Displaying 7 results from an estimated 7 matches for "ksbxprofilepurecomputation".
2015 Jun 02
3
[Bug 2407] New: OpenSSH uses deprecated APIs on MacOS
https://bugzilla.mindrot.org/show_bug.cgi?id=2407
Bug ID: 2407
Summary: OpenSSH uses deprecated APIs on MacOS
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at
2011 Jun 23
1
sandbox for OS X
...It's a bit disappointing that the OS X developers chose such
namespace-polluting header and function names "sandbox.h",
"sandbox_init()", etc. It already forced me to rename a header in
OpenSSH.
Anyway, the OS X sandbox uses the strictest of the canned policies:
"kSBXProfilePureComputation". It passes regress tests and seems to
deny calls to fork() as expected. Barring objections, I'll commit
this soon - please test.
Anyone want to write a FreeBSD capsicum sandbox while I sleep?
Take a look at one of the existing sandbox-*c for the API, it's
pretty trivial...
-d
Index...
2011 Sep 06
2
Announce: OpenSSH 5.9 released
...ls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option
(only OpenBSD has this mode at present).
The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a
strict (kSBXProfilePureComputation) policy that disables access to
filesystem and network resources.
The rlimit sandbox is a fallback choice for platforms that don't
support a better one; it uses setrlimit() to reset the hard-limit
of file descriptors and processes to zero, which should prevent
the privsep child...
2014 Aug 18
15
Call for testing: OpenSSH 6.7
Hi,
OpenSSH 6.7 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a big release
containing a number of features, a lot of internal refactoring and some
potentially-incompatible changes.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
2011 Aug 14
10
Call for testing: OpenSSH-5.9
...ls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option
(only OpenBSD has this mode at present).
The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a
strict (kSBXProfilePureComputation) policy that disables access to
filesystem and network resources.
The rlimit sandbox is a fallback choice for platforms that don't
support a better one; it uses setrlimit() to reset the hard-limit
of file descriptors and processes to zero, which should prevent
the privsep child...
2011 Aug 17
1
openssh-unix-dev Digest, Vol 100, Issue 3
...call not
> on the list results in SIGKILL being sent to the privsep child. Note
> that this requires a kernel with the new SYSTR_POLICY_KILL option
> (only OpenBSD has this mode at present).
>
> The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a
> strict (kSBXProfilePureComputation) policy that disables access to
> filesystem and network resources.
>
> The rlimit sandbox is a fallback choice for platforms that don't
> support a better one; it uses setrlimit() to reset the hard-limit
> of file descriptors and processes to zero, which should prevent
> ...