo][Rr][Ii][Gg]$// s/[.]patched[.]\([^.]\)/.\1/ h } /^+++ -/{ g s/^--- a/+++ b/ b } s,\(^+++ \)\(./\)*,\1b/, ' "$p" done sed -i '/^patch_args=/d' $template done ```
48 lines
1.3 KiB
Diff
48 lines
1.3 KiB
Diff
# upstream: yes
|
|
# https://github.com/proot-me/proot/pull/203
|
|
|
|
# adapted to fit proot's old release
|
|
|
|
From 2e796c5a0ed3c04d0816405422c8d6a25eccf5c2 Mon Sep 17 00:00:00 2001
|
|
From: Michal Bednarski <bednarski.michal2@gmail.com>
|
|
Date: Thu, 5 Sep 2019 15:19:08 +0200
|
|
Subject: [PATCH] Prevent tracees from becoming undumpable
|
|
|
|
--- a/src/syscall/enter.c
|
|
+++ b/src/syscall/enter.c
|
|
@@ -26,7 +26,8 @@
|
|
#include <linux/net.h> /* SYS_*, */
|
|
#include <fcntl.h> /* AT_FDCWD, */
|
|
#include <limits.h> /* PATH_MAX, */
|
|
-
|
|
+#include <string.h> /* strcpy */
|
|
+#include <sys/prctl.h> /* PR_SET_DUMPABLE */
|
|
#include "syscall/syscall.h"
|
|
#include "syscall/sysnum.h"
|
|
#include "syscall/socket.h"
|
|
@@ -563,6 +564,15 @@
|
|
|
|
status = translate_path2(tracee, newdirfd, newpath, SYSARG_3, SYMLINK);
|
|
break;
|
|
+
|
|
+ case PR_prctl:
|
|
+ /* Prevent tracees from setting dumpable flag.
|
|
+ * (Otherwise it could break tracee memory access) */
|
|
+ if (peek_reg(tracee, CURRENT, SYSARG_1) == PR_SET_DUMPABLE) {
|
|
+ set_sysnum(tracee, PR_void);
|
|
+ status = 0;
|
|
+ }
|
|
+ break;
|
|
}
|
|
|
|
end:
|
|
--- a/src/syscall/seccomp.c
|
|
+++ b/src/syscall/seccomp.c
|
|
@@ -377,6 +377,7 @@
|
|
{ PR_open, 0 },
|
|
{ PR_openat, 0 },
|
|
{ PR_pivot_root, 0 },
|
|
+ { PR_prctl, 0 },
|
|
{ PR_ptrace, FILTER_SYSEXIT },
|
|
{ PR_readlink, FILTER_SYSEXIT },
|
|
{ PR_readlinkat, FILTER_SYSEXIT },
|