Damien Miller djm at
Thu Jul 26 09:26:12 EST 2012

On Wed, 25 Jul 2012, Carsten Mattner wrote:

> Can I configure openssh with --sandbox=seccomp_filter and have it still run
> on older kernels with sandboxing via rlimit? I'm asking from a linux
> distro packaging
> point of view. Does --sandbox=seccomp_filter keep the rlimit sandbox?
> It looks to
> me as if I can only link in one of the sandbox plugins.
> An openssh build with seccomp_filter enabled will probably have no sandbox
> at all on linux < 3.5. Is that correct? Would it start up linux 3.4 or
> 3.2 at all?

HEAD will fallback to the rlimit pseudo-sandbox if seccomp was enabled at
compile-time but is not available at runtime. openssh-6.0 will fatal() for
these cases.


More information about the openssh-unix-dev mailing list