Cristian RodrÃguez
2015-Feb-11 17:46 UTC
[PATCH] seccomp: allow the getrandom system call.
*SSL libraries or the C library may/will require it. --- sandbox-seccomp-filter.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index b6f6258..846bc08 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -129,6 +129,9 @@ static const struct sock_filter preauth_insns[] = { #else SC_ALLOW(sigprocmask), #endif +#ifdef __NR_getrandom + SC_ALLOW(getrandom), +#endif BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), }; -- 2.2.2
On Wed, Feb 11, 2015 at 02:46:50PM -0300, Cristian Rodr?guez wrote:> *SSL libraries or the C library may/will require it.In what circumstances do they need it? Do they need it with GRND_RANDOM bit set? Note that this system call equivalents to opening (with subsequent reading) of /dev/random and /dev/urandom, which is not allowed by this seccomp filter.> --- a/sandbox-seccomp-filter.c > +++ b/sandbox-seccomp-filter.c > @@ -129,6 +129,9 @@ static const struct sock_filter preauth_insns[] = { > #else > SC_ALLOW(sigprocmask), > #endif > +#ifdef __NR_getrandom > + SC_ALLOW(getrandom), > +#endif > BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), > }; >-- ldv -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 181 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150211/422353d8/attachment.bin>
On Wed, 11 Feb 2015, Dmitry V. Levin wrote:> On Wed, Feb 11, 2015 at 02:46:50PM -0300, Cristian Rodr?guez wrote: > > *SSL libraries or the C library may/will require it. > > In what circumstances do they need it? > Do they need it with GRND_RANDOM bit set? > > Note that this system call equivalents to opening (with subsequent > reading) of /dev/random and /dev/urandom, which is not allowed by this > seccomp filter.IMO they shouldn't need it - we take care to prime both the arc4random and libcrypto pools before sandboxing. I don't mind adding it though, and don't think it hurts. -d
Seemingly Similar Threads
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [PATCH 0/3] Allow syscalls for openssl engines
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [openssh with openssl cryptodev engine] sshd killed by seccomp filter