net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 23b40b643..d93a357c6 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_statx
 	SC_DENY(__NR_statx, EACCES),
 #endif
+#ifdef __NR_shmget
+	SC_DENY(__NR_shmget, EACCES),
+#endif
+#ifdef __NR_shmat
+	SC_DENY(__NR_shmat, EACCES),
+#endif
+#ifdef __NR_shmdt
+	SC_DENY(__NR_shmdt, EACCES),
+#endif
 
 	/* Syscalls to permit */
 #ifdef __NR_brk