
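--- a/openssh-5.9p1/Makefile.in.sesandbox
+++ b/openssh-5.9p1/Makefile.in.sesandbox
@@ -90,7 +90,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o \
-	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
+	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-selinux.o
 
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5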
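--- a/openssh-5.9p1/configure.ac.sesandbox
+++ b/openssh-5.9p1/configure.ac.sesandbox
@@ -2476,7 +2476,7 @@ AC_SUBST([SSH_PRIVSEP_USER])
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
-	[  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace)],
+	[  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, selinux)],
 	[
 		if test "x$withval" = "xyes" ; then
 			sandbox_arg=""
@@ -2499,6 +2499,10 @@ elif test "x$sandbox_arg" = "xdarwin" ||
 		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
 	SANDBOX_STYLE="darwin"
 	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
+elif test "x$sandbox_arg" = "xselinux"  || \
+    test "x$WITH_SELINUX" = "x1"; then
+	SANDBOX_STYLE="selinux"
+	AC_DEFINE([SANDBOX_SELINUX], [1], [Sandbox using selinux(8)])
 elif test "x$sandbox_arg" = "xrlimit" || \
      ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
 	test "x$ac_cv_func_setrlimit" != "xyes" && \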
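Review bot: The new selinux branch tests `"x$WITH_SELINUX" = "x1"` without first requiring that no style was requested, and it sits ahead of the rlimit branch, so it appears to win even when the builder passed `--with-sandbox=rlimit`. The rlimit branch below guards its auto-selection with `test -z "$sandbox_arg"`; the same guard fits here: `elif test "x$sandbox_arg" = "xselinux" || ( test -z "$sandbox_arg" && test "x$WITH_SELINUX" = "x1" ) ; then`. An explicit `--with-sandbox=selinux` is also not checked against `WITH_SELINUX`, whereas the darwin branch above raises AC_MSG_ERROR when its prerequisites are missing. The start of the if/elif chain is outside this hunk, so how `no` is handled cannot be confirmed from here.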
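--- a/openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox
+++ b/openssh-5.9p1/openbsd-compat/port-linux.c.sesandbox
@@ -176,24 +176,24 @@ ssh_selinux_setup_pty(char *pwname, cons
 	debug3("%s: done", __func__);
 }
 
-void
+int
 ssh_selinux_change_context(const char *newname)
 {
-	int len, newlen;
+	int len, newlen, rv = -1;
 	char *oldctx, *newctx, *cx;
 	void (*switchlog) (const char *fmt,...) = logit;
 
 	if (!ssh_selinux_enabled())
-		return;
+		return -2;
 
 	if (getcon((security_context_t *)&oldctx) < 0) {
 		logit("%s: getcon failed with %s", __func__, strerror(errno));
-		return;
+		return -1;
 	}
 	if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
 	    NULL) {
 		logit ("%s: unparseable context %s", __func__, oldctx);
-		return;
+		return -1;
 	}
 
 	/*
@@ -201,8 +201,10 @@ ssh_selinux_change_context(const char *n
 	 * security context.
 	 */
 	if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE,
-	    sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0)
+	    sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0) {
 		switchlog = debug3;
+		rv = -2;
+	}
 
 	newlen = strlen(oldctx) + strlen(newname) + 1;
 	newctx = xmalloc(newlen);
@@ -216,8 +218,11 @@ ssh_selinux_change_context(const char *n
 	if (setcon(newctx) < 0)
 		switchlog("%s: setcon %s from %s failed with %s", __func__,
 		    newctx, oldctx, strerror(errno));
+	else
+		rv = 0;
 	xfree(oldctx);
 	xfree(newctx);
+	return rv;
 }
 
 void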
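Review bot: The new return codes of ssh_selinux_change_context() are undocumented, and -2 covers two different situations: SELinux disabled (the early `return -2;`) and a failed setcon() while the current type is unconfined, where `rv = -2` stays in place because only the success path sets `rv = 0`. The selinux sandbox added in this patch treats -2 as non-fatal, so in the unconfined case a failed transition leaves the process in its original domain with only a debug3 message from switchlog. A comment above the function such as `/* Returns 0 on success, -1 on error, -2 if SELinux is disabled or an unconfined context could not be switched */` would make that contract visible to callers. Part of the function body lies between the second and third hunks and is not shown.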
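--- a/openssh-5.9p1/openbsd-compat/port-linux.h.sesandbox
+++ b/openssh-5.9p1/openbsd-compat/port-linux.h.sesandbox
@@ -23,7 +23,7 @@
 int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_setup_exec_context(char *);
-void ssh_selinux_change_context(const char *);
+int ssh_selinux_change_context(const char *);
 void ssh_selinux_setfscreatecon(const char *);
 #endif
 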
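--- a/openssh-5.9p1/sandbox-darwin.c.sesandbox
+++ b/openssh-5.9p1/sandbox-darwin.c.sesandbox
@@ -83,6 +83,12 @@ ssh_sandbox_child(struct ssh_sandbox *bo
 }
 
 void
+ssh_sandbox_privileged_child(struct ssh_sandbox *box)
+{
+	/* empty */
+}
+
+void
 ssh_sandbox_parent_finish(struct ssh_sandbox *box)
 {
 	free(box);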
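--- a/openssh-5.9p1/sandbox-null.c.sesandbox
+++ b/openssh-5.9p1/sandbox-null.c.sesandbox
@@ -58,6 +58,12 @@ ssh_sandbox_child(struct ssh_sandbox *bo
 }
 
 void
+ssh_sandbox_privileged_child(struct ssh_sandbox *box)
+{
+	/* empty */
+}
+
+void
 ssh_sandbox_parent_finish(struct ssh_sandbox *box)
 {
 	free(box);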
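--- a/openssh-5.9p1/sandbox-rlimit.c.sesandbox
+++ b/openssh-5.9p1/sandbox-rlimit.c.sesandbox
@@ -78,6 +78,12 @@ ssh_sandbox_child(struct ssh_sandbox *bo
 }
 
 void
+ssh_sandbox_privileged_child(struct ssh_sandbox *box)
+{
+	/* empty */
+}
+
+void
 ssh_sandbox_parent_finish(struct ssh_sandbox *box)
 {
 	free(box);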
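--- a/openssh-5.9p1/sandbox-selinux.c.sesandbox
+++ b/openssh-5.9p1/sandbox-selinux.c.sesandbox
@@ -0,0 +1,122 @@
+/* $Id: sandbox-selinux.c,v 1.0 2011/01/17 10:15:30 jfch Exp $ */
+ 
+/*
+ * Copyright 2011 Red Hat, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
+ */
+
+
+#include "includes.h"
+
+#ifdef SANDBOX_SELINUX
+
+#include <sys/types.h>
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/resource.h>
+
+#include "log.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+#include "openbsd-compat/port-linux.h"
+
+/* selinux based sandbox */
+
+struct ssh_sandbox {
+	pid_t child_pid;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(void)
+{
+	struct ssh_sandbox *box;
+
+	/*
+	 * Strictly, we don't need to maintain any state here but we need
+	 * to return non-NULL to satisfy the API.
+	 */
+	debug3("selinux sandbox init");
+	box = xcalloc(1, sizeof(*box));
+	box->child_pid = 0;
+	return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+	struct rlimit rl_zero;
+
+	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+
+	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
+			__func__, strerror(errno));
+	if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
+			__func__, strerror(errno));
+#ifdef HAVE_RLIMIT_NPROC
+	if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
+			__func__, strerror(errno));
+#endif
+}
+
+void
+ssh_sandbox_privileged_child(struct ssh_sandbox *box)
+{
+	switch (ssh_selinux_change_context("sshd_sandbox_t")) {
+	case 0:
+		debug3("selinux sandbox child sucessfully enabled");
+		break;
+	case -2:
+		logit("selinux sandbox not useful");
+		break;
+	case -1:
+		fatal("cannot set up selinux sandbox");
+	default:
+		fatal("inmternal error in selinux sandbox");
+	}
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+	free(box);
+	debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+	debug3("selinux sandbox parent sucessfully enabled");
+	box->child_pid = child_pid;
+}
+
+#endif /* SANDBOX_NULL */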
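Review bot: In ssh_sandbox_privileged_child() the `case -2` arm only calls `logit("selinux sandbox not useful")` and continues, so the pre-auth child keeps running without the sshd_sandbox_t transition and is limited only by the rlimits set in ssh_sandbox_child(). If that fallback is intended, the message should say which confinement is missing, for example `logit("selinux sandbox: context switch unavailable, continuing with rlimits only");`; otherwise this arm should be fatal like `case -1`. The closing guard comment reads `#endif /* SANDBOX_NULL */` although the block opens with `#ifdef SANDBOX_SELINUX`, and the log strings contain the typos `sucessfully` and `inmternal`.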
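--- a/openssh-5.9p1/sandbox-systrace.c.sesandbox
+++ b/openssh-5.9p1/sandbox-systrace.c.sesandbox
@@ -109,6 +109,12 @@ ssh_sandbox_child(struct ssh_sandbox *bo
 	close(box->child_sock);
 }
 
+void
+ssh_sandbox_privileged_child(struct ssh_sandbox *box)
+{
+	/* empty */
+}
+
 static void
 ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
     const struct sandbox_policy *allowed_syscalls)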
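--- a/openssh-5.9p1/ssh-sandbox.h.sesandbox
+++ b/openssh-5.9p1/ssh-sandbox.h.sesandbox
@@ -19,5 +19,6 @@ struct ssh_sandbox;
 
 struct ssh_sandbox *ssh_sandbox_init(void);
 void ssh_sandbox_child(struct ssh_sandbox *);
+void ssh_sandbox_privileged_child(struct ssh_sandbox *);
 void ssh_sandbox_parent_finish(struct ssh_sandbox *);
 void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t);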
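Review bot: The new prototype `ssh_sandbox_privileged_child` carries no comment saying when the hook runs, and that is the one thing an implementer of a new sandbox style needs to know. Per the sshd.c change in this patch it is called in the pre-auth child only when getuid() or geteuid() is 0, immediately before privsep_preauth_child(). A one-line comment above the declaration, e.g. `/* Called in the pre-auth child while still privileged, before privsep_preauth_child() */`, would record that.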
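--- a/openssh-5.9p1/sshd.c.sesandbox
+++ b/openssh-5.9p1/sshd.c.sesandbox
@@ -673,8 +673,10 @@ privsep_preauth(Authctxt *authctxt)
 		set_log_handler(mm_log_handler, pmonitor);
 
 		/* Demote the child */
-		if (getuid() == 0 || geteuid() == 0)
+		if (getuid() == 0 || geteuid() == 0) {
+			ssh_sandbox_privileged_child(box);
 			privsep_preauth_child();
+		}
 		setproctitle("%s", "[net]");
 		if (box != NULL)
 			ssh_sandbox_child(box);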
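Review bot: `ssh_sandbox_privileged_child(box)` is called without the `box != NULL` test that guards `ssh_sandbox_child(box)` three lines below, so the hook apparently runs even when no sandbox was initialised. The stub implementations in this patch ignore `box`, but the selinux one would then attempt the switch to sshd_sandbox_t whether or not sandboxing was requested, and any later implementation that dereferences `box` would crash. Suggested change inside the new braces: `if (box != NULL)` followed by `ssh_sandbox_privileged_child(box);`. privsep_preauth() starts and ends outside this hunk, so where `box` is assigned is not visible here.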
