[openssh with openssl cryptodev engine] sshd killed by seccomp filter
LABBE Corentin
clabbe.montjoie at gmail.com
Thu Feb 26 00:09:18 AEDT 2015
Hello
I have a server with a hardware crypto accelerator.
To give userspace access to it, I use the cryptodev module (http://cryptodev-linux.org/).
I also have the cryptodev engine compiled into openssl.
When I modprobe the cryptodev module, I cannot log in with ssh on the server.
The symptom can be found with dmesg:
audit: type=1326 audit(1424784807.257:3): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=17725 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=54 compat=0 ip=0xb6be809c code=0x0
sshd is killed by SIGSYS, because it tries to use the ioctl call, which is forbidden by the seccomp filter.
If you check the openssl engine code, it uses ioctl on /dev/crypto.
The following patch solves the issue:
--- sandbox-seccomp-filter.c.old 2015-02-24 14:52:01.000000000 +0100
+++ sandbox-seccomp-filter.c 2015-02-24 15:45:08.000000000 +0100
@@ -98,6 +98,7 @@
#ifdef __NR_time /* not defined on EABI ARM */
SC_ALLOW(time),
#endif
+ SC_ALLOW(ioctl),
SC_ALLOW(read),
SC_ALLOW(write),
SC_ALLOW(close),
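Review bot: the added SC_ALLOW(ioctl) line permits every ioctl request on any descriptor held by the sandboxed process, not only the /dev/crypto requests made by the OpenSSL cryptodev engine, which widens the kernel surface the filter is there to close off. Consider matching the ioctl request argument in the filter so that only the cryptodev requests pass, and putting the rule behind a compile-time guard, as the #ifdef __NR_time entry just above does for time, so that builds without the engine keep ioctl denied.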
Thanks
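Decoding the audit record quoted in the message, as an added example (not part of the original post and not OpenSSH code): it shows how arch=40000028, syscall=54 and sig=31 resolve to a 32-bit little-endian ARM ioctl call killed with SIGSYS. The function name is hypothetical and the syscall tables are deliberately partial.

```python
import re

# Constants from the Linux UAPI headers (linux/audit.h, linux/elf-em.h).
AUDIT_SECCOMP = 1326            # audit record type for a seccomp action
AUDIT_ARCH_64BIT = 0x80000000   # __AUDIT_ARCH_64BIT
AUDIT_ARCH_LE = 0x40000000      # __AUDIT_ARCH_LE
ELF_MACHINES = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64"}
SIGSYS = 31

# Partial per-architecture syscall tables: only the calls visible in the
# patch context plus ioctl. Extend from the kernel's unistd headers.
SYSCALLS = {
    "arm": {3: "read", 4: "write", 6: "close", 54: "ioctl"},
    "i386": {3: "read", 4: "write", 6: "close", 13: "time", 54: "ioctl"},
    "x86_64": {0: "read", 1: "write", 3: "close", 16: "ioctl", 201: "time"},
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = {"pid", "sig", "arch", "syscall"}

# The record quoted in the message above.
SAMPLE = ('audit: type=1326 audit(1424784807.257:3): auid=4294967295 uid=22 '
          'gid=22 ses=4294967295 pid=17725 comm="sshd" exe="/usr/sbin/sshd" '
          'sig=31 arch=40000028 syscall=54 compat=0 ip=0xb6be809c code=0x0')


def decode_seccomp_audit(line):
    """Return a dict describing a type=1326 record, or None if not one."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != str(AUDIT_SECCOMP) or not REQUIRED <= fields.keys():
        return None
    arch = int(fields["arch"], 16)          # audit prints arch as bare hex
    machine = ELF_MACHINES.get(arch & 0xFFFF, "unknown")
    nr = int(fields["syscall"])
    return {
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]),
        "killed_by_sigsys": int(fields["sig"]) == SIGSYS,
        "machine": machine,
        "bits": 64 if arch & AUDIT_ARCH_64BIT else 32,
        "little_endian": bool(arch & AUDIT_ARCH_LE),
        "syscall_nr": nr,
        # The syscall number is only meaningful relative to the arch field.
        "syscall": SYSCALLS.get(machine, {}).get(nr, "unknown(%d)" % nr),
    }


if __name__ == "__main__":
    print(decode_seccomp_audit(SAMPLE))
```

The same syscall number means a different call on another architecture (54 is not ioctl on x86_64), which is why the arch field has to be decoded first.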