[Bug 2361] New: seccomp filter (not only) for aarch64
bugzilla-daemon at mindrot.org
Fri Mar 6 03:10:19 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2361
Bug ID: 2361
Summary: seccomp filter (not only) for aarch64
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 2561
--> https://bugzilla.mindrot.org/attachment.cgi?id=2561&action=edit
aarch64 patch
We started using the seccomp filter in openssh and there appeared to be some
problems with secondary architectures:
https://bugzilla.redhat.com/show_bug.cgi?id=1195065
The seccomp filter is available on the aarch64 architecture, but the openssh code
was not ready for it, so I am providing a patch here to make it work.
Changes and explanations:
* First of all we need to whitelist this architecture in configure.ac
  (also fixing some indentation inconsistency around arm)
* Then we need to adjust the filter settings for syscall denial
  (if a syscall doesn't exist, openssh will not build)
  * open does not exist on aarch64; openat also exists on the primary architectures
  * stat is never used; x86_64 uses fstat, ix86 and arm use fstat64 and
    stat64 (=> whitelisting), aarch64 uses fstat and newfstatat
  * poll and select are not available on aarch64
  * pselect6 is used instead of select
(see attached patch)
This patch was tested and is currently used in Fedora.
We plan to add support for other architectures sooner or later. Further
discussion welcome.
I'm also appending a table with the syscall names and numbers I collected
during my testing, which are mentioned in the filter and differ across
architectures:

            open        stat                       select()
x86_64      open(2)     fstat(5)                   select(23)
ix86        open(5)     stat64(195) fstat64(197)   _newselect(142)
arm         open(5)     stat64(195) fstat64(197)   _newselect(142)
aarch64     openat(56)  fstat(80) newfstatat(79)   pselect6(72)
Feel free to comment or add more syscalls you are interested in.
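The per-architecture guarding the bullet list and table describe, as an added example that is not the attached patch or OpenSSH's own sandbox code: a seccomp-BPF allow list whose arch-specific entries are #ifdef-guarded on __NR_*, so one source file builds on both x86_64 (open, select) and aarch64 (openat, pselect6), together with the AUDIT_ARCH check such a filter needs. The SECCOMP_AUDIT_ARCH macro, the allowed[] list and its syscall set are this example's own choices, not OpenSSH's.

```c
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Pin the ABI: a filter that skips this check can be bypassed via a foreign-ABI syscall. */
#if defined(__x86_64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
# error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Allow list (illustrative, not OpenSSH's). Arch-specific entries are #ifdef-guarded
 * so the unit still builds where a syscall is absent: aarch64 has openat/pselect6 but no open/select. */
static const int allowed[] = {
    __NR_read, __NR_write, __NR_exit_group,   /* present on every Linux arch */
#ifdef __NR_open
    __NR_open,
#endif
#ifdef __NR_openat
    __NR_openat,
#endif
#ifdef __NR_select
    __NR_select,
#endif
#ifdef __NR_pselect6
    __NR_pselect6,
#endif
};
#define ALLOW_COUNT (sizeof(allowed) / sizeof(allowed[0]))

/* Emit the BPF program: check arch, load nr, one JEQ+ALLOW pair per entry,
 * default KILL. Returns the instruction count, or 0 if prog is too small. */
size_t build_filter(struct sock_filter *prog, size_t max)
{
    size_t n = 0;
    if (max < 2 * ALLOW_COUNT + 5) return 0;
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < ALLOW_COUNT; i++) {
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], 0, 1);
        prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    return n;
}
```

The resulting program is what would be handed to prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) after PR_SET_NO_NEW_PRIVS; building it separately lets the allow list be inspected on each architecture before it is installed.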