search for: ksbxprofilepurecomputation

Displaying 7 results from an estimated 7 matches for "ksbxprofilepurecomputation".

2015 Jun 02
3
[Bug 2407] New: OpenSSH uses deprecated APIs on MacOS
https://bugzilla.mindrot.org/show_bug.cgi?id=2407 Bug ID: 2407 Summary: OpenSSH uses deprecated APIs on MacOS Product: Portable OpenSSH Version: -current Hardware: All OS: Mac OS X Status: NEW Severity: normal Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at
2011 Jun 23
1
sandbox for OS X
...It's a bit disappointing that the OS X developers chose such namespace-polluting header and function names "sandbox.h", "sandbox_init()", etc. It already forced me to rename a header in OpenSSH. Anyway, the OS X sandbox uses the strictest of the canned policies: "kSBXProfilePureComputation". It passes regress tests and seems to deny calls to fork() as expected. Barring objections, I'll commit this soon - please test. Anyone want to write a FreeBSD capsicum sandbox while I sleep? Take a look at one of the existing sandbox-*c for the API, it's pretty trivial... -d Index...
2011 Sep 06
2
Announce: OpenSSH 5.9 released
...ls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option (only OpenBSD has this mode at present). The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a strict (kSBXProfilePureComputation) policy that disables access to filesystem and network resources. The rlimit sandbox is a fallback choice for platforms that don't support a better one; it uses setrlimit() to reset the hard-limit of file descriptors and processes to zero, which should prevent the privsep child...
2011 Sep 06
2
Announce: OpenSSH 5.9 released
...ls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option (only OpenBSD has this mode at present). The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a strict (kSBXProfilePureComputation) policy that disables access to filesystem and network resources. The rlimit sandbox is a fallback choice for platforms that don't support a better one; it uses setrlimit() to reset the hard-limit of file descriptors and processes to zero, which should prevent the privsep child...
2014 Aug 18
15
Call for testing: OpenSSH 6.7
Hi, OpenSSH 6.7 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a big release containing a number of features, a lot of internal refactoring and some potentially-incompatible changes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD:
2011 Aug 14
10
Call for testing: OpenSSH-5.9
...ls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option (only OpenBSD has this mode at present). The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a strict (kSBXProfilePureComputation) policy that disables access to filesystem and network resources. The rlimit sandbox is a fallback choice for platforms that don't support a better one; it uses setrlimit() to reset the hard-limit of file descriptors and processes to zero, which should prevent the privsep child...
2011 Aug 17
1
openssh-unix-dev Digest, Vol 100, Issue 3
...call not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option (only OpenBSD has this mode at present). The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a strict (kSBXProfilePureComputation) policy that disables access to filesystem and network resources. The rlimit sandbox is a fallback choice for platforms that don't support a better one; it uses setrlimit() to reset the hard-limit of file descriptors and processes to zero, which should prevent...