seccomp-bpf filter violation in sshd #97
Comments
|
I think this is a violation of their seccomp-bpf filter, which doesn't whitelist mprotect. It will need to be addressed like the man-db issue. |
thestinger
changed the title
|
You can see in https://github.com/openssh/openssh-portable/blob/master/sandbox-seccomp-filter.c that mprotect is not whitelisted. |
|
That was a quick response! :) |
|
The same problem with https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=0951f82c611c4a3c14271b0fa9c4919c84b7afe7 It would technically be possible for hardened_malloc to use mmap with MAP_FIXED instead of mprotect to unprotect slabs, metadata and the non-guard portion of large allocations. However, |
|
Someone already opened a pull request: |
|
Fixed upstream in openssh/openssh-portable@f6906f9. |
|
It would be good if someone could keep an eye on this and let me know when it's available in a release. |
|
If I'm not mistaken, it looks like it's available in OpenSSH 8.1. |
|
Thanks. |
|
OpenSSH feature request: test compatibility with hardened memory allocator Hardened Malloc |
After enabling the preload of the libhardened_malloc.so, I'm not able to login any more via SSH. This is the case for a system running the Fedora 30 with all the latest updates as well as RHEL 7.7 with all the latest updates.
What I've done:
I looked through the logs after a failed login and could find something in /var/log/audit/audit.log on the server's side.
Please help.
Must be caused by libhardened_malloc.so because removing it from /etc/ld.so.preload fixes the problem.
The text was updated successfully, but these errors were encountered: