Problem:
Some applications use s2n-tls in a sandboxed environment which restricts the syscalls that a process is able to make. After s2n_init(), only essential syscalls should be performed to increase compatibility in these environments. A test should be added which initializes s2n-tls, enables seccomp with only the necessary syscalls permitted, and performs a handshake, ensuring that unexpected syscalls aren't made.
Changes may need to be made to s2n_init() in order to avoid lazily initializing libcrypto features that make syscalls. See: https://github.com/aws/aws-lc/blob/3c221518cc8f054209112f71b233c2404c5a8a3e/include/openssl/crypto.h#L75
AWS-LC added a similar test that we may be able to borrow from: https://github.com/aws/aws-lc/pull/1835
Solution:
Add a seccomp test to ensure that s2n-tls is able to run in sandboxed environments.
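As an added illustration of the harness such a test needs (example code written for this issue, not s2n-tls's or AWS-LC's own test): the parent runs a work function in a forked child under a seccomp allowlist, and any syscall outside the list kills the child with SIGSYS, which the parent reports. The s2n_init() call and the handshake are replaced by placeholder work, and the allowlist is a constructed one, not the set a real handshake requires.

```c
/* Added example, not s2n-tls's own code: a child runs a work function under
 * a syscall allowlist; any other syscall kills it with SIGSYS, which the
 * parent reports. Placeholder work stands in for s2n_init() and the handshake.
 * Linux only; SYS_* numbers are the build arch's, so a production filter
 * should also check seccomp_data.arch. */
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Install a BPF filter: listed syscalls (at most 16) pass, all else is fatal. */
static int install_allowlist(const int *allowed, size_t n) {
    struct sock_filter prog[2 * 16 + 2]; size_t i = 0;
    if (n > 16) return -1;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) { /* nr == allowed[k] ? ALLOW : try next entry */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    /* NO_NEW_PRIVS lets an unprivileged process install the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run fn in a sandboxed child: 0 on clean exit, killing signal (SIGSYS), or -1. */
static int run_sandboxed(void (*fn)(void), const int *allowed, size_t n) {
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) { /* the real test would call s2n_init() before the filter */
        if (install_allowlist(allowed, n) != 0) _exit(2);
        fn();
        _exit(0); /* exit_group, so it must be on the allowlist */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

/* Constructed allowlist standing in for what a real handshake needs. */
static const int allowlist[] = { SYS_read, SYS_write, SYS_exit_group };
#define ALLOWLIST_LEN (sizeof(allowlist) / sizeof(allowlist[0]))
static void expected_work(void) { ssize_t r = write(STDOUT_FILENO, "ok\n", 3); (void)r; }
static void unexpected_work(void) { (void)getppid(); } /* not permitted above */
int check_expected(void) { return run_sandboxed(expected_work, allowlist, ALLOWLIST_LEN); }
int check_unexpected(void) { return run_sandboxed(unexpected_work, allowlist, ALLOWLIST_LEN); }
```

In the real test, check_unexpected() would not exist; the handshake itself runs as the child's work, and a SIGSYS exit is the failure signal that a syscall outside the permitted set was made.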