Possibly Missing Syscalls from Seccomp Filter
Damien Miller
djm at mindrot.org
Mon Jul 1 09:32:23 AEST 2019
On Sun, 30 Jun 2019, shankarapailoor . wrote:
> Hi!
>
> I'm investigating the seccomp filter in openssh and I wanted to know
> whether the following system calls should be added to the filter:
I don't think so - AFAIK all of those only happen in the unsandboxed
monitor process.
> 1. getgroups
> -
> do_authentication2->dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->temporarily_use_uid->getgroups
> 2. setgroups
> -
> do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->temporarily_use_uid->initgroups->setgroups
> 3. unlink
> -
> do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->auth_sock_cleanup_proc->unlink
> 4. rmdir
> -
> do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->auth_sock_cleanup_proc->rmdir
>
> Below each system call is a call path that seems feasible. My apologies for
> any inconvenience.
>
> Regards,
> Shankara Pailoor
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>