[openssh-commits] [openssh] 07/07: Make failure to set SECCOMP or NO_NEW_PRIVS fatal
git+noreply at mindrot.org
git+noreply at mindrot.org
Sat May 30 23:30:33 AEST 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 7ab700f1706b154d4bc5cf66e19c05be6d9b1fc1
Author: Damien Miller <djm at mindrot.org>
AuthorDate: Sat May 30 23:24:01 2026 +1000
Make failure to set SECCOMP or NO_NEW_PRIVS fatal
If your Linux system lacks support for these then please don't
enable the seccomp sandbox.
Prompted by manfred.kaiser at ssh-mitm.at
---
sandbox-seccomp-filter.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 67a8a82aa..bf753eef2 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -535,7 +535,6 @@ void
ssh_sandbox_child(struct ssh_sandbox *box)
{
struct rlimit rl_zero, rl_one = {.rlim_cur = 1, .rlim_max = 1};
- int nnp_failed = 0;
/* Set rlimits for completeness if possible. */
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
@@ -558,18 +557,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
debug3_f("setting PR_SET_NO_NEW_PRIVS");
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
- debug("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
- __func__, strerror(errno));
- nnp_failed = 1;
- }
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+ fatal_f("prctl(PR_SET_NO_NEW_PRIVS): %s", strerror(errno));
debug3_f("attaching seccomp filter program");
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &preauth_program) == -1)
- debug("%s: prctl(PR_SET_SECCOMP): %s",
- __func__, strerror(errno));
- else if (nnp_failed)
- fatal("%s: SECCOMP_MODE_FILTER activated but "
- "PR_SET_NO_NEW_PRIVS failed", __func__);
+ fatal_f("prctl(PR_SET_SECCOMP): %s", strerror(errno));
}
#endif /* SANDBOX_SECCOMP_FILTER */
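Review bot: The two new `fatal_f()` calls carry their rationale only in the commit message; a why-comment in the code would keep a later maintainer from reintroducing a soft fallback that leaves the pre-auth child running unsandboxed while the build advertises the seccomp sandbox. Above the `debug3_f("setting PR_SET_NO_NEW_PRIVS")` line I would add `/* Both prctl() calls must succeed: a pre-auth child running without the sandbox it was built for is worse than refusing to start, so a kernel lacking these features should be built without SANDBOX_SECCOMP_FILTER. */`. The ordering also matters — the removed nnp_failed check shows PR_SET_NO_NEW_PRIVS was expected to precede PR_SET_SECCOMP, and (to be confirmed against prctl(2)) an unprivileged process cannot install a SECCOMP_MODE_FILTER without it — so a one-line `/* PR_SET_NO_NEW_PRIVS must already be set before the filter is attached. */` at the second call would preserve that knowledge. Operationally, these fatal messages are now the place a deployment on a kernel without seccomp/NNP support will surface, so they are worth keeping descriptive. The enclosing ssh_sandbox_child() function begins outside this hunk.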