[Bug 3855] sshd-auth sandbox limitations
bugzilla-daemon at mindrot.org
Tue Sep 2 09:40:28 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3855
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Please don't paste logs in the comment box, it makes bugs hard to read.
Use the attachment feature instead.
I don't see a sandbox violation there. If I had to guess what's
happening I'd say that WolfSSL is attempting open(/dev/urandom),
soft-failing with errno==EACCES because of
https://github.com/openssh/openssh-portable/blob/master/sandbox-seccomp-filter.c#L259
and returning a failure that terminates the sshd-auth process.
Reiterating your options:
1. Ask the WolfSSL developers if you can get it to prepare for
sandboxing before the sandbox is applied. In other libraries, this
usually means making some API call that loads a seed or opens a file
descriptor before the sandbox makes such things impossible.
2. Get WolfSSL to use getrandom() instead of open(/dev/urandom). It
looks like there is already support in the library for this:
https://github.com/wolfSSL/wolfssl/blob/v5.6.4-stable/wolfcrypt/src/random.c#L3595-L3624
3. Change the sandbox to allow the open syscall. This would
significantly weaken the sandbox as it can't be done selectively
per-path, which is why we don't do it in OpenSSH. Practically, this
means replacing "SC_DENY(__NR_open, EACCES)," with
"SC_ALLOW(__NR_open),"
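The behaviour discussed in the comment above, as an added example that is not OpenSSH's filter or WolfSSL code: a forked child installs a minimal Linux seccomp filter that denies open/openat with EACCES, then checks that a late open of /dev/urandom fails while a descriptor opened before the sandbox (option 1) and getrandom() (option 2) still deliver random bytes. The function name and result bits are assumptions made for this illustration.

```c
/* Added example (not OpenSSH or WolfSSL code). Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/random.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Two BPF instructions: if the syscall number matches, return -EACCES. */
#define DENY_EACCES(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES)

/* Result bits: 1 = open() after the sandbox failed with EACCES,
 * 2 = fd opened before the sandbox still reads, 4 = getrandom() works.
 * Returns -1 if the filter could not be installed or the child died. */
int probe_rng_under_sandbox(void)
{
    /* A production filter must also validate seccomp_data.arch first. */
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open
        DENY_EACCES(__NR_open),
#endif
        DENY_EACCES(__NR_openat),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof(f) / sizeof(f[0]), f };
    unsigned char buf[16];
    int status, r = 0;
    pid_t pid = fork();              /* sandbox only the child */
    if (pid < 0) return -1;
    if (pid == 0) {
        int early = open("/dev/urandom", O_RDONLY); /* option 1: before sandbox */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(64);               /* seccomp unavailable here */
        if (open("/dev/urandom", O_RDONLY) == -1 && errno == EACCES) r |= 1;
        if (early >= 0 && read(early, buf, sizeof(buf)) == (ssize_t)sizeof(buf)) r |= 2;
        if (getrandom(buf, sizeof(buf), 0) == (ssize_t)sizeof(buf)) r |= 4; /* option 2 */
        _exit(r);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 64 ? -1 : WEXITSTATUS(status);
}
```

A return value of 7 means all three observations held; -1 means the host did not permit installing a seccomp filter.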