From: Marcin Krol
Date: Wed, 29 Aug 2018 10:00:02 +0000 (+0000)
Subject: - updated 7.8p1, partial PLD merge
X-Git-Url: https://git.tld-linux.org/?a=commitdiff_plain;h=3e28016f46df89af7ad695fb15877f748f6c2712;p=packages%2Fopenssh.git
- updated 7.8p1, partial PLD merge
---
diff --git a/libseccomp-sandbox.patch b/libseccomp-sandbox.patch
deleted file mode 100644
index e701b2c..0000000
--- a/libseccomp-sandbox.patch
+++ /dev/null
@@ -1,239 +0,0 @@ -https://bugzilla.mindrot.org/show_bug.cgi?id=2142 - ---- a/Makefile.in -+++ a/Makefile.in -@@ -112,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - sftp-server.o sftp-common.o \ - sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ -- sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ -+ sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ - sandbox-solaris.o - - MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out ---- a/configure.ac -+++ a/configure.ac -@@ -2867,11 +2867,22 @@ else - fi - AC_SUBST([SSH_PRIVSEP_USER]) - -+AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [ -+ #include -+ #include -+]) -+if test "x$have_libseccomp_filter" = "x1" ; then -+ AC_CHECK_LIB([seccomp], [seccomp_init], -+ [LIBS="$LIBS -lseccomp"], -+ [have_libseccomp_filter=0]) -+fi -+ - if test "x$have_linux_no_new_privs" = "x1" ; then - AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ - #include - #include - ]) -+ - fi - if test "x$have_seccomp_filter" = "x1" ; then - AC_MSG_CHECKING([kernel for seccomp_filter support]) -@@ -2898,7 +2909,7 @@ fi - # Decide which sandbox style to use - sandbox_arg="" - AC_ARG_WITH([sandbox], -- [ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)], -+ [ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, libseccomp_filter, systrace, pledge)], - [ - if test "x$withval" = "xyes" ; then - sandbox_arg="" -@@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \ - AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and 
sandbox_init function]) - SANDBOX_STYLE="darwin" - AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) -+elif test "x$sandbox_arg" = "xlibseccomp_filter" || \ -+ ( test -z "$sandbox_arg" && \ -+ test "x$have_libseccomp_filter" = "x1" ) ; then -+ test "x$have_libseccomp_filter" != "x1" && \ -+ AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host]) -+ SANDBOX_STYLE="libseccomp_filter" -+ AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter]) - elif test "x$sandbox_arg" = "xseccomp_filter" || \ - ( test -z "$sandbox_arg" && \ - test "x$have_seccomp_filter" = "x1" && \ ---- a/sandbox-libseccomp-filter.c -+++ a/sandbox-libseccomp-filter.c -@@ -0,0 +1,175 @@ -+/* -+ * Copyright (c) 2012 Will Drewry -+ * -+ * Permission to use, copy, modify, and distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
-+ */ -+ -+#include "includes.h" -+ -+#ifdef SANDBOX_LIBSECCOMP_FILTER -+ -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include /* for offsetof */ -+#include -+#include -+#include -+#include -+ -+#include "log.h" -+#include "ssh-sandbox.h" -+#include "xmalloc.h" -+ -+struct ssh_sandbox { -+ pid_t child_pid; -+}; -+ -+struct ssh_sandbox * -+ssh_sandbox_init(struct monitor *monitor) -+{ -+ struct ssh_sandbox *box; -+ -+ /* -+ * Strictly, we don't need to maintain any state here but we need -+ * to return non-NULL to satisfy the API. -+ */ -+ debug3("%s: preparing libseccomp filter sandbox", __func__); -+ box = xcalloc(1, sizeof(*box)); -+ box->child_pid = 0; -+ -+ return box; -+} -+ -+static int -+seccomp_add_secondary_archs(scmp_filter_ctx *c) -+{ -+#if defined(__i386__) || defined(__x86_64__) -+ int r; -+ r = seccomp_arch_add(c, SCMP_ARCH_X86); -+ if (r < 0 && r != -EEXIST) -+ return r; -+ r = seccomp_arch_add(c, SCMP_ARCH_X86_64); -+ if (r < 0 && r != -EEXIST) -+ return r; -+ r = seccomp_arch_add(c, SCMP_ARCH_X32); -+ if (r < 0 && r != -EEXIST) -+ return r; -+#endif -+ return 0; -+} -+ -+struct scmp_action_def { -+ uint32_t action; -+ int syscall; -+}; -+ -+static const struct scmp_action_def preauth_insns[] = { -+ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)}, -+ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)}, -+#ifdef __NR_time /* not defined on EABI ARM */ -+ {SCMP_ACT_ALLOW, SCMP_SYS(time)}, -+#endif -+ {SCMP_ACT_ALLOW, SCMP_SYS(read)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(write)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(close)}, -+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ -+ {SCMP_ACT_ALLOW, SCMP_SYS(shutdown)}, -+#endif -+ {SCMP_ACT_ALLOW, SCMP_SYS(brk)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(poll)}, -+#ifdef __NR__newselect -+ {SCMP_ACT_ALLOW, SCMP_SYS(_newselect)}, 
-+#endif -+ {SCMP_ACT_ALLOW, SCMP_SYS(select)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(madvise)}, -+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ -+ {SCMP_ACT_ALLOW, SCMP_SYS(mmap2)}, -+#endif -+#ifdef __NR_mmap -+ {SCMP_ACT_ALLOW, SCMP_SYS(mmap)}, -+#endif -+#ifdef __dietlibc__ -+ {SCMP_ACT_ALLOW, SCMP_SYS(mremap)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(exit)}, -+#endif -+ {SCMP_ACT_ALLOW, SCMP_SYS(munmap)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(exit_group)}, -+#ifdef __NR_rt_sigprocmask -+ {SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)}, -+#else -+ {SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)}, -+#endif -+ {0, 0} -+}; -+ -+ -+void -+ssh_sandbox_child(struct ssh_sandbox *box) -+{ -+ scmp_filter_ctx *seccomp; -+ struct rlimit rl_zero; -+ const struct scmp_action_def *insn; -+ int r; -+ -+ /* Set rlimits for completeness if possible. */ -+ rl_zero.rlim_cur = rl_zero.rlim_max = 0; -+ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) -+ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", -+ __func__, strerror(errno)); -+ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) -+ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", -+ __func__, strerror(errno)); -+ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) -+ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", -+ __func__, strerror(errno)); -+ -+ seccomp = seccomp_init(SCMP_ACT_KILL); -+ if (!seccomp) -+ fatal("%s:libseccomp activation failed", __func__); -+ if (seccomp_add_secondary_archs(seccomp)) -+ fatal("%s:libseccomp secondary arch setup failed", __func__); -+ -+ for (insn = preauth_insns; insn->action; insn++) { -+ if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0) -+ fatal("%s:libseccomp rule failed", __func__); -+ } -+ -+ if ((r = seccomp_load(seccomp)) < 0) -+ fatal("%s:libseccomp unable to load filter %d", __func__, r); -+ -+ seccomp_release(seccomp); -+} -+ -+void -+ssh_sandbox_parent_finish(struct ssh_sandbox *box) -+{ -+ free(box); -+ debug3("%s: finished", __func__); -+} -+ -+void -+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, 
pid_t child_pid) -+{ -+ box->child_pid = child_pid; -+} -+ -+#endif /* SANDBOX_LIBSECCOMP_FILTER */ diff --git a/openssh-chroot.patch b/openssh-chroot.patch index 828de68..64ea0ca 100644 --- a/openssh-chroot.patch +++ b/openssh-chroot.patch @@ -64,10 +64,10 @@ * poke the client this often to --- openssh-7.2p1/session.c.orig 2016-03-05 10:24:44.227756638 +0100 +++ openssh-7.2p1/session.c 2016-03-05 10:24:50.237756386 +0100 -@@ -1492,6 +1492,10 @@ do_setusercontext(struct passwd *pw) +@@ -1381,6 +1381,10 @@ void do_setusercontext(struct passwd *pw) { - char *chroot_path, *tmp; + char uidstr[32], *chroot_path, *tmp; +#ifdef CHROOT + char *user_dir; + char *new_root; diff --git a/openssh-kuserok.patch b/openssh-kuserok.patch index 077484c..8b3773d 100644 --- a/openssh-kuserok.patch +++ b/openssh-kuserok.patch @@ -1,6 +1,6 @@ -diff -urpa openssh-7.7p1.orig/auth-krb5.c openssh-7.7p1/auth-krb5.c ---- openssh-7.7p1.orig/auth-krb5.c 2018-04-02 05:38:28.000000000 +0000 -+++ openssh-7.7p1/auth-krb5.c 2018-04-09 14:22:27.146431415 +0000 +diff -urpa openssh-7.8p1.orig/auth-krb5.c openssh-7.8p1/auth-krb5.c +--- openssh-7.8p1.orig/auth-krb5.c 2018-08-23 05:41:42.000000000 +0000 ++++ openssh-7.8p1/auth-krb5.c 2018-08-29 09:55:47.547970289 +0000 @@ -54,6 +54,20 @@ extern ServerOptions options; 
@@ -31,10 +31,10 @@ diff -urpa openssh-7.7p1.orig/auth-krb5.c openssh-7.7p1/auth-krb5.c authctxt->pw->pw_name)) { problem = -1; goto out; -diff -urpa openssh-7.7p1.orig/gss-serv-krb5.c openssh-7.7p1/gss-serv-krb5.c ---- openssh-7.7p1.orig/gss-serv-krb5.c 2018-04-02 05:38:28.000000000 +0000 -+++ openssh-7.7p1/gss-serv-krb5.c 2018-04-09 14:22:27.146431415 +0000 -@@ -57,6 +57,7 @@ extern ServerOptions options; +diff -urpa openssh-7.8p1.orig/gss-serv-krb5.c openssh-7.8p1/gss-serv-krb5.c +--- openssh-7.8p1.orig/gss-serv-krb5.c 2018-08-23 05:41:42.000000000 +0000 ++++ openssh-7.8p1/gss-serv-krb5.c 2018-08-29 09:55:47.547970289 +0000 +@@ -56,6 +56,7 @@ extern ServerOptions options; #endif static krb5_context krb_context = NULL; @@ -42,7 +42,7 @@ diff -urpa openssh-7.7p1.orig/gss-serv-krb5.c openssh-7.7p1/gss-serv-krb5.c /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ -@@ -99,7 +100,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client +@@ -98,7 +99,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client krb5_free_error_message(krb_context, errmsg); return 0; } 
@@ -51,18 +51,18 @@ diff -urpa openssh-7.7p1.orig/gss-serv-krb5.c openssh-7.7p1/gss-serv-krb5.c retval = 1; logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", name, (char *)client->displayname.value); -diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c ---- openssh-7.7p1.orig/servconf.c 2018-04-09 14:19:20.369433518 +0000 -+++ openssh-7.7p1/servconf.c 2018-04-09 14:23:35.581430645 +0000 -@@ -162,6 +162,7 @@ initialize_server_options(ServerOptions - options->num_accept_env = 0; +diff -urpa openssh-7.8p1.orig/servconf.c openssh-7.8p1/servconf.c +--- openssh-7.8p1.orig/servconf.c 2018-08-29 09:49:04.830974823 +0000 ++++ openssh-7.8p1/servconf.c 2018-08-29 09:57:22.452969220 +0000 +@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions options->permit_tun = -1; options->permitted_opens = NULL; + options->permitted_listens = NULL; + options->use_kuserok = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; options->authorized_keys_command = NULL; -@@ -429,6 +430,8 @@ fill_default_server_options(ServerOption +@@ -449,6 +450,8 @@ fill_default_server_options(ServerOption options->num_auth_methods = 0; } @@ -71,7 +71,7 @@ diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " -@@ -451,7 +454,7 @@ typedef enum { +@@ -471,7 +474,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, @@ -80,7 +80,7 @@ diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts, -@@ -535,11 +538,13 @@ static struct { +@@ -555,11 +558,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif 
@@ -94,18 +94,18 @@ diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1815,6 +1820,10 @@ process_server_config_line(ServerOptions - *activep = value; +@@ -1958,6 +1963,10 @@ process_server_config_line(ServerOptions + } break; + case sKerberosUseKuserok: + intptr = &options->use_kuserok; + goto parse_flag; + - case sPermitOpen: - arg = strdelim(&cp); - if (!arg || *arg == '\0') -@@ -2193,6 +2202,7 @@ copy_set_server_options(ServerOptions *d + case sForceCommand: + if (cp == NULL || *cp == '\0') + fatal("%.200s line %d: Missing argument.", filename, +@@ -2302,6 +2311,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); M_CP_INTOPT(log_level); @@ -113,7 +113,7 @@ diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c /* * The bind_mask is a mode_t that may be unsigned, so we can't use -@@ -2498,6 +2508,7 @@ dump_config(ServerOptions *o) +@@ -2595,6 +2605,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); 
@@ -121,20 +121,20 @@ diff -urpa openssh-7.7p1.orig/servconf.c openssh-7.7p1/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff -urpa openssh-7.7p1.orig/servconf.h openssh-7.7p1/servconf.h ---- openssh-7.7p1.orig/servconf.h 2018-04-09 14:18:20.148434196 +0000 -+++ openssh-7.7p1/servconf.h 2018-04-09 14:22:27.147431415 +0000 -@@ -191,6 +191,7 @@ typedef struct { - char **permitted_opens; - u_int num_permitted_opens; /* May also be one of PERMITOPEN_* */ +diff -urpa openssh-7.8p1.orig/servconf.h openssh-7.8p1/servconf.h +--- openssh-7.8p1.orig/servconf.h 2018-08-29 09:49:04.827974823 +0000 ++++ openssh-7.8p1/servconf.h 2018-08-29 09:55:47.548970289 +0000 +@@ -190,6 +190,7 @@ typedef struct { + char **permitted_listens; /* May also be one of PERMITOPEN_* */ + u_int num_permitted_listens; + int use_kuserok; char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff -urpa openssh-7.7p1.orig/sshd_config openssh-7.7p1/sshd_config ---- openssh-7.7p1.orig/sshd_config 2018-04-09 14:18:20.149434196 +0000 -+++ openssh-7.7p1/sshd_config 2018-04-09 14:22:27.147431415 +0000 +diff -urpa openssh-7.8p1.orig/sshd_config openssh-7.8p1/sshd_config +--- openssh-7.8p1.orig/sshd_config 2018-08-29 09:49:04.827974823 +0000 ++++ openssh-7.8p1/sshd_config 2018-08-29 09:55:47.548970289 +0000 @@ -68,6 +68,7 @@ AuthorizedKeysFile .ssh/authorized_keys #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes 
@@ -143,10 +143,10 @@ diff -urpa openssh-7.7p1.orig/sshd_config openssh-7.7p1/sshd_config # GSSAPI options #GSSAPIAuthentication no -diff -urpa openssh-7.7p1.orig/sshd_config.5 openssh-7.7p1/sshd_config.5 ---- openssh-7.7p1.orig/sshd_config.5 2018-04-09 14:18:20.149434196 +0000 -+++ openssh-7.7p1/sshd_config.5 2018-04-09 14:22:27.148431415 +0000 -@@ -856,6 +856,10 @@ Specifies whether to automatically destr +diff -urpa openssh-7.8p1.orig/sshd_config.5 openssh-7.8p1/sshd_config.5 +--- openssh-7.8p1.orig/sshd_config.5 2018-08-29 09:49:04.828974823 +0000 ++++ openssh-7.8p1/sshd_config.5 2018-08-29 09:55:47.549970289 +0000 +@@ -861,6 +861,10 @@ Specifies whether to automatically destr file on logout. The default is .Cm yes . @@ -157,7 +157,7 @@ diff -urpa openssh-7.7p1.orig/sshd_config.5 openssh-7.7p1/sshd_config.5 .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -@@ -1119,6 +1123,7 @@ Available keywords are +@@ -1124,6 +1128,7 @@ Available keywords are .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , .Cm LogLevel , diff --git a/openssh-ldap.patch b/openssh-ldap.patch index 3626558..2920eab 100644 --- a/openssh-ldap.patch +++ b/openssh-ldap.patch @@ -1778,8 +1778,8 @@ diff -up openssh-6.2p1/ldap-helper.c.ldap openssh-6.2p1/ldap-helper.c +} + +/* Ugly hack */ -+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; } -+void buffer_put_string(Buffer *b, const void *f, u_int l) {} ++void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; } ++void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {} + diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h --- openssh-6.2p1/ldap-helper.h.ldap 2013-03-25 21:27:15.892248097 +0100 diff --git a/openssh.spec b/openssh.spec index bbb3755..d01f748 100644 --- a/openssh.spec +++ b/openssh.spec 
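Review bot: The two stubs under `/* Ugly hack */` in the openssh-ldap.patch hunk still fail silently after the switch to `struct sshbuf *`: `buffer_get_string` returns NULL without writing `*l`, and `buffer_put_string` drops its input. If any object linked into the helper ever reaches them, the caller carries on with a NULL pointer and an unset length instead of stopping. Consider making both bodies `fatal("%s: stub called", __func__);`, assuming log.h is reachable from ldap-helper.c, which the hunk does not show. The comment would also be more useful as `/* link-time stubs: never called by the helper, present only to satisfy symbols pulled in from libssh */`, if that is indeed why they exist.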
@@ -42,13 +42,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 7.7p1 -Release: 2 +Version: 7.8p1 +Release: 1 Epoch: 2 License: BSD Group: Applications/Networking Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: 68ba883aff6958297432e5877e9a0fe2 +# Source0-md5: ce1d090fa6239fd38eb989d5e983b074 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init @@ -76,7 +76,6 @@ Patch12: %{name}-vulnkey-compat.patch Patch13: %{name}-kuserok.patch Patch14: %{name}-bind.patch Patch15: %{name}-disable_ldap.patch -Patch16: libseccomp-sandbox.patch URL: http://www.openssh.com/portable.html BuildRequires: %{__perl} %{?with_audit:BuildRequires: audit-libs-devel} @@ -536,7 +535,6 @@ openldap-a. %patch13 -p1 %patch14 -p1 %{!?with_ldap:%patch15 -p1} -%{?with_libseccomp:%patch16 -p1} # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile* @@ -572,7 +570,7 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99" --with-privsep-path=%{_privsepdir} \ --with-privsep-user=sshd \ %{?with_selinux:--with-selinux} \ - --with-sandbox=%{sandbox} \ + --with-sandbox=seccomp_filter \ --with-xauth=%{_bindir}/xauth echo '#define LOGIN_PROGRAM "/bin/login"' >>config.h
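Review bot: Hard-coding `--with-sandbox=seccomp_filter` in the last openssh.spec hunk leaves the `%{sandbox}` macro and the `with_libseccomp` conditional (last used by the removed `%patch16` line) without a visible user. No hunk shown here removes their definitions or any libseccomp build dependency, so they should be dropped in the same commit if they still exist. An explicitly requested sandbox style presumably makes configure stop on a host without seccomp filter support instead of picking a weaker style. That is the safer outcome for the privilege-separation sandbox, but it changes which architectures build. A comment ahead of the configure invocation would record the intent, for example `# sandbox style is pinned on purpose: fail the build rather than fall back to a weaker one`.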