Bug 2419 - SECCOMP filter does not accept getpgid syscall
Summary: SECCOMP filter does not accept getpgid syscall
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 6.8p1
Hardware: Other Linux
: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_6_9
  Show dependency treegraph
 
Reported: 2015-06-29 23:11 AEST by Jakub Jelen
Modified: 2016-08-02 10:41 AEST (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jakub Jelen 2015-06-29 23:11:44 AEST
Based on question on serverfault [1] I found out that there is syscall getpgid issued after LoginGraceTime. This doesn't show up when using our packaged version of openssh, since the condition [2] is probably optimized out by compiler (can't judge if the optimization is correct).

The solution is again white-list this syscall or optimize out this condition as the compiler does it. I'm not sure if the condition has some use here.

Backtrace from GDB (line numbers differ a bit from upstream sources):
#0  grace_alarm_handler (sig=14) at ../openssh-6.8p1/sshd.c:380
#1  <signal handler called>
#2  0xb7fd9be8 in ?? ()
#3  0x080baaef in ssh_dispatch_run (ssh=0x8153780, mode=0, done=0x8151660, ctxt=0x8151660)
    at ../openssh-6.8p1/dispatch.c:101
#4  0x080bac86 in ssh_dispatch_run_fatal (ssh=0x8153780, mode=0, done=0x8151660, ctxt=0x8151660)
    at ../openssh-6.8p1/dispatch.c:140
#5  0x08065103 in do_authentication2 (authctxt=0x8151660) at ../openssh-6.8p1/auth2.c:175
#6  0x08053cea in main (ac=4, av=0x814e3f8) at ../openssh-6.8p1/sshd.c:2314


[1] http://serverfault.com/questions/697497/strange-seccomp-entries-for-sshd-in-audit-log/701889#701889
[2] https://github.com/openssh/openssh-portable/blob/51a1c2115265c6e80ede8a5c9dccada9aeed7143/sshd.c#L368
Comment 1 Damien Miller 2015-06-30 08:29:04 AEST
Thanks, it looks like the systrace sandbox is missing it too.
Comment 2 Damien Miller 2015-07-17 12:18:21 AEST
This was fixed in openssh-6.9
Comment 3 Damien Miller 2016-08-02 10:41:48 AEST
Close all resolved bugs after 7.3p1 release