Mailing List Archive

Shutdown in Seccomp Filter
Hi!

I was looking at the openssh seccomp filter and I was curious why is
shutdown is allowed in the whitelist?

I've been doing an analysis on the openssh code and the callpaths I find
which call shutdown have the form:

main->do_authenticated->server_loop2->channel_after_select->channel_handler->channel_post_mux_client->read_mux->chan_read_failed->chan_shutdown_read->shutdown

However, isn't do_authenticated handled in the parent process which isn't
sandboxed? I might be gravely mistaken here so my apologies if I'm wrong.

Regards,
Shankara Pailoor
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Shutdown in Seccomp Filter [ In reply to ]
On Mon, Jun 10, 2019 at 07:48:03AM -0700, shankarapailoor . wrote:
> I was looking at the openssh seccomp filter and I was curious why is
> shutdown is allowed in the whitelist?
>
> I've been doing an analysis on the openssh code and the callpaths I find
> which call shutdown have the form:
>
> main->do_authenticated->server_loop2->channel_after_select->channel_handler->channel_post_mux_client->read_mux->chan_read_failed->chan_shutdown_read->shutdown
>
> However, isn't do_authenticated handled in the parent process which isn't
> sandboxed? I might be gravely mistaken here so my apologies if I'm wrong.

It was originally added here:

https://anongit.mindrot.org/openssh.git/commit/?id=7e5cec6070673e9f9785ffc749837ada22fbe99f

... but then that shutdown call was removed here:

https://anongit.mindrot.org/openssh.git/commit/?id=dc5dc45662773c0f7745c29cf77ae2d52723e55e

... so it does indeed seem possible that it's no longer needed, though I
imagine it'd need some testing.

--
Colin Watson [cjwatson@debian.org]
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev