[Buildroot] [PATCH] package/openssh: allow sandboxing to be disabled as workaround for seccomp issues

Peter Korsgaard peter at korsgaard.com
Sun Sep 18 15:45:41 UTC 2022


>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:

 > Peter, All,
 > On 2022-09-18 15:30 +0200, Peter Korsgaard spake thusly:
 >> As explained in bug #14796, there are situations where the seccomp based
 >> sandboxing in openssh can get confused, leading to connection issues.
 > [--SNIP--]
 >> As a workaround, add a _OPENSSH_SANDBOX option (defaulting to y) to decide
 >> if sandboxing should be used or not.
 > [--SNIP--]
 >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
 >> index 63a28f3af5..9fab2c9038 100644
 >> --- a/package/openssh/openssh.mk
 >> +++ b/package/openssh/openssh.mk
 >> @@ -24,6 +24,7 @@ OPENSSH_CPE_ID_VENDOR = openbsd
 >> OPENSSH_CONF_OPTS = \
 >> --sysconfdir=/etc/ssh \
 >> --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
 >> +	$(if $(BR2_PACKAGE_OPENSSH_SANDBOX),--with-sandbox,--without-sandbox) \
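Review bot: the added `$(if $(BR2_PACKAGE_OPENSSH_SANDBOX),--with-sandbox,--without-sandbox)` passes `--with-sandbox` with no value, while configure documents the option as `--with-sandbox=style` (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge); a bare `--with-sandbox` makes configure autodetect and take the first mechanism it finds, which on Linux is seccomp_filter or none. Either pass the style explicitly (`--with-sandbox=seccomp_filter`) or add a comment above OPENSSH_CONF_OPTS stating that autodetection is intended, so a future reader does not assume a specific sandbox is being selected.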

 > --with-sandbox expects an argument that specifies what type of sandbox
 > to use:

 >     --with-sandbox=style Specify privilege separation sandbox (no,
 >                          capsicum, darwin, rlimit, seccomp_filter,
 >                          systrace, pledge)

 > If we just pass --with-sandbox without a value, configure will try to
 > look for a list of available sandboxing mechanisms, and use the first it
 > finds:

 >     https://github.com/openssh/openssh-portable/blob/1875042c52a3b950ae5963c9ca3774a4cc7f0380/configure.ac#L3642

Yes, exactly, --with-sandbox is the use-the-best-available-sandbox option
(e.g. the default, so if --with-sandbox / --without-sandbox is not used).

 > All that is before looks like it is BSD-only: pledge and systrace, or
 > darwin. But then, after seccomp, there is also capsicum and rlimit.
 > Capsicum on linux does not exist, and rlimit probably does not bring
 > much security-wise...

 > So, in all practical matters, on Linux, sandboxing uses seccomp
 > filtering, or there is no sandboxing.

 > I've added a blurb to explain the above, and applied to master, thanks.

Great, thanks.

 > Note that it looks like we can disable seccomp with:

 >     ac_cv_have_decl_SECCOMP_MODE_FILTER=no

That is also an option, but given that this no-sandbox thing is really
special in the first case (and arguably because of a bug in glibc and/or
how seccomp works), I think just having a way to disable it is good
enough (tm).

-- 
Bye, Peter Korsgaard
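Added example, not part of the thread or of the Buildroot/OpenSSH sources: a POSIX shell script that checks on a running Linux target whether each sshd process is actually under a seccomp filter, so the effect of the BR2_PACKAGE_OPENSSH_SANDBOX choice can be verified after deployment. It assumes a Linux /proc and that the process name is sshd (or sshd-session on newer OpenSSH).

```shell
#!/bin/sh
# Added example (not from the thread): report the seccomp mode of each sshd
# process. Linux exposes the mode in /proc/<pid>/status as "Seccomp:\t<n>":
#   0 = disabled, 1 = strict, 2 = filter (what OpenSSH's seccomp_filter
#   sandbox installs in the unprivileged privsep child).

# Print the seccomp mode found in a /proc/<pid>/status-style file ($1).
# Prints "unknown" when the field is absent (kernel built without seccomp).
seccomp_mode_from_status() {
    awk '/^Seccomp:/ { print $2; found = 1 }
         END { if (!found) print "unknown" }' "$1"
}

# Map the numeric mode to a readable label.
seccomp_mode_label() {
    case "$1" in
        0) echo "none" ;;
        1) echo "strict" ;;
        2) echo "filter" ;;
        *) echo "unknown" ;;
    esac
}

# Walk /proc and print "<pid> <label>" for every sshd process. The listening
# parent normally reports "none"; a privsep child handling a connection should
# report "filter" when OpenSSH was built with the seccomp_filter sandbox, and
# "none" when built --without-sandbox.
report_sshd_sandbox() {
    for status in /proc/[0-9]*/status; do
        [ -r "$status" ] || continue
        comm=$(awk '/^Name:/ { print $2; exit }' "$status")
        case "$comm" in
            sshd|sshd-session) ;;
            *) continue ;;
        esac
        pid=${status#/proc/}
        pid=${pid%/status}
        printf '%s %s\n' "$pid" \
            "$(seccomp_mode_label "$(seccomp_mode_from_status "$status")")"
    done
}
```

Run `report_sshd_sandbox` while a session is open so that a privsep child exists to inspect.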
