OpenSSH 7.1p1 dietlibc (and future glibc) patch

Hi OpenSSH devs,

I noticed that openssh 7.1 does not work when compiled with dietlibc. It
does build properly, and sshd runs and accepts connections, but every
connection attempt immediately fails.

The root cause is that dietlibc implements some OpenBSD interfaces
(getentropy and arc4random) so openssh can use the new getrandom syscall
that Linux provides. OpenSSH configure detects those APIs and uses them,
but the seccomp filter sandbox code does not yet allow the getrandom
syscall.

Here's the trivial patch that makes it work:


diff -ur openssh-7.1p1/sandbox-seccomp-filter.c openssh-7.1p1-fefe/sandbox-seccomp-filter.c
--- openssh-7.1p1/sandbox-seccomp-filter.c	2015-08-21 06:49:03.000000000 +0200
+++ openssh-7.1p1-fefe/sandbox-seccomp-filter.c	2015-09-09 14:51:04.071681323 +0200
@@ -198,6 +198,9 @@
 #ifdef __NR_socketcall
 	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
 #endif
+#ifdef __NR_getrandom
+	SC_ALLOW(getrandom),
+#endif
 
 	/* Default deny */
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
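
Review bot: the `#ifdef __NR_getrandom` guard around the added `SC_ALLOW(getrandom),` line means a build against kernel headers that do not define the syscall number silently drops the rule, so the same source can still produce a binary that falls through to the `SECCOMP_FILTER_FAIL` default when the libc calls getrandom at runtime. A one-line comment above the entry saying which libc interfaces need it (getentropy/arc4random, per the description) would make that dependency visible to whoever next touches the list. Note also that `SC_ALLOW` admits the call with any arguments, unlike the `SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN)` entry just above it; if that is intended, the comment is a good place to say so.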


Since this syscall will also be needed when the compat code for glibc is
updated, I see no obvious downside in applying this patch now.

Thanks,

Felix
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


