[Bug 2590] Seccomp filter for missing architectures
bugzilla-daemon at bugzilla.mindrot.org
Tue Aug 16 22:45:20 AEST 2016
https://bugzilla.mindrot.org/show_bug.cgi?id=2590
Joshua Kinard <kumba at gentoo.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CLOSED |REOPENED
Resolution|FIXED |---
CC| |kumba at gentoo.org
--- Comment #3 from Joshua Kinard <kumba at gentoo.org> ---
(In reply to Damien Miller from comment #1)
> Patch applied - thank-you very much for doing the testing for these.
> This will be in the openssh-7.3 release.
I hate to reopen, but I found a corner case for MIPS broken by the MIPS
whitelist. Specifically, the proposed whitelist does not account for
MIPS N32 ABI (under mips64).
Specifically:
+ mips64-*)
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64
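Review bot: the mips64-*) arm assigns seccomp_audit_arch=AUDIT_ARCH_MIPS64 from the host tuple alone, yet the strace further down reports si_arch=AUDIT_ARCH_MIPS64N32 on a mips64 host, so the arm needs an ABI test before the assignment. A compile-time probe of the toolchain's ABI macro (_MIPS_SIM compared against _ABIN32 on MIPS compilers) would separate N32 from N64 without depending on how the CHOST tuple is spelled.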
There needs to be another hook to somehow detect N32 and then set
either AUDIT_ARCH_MIPS64 (big-endian) or AUDIT_ARCH_MIPSEL64N32
(little-endian).
I believe there's a known/defined CHOST tuple to specify an N32
userland, but it's not common, so CHOST seems to be unreliable to
detect this. I am not sure of another reasonable way to do so right
now.
Without this fix, on mips64/N32 platforms, "UsePrivilegeSeparation
sandbox" will fail and not allow a client to connect. Per strace:
[pid 1883] prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
[pid 1883] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57, filter=0x565f3920}) = 0
[pid 1883] write(3, "\0\0\3|\10\24\270\256hb<\257-\30\216\214L\301\35\230\10\233\0\0\0\324curve2"..., 896 <unfinished ...>
[pid 1883] --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=NULL, si_syscall=__NR_write, si_arch=AUDIT_ARCH_MIPS64N32} ---
[pid 1883] <... write resumed> ) = -1 ERRNO_6001 (Unknown error 6001)
[pid 1883] --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=NULL, si_syscall=__NR_write, si_arch=AUDIT_ARCH_MIPS64N32} ---
[pid 1882] <... poll resumed> ) = 2 ([{fd=6, revents=POLLIN|POLLHUP}, {fd=7, revents=POLLHUP}])
[pid 1883] +++ killed by SIGSYS +++
[pid 1882] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1883, si_uid=22, si_status=SIGSYS, si_utime=0, si_stime=0} ---
[pid 1882] read(7, "", 4) = 0
[pid 1882] close(7) = 0
[pid 1882] poll([{fd=6, events=POLLIN}], 1, -1) = 1 ([{fd=6, revents=POLLIN|POLLHUP}])
[pid 1882] read(6, "", 4) = 0
[pid 1882] kill(1883, SIGKILL) = 0
[pid 1882] exit_group(255) = ?
[pid 1882] +++ exited with 255 +++
Switching to "UsePrivilegeSeparation yes" is a workaround, but seems
suboptimal.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.