From: Peter Seiderer <ps.report@gmx.net>
To: Arnout Vandecappelle <arnout@mind.be>
Cc: John Keeping <john@metanate.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/openssh: backport upstream fix for 32-bit
Date: Fri, 11 Mar 2022 08:24:13 +0100 [thread overview]
Message-ID: <20220311082413.4bfe7465@gmx.net> (raw)
In-Reply-To: <c5548e2e-8cd5-141e-3f8a-060127e43540@mind.be>
Hello Arnout,
On Thu, 10 Mar 2022 22:03:23 +0100, Arnout Vandecappelle <arnout@mind.be> wrote:
> On 10/03/2022 21:38, Peter Seiderer wrote:
> > Hello John,
> >
> > thanks for the patch, some minor nitpicks...
> >
> > Better patch subject would be:
> >
> > package/openssh: add upstream patch to add seccomp ppoll_time64 support
>
> Applied to master with this changed.
>
> >
> > On Thu, 10 Mar 2022 14:03:50 +0000, John Keeping <john@metanate.com> wrote:
> >
> >> sshd is broken on 32-bit systems because ppoll_time64 is used by the
> >> application although it is not allowed by the seccomp filter.
> >>
> >> Apply the upstream patch to fix this.
> >
> > Better:
> >
> > -add upstream patch ([1] to add seccomp ppoll_time64 support
>
> Since the subject now already says that it adds seccomp ppoll_time64 support,
> this is redundant. Since I'm lazy :-), I didn't change this.
>
> >
> > [1] https://github.com/openssh/openssh-portable/commit/284b6e5394652d519e31782e3b3cdfd7b21d1a81.patch
>
> There's already a reference to the upstream commit in the patch itself, so
> this is not really needed.
>
> >
> >>
> >> Signed-off-by: John Keeping <john@metanate.com>
> >> ---
> >> ...llow-ppoll_time64-in-seccomp-sandbox.patch | 31 +++++++++++++++++++
> >> 1 file changed, 31 insertions(+)
> >> create mode 100644 package/openssh/0001-Allow-ppoll_time64-in-seccomp-sandbox.patch
> >>
> >> diff --git a/package/openssh/0001-Allow-ppoll_time64-in-seccomp-sandbox.patch b/package/openssh/0001-Allow-ppoll_time64-in-seccomp-sandbox.patch
> >> new file mode 100644
> >> index 0000000000..34b309bd9a
> >> --- /dev/null
> >> +++ b/package/openssh/0001-Allow-ppoll_time64-in-seccomp-sandbox.patch
> >> @@ -0,0 +1,31 @@
> >> +From 284b6e5394652d519e31782e3b3cdfd7b21d1a81 Mon Sep 17 00:00:00 2001
> >> +From: Darren Tucker <dtucker@dtucker.net>
> >> +Date: Sat, 26 Feb 2022 14:06:14 +1100
> >> +Subject: [PATCH] Allow ppoll_time64 in seccomp sandbox.
> >> +
> >> +Should fix sandbox violations on (some? at least i386 and armhf) 32bit
> >> +Linux platforms. Patch from chutzpahu at gentoo.org and cjwatson at
> >> +debian.org via bz#3396.
> >> +
> >
> > Missing:
> >
> > [Upstream: https://github.com/openssh/openssh-portable/commit/284b6e5394652d519e31782e3b3cdfd7b21d1a81.patch]
>
> Except for the signoff, the patch is literally the upstream patch, including
> the sha1 in the From line. So an upstream reference is not really needed. Still,
> it's useful so I overcame my laziness and added it.
But the sha1 alone does not tell to which git repo it belongs to, but the explicit
upstream link does (and has the nice effect to gain a one-click link to the
corresponding patch/merge-request etc.) and is a prominent remainder in case
of package version bump where the patch comes from...
Regards,
Peter
>
> Regards,
> Arnout
>
>
> >> +Signed-off-by: John Keeping <john@metanate.com>
> >> +---
> >> + sandbox-seccomp-filter.c | 3 +++
> >> + 1 file changed, 3 insertions(+)
> >> +
> >> +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
> >> +index 2e065ba3..4ce80cb2 100644
> >> +--- a/sandbox-seccomp-filter.c
> >> ++++ b/sandbox-seccomp-filter.c
> >> +@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
> >> + #ifdef __NR_ppoll
> >> + SC_ALLOW(__NR_ppoll),
> >> + #endif
> >> ++#ifdef __NR_ppoll_time64
> >> ++ SC_ALLOW(__NR_ppoll_time64),
> >> ++#endif
> >> + #ifdef __NR_poll
> >> + SC_ALLOW(__NR_poll),
> >> + #endif
> >> +--
> >> +2.35.1
> >> +
> >
> > With this fixed you can add my
> >
> > Reviewed-by: Peter Seiderer <ps.report@gmx.net>
> >
> > Regards,
> > Peter
> >
> > _______________________________________________
> > buildroot mailing list
> > buildroot@buildroot.org
> > https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2022-03-11 7:24 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-10 14:03 [Buildroot] [PATCH] package/openssh: backport upstream fix for 32-bit John Keeping
2022-03-10 20:38 ` Peter Seiderer
2022-03-10 21:03 ` Arnout Vandecappelle
2022-03-11 7:24 ` Peter Seiderer [this message]
2022-03-12 16:00 ` Arnout Vandecappelle
2022-03-12 16:24 ` Yann E. MORIN
2022-03-18 8:42 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220311082413.4bfe7465@gmx.net \
--to=ps.report@gmx.net \
--cc=arnout@mind.be \
--cc=buildroot@buildroot.org \
--cc=john@metanate.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox