seccomp-bpf filter violation in sshd #97
Comments
I think this is a violation of their seccomp-bpf filter, which doesn't whitelist mprotect. It will need to be addressed like the man-db issue.
You can see in https://github.com/openssh/openssh-portable/blob/master/sandbox-seccomp-filter.c that mprotect is not whitelisted.
That was a quick response! :)
The same problem with https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=0951f82c611c4a3c14271b0fa9c4919c84b7afe7 It would technically be possible for hardened_malloc to use mmap with MAP_FIXED instead of mprotect to unprotect slabs, metadata and the non-guard portion of large allocations. However,
Someone already opened a pull request:
Fixed upstream in openssh/openssh-portable@f6906f9.
It would be good if someone could keep an eye on this and let me know when it's available in a release.
If I'm not mistaken, it looks like it's available in OpenSSH 8.1.
Thanks.
OpenSSH feature request: test compatibility with hardened memory allocator Hardened Malloc |
After enabling the preload of libhardened_malloc.so, I'm not able to log in any more via SSH. This is the case for a system running Fedora 30 with all the latest updates as well as RHEL 7.7 with all the latest updates.
What I've done:
I looked through the logs after a failed login and could find something in /var/log/audit/audit.log on the server's side.
Please help.
Must be caused by libhardened_malloc.so because removing it from /etc/ld.so.preload fixes the problem.
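When triaging a failure like the one reported above, a seccomp kill appears in audit.log as a `type=SECCOMP` record whose `syscall=` field is only a number. The following is an added example, not part of the original issue or of either project's code: a Python parser that resolves that number for x86_64 records. The log lines are constructed samples, and the syscall table is a small subset chosen as an assumption about which calls matter for an allocator.

```python
import re

AUDIT_ARCH_X86_64 = 0xC000003E   # arch= value the kernel logs for x86_64
SIGSYS = 31                      # signal delivered when a seccomp filter kills
# Subset of the x86_64 syscall table, enough for allocator-related calls.
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect", 11: "munmap", 12: "brk", 28: "madvise"}

# Constructed sample records (not taken from the issue); the last one is truncated.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1565000000.100:410): pid=2101 uid=0 msg='op=login exe="/usr/sbin/sshd" res=failed'
type=SECCOMP msg=audit(1565000000.200:411): auid=4294967295 uid=74 gid=74 ses=4294967295 pid=2102 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=10 compat=0 ip=0x7f3a5c0e1b37 code=0x0
type=SECCOMP msg=audit(1565000000.300:412): auid=1000 uid=1000 gid=1000 ses=3 pid=2200 comm="demo" exe="/usr/bin/demo" sig=31 arch=c000003e syscall=999 compat=0 ip=0x401000 code=0x0
type=SECCOMP msg=audit(1565000000.400:413): auid=1000 uid=1000 pid=2300 comm="demo" sig=31 arch=c000003e
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_records(text):
    """Return one dict per well-formed type=SECCOMP record in the audit log text."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=SECCOMP "):
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        try:
            arch = int(fields["arch"], 16)
            nr = int(fields["syscall"])
            pid = int(fields["pid"])
            sig = int(fields.get("sig", "0"))
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        if arch == AUDIT_ARCH_X86_64:
            name = X86_64_SYSCALLS.get(nr, f"unknown({nr})")
        else:
            name = f"arch={arch:#x}:syscall={nr}"  # needs that architecture's table
        records.append({"exe": fields.get("exe", "?"), "pid": pid,
                        "syscall": name, "killed_by_sigsys": sig == SIGSYS})
    return records

def blocked_syscalls(text, exe):
    """Distinct syscalls a seccomp filter rejected for the given executable."""
    return sorted({r["syscall"] for r in parse_seccomp_records(text) if r["exe"] == exe})

if __name__ == "__main__":
    for rec in parse_seccomp_records(SAMPLE_LOG):
        print(rec)
```

On a real host, pass the contents of /var/log/audit/audit.log to `blocked_syscalls` with the sshd binary path; a result containing `mprotect` matches the filter violation discussed in the comments.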