https://bugzilla.mindrot.org/show_bug.cgi?id=3855
--- Comment #9 from Adrian Jarc <[email protected]> ---
(In reply to Damien Miller from comment #8)
> Please don't paste logs in the comment box, it makes bugs hard to
> read. Use the attachment feature instead.
>
> I don't see a sandbox violation there. If I had to guess what's
> happening I'd say that WolfSSL is attempting open(/dev/urandom),
> soft-failing with errno==EACCESS because of
> https://github.com/openssh/openssh-portable/blob/master/sandbox-seccomp-filter.c#L259
> and returning a failure that terminates the sshd-auth process.
>
> Reiterating your options:
>
> 1. Ask the WolfSSL developers if you can get it to prepare for
> sandboxing before the sandbox is applied. In other libraries, this
> usually means making some API call that loads a seed or opens a file
> descriptor before the sandbox makes such things impossible.
>
> 2. Get WolfSSL to use getrandom() instead of open(/dev/urandom). It
> looks like there is already support in the library for this:
> https://github.com/wolfSSL/wolfssl/blob/v5.6.4-stable/wolfcrypt/src/random.c#L3595-L3624
>
> 3. Change the sandbox to allow the open syscall. This would
> significantly weaken the sandbox as it can't be done selectively
> per-path, which is why we don't do it in OpenSSH. Practically, this
> means replacing "SC_DENY(__NR_open, EACCES)," with
> "SC_ALLOW(__NR_open),"

I apologise for attaching full logs in the comment box; I completely missed the add attachment option. I will keep it in mind if there is a next time.

Since the whole purpose of writing this to you was to avoid lowering the security of the sandbox, I will try to avoid option 3. So I have written to wolfSSL about options 1 and 2. Hopefully I will get a reply soon. I wrote to you because ever since finding out what issue happens with wolfSSL they have become silent. Now that you have helped me find some additional possible solutions, I have written to them again and am waiting for a reply.

I am leaving this issue open until I get some reply from wolfSSL. I will close it after they respond. Thank you for your help. You have been very helpful.

-- 
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
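The three options in the quoted reply, as an added example that is not part of this bug report and is neither OpenSSH's nor wolfSSL's code: a small Linux C program (it assumes glibc's getrandom() and a seccomp-capable kernel) that pre-opens /dev/urandom before installing a toy seccomp filter modelled on the SC_DENY(..., EACCES) behaviour described above, then shows that a late open() fails with EACCES while the pre-opened descriptor (option 1) and getrandom() (option 2) both keep working. The filter, the function names (rng_prepare, rng_fill_from_fd, rng_fill_getrandom, rng_selftest, apply_deny_open_filter) and the 32-byte buffers are my own constructions, not the filter at the linked line of sandbox-seccomp-filter.c.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/random.h>
#include <sys/syscall.h>

static int g_urandom_fd = -1;   /* opened before the sandbox exists (option 1) */

/* Option 1: do the filesystem work while open() is still permitted. */
int rng_prepare(void)
{
    if (g_urandom_fd < 0)
        g_urandom_fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    return g_urandom_fd >= 0 ? 0 : -1;
}

/* Read from the pre-opened descriptor: read() is not blocked by the filter below. */
int rng_fill_from_fd(unsigned char *buf, size_t len)
{
    size_t off = 0;
    if (g_urandom_fd < 0)
        return -1;
    while (off < len) {
        ssize_t n = read(g_urandom_fd, buf + off, len - off);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            return -1;
        off += (size_t)n;
    }
    return 0;
}

/* Option 2: getrandom(2) names no path, so an open()-denying filter cannot break it. */
int rng_fill_getrandom(unsigned char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = getrandom(buf + off, len - off, 0);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -1;
        off += (size_t)n;
    }
    return 0;
}

/* 1 when both paths deliver 32 bytes that are not all zero, else 0. */
int rng_selftest(void)
{
    unsigned char a[32] = {0}, b[32] = {0};
    int i, nz_a = 0, nz_b = 0;
    if (rng_prepare() || rng_fill_from_fd(a, 32) || rng_fill_getrandom(b, 32))
        return 0;
    for (i = 0; i < 32; i++) { nz_a |= a[i]; nz_b |= b[i]; }
    return nz_a != 0 && nz_b != 0;
}

/* Toy filter written for this example, not OpenSSH's sandbox-seccomp-filter.c:
 * open()/openat() fail with EACCES (the SC_DENY behaviour described in the comment),
 * everything else is allowed. OpenSSH's real filter also checks the architecture first. */
int apply_deny_open_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof filter / sizeof filter[0]), filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    unsigned char buf[32];
    if (rng_prepare() != 0 || apply_deny_open_filter() != 0) {
        perror("setup");
        return 1;
    }
    /* Mirrors the failure the comment describes: a late open() now soft-fails. */
    printf("open() after sandbox: %s\n",
           open("/dev/urandom", O_RDONLY) < 0 ? strerror(errno) : "unexpectedly succeeded");
    printf("pre-opened fd:        %s\n", rng_fill_from_fd(buf, 32) == 0 ? "ok" : "failed");
    printf("getrandom():          %s\n", rng_fill_getrandom(buf, 32) == 0 ? "ok" : "failed");
    return 0;
}
```

Build with `cc -o sandbox-rng sandbox-rng.c` and run it: the first line reports "Permission denied" for the late open(), the other two report "ok". Option 3 would correspond to deleting the two EACCES rules, and the reason that weakens the sandbox is visible in the filter itself: BPF sees only the syscall number and register arguments, never the path string, so open() cannot be allowed for /dev/urandom alone.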
