Re: [PATCH] seccomp: allow the getrandom system call.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Wed, Feb 11, 2015 at 02:46:50PM -0300, Cristian Rodríguez wrote:
> *SSL libraries or the C library may/will require it.

In what circumstances do they need it?
Do they need it with GRND_RANDOM bit set?

Note that this system call equivalents to opening (with subsequent
reading) of /dev/random and /dev/urandom, which is not allowed by this
seccomp filter.

> --- a/sandbox-seccomp-filter.c
> +++ b/sandbox-seccomp-filter.c
> @@ -129,6 +129,9 @@ static const struct sock_filter preauth_insns[] = {
>  #else
>  	SC_ALLOW(sigprocmask),
>  #endif
> +#ifdef __NR_getrandom
> +	SC_ALLOW(getrandom),
> +#endif
>  	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
>  };
>  

-- 
ldv

Attachment: pgpSZOXWf82nm.pgp
Description: PGP signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux