openssh bugs - Jun 2015 - [Bug 2419] New: SECCOMP filter does not accept getpgid syscall

https://bugzilla.mindrot.org/show_bug.cgi?id=2419

            Bug ID: 2419
           Summary: SECCOMP filter does not accept getpgid syscall
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Based on question on serverfault [1] I found out that there is syscall
getpgid issued after LoginGraceTime. This doesn't show up when using
our packaged version of openssh, since the condition [2] is probably
optimized out by compiler (can't judge if the optimization is correct).

The solution is again white-list this syscall or optimize out this
condition as the compiler does it. I'm not sure if the condition has
some use here.

Backtrace from GDB (line numbers differ a bit from upstream sources):
#0  grace_alarm_handler (sig=14) at ../openssh-6.8p1/sshd.c:380
#1  <signal handler called>
#2  0xb7fd9be8 in ?? ()
#3  0x080baaef in ssh_dispatch_run (ssh=0x8153780, mode=0,
done=0x8151660, ctxt=0x8151660)
    at ../openssh-6.8p1/dispatch.c:101
#4  0x080bac86 in ssh_dispatch_run_fatal (ssh=0x8153780, mode=0,
done=0x8151660, ctxt=0x8151660)
    at ../openssh-6.8p1/dispatch.c:140
#5  0x08065103 in do_authentication2 (authctxt=0x8151660) at
../openssh-6.8p1/auth2.c:175
#6  0x08053cea in main (ac=4, av=0x814e3f8) at
../openssh-6.8p1/sshd.c:2314


[1]
http://serverfault.com/questions/697497/strange-seccomp-entries-for-sshd-in-audit-log/701889#701889
[2]
https://github.com/openssh/openssh-portable/blob/51a1c2115265c6e80ede8a5c9dccada9aeed7143/sshd.c#L368

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2419

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Thanks, it looks like the systrace sandbox is missing it too.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2419

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2360
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
This was fixed in openssh-6.9

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2419

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.