f204766b8f
As explained in bug #14796, there are situations where the seccomp based sandboxing in openssh can get confused, leading to connection issues. As explained by Thomas in the bug report: glibc does not care about the kernel headers when deciding whether to try the clock_gettime64() syscall or not: it always use it, and if that fails at runtime, it falls back to clock_gettime(). This is how glibc ends up using clock_gettime64() even if your kernel does not support it. On the other hand, the OpenSSL seccomp code relies on kernel headers to decide whether the clock_gettime64() syscall should be in the allowed list of syscalls or not. So when you are in a situation where glibc is recent, but your kernel is older, you get into precisely the problem you have: glibc tries to use clock_gettime64, but OpenSSH seccomp configuration prevents that, which does not allow glibc to gracefully fallback to clock_gettime (as seccomp is configured to kill the process on filter violations). As a workaround, add a _OPENSSH_SANDBOX option (defaulting to y) to decide if sandboxing should be used or not. --with-sandbox expects the type of sandboxing to use, and if not specified, will use the first one available in a list: pledge, systrace, darwin, seccomp, capsicum, rlimit. On Linux, only seccomp and rlimit are available, and rlimit probably does not bring much security-wise, so in all practical matters, on Linux, sandboxing uses seccomp or there is no sandboxing, so let's just disable sandboxing when we do not want to use seccomp, and let configure detect seccomp when we request sandboxing. Fixes (works around) #14796 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> [yann.morin.1998@free.fr: add § about sandboxing types] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> |
||
|---|---|---|
| arch | ||
| board | ||
| boot | ||
| configs | ||
| docs | ||
| fs | ||
| linux | ||
| package | ||
| support | ||
| system | ||
| toolchain | ||
| utils | ||
| .clang-format | ||
| .defconfig | ||
| .flake8 | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| .shellcheckrc | ||
| CHANGES | ||
| Config.in | ||
| Config.in.legacy | ||
| COPYING | ||
| DEVELOPERS | ||
| Makefile | ||
| Makefile.legacy | ||
| README | ||
Buildroot is a simple, efficient and easy-to-use tool to generate embedded Linux systems through cross-compilation. The documentation can be found in docs/manual. You can generate a text document with 'make manual-text' and read output/docs/manual/manual.text. Online documentation can be found at http://buildroot.org/docs.html To build and use the buildroot stuff, do the following: 1) run 'make menuconfig' 2) select the target architecture and the packages you wish to compile 3) run 'make' 4) wait while it compiles 5) find the kernel, bootloader, root filesystem, etc. in output/images You do not need to be root to build or run buildroot. Have fun! Buildroot comes with a basic configuration for a number of boards. Run 'make list-defconfigs' to view the list of provided configurations. Please feed suggestions, bug reports, insults, and bribes back to the buildroot mailing list: buildroot@buildroot.org You can also find us on #buildroot on OFTC IRC. If you would like to contribute patches, please read https://buildroot.org/manual.html#submitting-patches