s2n-tls needs a chroot test #4360
Labels
Comments
|
I would suggest a broader 'sandboxing' test (maybe out of scope of this issue). Isolation strategies like chroot and seccomp filtering might rely on s2n-tls fully initializing before-hand to avoid unwanted inits later for various reasons. I recognize seccomp filtering is a hard one to test, as consumers will have varying syscall allowlists. |
|
Adding a seccomp test is being tracked in #4766 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem:
s2n-tls was built with the idea of being functional after a chroot call. We don't have any tests that assert that we can still do a handshake after a call to chroot. Presumably the fear is that after the call we may not be able to access our entropy file descriptor to pull random values.
Solution:
Add a test that calls chroot() after(before?) the s2n-library initialization and then performs a negotiation.
The text was updated successfully, but these errors were encountered: