openssh unix dev - Jun 2019 - Shutdown in Seccomp Filter

Hi!

I was looking at the openssh seccomp filter and I was curious why is
shutdown is allowed in the whitelist?

I've been doing an analysis on the openssh code and the callpaths I find
which call shutdown have the form:

main->do_authenticated->server_loop2->channel_after_select->channel_handler->channel_post_mux_client->read_mux->chan_read_failed->chan_shutdown_read->shutdown

However, isn't do_authenticated handled in the parent process which
isn't
sandboxed? I might be gravely mistaken here so my apologies if I'm wrong.

Regards,
Shankara Pailoor

On Mon, Jun 10, 2019 at 07:48:03AM -0700, shankarapailoor .
wrote:
> I was looking at the openssh seccomp filter and I was curious why is
> shutdown is allowed in the whitelist?
> 
> I've been doing an analysis on the openssh code and the callpaths I
find
> which call shutdown have the form:
> 
>
main->do_authenticated->server_loop2->channel_after_select->channel_handler->channel_post_mux_client->read_mux->chan_read_failed->chan_shutdown_read->shutdown
> 
> However, isn't do_authenticated handled in the parent process which
isn't
> sandboxed? I might be gravely mistaken here so my apologies if I'm
wrong.
It was originally added here:

 
https://anongit.mindrot.org/openssh.git/commit/?id=7e5cec6070673e9f9785ffc749837ada22fbe99f

... but then that shutdown call was removed here:

 
https://anongit.mindrot.org/openssh.git/commit/?id=dc5dc45662773c0f7745c29cf77ae2d52723e55e

... so it does indeed seem possible that it's no longer needed, though I
imagine it'd need some testing.

-- 
Colin Watson                                       [cjwatson at debian.org]