diff options
| author | Mingli Yu <mingli.yu@windriver.com> | 2018-11-29 01:25:56 -0800 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2018-11-29 18:44:56 -0800 |
| commit | 4224a09efdec7b502f5278a16b40f009c38bea67 (patch) | |
| tree | bce606ccd848d65e3e0b4fc7e0469208622b33c8 | |
| parent | 35249c87b5acd824d251e1d774bbd195be828505 (diff) | |
| download | meta-openembedded-4224a09efdec7b502f5278a16b40f009c38bea67.tar.gz | |
vsftpd: allow getdents64 in the seccomp sandbox
seccomp is activated by default in vsftpd and
this has caused compatibility issues with some
kernel versions. This was fixed as one can see
as https://bugzilla.redhat.com/show_bug.cgi?id=845980,
but can still cause issues with newer kernels with
kernel 4.18+.
And there is even a patch 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
in fedora[https://dl.fedoraproject.org/pub/fedora/linux/releases/29/Everything/source/tree/Packages/v/vsftpd-3.0.3-28.fc29.src.rpm]
turning off seccomp sandbox for vsftpd by default
as below which means fedora doesn't limit the syscall
any more by default.
[snip]
- tunable_seccomp_sandbox = 1;
+ tunable_seccomp_sandbox = 0;
tunable_allow_writeable_chroot = 0;
tunable_accept_timeout = 60;
[snip]
Refresh 0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch
to allow one more syscall getdents64 in the
seccomp sandbox apart from the previous one in
below commit:
fbffcf3f3 vsftpd: allow sysinfo() in the seccomp sandbox
before this patch:
root@qemux86-64:~# tnftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 3.0.3)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||8352|)
150 Here comes the directory listing.
500 OOPS: priv_sock_get_cmd
ftp>
after this patch:
root@qemux86-64:~# tnftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 3.0.3)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||22610|)
150 Here comes the directory listing.
226 Directory send OK.
ftp>
Reference: https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon#vsftpd:_Error_500_with_kernel_4.18+
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
3 files changed, 47 insertions, 44 deletions
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch new file mode 100644 index 000000000..7573c967f --- /dev/null +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch | |||
| @@ -0,0 +1,46 @@ | |||
| 1 | From dd353303f62d1dfe32cb000e482616b021708fbe Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mingli Yu <mingli.yu@windriver.com> | ||
| 3 | Date: Thu, 29 Nov 2018 00:47:34 -0800 | ||
| 4 | Subject: [PATCH] vsftpd: allow syscalls in the seccomp sandbox | ||
| 5 | |||
| 6 | * Allow sysinfo() and getdents64 in the seccomp | ||
| 7 | sandbox otherwise comes below OOPS: priv_sock_get_cmd | ||
| 8 | as the syscall sysinfo() and getdents64 not allowed | ||
| 9 | |||
| 10 | root@qemux86-64:~# tnftp 192.168.1.1 | ||
| 11 | Connected to 192.168.1.1. | ||
| 12 | 220 (vsFTPd 3.0.3) | ||
| 13 | Name (192.168.1.1:root): anonymous | ||
| 14 | 331 Please specify the password. | ||
| 15 | Password: | ||
| 16 | 230 Login successful. | ||
| 17 | Remote system type is UNIX. | ||
| 18 | Using binary mode to transfer files. | ||
| 19 | ftp> prompt | ||
| 20 | Interactive mode off. | ||
| 21 | ftp> mget small* | ||
| 22 | OOPS: priv_sock_get_cmd | ||
| 23 | |||
| 24 | Upstream-Status: Pending | ||
| 25 | |||
| 26 | Signed-off-by: Mingli Yu <mingli.yu@windriver.com> | ||
| 27 | --- | ||
| 28 | seccompsandbox.c | 2 ++ | ||
| 29 | 1 file changed, 2 insertions(+) | ||
| 30 | |||
