https://bugzilla.mindrot.org/show_bug.cgi?id=3855
--- Comment #5 from Adrian Jarc <[email protected]> ---
(In reply to Damien Miller from comment #3)
> Some other alternatives:
>
> 1. Ask the WolfSSL developers if there is any way to get the library
> to preopen the file descriptors before the sandbox is applied.
> 2. Soft-deny all __NR_open syscalls in the sandbox. This will cause
> open() to fail with an error but won't result in a process-killing
> sandbox violation. You'd need to get a guarantee from the WolfSSL
> developers that their library will perform safely in this situation.

If WolfSSL changes how that works, their wolfCrypt module won't be FIPS certified anymore, and that does not help. So this is not an option.

As for point 2, can we get some pointers as to how we could do that?
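What a soft-deny rule looks like in a Linux seccomp-bpf filter, as an added example that is not part of this thread and is not OpenSSH's sandbox code. The macro name `SOFT_DENY`, the function `errno_from_open_under_filter` and the `/dev/null` path are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Soft-deny: the syscall fails with EACCES; the process is not killed. */
#define SOFT_DENY(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES)

/* Demo filter: default is ALLOW so the child can report back. A real
 * allow-list sandbox also checks seccomp_data.arch and ends in a kill action. */
static struct sock_filter soft_deny_open[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open /* absent on some architectures, e.g. aarch64 */
    SOFT_DENY(__NR_open),
#endif
    SOFT_DENY(__NR_openat),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Returns the errno open() sees under the filter, 0 if it succeeded,
 * -1 if the filter could not be installed or the child was killed. */
int errno_from_open_under_filter(const char *path)
{
    struct sock_fprog prog = {
        .len = sizeof(soft_deny_open) / sizeof(soft_deny_open[0]),
        .filter = soft_deny_open,
    };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* child: confine itself, then try to open */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(255);
        _exit(open(path, O_RDONLY) >= 0 ? 0 : errno);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) { printf("open() errno under filter: %d\n", errno_from_open_under_filter("/dev/null")); return 0; }
```

The filter runs before any path lookup, so the caller sees `EACCES` whether or not the file exists; the library being confined still has to handle that failure safely.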
