[PATCH] seccomp: allow the getrandom system call.
Damien Miller
djm at mindrot.org
Thu Feb 12 21:45:21 AEDT 2015
On Wed, 11 Feb 2015, Dmitry V. Levin wrote:
> On Wed, Feb 11, 2015 at 02:46:50PM -0300, Cristian Rodr?guez wrote:
> > *SSL libraries or the C library may/will require it.
>
> In what circumstances do they need it?
> Do they need it with GRND_RANDOM bit set?
>
> Note that this system call equivalents to opening (with subsequent
> reading) of /dev/random and /dev/urandom, which is not allowed by this
> seccomp filter.
IMO they shouldn't need it - we take care to prime both the arc4random
and libcrypto pools before sandboxing.
I don't mind adding it though, and don't think it hurts.
-d
More information about the openssh-unix-dev
mailing list