openssh: Fall back to SANDBOX_RLIMIT when SANDBOX_SECCOMP_FILTER is not supported

3 files changed, 6 insertions, 4 deletions

diff --git a/pkg/openssh/README.md b/pkg/openssh/README.md
index 7f0fc234..c29ad8cc 100644
--- a/pkg/openssh/README.md
+++ b/pkg/openssh/README.md
@@ -6,7 +6,7 @@ Generated with
 	./configure \
 		--disable-wtmp \
 		--without-pie \
-		CPPFLAGS='-I/src/oasis/out/pkg/zlib' \
+		CPPFLAGS='-I/src/oasis/out/pkg/zlib/include' \
 		LDFLAGS='-L/src/oasis/out/pkg/libressl -L/src/oasis/out/pkg/openbsd -L/src/oasis/out/pkg/zlib' \
 		LIBS='-lbsd -lcrypto'
 
diff --git a/pkg/openssh/config.h b/pkg/openssh/config.h
index 1e4c7953..879660dd 100644
--- a/pkg/openssh/config.h
+++ b/pkg/openssh/config.h
@@ -552,8 +552,6 @@
 /* #undef SANDBOX_DARWIN */
 /* #undef SANDBOX_NULL */
 /* #undef SANDBOX_PLEDGE */
-/* #undef SANDBOX_RLIMIT */
-#define SANDBOX_SECCOMP_FILTER 1
 /* #undef SANDBOX_SKIP_RLIMIT_FSIZE */
 /* #undef SANDBOX_SKIP_RLIMIT_NOFILE */
 /* #undef SANDBOX_SOLARIS */
diff --git a/pkg/openssh/gen.lua b/pkg/openssh/gen.lua
index 78b7aaa5..f23c42e8 100644
--- a/pkg/openssh/gen.lua
+++ b/pkg/openssh/gen.lua
@@ -1,8 +1,12 @@
 local arch = config.target.toolchain:match('[^-]*')
+local archflags = {
+	x86_64='-D SANDBOX_SECCOMP_FILTER=1 -D SECCOMP_AUDIT_ARCH=AUDIT_ARCH_X86_64',
+	aarch64='-D SANDBOX_SECCOMP_FILTER=1 -D SECCOMP_AUDIT_ARCH=AUDIT_ARCH_AARCH64',
+}
 cflags{
 	'-D _XOPEN_SOURCE=600',
 	'-D _DEFAULT_SOURCE',
-	'-D SECCOMP_AUDIT_ARCH=AUDIT_ARCH_'..arch:upper(),
+	archflags[config.target.toolchain:match('[^-]*')] or '-D SANDBOX_RLIMIT=1',
 	'-I $dir',
 	'-I $srcdir',
 	'-I $srcdir/openbsd-compat',