search for: seccomp

Displaying 20 results from an estimated 129 matches for "seccomp".

2015 Feb 11
2
[PATCH] seccomp: allow the getrandom system call.
*SSL libraries or the C library may/will require it. --- sandbox-seccomp-filter.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index b6f6258..846bc08 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -129,6 +129,9 @@ static const struct sock_filter preauth_insns[] = { #else SC_ALLOW(s...
2017 Mar 14
2
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
I've committed this diff. Please test and confirm that it works ok. (If not, then I've botched the macro fixes in the previous commit) Thanks, Damien Miller On Tue, 14 Mar 2017, Damien Miller wrote: > ok, with the fixes for the seccomp-bpf sandbox that I just committed > the diff reduces to. > > IMO this is scoped narrowly enough to go in. > > -d > > diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c > index af5525ab..6ceee33f 100644 > --- a/sandbox-seccomp-filter.c > +++ b/sandbox-s...
2017 May 09
5
[PATCH 0/3] Allow syscalls for openssl engines
This patchset allows syscalls (flock, ipc, getuid, geteuid and ioctl), so openssl engines, e.g. OpenSSL-ibmca and OpenSSL-ibmpkcs11, can work and communicate with the crypto cards during ssh login. 1. The flock and ipc are allowed only for s390 architecture. They are needed for openCryptoki project (PKCS#11 implementation), as the ibmpkcs11 engine makes use of openCryptoki. For more information,
2023 Dec 15
0
[PATCH] Allow MAP_NORESERVE in sandbox seccomp filter maps
While debugging Scudo on ChromeOS, we found that the no reserve mode immediately crashed `sshd`. We tracked it down to the sandbox-seccomp-filter. Being able to mmap with MAP_NORESERVE is useful (if not necessary) for some overcommitting allocators. During mmap calls, the flag MAP_NORESERVE is used by some allocators such as LLVM's Scudo for layout optimisation. This causes the sandbox seccomp filter for the client subprocess to...
2017 Feb 13
2
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
...hout this patch, users using the IBMCA engine are not able to perform ssh login as the filter blocks the communication with the crypto card. Signed-off-by: Harald Freudenberger <freude at linux.vnet.ibm.com> Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com> --- sandbox-seccomp-filter.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 2e1ed2c..264e146 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -59,6 +59,11 @@ #include <stdlib.h> #incl...
2017 Mar 03
2
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
...mmunication with the >>> > crypto card. >>> > >>> > Signed-off-by: Harald Freudenberger <freude at linux.vnet.ibm.com> >>> > Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com> >>> > --- >>> > sandbox-seccomp-filter.c | 24 +++++++++++++++++++++--- >>> > 1 file changed, 21 insertions(+), 3 deletions(-) >>> > >>> > diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c >>> > index 2e1ed2c..264e146 100644 >>> > --- a/sandbox-seccomp-fil...
2017 Mar 02
2
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
...o perform ssh login as the filter blocks the communication with the > > crypto card. > > > > Signed-off-by: Harald Freudenberger <freude at linux.vnet.ibm.com> > > Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com> > > --- > > sandbox-seccomp-filter.c | 24 +++++++++++++++++++++--- > > 1 file changed, 21 insertions(+), 3 deletions(-) > > > > diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c > > index 2e1ed2c..264e146 100644 > > --- a/sandbox-seccomp-filter.c > > +++ b/sandbox-seccomp-f...
2013 Feb 07
6
[Bug 2069] New: arm support for sandbox_seccomp_filter
https://bugzilla.mindrot.org/show_bug.cgi?id=2069 Bug ID: 2069 Summary: arm support for sandbox_seccomp_filter Classification: Unclassified Product: Portable OpenSSH Version: 6.1p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at m...
2019 Oct 31
37
[Bug 3085] New: seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Bug ID: 3085 Summary: seccomp issue after upgrading openssl Product: Portable OpenSSH Version: 8.1p1 Hardware: Other OS: Linux Status: NEW Severity: critical Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org...
