On Wed, Feb 11, 2015 at 02:46:50PM -0300, Cristian Rodríguez wrote:
> *SSL libraries or the C library may/will require it.

In what circumstances do they need it?
Do they need it with the GRND_RANDOM bit set?

Note that this system call is equivalent to opening (with subsequent reading) of /dev/random and /dev/urandom, which is not allowed by this seccomp filter.

> --- a/sandbox-seccomp-filter.c > +++ b/sandbox-seccomp-filter.c > @@ -129,6 +129,9 @@ static const struct sock_filter preauth_insns[] = { > #else > SC_ALLOW(sigprocmask), > #endif > +#ifdef __NR_getrandom > + SC_ALLOW(getrandom), > +#endif > BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), > }; >

-- 
ldv
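
Review bot: SC_ALLOW(getrandom) in preauth_insns permits the call with any flags value, GRND_RANDOM included, and neither the hunk nor the one-line rationale names the caller that needs it. Add a comment above the #ifdef __NR_getrandom block stating which library path issues getrandom, and if that caller never sets GRND_RANDOM, replace the blanket allow with a rule that checks the flags argument so the filter grants no more than that path uses.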
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev