Mailing List Archive: OpenSSH: Dev

seccomp_filter



carstenmattner at gmail

Jul 25, 2012, 7:48 AM

Post #1 of 6 (420 views)
seccomp_filter

Can I configure openssh with --sandbox=seccomp_filter and have it still run
on older kernels with sandboxing via rlimit? I'm asking from a linux distro
packaging point of view. Does --sandbox=seccomp_filter keep the rlimit
sandbox? It looks to me as if I can only link in one of the sandbox plugins.

An openssh build with seccomp_filter enabled will probably have no sandbox
at all on linux < 3.5. Is that correct? Would it start up linux 3.4 or
3.2 at all?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Jul 25, 2012, 4:26 PM

Post #2 of 6 (391 views)
Re: seccomp_filter [In reply to]

On Wed, 25 Jul 2012, Carsten Mattner wrote:

> Can I configure openssh with --sandbox=seccomp_filter and have it still run
> on older kernels with sandboxing via rlimit? I'm asking from a linux
> distro packaging
> point of view. Does --sandbox=seccomp_filter keep the rlimit sandbox?
> It looks to
> me as if I can only link in one of the sandbox plugins.
>
> An openssh build with seccomp_filter enabled will probably have no sandbox
> at all on linux < 3.5. Is that correct? Would it start up linux 3.4 or
> 3.2 at all?

HEAD will fall back to the rlimit pseudo-sandbox if seccomp was enabled at
compile-time but is not available at runtime. openssh-6.0 will fatal() for
these cases.

-d
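The runtime decision Damien describes above (use the seccomp filter if the running kernel has it, otherwise fall back to the rlimit pseudo-sandbox) as an added illustration; this is not OpenSSH's code. It is Linux-only, the function and enum names are this example's own, and the rlimit part is modelled on the limits OpenSSH's rlimit sandbox sets (file size, open files, processes all zero).

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum sandbox_kind { SANDBOX_SECCOMP = 1, SANDBOX_RLIMIT = 2 };
/* Probe without installing anything: PR_SET_SECCOMP with a NULL program
 * gives EFAULT if the kernel knows SECCOMP_MODE_FILTER, EINVAL if not. */
int seccomp_filter_supported(void)
{
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0) == -1 &&
           errno == EFAULT;
}

/* A seccomp-enabled build should not refuse to start on an older kernel:
 * pick the mechanism the running kernel can actually provide. */
enum sandbox_kind choose_sandbox(void)
{
    return seccomp_filter_supported() ? SANDBOX_SECCOMP : SANDBOX_RLIMIT;
}

/* The rlimit "pseudo-sandbox": no syscall filtering, it only denies a
 * compromised pre-auth process new fds, file growth and new processes.
 * Caveat: RLIMIT_NPROC is ignored for CAP_SYS_ADMIN/CAP_SYS_RESOURCE. */
int rlimit_sandbox_apply(void)
{
    struct rlimit zero = { 0, 0 };
    if (setrlimit(RLIMIT_FSIZE, &zero) == -1) return -1;
    if (setrlimit(RLIMIT_NPROC, &zero) == -1) return -1;
    return setrlimit(RLIMIT_NOFILE, &zero);
}

/* Exercise the fallback in a forked child so the caller stays unlimited:
 * 1 if the child can no longer open a file (EMFILE), 0 if it can, -1 on error. */
int rlimit_sandbox_blocks_open(void)
{
    int status;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (rlimit_sandbox_apply() == -1) _exit(2);
        _exit(open("/dev/null", O_RDONLY) == -1 && errno == EMFILE ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Note that the rlimit branch is only a damage limiter: a process under it can still make any system call the kernel allows, which is why the thread calls it a pseudo-sandbox.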


carstenmattner at gmail

Jul 26, 2012, 4:50 AM

Post #3 of 6 (399 views)
Re: seccomp_filter [In reply to]

On Thu, Jul 26, 2012 at 1:26 AM, Damien Miller <djm [at] mindrot> wrote:
>
>
> On Wed, 25 Jul 2012, Carsten Mattner wrote:
>
>> Can I configure openssh with --sandbox=seccomp_filter and have it
>> still run on older kernels with sandboxing via rlimit? I'm asking
>> from a linux distro packaging point of view. Does
>> --sandbox=seccomp_filter keep the rlimit sandbox? It looks to me as
>> if I can only link in one of the sandbox plugins.
>>
>> An openssh build with seccomp_filter enabled will probably have no
>> sandbox at all on linux < 3.5. Is that correct? Would it start up
>> linux 3.4 or 3.2 at all?
>
> HEAD will fall back to the rlimit pseudo-sandbox if seccomp was enabled at
> compile-time but is not available at runtime. openssh-6.0 will fatal() for
> these cases.

That sounds good. Is it available in a single commit I could backport
until the next release? Is it correct that November 2012 is the
release date for 6.1?


djm at mindrot

Jul 26, 2012, 4:57 AM

Post #4 of 6 (393 views)
Re: seccomp_filter [In reply to]

On Thu, 26 Jul 2012, Carsten Mattner wrote:

> > HEAD will fall back to the rlimit pseudo-sandbox if seccomp was enabled at
> > compile-time but is not available at runtime. openssh-6.0 will fatal() for
> > these cases.
>
> That sounds good. Is it available in a single commit I could backport
> until the next release? Is it correct that November 2012 is the
> release date for 6.1?

It will probably be sooner than that. Perhaps late this month even.

http://hg.mindrot.org/openssh/raw-rev/d8de6b1ebec9 should be all you
need.

-d


carstenmattner at gmail

Aug 20, 2012, 8:39 AM

Post #5 of 6 (328 views)
Re: seccomp_filter [In reply to]

On Thu, Jul 26, 2012 at 1:57 PM, Damien Miller <djm [at] mindrot> wrote:
> On Thu, 26 Jul 2012, Carsten Mattner wrote:
>
>> > HEAD will fall back to the rlimit pseudo-sandbox if seccomp was enabled at
>> > compile-time but is not available at runtime. openssh-6.0 will fatal() for
>> > these cases.
>>
>> That sounds good. Is it available in a single commit I could backport
>> until the next release? Is it correct that November 2012 is the
>> release date for 6.1?
>
> It will probably be sooner than that. Perhaps late this month even.
>
> http://hg.mindrot.org/openssh/raw-rev/d8de6b1ebec9 should be all you
> need.

Any news on the 6.1 release?

Also, when running ./configure with a sufficient linux kernel and headers,
will the autoconf script default to the seccomp sandbox?


djm at mindrot

Aug 20, 2012, 3:59 PM

Post #6 of 6 (331 views)
Re: seccomp_filter [In reply to]

On Mon, 20 Aug 2012, Carsten Mattner wrote:

> On Thu, Jul 26, 2012 at 1:57 PM, Damien Miller <djm [at] mindrot> wrote:
> > On Thu, 26 Jul 2012, Carsten Mattner wrote:
> >
> >> > HEAD will fall back to the rlimit pseudo-sandbox if seccomp was enabled at
> >> > compile-time but is not available at runtime. openssh-6.0 will fatal() for
> >> > these cases.
> >>
> >> That sounds good. Is it available in a single commit I could backport
> >> until the next release? Is it correct that November 2012 is the
> >> release date for 6.1?
> >
> > It will probably be sooner than that. Perhaps late this month even.
> >
> > http://hg.mindrot.org/openssh/raw-rev/d8de6b1ebec9 should be all you
> > need.
>
> Any news on the 6.1 release?

within days

> Also, when running ./configure with a sufficient linux kernel and headers,
> will the autoconf script default to the seccomp sandbox?

Yes

-d
