https://bugzilla.mindrot.org/show_bug.cgi?id=3478
Bug ID: 3478
Summary: Default "kill" action of seccomp sandbox is fragile
Product: Portable OpenSSH
Version: v9.0p1
Hardware: All
URL: https://bugs.debian.org/991936
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-b...@mindrot.org
Reporter: cjwat...@debian.org

Created attachment 3615
--> https://bugzilla.mindrot.org/attachment.cgi?id=3615&action=edit
Change seccomp sandbox default action to ENOSYS

From time to time, glibc changes its syscall wrappers to make use of new Linux kernel facilities. The strategy it uses for this is often to try more recently-introduced syscalls, but fall back to older ones if it gets ENOSYS, allowing it to cope gracefully with running on older kernel versions.

Unlike (as I understand it) OpenBSD's pledge(2), sandboxing using Linux's seccomp inherently violates the abstraction layer of C library calls to at least some extent, forcing programs that use it to keep track of changes to the C library. While OpenSSH has been doing a reasonable job at keeping up with this, it's fragile and typically reactive; I've had to update OpenSSH in Debian stable releases in the past to keep up with new kernels, or sometimes edge cases on less widely-used architectures. (In the linked bug, Julian also points out that it can cause issues when running older userspace versions in containers or similar on top of newer host kernels, as you might expect from this class of problem.)

I would like sshd to be less fragile here. The attached patch is one possible suggestion for making this less of a problem in future. It passes the regression tests here, but is otherwise definitely in the nature of an RFC.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
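The attached patch itself is not reproduced on this page. The following is an added, stand-alone C example (not code from the bug report, the patch, or OpenSSH) that demonstrates the mechanism the report describes: a seccomp-BPF allow list whose default action is either a kill or SECCOMP_RET_ERRNO(ENOSYS), exercised by a glibc-style wrapper that probes a newer syscall (faccessat2, Linux 5.8+) and falls back to the older one (faccessat) on ENOSYS. The allow list, the helper names (`install_filter`, `sandboxed_child`, `run_with_default`) and the choice of probe syscall are assumptions for illustration only; sshd's real filter is much larger. The probe runs in a forked child so the parent is never sandboxed. With the kill default the child dies with SIGSYS as soon as it touches the unlisted syscall; with the ENOSYS default the fallback path completes normally.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Older headers may lack these; the numeric values are stable kernel ABI. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef __NR_faccessat2
#define __NR_faccessat2 439          /* same number on every architecture */
#endif

/* Kill on an unexpected architecture, as a real allow-list filter must. */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Toy allow list (assumption: just what the probe below needs). Every
 * syscall not listed receives default_action. */
static int install_filter(uint32_t default_action)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(__NR_faccessat),
        ALLOW_SYSCALL(__NR_exit_group),
        ALLOW_SYSCALL(__NR_exit),
        ALLOW_SYSCALL(__NR_rt_sigreturn),
        BPF_STMT(BPF_RET | BPF_K, default_action),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Child: sandbox itself, then act like a glibc wrapper that tries the newer
 * syscall first and falls back to the older one only on ENOSYS. */
static void sandboxed_child(uint32_t default_action)
{
    if (install_filter(default_action) != 0)
        _exit(2);                              /* filter could not be installed */
    /* faccessat2 is NOT on the allow list: kill default dies here. */
    if (syscall(__NR_faccessat2, AT_FDCWD, "/", F_OK, 0) == 0)
        _exit(3);                              /* unexpected: filter let it through */
    if (errno != ENOSYS)
        _exit(4);                              /* any other errno would not trigger fallback */
    /* Old syscall is allowed, so the fallback completes. */
    if (syscall(__NR_faccessat, AT_FDCWD, "/", F_OK) != 0)
        _exit(5);
    _exit(0);
}

/* Returns 0 if the ENOSYS fallback succeeded, 1 if the child was killed by
 * SIGSYS, and a negative value for anything else (including a filter that
 * could not be installed in this environment). */
int run_with_default(uint32_t default_action)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        sandboxed_child(default_action);       /* never returns */
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSYS ? 1 : -2;
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? 0 : -(10 + WEXITSTATUS(status));
    return -3;
}

int main(void)
{
    printf("default ERRNO(ENOSYS): %d  (0 = fallback to old syscall worked)\n",
           run_with_default(SECCOMP_RET_ERRNO | ENOSYS));
    printf("default KILL_PROCESS:  %d  (1 = child killed by SIGSYS)\n",
           run_with_default(SECCOMP_RET_KILL_PROCESS));
    return 0;
}
```

Two caveats worth keeping in mind when weighing the ENOSYS default. First, SECCOMP_RET_ERRNO needs Linux 3.5 or later, so the filter must still be built for the kernels the binary will actually run on. Second, returning ENOSYS makes a syscall the sandbox blocked indistinguishable from one the kernel lacks: code with a fallback path (the glibc pattern above) keeps working, but code without one fails in a way that looks like an old kernel rather than a sandbox violation, so a kill in development or test builds remains useful for discovering which syscalls the allow list is missing.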