Bug 3093

Summary: Unbreak seccomp filter with latest glibc
Product: Portable OpenSSH Reporter: Jakub Jelen <jjelen>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: djm, dtucker
Priority: P5 Keywords: patch
Version: 8.1p1   
Hardware: Other   
OS: Linux   
Bug Depends on:    
Bug Blocks: 3079    
Attachments:
Description Flags
proposed patch none

Description Jakub Jelen 2019-11-13 23:01:58 AEDT 
Created attachment 3339 [details]
proposed patch

The OpenSSH with latest Fedora fails to login users because of seccomp is killing it. This is caused by recent change in glibc and change of implementation of nanosleep, which is affecting privsep child. For more information, see the Fedora bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1771946

The attached patch should address this issue (I will give it some more testing).
Comment 1 Darren Tucker 2019-11-13 23:22:29 AEDT 
Applied, thanks.
Comment 2 Jakub Jelen 2020-02-03 10:53:58 AEDT 
It looks like there is one more syscall needed with the current glibc on ARM, which is clock_gettime64. Please, consider adding also this one. For more information, there is another red hat bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1796267
Comment 3 Damien Miller 2020-02-03 19:41:36 AEDT 
Added - thanks
Comment 4 Damien Miller 2021-04-23 14:57:02 AEST 
closing resolved bugs as of 8.6p1 release