Bug 1777054 - login to ssh fails with seccomp denial
Summary: login to ssh fails with seccomp denial
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: arm
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-11-26 20:25 UTC by Paul Whalen
Modified: 2019-11-27 19:27 UTC (History)
8 users (show)

Fixed In Version: openssh-8.1p1-3.fc32
Clone Of:
Environment:
Last Closed: 2019-11-27 12:03:26 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenSSH Project 3100 0 None None None 2019-11-27 10:17:49 UTC

Description Paul Whalen 2019-11-26 20:25:58 UTC 
Hitting this in Rawhide on armhfp when attempting to login to a newly installed system via ssh

ssh pwhalen@bpi
Connection closed by 192.168.0.55 port 22

On the remote host:

Nov 26 15:09:04 bpi audit[814]: CRYPTO_KEY_USER pid=814 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:87:a2:84:e2:65:bd:bd:60:be:81:83:af:6c:81:a2:00:1f:bc:d6:7d:8'
Nov 26 15:09:04 bpi audit[813]: CRYPTO_SESSION pid=813 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-gcm ksize=256 mac=<implicit> pfs=curve'
Nov 26 15:09:04 bpi audit[813]: CRYPTO_SESSION pid=813 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes256-gcm ksize=256 mac=<implicit> pfs=curve'

Nov 26 15:09:04 bpi audit[814]: SECCOMP auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=814 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=407 compat=0 ip=0xb68a9550 code=00
Nov 26 15:09:04 bpi audit[814]: ANOM_ABEND auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=814 comm="sshd" exe="/usr/sbin/sshd" sig=31 res=1

Nov 26 15:09:04 bpi audit[813]: USER_ERR pid=813 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=192.168.0.11 addr=192.168.0.11 ter'
Nov 26 15:09:04 bpi audit[813]: CRYPTO_KEY_USER pid=813 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:87:a2:84:e2:65:bd:bd:60:be:81:83:af:6c:81:a2:00:1f:bc:d6:7d:8'
Nov 26 15:09:04 bpi audit[813]: USER_LOGIN pid=813 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="pwhalen" exe="/usr/sbin/sshd" hostname=? addr=192.168.0.11 terminal=ssh res=failed'

[root@bpi ~]# rpm -q openssh libseccomp glibc
openssh-8.1p1-2.fc32.armv7hl
libseccomp-2.4.2-1.fc32.armv7hl
glibc-2.30.9000-19.fc32.armv7hl

This looks very similar to BZ#1771946 however the syscall(407) in this case is for clock_nanosleep_time64, but the result is the same.
Comment 1 Jakub Jelen 2019-11-27 10:17:49 UTC 
Thank you for the report. It looks like your architecture has different syscalls in the latest glibc. I will add also this one to the whitelist (and reported upstream).

If somebody (Florian?) can point out a good reference to add also other syscalls that are equivalent to the clock_nanosleep() on other architectures, it would be very helpful so we would not have to wait until it breaks there too.
Comment 2 Jakub Jelen 2019-11-27 12:03:26 UTC 
The issue should be addressed with the latest build:

https://koji.fedoraproject.org/koji/taskinfo?taskID=39374262
Comment 3 Paul Whalen 2019-11-27 19:27:18 UTC 
Thanks, confirmed working with openssh-8.1p1-3.fc32.armv7hl.
Note You need to log in before you can comment on or make changes to this bug.