[openssh with openssl cryptodev engine] sshd killed by seccomp filter

LABBE Corentin clabbe.montjoie at gmail.com
Thu Feb 26 00:09:18 AEDT 2015


Hello

I have a server with a hardware crypto accelerator.
To give userspace access to it, I use the cryptodev module (http://cryptodev-linux.org/).
I also have the cryptodev engine compiled into openssl.

When I modprobe the cryptodev module, I cannot log in with ssh on the server.

The symptom can be found with dmesg:
audit: type=1326 audit(1424784807.257:3): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=17725 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=54 compat=0 ip=0xb6be809c code=0x0

sshd is killed by SIGSYS, because it tries to use the ioctl call, which is forbidden by the seccomp filter.
If you check the openssl engine code, it uses ioctl on /dev/crypto.

The following patch solves the issue:
--- sandbox-seccomp-filter.c.old	2015-02-24 14:52:01.000000000 +0100
+++ sandbox-seccomp-filter.c	2015-02-24 15:45:08.000000000 +0100
@@ -98,6 +98,7 @@
 #ifdef __NR_time /* not defined on EABI ARM */
 	SC_ALLOW(time),
 #endif
+	SC_ALLOW(ioctl),
 	SC_ALLOW(read),
 	SC_ALLOW(write),
 	SC_ALLOW(close),
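
Review bot: The added SC_ALLOW(ioctl) line is unconditional and unfiltered, so the sandboxed sshd process may issue any ioctl request on any descriptor it holds, not only the cryptodev requests on /dev/crypto that triggered the SIGSYS. It also applies to every build, including those that never load the cryptodev engine, whereas the SC_ALLOW(time) entry just above shows that entries in this list can sit behind an #ifdef. Consider restricting the rule to the specific request numbers the engine needs by comparing the ioctl request argument in the filter, and compiling the rule in only when engine support is enabled.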


Thanks
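
To read the audit record quoted in the post without looking up kernel headers, the decoder below maps its arch, syscall and sig fields to names. It is an added example, not part of the original post or of OpenSSH; the function name decode_seccomp_record and the partial lookup tables are assumptions made for illustration.

```python
import re

# The record quoted in the post above, copied as-is.
SAMPLE = ('audit: type=1326 audit(1424784807.257:3): auid=4294967295 uid=22 '
          'gid=22 ses=4294967295 pid=17725 comm="sshd" exe="/usr/sbin/sshd" '
          'sig=31 arch=40000028 syscall=54 compat=0 ip=0xb6be809c code=0x0')

# Partial lookup tables taken from the Linux UAPI headers; extend as needed.
AUDIT_ARCH = {
    0x40000028: "arm",     # EM_ARM (40) | __AUDIT_ARCH_LE
    0x40000003: "i386",    # EM_386 (3) | __AUDIT_ARCH_LE
    0xC000003E: "x86_64",  # EM_X86_64 (62) | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE
}
SYSCALLS = {
    "arm":    {3: "read", 4: "write", 6: "close", 54: "ioctl"},
    "i386":   {3: "read", 4: "write", 6: "close", 54: "ioctl"},
    "x86_64": {0: "read", 1: "write", 3: "close", 16: "ioctl"},
}
SIGNALS = {31: "SIGSYS", 9: "SIGKILL"}  # numbers as on arm and x86
UNSET_ID = 4294967295                   # (uid_t)-1: no login uid assigned

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_seccomp_record(line):
    """Decode one type=1326 (AUDIT_SECCOMP) record; return None for other lines."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != "1326":
        return None
    arch_raw = int(fields["arch"], 16)   # the kernel prints arch in hex without 0x
    arch = AUDIT_ARCH.get(arch_raw, "unknown(0x%x)" % arch_raw)
    nr = int(fields["syscall"])          # the syscall number is decimal
    sig = int(fields["sig"])
    return {
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
        "pid": int(fields["pid"]),
        "arch": arch,
        "syscall": SYSCALLS.get(arch, {}).get(nr, "nr=%d" % nr),
        "signal": SIGNALS.get(sig, "sig=%d" % sig),
        "auid_unset": int(fields.get("auid", UNSET_ID)) == UNSET_ID,
    }


if __name__ == "__main__":
    print(decode_seccomp_record(SAMPLE))
```

The same syscall number means different calls on different architectures, which is why the arch field has to be decoded before the syscall field.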


