search for: e_afalg

...*/ SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), This satisfies the sandbox. Looking at OpenSSL's code, I think the rule could possibly be restricted further to require the 2nd argument to NR_socket to be SOCK_SEQPACKET? Line 453 at https://github.com/openssl/openssl/blob/master/engines/e_afalg.c is what I based that on after reversing SSH's initial fail for a sysreq call 281 back to socket on armel. I've rebuilt OpenSSH 9.9p1 from Debian Testing with this addition. That plus setting up afalg in openssl.cnf to only do ciphers and not hashes, and preferencing aes256-cbc in my ssh_...