Changes since OpenSSH 5.8
=========================
Introduce sandboxing of the pre-auth privsep child using an
optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that
enables mandatory restrictions on the syscalls the privsep child
can perform. The intention is to prevent a compromised privsep
child from being used to attack other hosts (by opening sockets and
proxying) or from probing the local kernel attack surface.
Three concrete sandbox implementations are provided (selected at
configure time): systrace, seatbelt and rlimit.
The systrace sandbox uses systrace(4) in unsupervised
"fast-path" mode, where a list of permitted syscalls is supplied.
Any syscall not on the list results in SIGKILL being sent to the
privsep child. Note that this requires a kernel with the new
SYSTR_POLICY_KILL option (only OpenBSD has this mode at
The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with
a strict (kSBXProfilePureComputation) policy that disables access
to filesystem and network resources.
The rlimit sandbox is a fallback choice for platforms that don't
support a better one; it uses setrlimit() to reset the hard limit
on file descriptors and processes to zero, which should prevent the
privsep child from forking or opening new network connections.
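The rlimit fallback described above, as an added example that is not
OpenSSH's own sandbox-rlimit code: a C program forks a child, zeroes the
child's soft and hard RLIMIT_NOFILE and RLIMIT_NPROC, and has the child
probe open(), socket() and fork(). The report is sent back over a pipe
that was created before the limits were applied, which mirrors how the
real privsep child keeps talking to the monitor over an already-open
socket. The struct and function names are this example's own. It also
records a caveat the page leaves implicit: on Linux RLIMIT_NPROC is not
enforced for root, so the fork() probe only shows the intended effect
when run as an unprivileged user, which is how the privsep child runs.

```c
/* Added example, not OpenSSH's sandbox-rlimit.c: apply an rlimit-style
 * sandbox in a child process and observe what it can still do. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

struct probe_result {
    int open_errno;   /* errno from open("/dev/null"), 0 if it succeeded */
    int socket_errno; /* errno from socket(), 0 if it succeeded */
    int fork_errno;   /* errno from fork(), 0 if it succeeded */
};

/* Zero both the soft and the hard limit so the child cannot raise them
 * again. Returns 0 on success, -1 (with errno set) on failure. */
int apply_rlimit_sandbox(void)
{
    struct rlimit rl_zero;

    rl_zero.rlim_cur = 0;
    rl_zero.rlim_max = 0;
    if (setrlimit(RLIMIT_NOFILE, &rl_zero) != 0)
        return -1;
    if (setrlimit(RLIMIT_NPROC, &rl_zero) != 0)
        return -1;
    return 0;
}

/* Runs inside the sandboxed child: attempt the operations the sandbox is
 * meant to block and record the errno of each. */
static void probe_and_report(int report_fd)
{
    struct probe_result r;
    int fd;
    pid_t p;

    memset(&r, 0, sizeof(r));

    /* Any new descriptor, file or socket, is refused with EMFILE. */
    fd = open("/dev/null", O_RDONLY);
    r.open_errno = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);

    fd = socket(AF_INET, SOCK_STREAM, 0);
    r.socket_errno = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);

    /* fork() fails with EAGAIN for an unprivileged user. Caveat: Linux
     * does not enforce RLIMIT_NPROC for root, so as root this succeeds. */
    p = fork();
    if (p == 0)
        _exit(0); /* grandchild: fork was not blocked, just leave */
    r.fork_errno = (p < 0) ? errno : 0;
    if (p > 0)
        waitpid(p, NULL, 0);

    /* The pre-existing pipe still works: rlimits cap the creation of new
     * descriptors, not the use of ones that are already open. */
    (void)write(report_fd, &r, sizeof(r));
}

/* Fork a child, sandbox it, run the probe and collect the report.
 * Returns 0 if a complete report arrived, -1 otherwise. */
int run_sandboxed_probe(struct probe_result *out)
{
    int pfd[2];
    pid_t child;
    ssize_t n;

    if (pipe(pfd) != 0)
        return -1;
    child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        close(pfd[0]);
        if (apply_rlimit_sandbox() != 0)
            _exit(1);
        probe_and_report(pfd[1]);
        _exit(0);
    }
    close(pfd[1]);
    n = read(pfd[0], out, sizeof(*out));
    close(pfd[0]);
    waitpid(child, NULL, 0);
    return (n == (ssize_t)sizeof(*out)) ? 0 : -1;
}

int main(void)
{
    struct probe_result r;

    if (run_sandboxed_probe(&r) != 0) {
        fprintf(stderr, "no report from sandboxed child\n");
        return 1;
    }
    printf("open():   %s\n", r.open_errno ? strerror(r.open_errno) : "succeeded");
    printf("socket(): %s\n", r.socket_errno ? strerror(r.socket_errno) : "succeeded");
    printf("fork():   %s\n", r.fork_errno ? strerror(r.fork_errno) : "succeeded");
    return 0;
}
```

Build with `cc -o rlimit_probe rlimit_probe.c` and run it as an
unprivileged user to see all three probes refused. Note what this
sandbox does not do: it only caps descriptor and process creation and
leaves the rest of the syscall surface reachable, which is why the
notes above rank it as a fallback behind the systrace and seatbelt
implementations that filter syscalls directly.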
Sandboxing of the privilege separated child process is currently
experimental but should become the default in a future release.
Native sandboxes for other platforms are welcome (e.g. Capsicum,
Linux pid/net namespaces, etc.)