[openssh-commits] [openssh] branch master updated: seccomp sandbox: allow riscv_hwprobe syscall if present
git+noreply at mindrot.org
Sat Mar 28 16:20:45 AEDT 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
The following commit(s) were added to refs/heads/master by this push:
new fd7d4b2b5 seccomp sandbox: allow riscv_hwprobe syscall if present
fd7d4b2b5 is described below
commit fd7d4b2b52deaf296b06d78b85c97fdae31912e8
Author: Icenowy Zheng <uwu at icenowy.me>
AuthorDate: Sun Mar 22 15:13:31 2026 +0800
seccomp sandbox: allow riscv_hwprobe syscall if present
The development branch of zlib-ng now contains code for utilizing the
riscv_hwprobe syscall to retrieve availability information for several
RISC-V extensions (and accelerate the deflate algorithm with them).
As the seccomp sandbox of OpenSSH will raise SIGSYS for filtered out
syscalls, this will abruptly terminate the process when the
riscv_hwprobe syscall is tried.
Put it into the allowlist to prevent process termination. As all
syscalls here are guarded by #ifdef's, the same will be done for
riscv_hwprobe, and thus on non-RISC-V builds nothing will happen.
Signed-off-by: Icenowy Zheng <uwu at icenowy.me>
---
sandbox-seccomp-filter.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index b3da8d587..7b2444930 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -405,6 +405,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_read
SC_ALLOW(__NR_read),
#endif
+#ifdef __NR_riscv_hwprobe
+ SC_ALLOW(__NR_riscv_hwprobe),
+#endif
#ifdef __NR_rt_sigprocmask
SC_ALLOW(__NR_rt_sigprocmask),
#endif
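Review bot: The new SC_ALLOW(__NR_riscv_hwprobe) entry in preauth_insns has no in-code note of why the sandboxed process needs it; the rationale (zlib-ng probing RISC-V extensions to accelerate deflate) is recorded only in the commit message. A one-line comment above the entry, for example `/* zlib-ng CPU feature detection on RISC-V */`, would keep that reason visible to anyone auditing the allowlist later. The #ifdef guard and the alphabetical placement between __NR_read and __NR_rt_sigprocmask match the neighbouring entries.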