Can I configure openssh with --sandbox=seccomp_filter and have it still run on older kernels with sandboxing via rlimit? I'm asking from a linux distro packaging point of view. Does --sandbox=seccomp_filter keep the rlimit sandbox? It looks to me as if I can only link in one of the sandbox plugins. An openssh build with seccomp_filter enabled will probably have no sandbox at all on linux < 3.5. Is that correct? Would it start up linux 3.4 or 3.2 at all?
On Wed, 25 Jul 2012, Carsten Mattner wrote:

> Can I configure openssh with --sandbox=seccomp_filter and have it still run
> on older kernels with sandboxing via rlimit? I'm asking from a linux
> distro packaging point of view. Does --sandbox=seccomp_filter keep the
> rlimit sandbox? It looks to me as if I can only link in one of the
> sandbox plugins.
>
> An openssh build with seccomp_filter enabled will probably have no sandbox
> at all on linux < 3.5. Is that correct? Would it start up linux 3.4 or
> 3.2 at all?

HEAD will fall back to the rlimit pseudo-sandbox if seccomp was enabled at
compile-time but is not available at runtime. openssh-6.0 will fatal() for
these cases.

-d
On Thu, Jul 26, 2012 at 1:57 PM, Damien Miller <djm at mindrot.org> wrote:

> On Thu, 26 Jul 2012, Carsten Mattner wrote:
>
>> > HEAD will fall back to the rlimit pseudo-sandbox if seccomp was enabled at
>> > compile-time but is not available at runtime. openssh-6.0 will fatal() for
>> > these cases.
>>
>> That sounds good. Is it available in a single commit I could backport
>> until the next release? Is it correct that November 2012 is the
>> release date for 6.1?
>
> It will probably be sooner than that. Perhaps late this month even.
>
> http://hg.mindrot.org/openssh/raw-rev/d8de6b1ebec9 should be all you
> need.

Any news on the 6.1 release?

Also when running ./configure with a sufficient linux kernel and headers
will the autoconf script default to the seccomp sandbox?
On Mon, 20 Aug 2012, Carsten Mattner wrote:

> On Thu, Jul 26, 2012 at 1:57 PM, Damien Miller <djm at mindrot.org> wrote:
> > On Thu, 26 Jul 2012, Carsten Mattner wrote:
> >
> >> > HEAD will fall back to the rlimit pseudo-sandbox if seccomp was enabled at
> >> > compile-time but is not available at runtime. openssh-6.0 will fatal() for
> >> > these cases.
> >>
> >> That sounds good. Is it available in a single commit I could backport
> >> until the next release? Is it correct that November 2012 is the
> >> release date for 6.1?
> >
> > It will probably be sooner than that. Perhaps late this month even.
> >
> > http://hg.mindrot.org/openssh/raw-rev/d8de6b1ebec9 should be all you
> > need.
>
> Any news on the 6.1 release?

within days

> Also when running ./configure with a sufficient linux kernel and headers
> will the autoconf script default to the seccomp sandbox?

Yes

-d
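
Added example, not part of the thread and not OpenSSH source: a sketch of the behaviour described above for HEAD, probing at runtime whether the kernel offers seccomp filter mode and otherwise selecting an rlimit fallback. The function names and the three limits set to zero are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/seccomp.h>

enum sandbox_kind { SANDBOX_RLIMIT, SANDBOX_SECCOMP_FILTER };

/* Probe only, installs nothing: a NULL filter gives EFAULT when filter mode
 * exists and EINVAL when the running kernel lacks it. */
int seccomp_filter_available(void)
{
    int r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
    return r == -1 && errno == EFAULT;
}

/* Compile-time choice (hypothetical flag) combined with the runtime probe. */
enum sandbox_kind choose_sandbox(int built_with_seccomp)
{
    return (built_with_seccomp && seccomp_filter_available())
        ? SANDBOX_SECCOMP_FILTER : SANDBOX_RLIMIT;
}

/* Assumed fallback limits: no file growth, no new descriptors, no new processes. */
int apply_rlimit_sandbox(void)
{
    struct rlimit zero = { 0, 0 };
    if (setrlimit(RLIMIT_FSIZE, &zero) == -1 || setrlimit(RLIMIT_NOFILE, &zero) == -1)
        return -1;
    return setrlimit(RLIMIT_NPROC, &zero);
}

/* Apply the fallback in a throwaway child and check that pipe() now fails
 * with EMFILE. Returns 1 if enforced, 0 if not, -1 on fork/wait error. */
int rlimit_sandbox_enforced(void)
{
    int fds[2], status;
    pid_t pid = fork();
    if (pid == 0) {
        if (apply_rlimit_sandbox() == -1) _exit(2);
        _exit(pipe(fds) == -1 && errno == EMFILE ? 0 : 1);
    }
    if (pid == -1 || waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("selected: %s\n", choose_sandbox(1) == SANDBOX_SECCOMP_FILTER ? "seccomp_filter" : "rlimit");
    return rlimit_sandbox_enforced() == 1 ? 0 : 1;
}
```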