authorJeremy Drake <github@jdrake.com>2019-10-11 18:31:05 -0700
committerDarren Tucker <dtucker@dtucker.net>2020-01-08 21:48:37 +1100
commitfbe37c90602fa2d0d7b5f05868d6886b1e216e65 (patch)
treecd5535a3f2eef0a28ba81a1ba4951cfa763f3b2f
parenta991cc5ed5a7c455fefe909a30cf082011ef5dff (diff)
Deny (non-fatal) ipc in preauth privsep child.V_8_1
As noted in openssh/openssh-portable#149, i386 does not have __NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc, https://linux.die.net/man/2/ipc). Add this syscall, if present, to the list of syscalls that seccomp will deny non-fatally.
-rw-r--r--sandbox-seccomp-filter.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 999c46c9..0914e48b 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_shmdt
SC_DENY(__NR_shmdt, EACCES),
#endif
+#ifdef __NR_ipc
+ SC_DENY(__NR_ipc, EACCES),
+#endif
/* Syscalls to permit */
#ifdef __NR_brk
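Review bot: The new `__NR_ipc` entry carries no comment saying that ipc(2) is a multiplexer for all System V IPC (semaphore and message-queue calls as well as shared memory), so where it is defined this rule returns EACCES for more operations than the `__NR_shm*` entries above it cover. Failing closed with an errno is a reasonable choice for the preauth child, but the difference should be written down so the policy is not assumed to be identical across architectures; on targets with separate syscalls the sem/msg calls presumably still fall through to the filter's default action, which is not visible here. I would add above the `#ifdef __NR_ipc` line something like `/* ipc(2) multiplexes all SysV IPC (shm, sem, msg) on i386 and similar; deny it as a whole, non-fatally */`. The `preauth_insns[]` array starts and ends outside this hunk, so the default action and the rest of the deny list should be checked against the full file.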