[Bug 3858] An inquire regarding sandbox-seccomp
bugzilla-daemon at mindrot.org
Tue Sep 2 09:10:46 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3858
Damien Miller <djm at mindrot.org> changed:
           What       |Removed            |Added
----------------------------------------------------------------------------
           Group      |Portable OpenSSH   |
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
(In reply to 1280196358 from comment #2)
> 1) Why does accessing these files cause the sshd-auth process to be
> killed?
The syscalls you listed above *do not* cause sshd-auth to be killed.
They are just blocked (will return errno=EACCESS) when they are
attempted.
Broadly, the seccomp sandbox does this:
1. block, with EACCESS, some syscalls
2. allow another set of syscalls
3. a final default block, with process termination, of all other syscalls.
Basically, if the syscall doesn't appear in one of the first two lists
then any attempt to use it will kill sshd-auth.
The ones you initially listed are in the first set.
> 2) Non-fatally denied refers to the denial of these syscalls will
> not cause fatal problems to the Linux system or the sshd-auth
> process,
> or it is necessary to deny these syscalls to avoid causing fatal
> problems?
If a syscall is attempted that hits the final block-everything rule,
then the kernel will kill the sshd-auth process.
I hope this helps!
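To make the three tiers concrete, here is an added illustration that is not code from the bug report or from OpenSSH's own sandbox-seccomp-filter.c: a toy seccomp-bpf filter built the same way (an errno list, an allow list, then a default kill), installed in a forked child so that each outcome can be observed from the parent. The choice of getpid, getppid and getuid as representatives of the three tiers is arbitrary and made up for this example; the real sshd filter also checks seccomp_data.arch, which is omitted here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum { OUT_ALLOWED = 1, OUT_EACCES = 2, OUT_KILLED = 3, OUT_UNSUPPORTED = 4 };

/* Toy three-tier filter (constructed for this example; sshd's also checks arch):
 * tier 1: getpid is blocked non-fatally, the caller just gets EACCES back
 * tier 2: getppid, exit_group and exit are allowed through
 * tier 3: any other syscall terminates the (single-threaded) child with SIGSYS */
static int install_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* default: terminate */
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Issue one raw syscall inside a sandboxed child and report what happened to it. */
static int probe(long nr) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(OUT_UNSUPPORTED); /* kernel/container refused */
        long r = syscall(nr);
        _exit(r == -1 && errno == EACCES ? OUT_EACCES : OUT_ALLOWED);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return OUT_KILLED;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Calling probe(__NR_getpid) returns OUT_EACCES and the child survives, whereas probe(__NR_getuid), which is in neither list, returns OUT_KILLED because the kernel delivered SIGSYS, exactly the distinction the comment draws.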