On Sun, 30 Jun 2019, shankarapailoor . wrote:

> Hi!
>
> I'm investigating the seccomp filter in openssh and I wanted to know
> whether the following system calls should be added to the filter:

I don't think so - AFAIK all of those only happen in the unsandboxed
monitor process.

> 1. getgroups
>    - do_authentication2->dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->temporarily_use_uid->getgroups
> 2. setgroups
>    - do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->temporarily_use_uid->initgroups->setgroups
> 3. unlink
>    - do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->auth_sock_cleanup_proc->unlink
> 4. rmdir
>    - do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->auth_sock_cleanup_proc->rmdir
>
> Below each system call is a call path that seems feasible. My apologies for
> any inconvenience.
>
> Regards,
> Shankara Pailoor
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev