Hi OpenSSH devs,
I noticed that openssh 7.1 does not work when compiled with dietlibc. It
does build properly, and sshd runs and accepts connections, but every
connection attempt immediately fails.
The root cause is that dietlibc implements some OpenBSD interfaces
(getentropy and arc4random) so openssh can use the new getrandom syscall
that Linux provices. OpenSSH configure detects those APIs and uses them,
but the seccomp filter sandbox code does not yet allow the getrandom
syscall.
Here's the trivial patch that makes it work:
diff -ur openssh-7.1p1/sandbox-seccomp-filter.c
openssh-7.1p1-fefe/sandbox-seccomp-filter.c
--- openssh-7.1p1/sandbox-seccomp-filter.c 2015-08-21 06:49:03.000000000 +0200
+++ openssh-7.1p1-fefe/sandbox-seccomp-filter.c 2015-09-09 14:51:04.071681323
+0200
@@ -198,6 +198,9 @@
#ifdef __NR_socketcall
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
#endif
+#ifdef __NR_getrandom
+ SC_ALLOW(getrandom),
+#endif
/* Default deny */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
Since this syscall will also be needed when the compat code for glibc is
updated, I see no obvious downside in applying this patch now.
Thanks,
Felix