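--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -15,12 +15,12 @@
  */
 
 /*
- * Uncomment the SANDBOX_SECCOMP_FILTER_DEBUG macro below to help diagnose
- * filter breakage during development. *Do not* use this in production,
- * as it relies on making library calls that are unsafe in signal context.
+ * Uncomment the SANDBOX_SECCOMP_FILTER_DEBUG macro below and run sshd with
+ * stderr attached (sshd -De ... or sshd -d ...) to receive notifications of
+ * sandbox violations to stderr. E.g.
  *
- * Instead, live systems the auditctl(8) may be used to monitor failures.
- * E.g.
+ * Alternately, live systems the auditctl(8) may be used to monitor
+ * failures. E.g.
  *   auditctl -a task,always -F uid=<privsep uid>
  */
 /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */
@@ -364,18 +364,50 @@ ssh_sandbox_init(struct monitor *monitor)
 }
 
 #ifdef SANDBOX_SECCOMP_FILTER_DEBUG
-extern struct monitor *pmonitor;
-void mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx);
+/* convert an integer to a hex string; for use in signal handler */
+static const char *
+ntoh(long unsigned int n)
+{
+	static char ret[sizeof(long unsigned int) * 2 + 2 + 1];
+	int i = sizeof(ret) - 2;
+
+	if (n == 0)
+		return "0";
+	while (n > 0) {
+		ret[i--] = "0123456789abcdef"[n & 0xf];
+		n >>= 4;
+	}
+	ret[i--] = 'x';
+	ret[i--] = '0';
+	ret[sizeof(ret) - 1] = '\0';
+	return &(ret[i + 1]);
+}
 
 static void
 ssh_sandbox_violation(int signum, siginfo_t *info, void *void_context)
 {
 	char msg[256];
+	extern int log_stderr; /* from sshd.c */
+
+	/*
+	 * Attempt to write details of the offending syscall to stderr
+	 * using only signal handler-safe calls.
+	 */
+
+	if (!log_stderr)
+		return;
+
+	strlcpy(msg, __func__, sizeof(msg));
+	strlcat(msg, ": unexpected system call: arch:", sizeof(msg));
+	strlcat(msg, ntoh(info->si_arch), sizeof(msg));
+	strlcat(msg, " syscall:", sizeof(msg));
+	strlcat(msg, ntoh(info->si_syscall), sizeof(msg));
+	strlcat(msg, " addr:", sizeof(msg));
+	strlcat(msg, ntoh((unsigned long)info->si_call_addr), sizeof(msg));
+	strlcat(msg, "\n", sizeof(msg));
+
+	write(STDERR_FILENO, msg, strlen(msg));
 
-	snprintf(msg, sizeof(msg),
-	    "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)",
-	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
-	mm_log_handler(SYSLOG_LEVEL_FATAL, 0, msg, pmonitor);
 	_exit(1);
 }
 
@@ -391,14 +423,14 @@ ssh_sandbox_child_debugging(void)
 	sigaddset(&mask, SIGSYS);
 
 	act.sa_sigaction = &ssh_sandbox_violation;
-	act.sa_flags = SA_SIGINFO;
+	act.sa_flags = SA_SIGINFO | SA_RESETHAND;
 	if (sigaction(SIGSYS, &act, NULL) == -1)
 		fatal("%s: sigaction(SIGSYS): %s", __func__, strerror(errno));
 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
 		fatal("%s: sigprocmask(SIGSYS): %s",
 		    __func__, strerror(errno));
 }
-#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+#endif
 
 void
 ssh_sandbox_child(struct ssh_sandbox *box)
@@ -424,7 +456,7 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 
 #ifdef SANDBOX_SECCOMP_FILTER_DEBUG
 	ssh_sandbox_child_debugging();
-#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+#endif
 
 	debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__);
 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {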
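Review bot: In `ssh_sandbox_violation`, the new `if (!log_stderr) return;` leaves the SIGSYS handler without reaching `_exit(1)`, so a debug build running without stderr attached no longer terminates on a sandbox violation the way the removed code always did. If the debug filter traps rather than kills (not visible in these hunks), the offending call is skipped and the process keeps running; `SA_RESETHAND` only restores the default action for a second violation. The quiet path should still be fatal: `if (!log_stderr) _exit(1);`. The rewritten header comment also drops the old warning against enabling the macro in production and leaves a dangling "E.g." with no example after it; given the behaviour above, the warning is worth keeping.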
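--- a/sshd.c
+++ b/sshd.c
@@ -166,7 +166,7 @@ static int inetd_flag = 0;
 static int no_daemon_flag = 0;
 
 /* debug goes to stderr unless inetd_flag is set */
-static int log_stderr = 0;
+int log_stderr = 0;
 
 /* Saved arguments to main(). */
 static char **saved_argv;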
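Review bot: Dropping `static` from `log_stderr` gives the flag external linkage, but the only declaration visible on this page outside sshd.c is the block-scope `extern int log_stderr; /* from sshd.c */` added inside `ssh_sandbox_violation`, so the compiler cannot check that the two files agree on its type. Declaring it once in a header that both sshd.c and sandbox-seccomp-filter.c include would keep them in sync. The comment above the definition could also record the new reader, e.g. `/* debug goes to stderr unless inetd_flag is set; also read by the seccomp debug handler */`.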
