Conversation

Daniel Micay

@DanielMicay

Since https://github.com/openssh/openssh-portable/blob/master/sandbox-seccomp-filter.c… doesn't whitelist mprotect, it's not compatible with OpenBSD malloc or hardened_malloc. I could technically use mmap with MAP_FIXED for instead of mprotect for the cases that happen after init (unprotecting slabs and metadata to allocate them)...

github.com

openssh-portable/sandbox-seccomp-filter.c at master · openssh/openssh-portable

Portable OpenSSH. Contribute to openssh/openssh-portable development by creating an account on GitHub.

5:21 PM · Aug 22, 2019·Twitter Web App

3

Likes

Yana

@sowelisuwi

·

Aug 22, 2019

Replying to

@DanielMicay

github.com

sandbox-seccomp-filter: allow mprotect syscall by sowelisuwi · Pull Request #142 · openssh/openss...

This allows to use portable OpenSSH with OpenBSD malloc and GrapheneOS hardened_malloc. See: https://github.com/openbsd/src/blob/df69c215c7c66baf660f3f65414fd34796c96152/lib/libc/stdlib/malloc.c#L...