[Bug 2107] New: seccomp sandbox breaks GSSAPI
bugzilla-daemon at mindrot.org
Sat May 18 07:34:54 EST 2013
https://bugzilla.mindrot.org/show_bug.cgi?id=2107
Bug ID: 2107
Summary: seccomp sandbox breaks GSSAPI
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.2p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org
Reporter: cjwatson at debian.org
Created attachment 2273
--> https://bugzilla.mindrot.org/attachment.cgi?id=2273&action=edit
Handle ssh_gssapi_supported_oids in monitor for seccomp sandbox compatibility
One of my test installations happens to have "GSSAPIAuthentication
yes", and this breaks with the seccomp sandbox. Initially I assumed
this was specific to Simon Wilkinson's GSSAPI key exchange patch (which
I apply in Debian), but on further investigation I found that that just
causes the failure to happen earlier. Specifically, the regression
test included in the patch I'm attaching to this bug fails if applied
in isolation.
The syscalls that are denied are, on Linux/i386, futex and stat64.
These are used by gss_indicate_mechs, called by
ssh_gssapi_supported_oids. futex probably doesn't matter much, but I'm
not happy about opening up stat and friends, so I think it makes more
sense to add a monitor protocol command for this function so that the
sandboxed network child doesn't have to call it directly. Would you
consider something like the attached patch, implementing this?
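The design point of the report is the privilege-separation pattern rather than the specific syscalls: instead of widening the seccomp filter of the network child so that gss_indicate_mechs can run inside it, the child sends a request over its monitor socket and the unsandboxed monitor performs the call. The following is an added illustration of that pattern, not the attached patch and not OpenSSH code. It forks a child, installs a small seccomp-BPF filter in the child that returns EPERM for the stat family (OpenSSH's real sandbox is an allow-list that kills on anything unknown; a deny-list keeps this demo self-contained), shows that stat() is refused there, and then has the child fetch a constructed stand-in OID list from the parent over a socketpair. The message types `MON_REQ_OIDS`/`MON_ANS_OIDS`, the function `sandbox_demo` and the string `demo_oids` are all assumptions of this example.

```c
/* Added example, not OpenSSH code: a seccomp-sandboxed child delegates a
 * query to a monitor process instead of having the syscalls opened up. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

enum { MON_REQ_OIDS = 1, MON_ANS_OIDS = 2 };   /* hypothetical monitor protocol */

/* Constructed stand-in for the list gss_indicate_mechs() would produce. */
static const char demo_oids[] = "1.2.840.113554.1.2.2 1.3.6.1.5.5.2";

struct sandbox_result {
    int filter_installed;  /* 1 if the kernel accepted the seccomp filter */
    int stat_denied;       /* 1 if stat() failed with EPERM inside the sandbox */
    int oids_len;          /* bytes of OID list received from the monitor */
};

/* Deny-list filter: EPERM for the stat family, allow everything else.
 * OpenSSH's sandbox-seccomp-filter.c is the reverse (allow-list, kill). */
static int install_filter(void)
{
    const int denied[] = {
#ifdef __NR_stat
        __NR_stat,
#endif
#ifdef __NR_stat64
        __NR_stat64,
#endif
#ifdef __NR_newfstatat
        __NR_newfstatat,
#endif
#ifdef __NR_fstatat64
        __NR_fstatat64,
#endif
#ifdef __NR_statx
        __NR_statx,
#endif
    };
    struct sock_filter prog[5 + 2 * 8];
    int n = 0;
    size_t i;

    /* Refuse to run under a foreign ABI (e.g. 32-bit syscalls on x86_64). */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < sizeof(denied) / sizeof(denied[0]); i++) {
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied[i], 0, 1);
        prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Read exactly n bytes from a stream socket: 0 on success, -1 on error/EOF. */
static int xread(int fd, void *buf, size_t n)
{
    char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r <= 0)
            return -1;
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Sandboxed network child: must not call the GSSAPI function itself. */
static int run_child(int fd)
{
    struct sandbox_result r = {0};
    struct stat st;
    uint8_t msg = MON_REQ_OIDS;
    uint32_t len;
    char buf[128];

    r.filter_installed = (install_filter() == 0);
    errno = 0;
    if (stat("/", &st) == -1 && errno == EPERM)
        r.stat_denied = 1;                      /* what the bug report observed */
    if (write(fd, &msg, 1) != 1)               /* ask the monitor instead */
        return 1;
    if (xread(fd, &msg, 1) == -1 || msg != MON_ANS_OIDS)
        return 1;
    if (xread(fd, &len, sizeof len) == -1 || len > sizeof buf || xread(fd, buf, len) == -1)
        return 1;
    r.oids_len = (int)len;
    return write(fd, &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1;
}

/* Monitor side: answers the request outside the sandbox, then collects the report. */
static int run_monitor(int fd, struct sandbox_result *out)
{
    uint8_t msg;
    uint32_t len = (uint32_t)strlen(demo_oids);
    if (xread(fd, &msg, 1) == -1 || msg != MON_REQ_OIDS)
        return -1;
    msg = MON_ANS_OIDS;
    if (write(fd, &msg, 1) != 1 || write(fd, &len, sizeof len) != (ssize_t)sizeof len ||
        write(fd, demo_oids, len) != (ssize_t)len)
        return -1;
    return xread(fd, out, sizeof *out);
}

/* Fork the sandboxed child, serve it as monitor, return 0 with its report or -1. */
int sandbox_demo(struct sandbox_result *out)
{
    int sv[2], status, rc;
    pid_t pid;
    memset(out, 0, sizeof *out);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1)
        return -1;
    if (pid == 0) {
        close(sv[0]);
        _exit(run_child(sv[1]));
    }
    close(sv[1]);
    rc = run_monitor(sv[0], out);
    close(sv[0]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return rc;
}

int main(void)
{
    struct sandbox_result r;
    if (sandbox_demo(&r) == -1) {
        perror("sandbox_demo");
        return 1;
    }
    printf("filter installed: %d, stat denied: %d, monitor answered %d bytes\n",
           r.filter_installed, r.stat_denied, r.oids_len);
    return 0;
}
```

On a kernel that accepts the filter, the child's stat() fails with EPERM while the monitor round-trip still succeeds, which is exactly the property the proposed monitor command gives sshd: the sandboxed process never needs stat64 (or futex) for this operation. On a kernel or container that rejects seccomp filters the example degrades to a plain monitor round-trip and reports `filter installed: 0`.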
More information about the openssh-bugs mailing list