From 578818509d8ae3c1afad7e0f113699030253506d Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Tue, 22 Dec 2020 16:29:33 +0800
Subject: dhcpcd: fix SECCOMP for i386

The dhcpcd doesn't work on Intel 32bit platform. Backport a patch to fix the issue.

(From OE-Core rev: e8b03a8e3a6748374340d45ce39e922eee6817e3)

Signed-off-by: Yi Zhao
Signed-off-by: Richard Purdie
---
 meta/recipes-connectivity/dhcpcd/dhcpcd_9.3.4.bb | 1 +
 ...-Linux-i386-for-SECCOMP-as-it-just-uses-s.patch | 57 ++++++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-connectivity/dhcpcd/files/0001-privsep-Fix-Linux-i386-for-SECCOMP-as-it-just-uses-s.patch

(limited to 'meta/recipes-connectivity')

diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.3.4.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_9.3.4.bb
index cd81f17773..69a07760b4 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.3.4.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_9.3.4.bb
@@ -14,6 +14,7 @@ UPSTREAM_CHECK_URI = "https://roy.marples.name/downloads/dhcpcd/"
 SRC_URI = "https://roy.marples.name/downloads/${BPN}/${BPN}-${PV}.tar.xz \
 file://0001-remove-INCLUDEDIR-to-prevent-build-issues.patch \
 file://0001-Linux-Fix-privsep-build-by-including-sys-termios.h-f.patch \
+ file://0001-privsep-Fix-Linux-i386-for-SECCOMP-as-it-just-uses-s.patch \
 file://dhcpcd.service \
 file://dhcpcd@.service \
 "
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Fix-Linux-i386-for-SECCOMP-as-it-just-uses-s.patch b/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Fix-Linux-i386-for-SECCOMP-as-it-just-uses-s.patch
new file mode 100644
index 0000000000..b79d5f04ce
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Fix-Linux-i386-for-SECCOMP-as-it-just-uses-s.patch
@@ -0,0 +1,57 @@
+From 12cdb2be46e25e1ab99df18324b787ad8749dff7 Mon Sep 17 00:00:00 2001
+From: Roy Marples
+Date: Sat, 12 Dec 2020 22:12:54 +0000
+Subject: [PATCH] privsep: Fix Linux i386 for SECCOMP as it just uses
+ socketcall
+
+Rather than accept(2), recv(2), etc..... which is horrible!
+
+Thanks to Steve Hirsch for testing.
+
+Upstream-Status: Backport
+[https://roy.marples.name/cgit/dhcpcd.git/commit/?id=12cdb2be46e25e1ab99df18324b787ad8749dff7]
+
+Signed-off-by: Yi Zhao
+---
+ src/privsep-linux.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/privsep-linux.c b/src/privsep-linux.c
+index 050a30cf..d31d720d 100644
+--- a/src/privsep-linux.c
++++ b/src/privsep-linux.c
+@@ -34,6 +34,7 @@
+ 
+ #include
+ #include
++#include
+ #include
+ #include
+ 
+@@ -311,6 +312,23 @@ static struct sock_filter ps_seccomp_filter[] = {
+ #ifdef __NR_sendto
+ SECCOMP_ALLOW(__NR_sendto),
+ #endif
++#ifdef __NR_socketcall
++ /* i386 needs this and demonstrates why SECCOMP
++ * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4)
++ * as this is soooo tied to the kernel API which changes per arch
++ * and likely libc as well. */
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT), /* overflow */
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
++#endif
+ #ifdef __NR_shutdown
+ SECCOMP_ALLOW(__NR_shutdown),
+ #endif
+--
+2.25.1
+
-- cgit v1.2.3-54-g00ecf
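Review bot: The new `SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_*)` entries can only match the multiplexer number in argument 0; the real socket arguments live in the user-space array that argument 1 points to, which a seccomp BPF filter cannot dereference, so on i386 these subcalls are admitted unconditionally even if the corresponding direct `__NR_*` entries elsewhere in `ps_seccomp_filter[]` carry argument restrictions. I would state that limit in the block comment and tie the list to the direct allows it mirrors, e.g. `/* Only the socketcall(2) subcall number (arg 0) is filterable; the argument array at arg 1 is user memory seccomp cannot inspect, so keep this list in lockstep with the direct __NR_* allows. */`. The `/* overflow */` remark on `SYS_GETSOCKOPT` does not say which getsockopt use it refers to, so a later reader cannot tell whether that entry is still needed; a one-line reason there would help. Because `__NR_socketcall`'s number collides with unrelated syscalls on other ABIs, these entries are only safe if the filter checks `seccomp_data.arch` before any syscall-number match; that preamble is outside the hunk, so please confirm it is there. `ps_seccomp_filter[]` starts and ends outside the hunk.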