[PATCH] seccomp: allow the getrandom system call.

Damien Miller djm at mindrot.org
Thu Feb 12 21:45:21 AEDT 2015


On Wed, 11 Feb 2015, Dmitry V. Levin wrote:

> On Wed, Feb 11, 2015 at 02:46:50PM -0300, Cristian Rodríguez wrote:
> > *SSL libraries or the C library may/will require it.
> 
> In what circumstances do they need it?
> Do they need it with GRND_RANDOM bit set?
> 
> Note that this system call is equivalent to opening (with subsequent
> reading) of /dev/random and /dev/urandom, which is not allowed by this
> seccomp filter.

IMO they shouldn't need it - we take care to prime both the arc4random
and libcrypto pools before sandboxing.

I don't mind adding it though, and don't think it hurts.

-d
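
An added illustration of the filter behaviour discussed in this thread, not code from OpenSSH or from the patch: a child process installs a seccomp-bpf allowlist with or without a getrandom entry and then makes the call with flags 0. The names `getrandom_under_filter`, `ALLOW` and `ARCH` are hypothetical, and denying with EPERM instead of killing the process is an assumption made so the result can be observed.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Return ALLOW when the loaded syscall number equals nr, else fall through. */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Fork a child, install an allowlist filter in it, call getrandom(2) with
 * flags 0. Returns 1 if the call worked, 0 if denied, -1 if setup failed. */
int getrandom_under_filter(int allow_getrandom)
{
    /* When getrandom is not allowed, the slot repeats exit_group (a no-op). */
    unsigned int extra = allow_getrandom ? SYS_getrandom : SYS_exit_group;
    struct sock_filter f[] = {
        /* Reject foreign syscall ABIs before looking at the number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_exit_group),
        ALLOW(extra),
        /* Assumption for the demo: deny with EPERM instead of killing. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof(f) / sizeof(f[0])), f };
    unsigned char buf[16];
    int st;
    pid_t pid = fork();
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(2);               /* seccomp filters unavailable here */
        _exit(syscall(SYS_getrandom, buf, sizeof(buf), 0) == 16 ? 0 : 1);
    }
    if (pid < 0 || waitpid(pid, &st, 0) != pid || !WIFEXITED(st) || WEXITSTATUS(st) == 2)
        return -1;
    return WEXITSTATUS(st) == 0;
}
```

A result of 0 for the filter without the entry is the failure a library would see if it called getrandom after sandboxing instead of using a pool primed beforehand.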


More information about the openssh-unix-dev mailing list