[Bug 2142] openssh sandboxing using libseccomp
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Tue Aug 4 15:40:38 AEST 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2142
--- Comment #8 from Mike Frysinger <vapier at gentoo.org> ---
Comment on attachment 2563
--> https://bugzilla.mindrot.org/attachment.cgi?id=2563
libseccomp patch v2
>+static int
>+seccomp_add_secondary_archs(scmp_filter_ctx *c)
>+{
>+#if defined(__i386__) || defined(__x86_64__)
>+ int r;
>+ r = seccomp_arch_add(c, SCMP_ARCH_X86);
>+ if (r < 0 && r != -EEXIST)
>+ return r;
>+ r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
>+ if (r < 0 && r != -EEXIST)
>+ return r;
>+ r = seccomp_arch_add(c, SCMP_ARCH_X32);
>+ if (r < 0 && r != -EEXIST)
>+ return r;
>+#endif
>+ return 0;
>+}
i don't think this is correct. there's no reason to permit alternative
ABIs from the one you're currently executing as. x86/32bit should only
permit the X86 ABI, x86_64/64bit should only permit the X86_64 ABI, and
x86_64/32bit should only permit the X32 ABI.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list