OpenSSH seems to auto-detect libseccomp if it's on the system and enable it. It does not have a USE for seccomp.

> OpenSSH has been configured with the following options:
>                      User binaries: /usr/bin
>                    System binaries: /usr/sbin
>                Configuration files: /etc/ssh
> ...
>               Random number source: OpenSSL internal ONLY
>              Privsep sandbox style: seccomp_filter

Reproducible: Always

Steps to Reproduce:
USE="-seccomp" emerge -v openssh

Actual Results:
The build system detects libseccomp on the system and enables it regardless of seccomp USE flag.

Expected Results:
seccomp should be disabled for openssh

(In reply to sam_c - Security Padawan from comment #0)
> OpenSSH seems to auto-detect libseccomp if it's on the system and enable it.
> It does not have a USE for seccomp.

OpenSSH does not utilize libseccomp; it makes the necessary system calls directly. Given that there is no external dependency, I don't see much point in adding a USE flag.

I agree, I didn't notice that it wasn't actually using libseccomp. I don't think there's much need to provide a USE flag just to let people shoot themselves in the foot with less sandboxing.
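
For readers wondering how a program can get a seccomp sandbox with no libseccomp dependency, as discussed in the thread above: the following added example (not OpenSSH's code and not part of the original thread) loads a seccomp-BPF filter using only the kernel's prctl(2) interface. The policy (deny `getppid`, allow everything else) and the function names `install_filter` and `filter_blocks_getppid` are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Constructed policy: getppid() fails with EPERM, everything else is allowed.
 * A production filter also checks seccomp_data.arch first (omitted here). */
static int install_filter(void)
{
    struct sock_filter insns[] = {
        /* Load the syscall number from struct seccomp_data. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* getppid: fall through to the ERRNO return; otherwise skip it. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };

    /* Needed so an unprivileged process may load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    /* Raw prctl(2) call; only kernel headers are used, no libseccomp. */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 1 if the filtered child saw EPERM from getppid, 0 if not, -1 on error. */
int filter_blocks_getppid(void)
{
    int status;
    pid_t pid = fork();   /* filter a child so the caller stays unfiltered */
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (install_filter() == -1)
            _exit(2);
        errno = 0;
        _exit(syscall(__NR_getppid) == -1 && errno == EPERM ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : (WEXITSTATUS(status) == 1 ? 0 : -1);
}

int main(void) { return filter_blocks_getppid() == 1 ? 0 : 1; }
```

It builds with a plain `cc` and Linux kernel headers, with no `-lseccomp`, which is why the presence of libseccomp on the system has no bearing on whether such a sandbox is compiled in.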