[Bug 2590] Seccomp filter for missing architectures
https://bugzilla.mindrot.org/show_bug.cgi?id=2590

Damien Miller changed:

           What   |Removed  |Added
           Status |RESOLVED |CLOSED

--- Comment #12 from Damien Miller ---
closing resolved bugs as of 8.6p1 release

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2590] Seccomp filter for missing architectures
https://bugzilla.mindrot.org/show_bug.cgi?id=2590

--- Comment #11 from Darren Tucker ---
(In reply to Darren Tucker from comment #10)
> There's a github pull request
> (https://github.com/openssh/openssh-portable/pull/71) that looks
> like it might fix this. Can you confirm?

Merged that pull request; if that doesn't fix it please reopen. Thanks.
[Bug 2590] Seccomp filter for missing architectures
https://bugzilla.mindrot.org/show_bug.cgi?id=2590

Darren Tucker changed:

           What       |Removed  |Added
           Resolution |---      |FIXED
           Blocks     |         |2782
           Status     |REOPENED |RESOLVED

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
[Bug 2590] Seccomp filter for missing architectures
https://bugzilla.mindrot.org/show_bug.cgi?id=2590

--- Comment #10 from Darren Tucker ---
There's a github pull request
(https://github.com/openssh/openssh-portable/pull/71) that looks like it
might fix this. Can you confirm? Thanks.
[Bug 2590] Seccomp filter for missing architectures
https://bugzilla.mindrot.org/show_bug.cgi?id=2590

Damien Miller changed:

           What   |Removed |Added
           Blocks |2543    |

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
[Bug 2590] Seccomp filter for missing architectures
https://bugzilla.mindrot.org/show_bug.cgi?id=2590

--- Comment #6 from Joshua Kinard ---
(In reply to Darren Tucker from comment #5)
> (In reply to Joshua Kinard from comment #3)
> >
> > I hate to reopen, but I found a corner case for MIPS broken by the
> > MIPS whitelist. Specifically, the proposed whitelist does not
> > account for MIPS N32 ABI (under mips64).
> >
> > Specifically:
> > + mips64-*)
> > + seccomp_audit_arch=AUDIT_ARCH_MIPS64
> >
> > There needs to be another hook to somehow detect N32 and then set
> > either AUDIT_ARCH_MIPS64 (big-endian) or AUDIT_ARCH_MIPSEL64N32
> > (little-endian).
>
> what does configure.guess report on such systems? If that's not a
> reliable indicator, what is? mips64-* && AC_CHECK_SIZEOF([int],
> [4]) ?

config.guess reports back "mips64-unknown-linux-gnu", which is my system
CHOST value (Gentoo, SGI Octane). It does the same in an O32 chroot, so
this might be unreliable. O32 Linux userlands require a CHOST of
"mips-unknown-linux-gnu", even when run under a mips64 kernel.

Per the MIPS N32 handbook, you can tell O32/N32 apart from N64 (full
64-bit) by checking the size of a pointer, which should be 8 bytes on N64.
But it'll be 4 bytes under both O32/N32, so this approach won't work
either.

Is it possible to have configure compile a test binary using the provided
C compiler and flags, then check the file magic of the output binary?
That's a definitive way to differentiate between all three ABIs (and may
even be applicable for multilib setups). I scanned briefly through the
autoconf manual, but I don't see a built-in check for this.

O32 /bin/cat:
/bin/cat: ELF 32-bit MSB executable, MIPS, MIPS-IV version 1 (SYSV), dynamically linked, interpreter /lib/ld.so.1, for GNU/Linux 2.6.32, stripped

N32 /bin/cat:
/bin/cat: ELF 32-bit MSB executable, MIPS, N32 MIPS-IV version 1 (SYSV), dynamically linked, interpreter /lib32/ld.so.1, for GNU/Linux 2.6.32, stripped

So a check for the presence of "N32" in file's output would be enough to
detect between O32 and N32.

Should you ever get around to supporting X32 on the Intel/AMD platforms,
this same situation is bound to come up again. X32 either copies, or was
inspired by, N32 and so they aim to achieve similar goals.
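As an added example (not code from this bug, the pull request, or OpenSSH's configure), here is the check Joshua proposes done directly on the ELF header of a compiled test binary instead of grepping `file`'s text: EI_CLASS separates N64 from the two 32-bit-class ABIs, EI_DATA gives endianness, and the EF_MIPS_ABI2 bit in e_flags is what `file` prints as "N32". The function and helper names are assumptions of this example; the constructed headers are test data, not real binaries.

```python
import struct

# ELF header constants (from elf.h / the ELF specification)
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_MIPS = 8
EF_MIPS_ABI2 = 0x20  # e_flags bit set on N32 objects; `file` shows it as "N32"


def seccomp_audit_arch(elf: bytes) -> str:
    """Map a MIPS ELF header to the AUDIT_ARCH_* name the seccomp filter
    must compare the kernel-reported arch against. Raises ValueError
    for anything that is not a MIPS ELF file."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elfclass, data = elf[4], elf[5]
    if data == ELFDATA2LSB:
        end, little = "<", True
    elif data == ELFDATA2MSB:
        end, little = ">", False
    else:
        raise ValueError("unknown EI_DATA")
    (e_machine,) = struct.unpack_from(end + "H", elf, 18)
    if e_machine != EM_MIPS:
        raise ValueError("not a MIPS ELF file")
    if elfclass == ELFCLASS32:
        # O32 and N32 are both ELFCLASS32; only e_flags tells them apart
        (e_flags,) = struct.unpack_from(end + "I", elf, 36)
        abi = "64N32" if e_flags & EF_MIPS_ABI2 else ""
    elif elfclass == ELFCLASS64:
        abi = "64"  # N64: the only 64-bit-class MIPS ABI
    else:
        raise ValueError("unknown EI_CLASS")
    return "AUDIT_ARCH_MIPS" + ("EL" if little else "") + abi


def make_mips_header(elfclass: int, msb: bool, e_flags: int) -> bytes:
    """Constructed minimal ELF header for testing; not a loadable binary."""
    end = ">" if msb else "<"
    ident = b"\x7fELF" + bytes([elfclass, ELFDATA2MSB if msb else ELFDATA2LSB, 1]) + bytes(9)
    if elfclass == ELFCLASS32:  # e_flags lands at offset 36
        rest = struct.pack(end + "HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0, 0, 0, e_flags, 52, 32, 0, 40, 0, 0)
    else:                        # e_flags lands at offset 48
        rest = struct.pack(end + "HHIQQQIHHHHHH", 2, EM_MIPS, 1, 0, 0, 0, e_flags, 64, 56, 0, 64, 0, 0)
    return ident + rest


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:  # e.g. the binary a configure test just built
        print(seccomp_audit_arch(fh.read(64)))
```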
[Bug 2590] Seccomp filter for missing architectures
https://bugzilla.mindrot.org/show_bug.cgi?id=2590

Darren Tucker changed:

           What |Removed |Added
           CC   |        |dtuc...@zip.com.au

--- Comment #5 from Darren Tucker ---
(In reply to Joshua Kinard from comment #3)
>
> I hate to reopen, but I found a corner case for MIPS broken by the
> MIPS whitelist. Specifically, the proposed whitelist does not
> account for MIPS N32 ABI (under mips64).
>
> Specifically:
> + mips64-*)
> + seccomp_audit_arch=AUDIT_ARCH_MIPS64
>
> There needs to be another hook to somehow detect N32 and then set
> either AUDIT_ARCH_MIPS64 (big-endian) or AUDIT_ARCH_MIPSEL64N32
> (little-endian).

What does configure.guess report on such systems? If that's not a
reliable indicator, what is? mips64-* && AC_CHECK_SIZEOF([int], [4]) ?
[Bug 2590] Seccomp filter for missing architectures
https://bugzilla.mindrot.org/show_bug.cgi?id=2590

Joshua Kinard changed:

           What       |Removed |Added
           Status     |CLOSED  |REOPENED
           Resolution |FIXED   |---
           CC         |        |ku...@gentoo.org

--- Comment #3 from Joshua Kinard ---
(In reply to Damien Miller from comment #1)
> Patch applied - thank-you very much for doing the testing for these.
> This will be in the openssh-7.3 release.

I hate to reopen, but I found a corner case for MIPS broken by the MIPS
whitelist. Specifically, the proposed whitelist does not account for MIPS
N32 ABI (under mips64).

Specifically:

+ mips64-*)
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64

There needs to be another hook to somehow detect N32 and then set either
AUDIT_ARCH_MIPS64 (big-endian) or AUDIT_ARCH_MIPSEL64N32 (little-endian).

I believe there's a known/defined CHOST tuple to specify an N32 userland,
but it's not common, so CHOST seems to be unreliable to detect this. I am
not sure of another reasonable way to do so right now.

Without this fix, on mips64/N32 platforms, "UsePrivilegeSeparation sandbox"
will fail and not allow a client to connect. Per strace:

[pid 1883] prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
[pid 1883] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57, filter=0x565f3920}) = 0
[pid 1883] write(3, "\0\0\3|\10\24\270\256hb<\257-\30\216\214L\301\35\230\10\233\0\0\0\324curve2"..., 896
[pid 1883] --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=NULL, si_syscall=__NR_write, si_arch=AUDIT_ARCH_MIPS64N32} ---
[pid 1883] <... write resumed> ) = -1 ERRNO_6001 (Unknown error 6001)
[pid 1883] --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=NULL, si_syscall=__NR_write, si_arch=AUDIT_ARCH_MIPS64N32} ---
[pid 1882] <... poll resumed> )= 2 ([{fd=6, revents=POLLIN|POLLHUP}, {fd=7, revents=POLLHUP}])
[pid 1883] +++ killed by SIGSYS +++
[pid 1882] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1883, si_uid=22, si_status=SIGSYS, si_utime=0, si_stime=0} ---
[pid 1882] read(7, "", 4) = 0
[pid 1882] close(7)= 0
[pid 1882] poll([{fd=6, events=POLLIN}], 1, -1) = 1 ([{fd=6, revents=POLLIN|POLLHUP}])
[pid 1882] read(6, "", 4) = 0
[pid 1882] kill(1883, SIGKILL) = 0
[pid 1882] exit_group(255) = ?
[pid 1882] +++ exited with 255 +++

Switching to "UsePrivilegeSeparation yes" is a workaround, but seems
suboptimal.