seccomp_filter
Carsten Mattner
carstenmattner at gmail.com
Thu Jul 26 21:50:41 EST 2012
On Thu, Jul 26, 2012 at 1:26 AM, Damien Miller <djm at mindrot.org> wrote:
>
>
> On Wed, 25 Jul 2012, Carsten Mattner wrote:
>
>> Can I configure openssh with --sandbox=seccomp_filter and have it
>> still run on older kernels with sandboxing via rlimit? I'm asking
>> from a linux distro packaging point of view. Does
>> --sandbox=seccomp_filter keep the rlimit sandbox? It looks to me as
>> if I can only link in one of the sandbox plugins.
>>
>> An openssh build with seccomp_filter enabled will probably have no
>> sandbox at all on linux < 3.5. Is that correct? Would it start up
>> linux 3.4 or 3.2 at all?
>
> HEAD will fallback to the rlimit pseudo-sandbox if seccomp was enabled at
> compile-time but is not available at runtime. openssh-6.0 will fatal() for
> these cases.
That sounds good. Is it available in a single commit I could backport
until the next release? Is it correct that November 2012 is the
release date for 6.1?
More information about the openssh-unix-dev
mailing list