From 3d2c14680b9ace9f33813e1799bf4e7e0b510ffc Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Apr 11 2016 14:14:25 +0000
Subject: Soft-deny socket() syscall in seccomp sandbox (#1324493)


 * Used for  ecdh-sha2-nistp*  key exchange methods in FIPS mode

---

diff --git a/openssh-7.2p1-fips.patch b/openssh-7.2p1-fips.patch
index 1baeba7..068f7ec 100644
--- a/openssh-7.2p1-fips.patch
+++ b/openssh-7.2p1-fips.patch
@@ -704,3 +704,18 @@ index 7efe312..bcf2ae1 100644
  #define	KEX_FIPS_ENCRYPT \
  	"aes128-ctr,aes192-ctr,aes256-ctr," \
  	"aes128-cbc,3des-cbc," \
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index a3975eb..5224084 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -112,6 +112,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_open
+ 	SC_DENY(open, EACCES),
+ #endif
++#ifdef __NR_socket
++	SC_DENY(socket, EACCES),
++#endif
+ #ifdef __NR_openat
+ 	SC_DENY(openat, EACCES),
+ #endif
+