Bug#991936: openssh-server: seccomp filter defaults to SIGSYS, could break any libc or kernel upgrade

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#991936: openssh-server: seccomp filter defaults to SIGSYS, could break any libc or kernel upgrade
From: Julian Andres Klode <jak@debian.org>
Date: Fri, 6 Aug 2021 11:29:15 +0200
Message-id: <[🔎] 20210806112422.GA3689864@debian.org>
Reply-to: Julian Andres Klode <jak@debian.org>, 991936@bugs.debian.org

Package: openssh-server
Version: 1:8.4p1-5ubuntu2
Severity: serious
X-Debbugs-Cc: jak@debian.org

seccomp filters are currently setup to kill the process

    #define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL

    /* Default deny */
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),

this means every new libc or kernel release can cause openssh
to break, requiring breaks from them on openssh, which does not
scale, and is currently breaking SSH during upgrades.

This also means openssh might fail to work inside containers
because the host kernel is newer.

The default policy needs to be changed to return ENOSYS instead,
such that libc can fallback to other syscalls for its wrappers.
With the caveat that umask is a bit broken, if you don't want to
allow it, block it explicitly with RET_KILL:

https://bugzilla.mozilla.org/show_bug.cgi?id=1724098

This should be fixed for bullseye+1, and fixed in a point release
IMO, it might be a tad too late right now for the release itself.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

Reply to:

Prev by Date: Bug#991797: the distributed ssh_config
Next by Date: Processed (with 1 error): bullseye-ignore
Previous by thread: Bug#991797: the distributed ssh_config
Next by thread: Processed (with 1 error): bullseye-ignore
Index(es):
- Date
- Thread