[Buildroot] [PATCH] package/openssh: allow sandboxing to be disabled as workaround for seccomp issues
Peter Korsgaard
peter at korsgaard.com
Sun Sep 18 13:30:49 UTC 2022
As explained in bug #14796, there are situations where the seccomp based
sandboxing in openssh can get confused, leading to connection issues.
As explained by Thomas in the bug report:
glibc does not care about the kernel headers when deciding whether to try
the clock_gettime64() syscall or not: it always uses it, and if that fails at
runtime, it falls back to clock_gettime(). This is how glibc ends up using
clock_gettime64() even if your kernel does not support it.
On the other hand, the OpenSSL seccomp code relies on kernel headers to decide
whether the clock_gettime64() syscall should be in the allowed list of syscalls
or not.
So when you are in a situation where glibc is recent, but your kernel is
older, you get into precisely the problem you have: glibc tries to use
clock_gettime64, but OpenSSH seccomp configuration prevents that, which does
not allow glibc to gracefully fall back to clock_gettime (as seccomp is
configured to kill the process on filter violations).
As a workaround, add a _OPENSSH_SANDBOX option (defaulting to y) to decide
if sandboxing should be used or not.
Fixes (works around) #14796
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
package/openssh/Config.in | 8 ++++++++
package/openssh/openssh.mk | 1 +
2 files changed, 9 insertions(+)
diff --git a/package/openssh/Config.in b/package/openssh/Config.in
index cc5998742e..08d3c7d391 100644
--- a/package/openssh/Config.in
+++ b/package/openssh/Config.in
@@ -31,4 +31,12 @@ config BR2_PACKAGE_OPENSSH_KEY_UTILS
help
Key utilities: ssh-keygen, ssh-keyscan.
+config BR2_PACKAGE_OPENSSH_SANDBOX
+ bool "use sandboxing"
+ default y
+ help
+ Use sandboxing for extra privilege protection of processes.
+
+ This is normally preferable, but may cause seccomp problems
+ for certain combinations of C libraries and kernel versions.
endif
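Review bot: The help text for BR2_PACKAGE_OPENSSH_SANDBOX only says sandboxing "may cause seccomp problems for certain combinations of C libraries and kernel versions", which gives a user no way to tell whether they are affected or what they give up by answering n. Suggest naming the case from the commit message (a recent glibc that tries clock_gettime64() on an older kernel, bug #14796) and stating that the option should stay enabled unless that failure is actually seen, since turning it off removes the "extra privilege protection" described in the first help line.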
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 63a28f3af5..9fab2c9038 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -24,6 +24,7 @@ OPENSSH_CPE_ID_VENDOR = openbsd
OPENSSH_CONF_OPTS = \
--sysconfdir=/etc/ssh \
--with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
+ $(if $(BR2_PACKAGE_OPENSSH_SANDBOX),--with-sandbox,--without-sandbox) \
--disable-lastlog \
--disable-utmp \
--disable-utmpx \
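Review bot: In the added OPENSSH_CONF_OPTS line the disabled branch passes --without-sandbox, which turns sandboxing off as a whole, while the failure described in the commit message is specific to the seccomp filter. If OpenSSH's configure can select a sandbox that does not rely on seccomp, passing that in the else branch would keep some confinement for affected targets; failing that, a short comment in openssh.mk pointing to bug #14796 would record why the switch exists so it can be removed once the filter issue is resolved.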
--
2.30.2