[Bug 2361] New: seccomp filter (not only) for aarch64

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Mar 6 03:10:19 AEDT 2015


            Bug ID: 2361
           Summary: seccomp filter (not only) for aarch64
           Product: Portable OpenSSH
           Version: 6.7p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2561
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2561&action=edit
aarh64 patch

We started using seccomp filter in openssh and there appeared to some
problems with secondary architectures:

Seccomp filter is available on aarch64 architecture, but openssh code
was not ready for it so I am providing here patch to make it working.

Changes and explanations:
 * First of all we need to whitelist this architecture in configure.ac
  * (also fixing some indentation inconsistency around arm)
 * Then we need to adjust filter settings for syscalls denial
  * (if syscall doesn't exist openssh will not build)
  * open is not on aarch64, openat exists also on primary architectures
  * stat is never used, x86_64 is using fstat, ix86 and arm is using
fstat64 and stat64 => whitelisting, aarch64 is using fstat and
  * poll, select are not available on aarch64
  * pselect6 is used instead of select
 (see attached patch)

This patch was tested and is currently used in Fedora.
We plan to add support for other architectures sooner or later. Further
discussion welcome.

I'm also appending table with syscall names and numbers I collected
during my testing and which are mentioned in filter and differ across

          open       stat                       select()
x86_64   open(2)    fstat(5)                   select(23)
 ix86    open(5)    stat64(195)  fstat64(197)  _newselect(142)
 arm     open(5)    stat64(195)  fstat64(197)  _newselect(142)
aarch64  openat(56) fstat(80) newfstatat(79)   pselect6(72)

Feel free to commend or add more syscalls you are interested in.

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list