[PATCH 0/2] sandbox-seccomp-filter: logging and cleanup fixes
Damien Miller
djm at mindrot.org
Mon May 25 12:29:56 AEST 2026
On Sun, 24 May 2026, manfred.kaiser at ssh-mitm.at wrote:
> Dear OpenSSH developers,
>
> the following two patches fix a logging issue and remove a duplicate
> syscall entry in sandbox-seccomp-filter.c.
>
> Patch 1 replaces debug() with error() when prctl(PR_SET_SECCOMP) fails.
> With debug(), a failure would go unnoticed in normal operation, which is
> a security concern as the seccomp sandbox would silently be inactive.
>
> Patch 2 removes a duplicate SC_ALLOW(__NR_clock_gettime64) block that
> is already covered at line 297.
Thanks, I'll go ahead and merge the 2nd patch.

Instead of the first one, it's probably better to just terminate if
seccomp fails. The old behaviour dates to when seccomp was new and
not universally supported, but these days Linux systems without it
should be rare. Those that need to run sshd without seccomp can use
the configure-time --with-sandbox=rlimit|none options.
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 7b2444930..0c0ed5bc6 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -538,7 +538,6 @@ void
ssh_sandbox_child(struct ssh_sandbox *box)
{
struct rlimit rl_zero, rl_one = {.rlim_cur = 1, .rlim_max = 1};
- int nnp_failed = 0;
/* Set rlimits for completeness if possible. */
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
@@ -561,18 +560,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
debug3_f("setting PR_SET_NO_NEW_PRIVS");
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
- debug("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
- __func__, strerror(errno));
- nnp_failed = 1;
- }
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+ fatal_f("prctl(PR_SET_NO_NEW_PRIVS): %s", strerror(errno));
debug3_f("attaching seccomp filter program");
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &preauth_program) == -1)
- debug("%s: prctl(PR_SET_SECCOMP): %s",
- __func__, strerror(errno));
- else if (nnp_failed)
- fatal("%s: SECCOMP_MODE_FILTER activated but "
- "PR_SET_NO_NEW_PRIVS failed", __func__);
+ fatal_f("prctl(PR_SET_SECCOMP): %s", strerror(errno));
}
#endif /* SANDBOX_SECCOMP_FILTER */
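Review bot: the two new fatal_f() calls after prctl(PR_SET_NO_NEW_PRIVS) and prctl(PR_SET_SECCOMP) change ssh_sandbox_child() from continuing unsandboxed to exiting, and nothing in the hunk records that this is intentional. Add a short comment above the first prctl() stating that the sandbox now fails closed, and mention in the commit message that builds which must run without seccomp should use --with-sandbox=rlimit|none, as the reply says. The fatal text carries only strerror(errno), so consider naming that configure option in the PR_SET_SECCOMP message as well, so that an operator who hits the error in the log knows the supported way out. Dropping the nnp_failed cross-check is fine here, since a PR_SET_NO_NEW_PRIVS failure now exits before the filter is attached.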