| Summary: | SECCOMP filter does not accept getpgid syscall | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Jakub Jelen <jjelen> |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | ||
| Severity: | enhancement | CC: | djm |
| Priority: | P5 | ||
| Version: | 6.8p1 | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| Bug Depends on: | |||
| Bug Blocks: | 2360 | ||
Thanks, it looks like the systrace sandbox is missing it too. This was fixed in openssh-6.9 Close all resolved bugs after 7.3p1 release |
Based on question on serverfault [1] I found out that there is syscall getpgid issued after LoginGraceTime. This doesn't show up when using our packaged version of openssh, since the condition [2] is probably optimized out by compiler (can't judge if the optimization is correct). The solution is again white-list this syscall or optimize out this condition as the compiler does it. I'm not sure if the condition has some use here. Backtrace from GDB (line numbers differ a bit from upstream sources): #0 grace_alarm_handler (sig=14) at ../openssh-6.8p1/sshd.c:380 #1 <signal handler called> #2 0xb7fd9be8 in ?? () #3 0x080baaef in ssh_dispatch_run (ssh=0x8153780, mode=0, done=0x8151660, ctxt=0x8151660) at ../openssh-6.8p1/dispatch.c:101 #4 0x080bac86 in ssh_dispatch_run_fatal (ssh=0x8153780, mode=0, done=0x8151660, ctxt=0x8151660) at ../openssh-6.8p1/dispatch.c:140 #5 0x08065103 in do_authentication2 (authctxt=0x8151660) at ../openssh-6.8p1/auth2.c:175 #6 0x08053cea in main (ac=4, av=0x814e3f8) at ../openssh-6.8p1/sshd.c:2314 [1] http://serverfault.com/questions/697497/strange-seccomp-entries-for-sshd-in-audit-log/701889#701889 [2] https://github.com/openssh/openssh-portable/blob/51a1c2115265c6e80ede8a5c9dccada9aeed7143/sshd.c#L368