Carsten Mattner carstenmattner at
Thu Jul 26 21:50:41 EST 2012

On Thu, Jul 26, 2012 at 1:26 AM, Damien Miller <djm at> wrote:
> On Wed, 25 Jul 2012, Carsten Mattner wrote:
>> Can I configure openssh with --sandbox=seccomp_filter and have it
>> still run on older kernels with sandboxing via rlimit? I'm asking
>> from a linux distro packaging point of view. Does
>> --sandbox=seccomp_filter keep the rlimit sandbox? It looks to me as
>> if I can only link in one of the sandbox plugins.
>> An openssh build with seccomp_filter enabled will probably have no
>> sandbox at all on linux < 3.5. Is that correct? Would it start up
>> linux 3.4 or 3.2 at all?
> HEAD will fallback to the rlimit pseudo-sandbox if seccomp was enabled at
> compile-time but is not available at runtime. openssh-6.0 will fatal() for
> these cases.

That sounds good. Is it available in a single commit I could backport
until the next release? Is it correct that November 2012 is the
release date for 6.1?

More information about the openssh-unix-dev mailing list