[Bug 3855] sshd-auth sandbox limitations
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Fri Aug 29 18:53:08 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3855
--- Comment #5 from Adrian Jarc <adrian.jarc at aviatnet.com> ---
(In reply to Damien Miller from comment #3)
> Some other alternatives:
>
> 1. Ask the WolfSSL developers if there is any way to get the library
> to preopen the file descriptors before the sandbox is applied.
> 2. Soft-deny all __NR_open syscalls in the sandbox. This will case
> open() to faill with an error but won't result in a process-killing
> sandbox violation. You'd need to get a guarantee from the WolfSSL
> developers that their library will perform safely in this situation.
If WolfSSL changes how that works, their wolfCrypt module won't be FIPS
certified anymore, and that does not help. So this is not an option.
As for 2. point, can we get some pointers as how we could do that?
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
More information about the openssh-bugs
mailing list