2015 Feb 25
2
[openssh with openssl cryptodev engine] sshd killed by seccomp filter
...it: type=1326 audit(1424784807.257:3): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=17725 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=54 compat=0 ip=0xb6be809c code=0x0 sshd is killed by SIGSYS, because it tries to use the ioctl call, which is forbidden by the seccomp filter. If you check the openssl engine code, it uses ioctl on /dev/crypto. The following patch solves the issue: --- sandbox-seccomp-filter.c.old 2015-02-24 14:52:01.000000000 +0100 +++ sandbox-seccomp-filter.c 2015-02-24 15:45:08.000000000 +0100 @@ -98,6 +98,7 @@ #ifdef __NR_time /* not defined o...
2017 Oct 05
2
seccomp filter for dovecot
Hi, I would like to contribute to dovecot by adding seccomp system call filtering. Is this something you would like to merge into the dovecot codebase? If so, I can put up a PR on github once I complete it. Thanks, Archana
2019 Jun 30
2
Possibly Missing Syscalls from Seccomp Filter
Hi! I'm investigating the seccomp filter in openssh and I wanted to know whether the following system calls should be added to the filter: 1. getgroups - do_authentication2->dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->temporarily_use_uid->getgroups 2. setgroups - do_authenticati...
2015 Jun 29
3
[Bug 2419] New: SECCOMP filter does not accept getpgid syscall
https://bugzilla.mindrot.org/show_bug.cgi?id=2419 Bug ID: 2419 Summary: SECCOMP filter does not accept getpgid syscall Product: Portable OpenSSH Version: 6.8p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mi...
2017 Apr 24
2
seccomp filter for ppc64le in FIPS mode
Hello all, OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys in privsep child. The socket() syscall is already denied in the seccomp filter, but in ppc64le kernel, it is implemented using socketcall() syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and therefore fails hard. See attached patch with proposed patch (deny is intentionally after allowing the SYS_SHUTDOWN). Can we have it fixed in OpenSSH portable...
2017 Oct 06
0
seccomp filter for dovecot
On 06.10.2017 00:21, Phoenix Krypt wrote: > Hi, > > I would like to contribute to dovecot by adding seccomp system call > filtering. > > Is this something you would like to merge into the dovecot codebase? If so, > I can put up a PR on github once I complete it. > > Thanks, > Archana What would this achieve? Aki
2012 Jul 25
3
seccomp_filter
Can I configure openssh with --sandbox=seccomp_filter and have it still run on older kernels with sandboxing via rlimit? I'm asking from a linux distro packaging point of view. Does --sandbox=seccomp_filter keep the rlimit sandbox? It looks to me as if I can only link in one of the sandbox plugins. An openssh build with seccomp_filter enab...
2013 Feb 05
5
[Bug 2011] sandbox selection needs some kind of fallback mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=2011 --- Comment #8 from Petr Lautrbach <plautrba at redhat.com> --- Created attachment 2214 --> https://bugzilla.mindrot.org/attachment.cgi?id=2214&action=edit don't probe seccomp capability of running kernel in configure I'd also like to add the possibility to build the seccomp_filter sandbox on a system with an older kernel, e.g. Fedora build systems use buildroots with the needed sources and headers, but the system is run with older kernels. -- You are receiving this mail because: You...
2016 Jun 17
14
[Bug 2590] New: Seccomp filter for missing architectures
https://bugzilla.mindrot.org/show_bug.cgi?id=2590 Bug ID: 2590 Summary: Seccomp filter for missing architectures Product: Portable OpenSSH Version: 7.2p1 Hardware: Other OS: Linux Status: NEW Keywords: patch Severity: enhancement Priority: P5 Component: sshd Assignee: u...
2015 Mar 05
31
[Bug 2361] New: seccomp filter (not only) for aarch64
https://bugzilla.mindrot.org/show_bug.cgi?id=2361 Bug ID: 2361 Summary: seccomp filter (not only) for aarch64 Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org...
2013 Aug 12
16
[Bug 2142] New: openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142 Bug ID: 2142 Summary: openssh sandboxing using libseccomp Product: Portable OpenSSH Version: -current Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: loganade...