[Buildroot] [PATCH] package/openssh: allow sandboxing to be disabled as workaround for seccomp issues
Peter Korsgaard
peter at korsgaard.com
Sun Sep 18 15:45:41 UTC 2022
>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
> Peter, All,
> On 2022-09-18 15:30 +0200, Peter Korsgaard spake thusly:
>> As explained in bug #14796, there are situations where the seccomp based
>> sandboxing in openssh can get confused, leading to connection issues.
> [--SNIP--]
>> As a workaround, add a _OPENSSH_SANDBOX option (defaulting to y) to decide
>> if sandboxing should be used or not.
> [--SNIP--]
>> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
>> index 63a28f3af5..9fab2c9038 100644
>> --- a/package/openssh/openssh.mk
>> +++ b/package/openssh/openssh.mk
>> @@ -24,6 +24,7 @@ OPENSSH_CPE_ID_VENDOR = openbsd
>> OPENSSH_CONF_OPTS = \
>> --sysconfdir=/etc/ssh \
>> --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
>> + $(if $(BR2_PACKAGE_OPENSSH_SANDBOX),--with-sandbox,--without-sandbox) \
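Review bot: the `--with-sandbox` branch of the `$(if ...)` in this hunk passes the option without a `=style` value, so configure auto-detects the first sandbox mechanism it finds instead of selecting one explicitly, which is exactly what happens when no option is given at all. Consider emitting only the disabling flag, e.g. `$(if $(BR2_PACKAGE_OPENSSH_SANDBOX),,--without-sandbox)`, or naming the intended style explicitly, so the enabled case does not silently depend on configure's detection order; a short comment in openssh.mk stating that on Linux this means seccomp filtering or nothing would also help future readers.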
> --with-sandbox expects an argument that specifies what type of sandbox
> to use:
> --with-sandbox=style Specify privilege separation sandbox (no,
> capsicum, darwin, rlimit, seccomp_filter,
> systrace, pledge)
> If we just pass --with-sandbox without a value, configure will try to
> look for a list of available sandboxing mechanisms, and use the first it
> finds:
> https://github.com/openssh/openssh-portable/blob/1875042c52a3b950ae5963c9ca3774a4cc7f0380/configure.ac#L3642
Yes, exactly, --with-sandbox is the use-the-best-available-sandbox option
(e.g. the default, so if --with-sandbox / --without-sandbox is not used).
> All that is before looks like it is BSD-only: pledge and systrace, or
> darwin. But then, after seccomp, there is also capsicum and rlimit.
> Capsicum on linux does not exist, and rlimit probably does not bring
> much security-wise...
> So, in all practical matters, on Linux, sandboxing uses seccomp
> filtering, or there is no sandboxing.
> I've added a blurb to explain the above, and applied to master, thanks.
Great, thanks.
> Note that it looks like we can disable seccomp with:
> ac_cv_have_decl_SECCOMP_MODE_FILTER=no
That is also an option, but given that this no-sandbox thing is really
special in the first case (and arguably because of a bug in glibc and/or
how seccomp works), I think just having a way to disable it is good
enough (tm).
--
Bye, Peter Korsgaard