[Bug 2142] openssh sandboxing using libseccomp

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Mar 7 01:26:00 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Steven Noonan <steven at uplinklabs.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |steven at uplinklabs.net
         Resolution|WONTFIX                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #6 from Steven Noonan <steven at uplinklabs.net> ---
I'd like to reopen this because there's now a reason to implement this
change. A build of portable OpenSSH with the x32 ABI (gcc -mx32) on
x86_64 doesn't work correctly with the seccomp_filter sandbox.

With libseccomp I'm able to do seccomp_arch_add for SCMP_ARCH_X86_64
and SCMP_ARCH_X32 -- which is sufficient to unbreak things.

I'm attaching an updated patch which is a bit smaller and cleaner than
the previous version, and contains an array of syscall rules similar to
the one in sandbox-seccomp-filter.c. This reduces code size by a fair
amount.
