Displaying 20 results from an estimated 10000 matches similar to: "[Bug 1940] Selinux based sandbox"
2015 May 25
0
[Bug 1940] Selinux based sandbox
https://bugzilla.mindrot.org/show_bug.cgi?id=1940
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2360 |
--- Comment #17 from Damien Miller <djm at mindrot.org> ---
I'm not sure we want this - everyone is
2017 Apr 24
2
seccomp filter for ppc64le in FIPS mode
Hello all,
OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys
in privsep child. The socket() syscall is already denied in the seccomp
filter, but in ppc64le kernel, it is implemented using socketcall()
syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and
therefore fails hard.
See attached patch with proposed patch (deny is intentionally after
allowing the
2017 Mar 14
2
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
I've committed this diff. Please test and confirm that it works ok.
(If not, then I've botched the macro fixes in the previous commit)
Thanks,
Damien Miller
On Tue, 14 Mar 2017, Damien Miller wrote:
> ok, with the fixes for the seccomp-bpf sandbox that I just committed
> the diff reduces to.
>
> IMO this is scoped narrowly enough to go in.
>
> -d
>
> diff
2013 May 17
19
[Bug 2107] New: seccomp sandbox breaks GSSAPI
https://bugzilla.mindrot.org/show_bug.cgi?id=2107
Bug ID: 2107
Summary: seccomp sandbox breaks GSSAPI
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.2p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Kerberos support
2019 Oct 09
0
Announce: OpenSSH 8.1 released
OpenSSH 8.1 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested
2023 Dec 15
0
[PATCH] Allow MAP_NORESERVE in sandbox seccomp filter maps
While debugging Scudo on ChromeOS, we found that the no reserve mode
immediately crashed `sshd`. We tracked it down to the
sandbox-seccomp-filter.
Being able to mmap with MAP_NORESERVE is useful (if not necessary) for
some overcommitting allocators.
During mmap calls, the flag MAP_NORESERVE is used by some allocators
such as LLVM's Scudo for layout optimisation. This causes the sandbox
2019 Oct 01
9
Call for testing: OpenSSH 8.1
Hi,
OpenSSH 8.1p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at
2015 Jan 08
0
[Bug 1768] scp: wrong error message when destination directory ends with a slash and is missing
https://bugzilla.mindrot.org/show_bug.cgi?id=1768
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 2523
2015 Feb 12
0
[Bug 1844] Explicit file permissions enhancement to sftp-server
https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 2547
2015 Mar 26
0
[Bug 1878] error message in key_perm_ok should be firmer
https://bugzilla.mindrot.org/show_bug.cgi?id=1878
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CLOSED |REOPENED
CC| |jjelen at redhat.com
Resolution|FIXED
2015 Jun 10
0
[Bug 1585] Allow an `Include' option which reads another config file in place and does not error out when `Include' file not readable
https://bugzilla.mindrot.org/show_bug.cgi?id=1585
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #20 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 2647
2015 Jul 15
0
[Bug 1278] CYGWIN controlMaster connections don't work.
https://bugzilla.mindrot.org/show_bug.cgi?id=1278
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|WONTFIX |---
Status|CLOSED |REOPENED
CC| |jjelen
2015 Sep 23
0
[Bug 1773] PKCS#11 authentication fails with "xmalloc: zero size" for some certificates.
https://bugzilla.mindrot.org/show_bug.cgi?id=1773
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #5 from Jakub Jelen <jjelen at redhat.com> ---
This is related to the bug
2016 Mar 04
0
[Bug 1402] Support auditing through Linux Audit subsystem
https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2085|0 |1
is obsolete| |
Attachment #2086|0 |1
is
2016 Jun 03
0
[Bug 1644] Allow ip options except source routing
https://bugzilla.mindrot.org/show_bug.cgi?id=1644
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1693|0 |1
is obsolete| |
CC| |jjelen at
2017 Feb 13
2
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
This patch enables specific ioctl calls for ICA crypto card on s390
platform. Without this patch, users using the IBMCA engine are not able
to perform ssh login as the filter blocks the communication with the
crypto card.
Signed-off-by: Harald Freudenberger <freude at linux.vnet.ibm.com>
Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
---
sandbox-seccomp-filter.c |
2015 Mar 05
31
[Bug 2361] New: seccomp filter (not only) for aarch64
https://bugzilla.mindrot.org/show_bug.cgi?id=2361
Bug ID: 2361
Summary: seccomp filter (not only) for aarch64
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at
2015 Dec 04
2
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
Thanks Jakub.
How does this patch match the OpenSSH source version? Does the patch only
applicable to OpenSSH version 6.6.1, or does other version available as
well?
Thanks.
On Fri, Dec 4, 2015 at 4:26 AM, Jakub Jelen <jjelen at redhat.com> wrote:
>
> On 12/04/2015 03:26 AM, security veteran wrote:
>
>> 3. Is there a way to re-compile OpenSSH by turning on/off some flags
2015 Jan 12
0
[Bug 1768] scp: wrong error message when destination directory ends with a slash and is missing
https://bugzilla.mindrot.org/show_bug.cgi?id=1768
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2523|0 |1
is obsolete| |
--- Comment #4 from Jakub Jelen <jjelen at redhat.com> ---
2016 Sep 08
0
[Bug 1844] Explicit file permissions enhancement to sftp-server
https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2547|0 |1
is obsolete| |
--- Comment #4 from Jakub Jelen <jjelen at redhat.com> ---