Allow nanosleep in preauth privsep child.

The new timing attack mitigation code uses nanosleep in the preauth codepath, allow in sandbox.
author: Darren Tucker <dtucker@dtucker.net> 2018-04-13 08:06:29 +0200
committer: Darren Tucker <dtucker@dtucker.net> 2018-04-13 08:06:29 +0200
commit: 0e73428038d5ecfa5d2a28cff26661502a7aff4e (patch)
tree: c54abba8e6f44872dacff95d8fa201223ff07515 /sandbox-seccomp-filter.c
parent: upstream: Defend against user enumeration timing attacks. This (diff)
download: openssh-0e73428038d5ecfa5d2a28cff26661502a7aff4e.tar.xz
openssh-0e73428038d5ecfa5d2a28cff26661502a7aff4e.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ca75cc719..a189b2fb5 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -193,6 +193,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_munmap
 	SC_ALLOW(__NR_munmap),
 #endif
+#ifdef __NR_nanosleep
+	SC_ALLOW(__NR_nanosleep),
+#endif
 #ifdef __NR__newselect
 	SC_ALLOW(__NR__newselect),
 #endif
author	Darren Tucker <dtucker@dtucker.net>	2018-04-13 08:06:29 +0200
committer	Darren Tucker <dtucker@dtucker.net>	2018-04-13 08:06:29 +0200
commit	0e73428038d5ecfa5d2a28cff26661502a7aff4e (patch)
tree	c54abba8e6f44872dacff95d8fa201223ff07515 /sandbox-seccomp-filter.c
parent	upstream: Defend against user enumeration timing attacks. This (diff)
download	openssh-0e73428038d5ecfa5d2a28cff26661502a7aff4e.tar.xz openssh-0e73428038d5ecfa5d2a28cff26661502a7aff4e.zip