Commit
seccomp: make socket() fail with -ENOSYS
At least Debian's glibc tries to make use of nscd by default leading to
the getpwuid() / getpwnam() calls in pspax trying to open up a local
connection to /var/run/nscd/socket. Neither socket() nor connect() are
allowed by the seccomp policy, leading to unavoidable killing of the
process:

    $ pspax
    USER PID PAX MAPS ETYPE NAME CAPS ATTR
    Bad system call (core dumped)
    $ strace pspax |& tail -3
    newfstatat(4, "stat", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
    socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 41
    +++ killed by SIGSYS (core dumped) +++

Fix this by making socket() fail with -ENOSYS instead:

    $ strace -e trace=socket ./build/pspax >/dev/null
    socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = -1 ENOSYS (Function not implemented)
    socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = -1 ENOSYS (Function not implemented)
    +++ exited with 0 +++

Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
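The two behaviours contrasted in the commit message (a filter that kills the process on socket() versus one that makes socket() return -ENOSYS so glibc's nscd probe can degrade gracefully) can be reproduced with a small raw seccomp-BPF program. The code below is an added example and is not pax-utils' own seccomp code; it assumes a Linux host with seccomp filter support and hand-builds the BPF filter with prctl() rather than using any library the project may use. Each probe runs in a forked child so the kill case does not take the demonstrating process down with it.

```c
/* Added example: seccomp SECCOMP_RET_KILL vs SECCOMP_RET_ERRNO(ENOSYS) for socket().
 * Not pax-utils' code; assumes Linux with seccomp-bpf (prctl(PR_SET_SECCOMP)). */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* pre-4.14 headers: thread kill */
#endif

/* A filter must pin the architecture, or syscall numbers mean something else. */
#if defined(__x86_64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a filter that applies `action` to socket() and allows everything else.
 * `action` is a SECCOMP_RET_* value, e.g. SECCOMP_RET_ERRNO | ENOSYS. */
static int install_socket_filter(unsigned int action)
{
    struct sock_filter filter[] = {
        /* kill outright if the syscall ABI is not the one we compiled for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* load the syscall number; socket() gets `action`, the rest is allowed */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* required so an unprivileged process may install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, install the filter in the child, call socket(AF_UNIX, ...) and report.
 * Returns -signo if the child was killed by a signal (e.g. -SIGSYS), the errno
 * socket() produced (0 on success), 255 if the filter could not be installed,
 * or 1000 if fork/waitpid failed. */
static int probe_socket_under_filter(unsigned int action)
{
    pid_t pid = fork();
    if (pid < 0)
        return 1000;
    if (pid == 0) {
        if (install_socket_filter(action) != 0)
            _exit(255);
        int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
        if (fd >= 0) {
            close(fd);
            _exit(0);
        }
        _exit(errno & 0xff); /* ENOSYS == 38 fits in the exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return 1000;
    if (WIFSIGNALED(status))
        return -WTERMSIG(status);
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return 1000;
}

int main(void)
{
    int killed = probe_socket_under_filter(SECCOMP_RET_KILL_PROCESS);
    int soft = probe_socket_under_filter(SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA));

    printf("kill policy:  %s\n",
           killed == -SIGSYS ? "child killed by SIGSYS (what pspax hit)" : "unexpected result");
    printf("errno policy: socket() failed with %s\n", soft > 0 ? strerror(soft) : "nothing");
    return 0;
}
```

Returning an errno still denies the connection; what changes is that the caller sees an ordinary failed syscall instead of a fatal SIGSYS. ENOSYS in particular is what glibc expects from a kernel that simply lacks the call, so its nscd lookup falls back to reading /etc/passwd directly, which is why the traced pspax run above exits 0. A filter that returns EPERM would be equally safe but may be handled differently by the caller.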