https://bugzilla.mindrot.org/show_bug.cgi?id=3430
Darren Tucker <dtucker@dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker@dtucker.net
--- Comment #1 from Darren Tucker <dtucker@dtucker.net> ---
I don't follow your description of what's happening. The sandbox code
has this (and has had since about 8.6p1, see bz#3093):
#ifdef __NR_clock_gettime64
SC_ALLOW(__NR_clock_gettime64),
#endif
(In reply to Lacky from comment #0)
[...]
> OpenSSH in source code tries to figure which syscalls are supported
> by kernel and only supported syscalls are added as an allowed in
> seccomp
That's not an accurate description. It allows any of the syscalls in
its list for which there is a definition, regardless of whether or not
it's supported by the currently running kernel.
If you build an sshd against and older set of headers that does not
define __NR_clock_gettime64 then it will not be included, but that's
because sshd has no way of knowing about it or what the syscall number
is at compile time. I could imagine this biting you if you installed a
new libc.so without recompiling sshd with the new headers.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Darren Tucker <dtucker@dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker@dtucker.net
--- Comment #1 from Darren Tucker <dtucker@dtucker.net> ---
I don't follow your description of what's happening. The sandbox code
has this (and has had since about 8.6p1, see bz#3093):
#ifdef __NR_clock_gettime64
SC_ALLOW(__NR_clock_gettime64),
#endif
(In reply to Lacky from comment #0)
[...]
> OpenSSH in source code tries to figure which syscalls are supported
> by kernel and only supported syscalls are added as an allowed in
> seccomp
That's not an accurate description. It allows any of the syscalls in
its list for which there is a definition, regardless of whether or not
it's supported by the currently running kernel.
If you build an sshd against and older set of headers that does not
define __NR_clock_gettime64 then it will not be included, but that's
because sshd has no way of knowing about it or what the syscall number
is at compile time. I could imagine this biting you if you installed a
new libc.so without recompiling sshd with the new headers.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs