[Bug 3855] sshd-auth sandbox limitations

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Sep 2 14:25:11 AEST 2025 

https://bugzilla.mindrot.org/show_bug.cgi?id=3855

--- Comment #9 from Adrian Jarc <adrian.jarc at aviatnet.com> ---
(In reply to Damien Miller from comment #8)
> Please don't paste logs in the comment box, it makes bugs hard to
> read. Use the attachment feature instead.
> 
> I don't see a sandbox violation there. If I had to guess what's
> happening I'd say that WolfSSL is attempting open(/dev/urandom),
> soft-failing with errno==EACCESS because of
> https://github.com/openssh/openssh-portable/blob/master/sandbox-
> seccomp-filter.c#L259 and returning a failure that terminates the
> sshd-auth process.
> 
> Reiterating your options:
> 
> 1. Ask the WolfSSL developers if you can get it to prepare for
> sandboxing before the sandbox is applied. In other libraries, this
> usually means making some API call that loads a seed or opens a file
> descriptor before the sandbox makes such things impossible.
> 
> 2. Get WolfSSL to use getrandom() instead of open(/dev/urandom). It
> looks like there is already support in the library for this:
> https://github.com/wolfSSL/wolfssl/blob/v5.6.4-stable/wolfcrypt/src/
> random.c#L3595-L3624
> 
> 3. Change the sandbox to allow the open syscall. This would
> significantly weaken the sandbox as it can't be done selectively
> per-path, which is why we don't do it in OpenSSH. Practically, this
> means replacing "SC_DENY(__NR_open, EACCES)," with
> "SC_ALLOW(__NR_open),"

I apologise for attaching full logs in comment box, I have completely
missed the add attachment option. Will keep in mind if there will be a
next time.

Since the whole purpose of writing this to you, was to avoid lowering
security of sandbox, I will try to avoid the 3. option. So I have
written to wolfSSL about options 1. and 2.. Hopefully I will get a
reply soon.

I wrote to you, because ever since finding out what issue happens with
wolfSSL they have become silent. Now that you have helped me find some
additional possible solutions, I have written to them again and am
waiting for a reply.

I am leaving this issue open until I get some reply from wolfSSL. I
will close it after they respond.


Thank you for your help. You have been very helpful.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list