| 31 | diff --git a/seccompsandbox.c b/seccompsandbox.c | ||
| 32 | index 2c350a9..377c50e 100644 | ||
| 33 | --- a/seccompsandbox.c | ||
| 34 | +++ b/seccompsandbox.c | ||
| 35 | @@ -409,6 +409,8 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess) | ||
| 36 | allow_nr(__NR_getcwd); | ||
| 37 | allow_nr(__NR_chdir); | ||
| 38 | allow_nr(__NR_getdents); | ||
| 39 | + allow_nr(__NR_getdents64); | ||
| 40 | + allow_nr(__NR_sysinfo); | ||
| 41 | /* Misc */ | ||
| 42 | allow_nr(__NR_umask); | ||
| 43 | |||
| 44 | -- | ||
| 45 | 2.17.1 | ||
| 46 | |||
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch deleted file mode 100644 index c6c0f80a1..000000000 --- a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch +++ /dev/null | |||
| @@ -1,43 +0,0 @@ | |||
| 1 | From 9c4826c19f04da533886209361a2caddf582d65c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mingli Yu <Mingli.Yu@windriver.com> | ||
| 3 | Date: Tue, 6 Sep 2016 17:17:44 +0800 | ||
| 4 | Subject: [PATCH] vsftpd: allow sysinfo() in the seccomp sandbox | ||
| 5 | |||
| 6 | Upstream-Status: Pending | ||
| 7 | |||
| 8 | * Allow sysinfo() in the seccomp sandbox otherwise | ||
| 9 | comes below OOPS: priv_sock_get_cmd as the syscall | ||
| 10 | sysinfo() not allowed | ||
| 11 | |||
| 12 | tnftp 192.168.1.1 | ||
| 13 | Connected to 192.168.1.1. | ||
| 14 | 220 (vsFTPd 3.0.3) | ||
| 15 | Name (192.168.1.1:root): anonymous | ||
| 16 | 331 Please specify the password. | ||
| 17 | Password: | ||
| 18 | 230 Login successful. | ||
| 19 | Remote system type is UNIX. | ||
| 20 | Using binary mode to transfer files. | ||
| 21 | ftp> prompt | ||
| 22 | Interactive mode off. | ||
| 23 | ftp> mget small* | ||
| 24 | OOPS: priv_sock_get_cmd | ||
| 25 | |||
| 26 | Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> | ||
| 27 | |||
| 28 | --- | ||
| 29 | seccompsandbox.c | 1 + | ||
| 30 | 1 file changed, 1 insertion(+) | ||
| 31 | |||
| 32 | diff --git a/seccompsandbox.c b/seccompsandbox.c | ||
| 33 | index 2c350a9..67d9ca5 100644 | ||
| 34 | --- a/seccompsandbox.c | ||
| 35 | +++ b/seccompsandbox.c | ||
| 36 | @@ -409,6 +409,7 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess) | ||
| 37 | allow_nr(__NR_getcwd); | ||
| 38 | allow_nr(__NR_chdir); | ||
| 39 | allow_nr(__NR_getdents); | ||
| 40 | + allow_nr(__NR_sysinfo); | ||
| 41 | /* Misc */ | ||
| 42 | allow_nr(__NR_umask); | ||
| 43 | |||
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb index 2e3e0e884..df0d7f455 100644 --- a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.3.bb | |||
| @@ -18,7 +18,7 @@ SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \ | |||
| 18 | file://volatiles.99_vsftpd \ | 18 | file://volatiles.99_vsftpd \ |
| 19 | file://vsftpd.service \ | 19 | file://vsftpd.service \ |
| 20 | file://vsftpd-2.1.0-filter.patch \ | 20 | file://vsftpd-2.1.0-filter.patch \ |
| 21 | file://0001-vsftpd-allow-sysinfo-in-the-seccomp-sandbox.patch \ | 21 | file://0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch \ |
| 22 | ${@bb.utils.contains('PACKAGECONFIG', 'tcp-wrappers', 'file://vsftpd-tcp_wrappers-support.patch', '', d)} \ | 22 | ${@bb.utils.contains('PACKAGECONFIG', 'tcp-wrappers', 'file://vsftpd-tcp_wrappers-support.patch', '', d)} \ |
| 23 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '${NOPAM_SRC}', d)} \ | 23 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '${NOPAM_SRC}', d)} \ |
| 24 | file://0001-sysdeputil.c-Fix-with-musl-which-does-not-have-utmpx.patch \ | 24 | file://0001-sysdeputil.c-Fix-with-musl-which-does-not-have-utmpx.patch \ |