[PATCH] seccomp: allow the getrandom system call.
Dmitry V. Levin
ldv at altlinux.org
Thu Feb 12 06:08:12 AEDT 2015
On Wed, Feb 11, 2015 at 02:46:50PM -0300, Cristian Rodríguez wrote:
> *SSL libraries or the C library may/will require it.
In what circumstances do they need it?
Do they need it with GRND_RANDOM bit set?
Note that this system call equivalents to opening (with subsequent
reading) of /dev/random and /dev/urandom, which is not allowed by this
seccomp filter.
> --- a/sandbox-seccomp-filter.c
> +++ b/sandbox-seccomp-filter.c
> @@ -129,6 +129,9 @@ static const struct sock_filter preauth_insns[] = {
> #else
> SC_ALLOW(sigprocmask),
> #endif
> +#ifdef __NR_getrandom
> + SC_ALLOW(getrandom),
> +#endif
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
> };
>
--
ldv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150211/422353d8/attachment.bin>
More information about the openssh-unix-dev
mailing list