Attachment #2154 for bug #2011

Lines 90-97 SSHDOBJS=sshd.o auth-rhosts.o auth-passw Link Here

(-)Makefile.in (-2 / +2 lines)
90	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \	90	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
91	sftp-server.o sftp-common.o \	91	sftp-server.o sftp-common.o \
92	roaming_common.o roaming_serv.o \	92	roaming_common.o roaming_serv.o \
93	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \	93	sandbox.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o \
94	sandbox-seccomp-filter.o	94	sandbox-darwin.o sandbox-seccomp-filter.o
95		95
96	MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out	96	MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
97	MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5	97	MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5




	#include <linux/seccomp.h>
])
fi
if test "x$have_seccomp_filter" = "x1" ; then
AC_MSG_CHECKING([kernel for seccomp_filter support])
AC_RUN_IFELSE([AC_LANG_PROGRAM([[
		#include <errno.h>
		#include <linux/seccomp.h>
		#include <stdlib.h>
		#include <sys/prctl.h>
	]],
	[[ errno = 0;
	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	   exit(errno == EFAULT ? 0 : 1); ]])],
	[ AC_MSG_RESULT([yes]) ], [
		AC_MSG_RESULT([no])
		# Disable seccomp filter as a target
		have_seccomp_filter=0
	],
	[ AC_MSG_RESULT([cross-compiling, assuming yes]) ]
)
fi

use_stack_protector=1
AC_ARG_WITH([stackprotect],

		fi
	]
)
SANDBOX_STYLE=""
if test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
	test "x$have_systr_policy_kill" != "x1" && \
		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
	SANDBOX_STYLE="$SANDBOX_STYLE systrace"
	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
fi
if test "x$sandbox_arg" = "xdarwin" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
	     "x$ac_cv_header_sandbox_h" != "xyes" && \
		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	SANDBOX_STYLE="$SANDBOX_STYLE darwin"
	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
fi
if test "x$sandbox_arg" = "xseccomp_filter" || \
     ( test -z "$sandbox_arg" && \
       test "x$have_seccomp_filter" == "x1" && \
       test "x$ac_cv_header_linux_audit_h" = "xyes" && \

		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
	test "x$ac_cv_func_prctl" != "xyes" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
	SANDBOX_STYLE="$SANDBOX_STYLE seccomp_filter"
	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
fi
if test "x$sandbox_arg" = "xrlimit" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
	test "x$ac_cv_func_setrlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
	SANDBOX_STYLE="$SANDBOX_STYLE rlimit"
	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
fi
if test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
	SANDBOX_STYLE="$SANDBOX_STYLE none"
fi
if test -z "$SANDBOX_STYLE" ; then
	AC_MSG_ERROR([unsupported --with-sandbox])
fi
SANDBOX_STYLE="${SANDBOX_STYLE# }"

# Cheap hack to ensure NEWS-OS libraries are arranged right.
if test ! -z "$SONY" ; then

Lines 16-25 Link Here

(-)sandbox-darwin.c (-12 / +42 lines)
16		16
17	#include "includes.h"	17	#include "includes.h"
18		18
19	#ifdef SANDBOX_DARWIN
20
21	#include <sys/types.h>	19	#include <sys/types.h>
22		20
		21	#include "ssh-sandbox.h"
		22
		23	#ifdef SANDBOX_DARWIN
		24
23	#include <sandbox.h>	25	#include <sandbox.h>
24		26
25	#include <errno.h>	27	#include <errno.h>
Lines 30-36 Link Here
30	#include <unistd.h>	32	#include <unistd.h>
31		33
32	#include "log.h"	34	#include "log.h"
33	#include "sandbox.h"
34	#include "xmalloc.h"	35	#include "xmalloc.h"
35		36
36	/* Darwin/OS X sandbox */	37	/* Darwin/OS X sandbox */
Lines 39-46 struct ssh_sandbox { Link Here
39	pid_t child_pid;	40	pid_t child_pid;
40	};	41	};
41		42
42	struct ssh_sandbox *	43	static int
43	ssh_sandbox_init(void)	44	sandbox_darwin_probe(void)
		45	{
		46	return 1;
		47	}
		48
		49	static void *
		50	sandbox_darwin_init(void)
44	{	51	{
45	struct ssh_sandbox *box;	52	struct ssh_sandbox *box;
46		53
Lines 55-63 ssh_sandbox_init(void) Link Here
55	return box;	62	return box;
56	}	63	}
57		64
58	void	65	static void
59	ssh_sandbox_child(struct ssh_sandbox *box)	66	sandbox_darwin_child(void *vbox)
60	{	67	{
		68	struct ssh_sandbox *box = vbox;
61	char *errmsg;	69	char *errmsg;
62	struct rlimit rl_zero;	70	struct rlimit rl_zero;
63		71
Lines 82-98 ssh_sandbox_child(struct ssh_sandbox *bo Link Here
82	__func__, strerror(errno));	90	__func__, strerror(errno));
83	}	91	}
84		92
85	void	93	static void
86	ssh_sandbox_parent_finish(struct ssh_sandbox *box)	94	sandbox_darwin_parent_finish(void *vbox)
87	{	95	{
88	free(box);	96	free(vbox);
89	debug3("%s: finished", __func__);	97	debug3("%s: finished", __func__);
90	}	98	}
91		99
92	void	100	static void
93	ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)	101	sandbox_darwin_parent_preauth(void *box, pid_t child_pid)
94	{	102	{
		103	struct ssh_sandbox *box = vbox;
		104
95	box->child_pid = child_pid;	105	box->child_pid = child_pid;
96	}	106	}
		107
		108	Sandbox ssh_sandbox_darwin = {
		109	"darwin",
		110	sandbox_darwin_probe,
		111	sandbox_darwin_init,
		112	sandbox_darwin_child,
		113	sandbox_darwin_parent_finish,
		114	sandbox_darwin_parent_preauth
		115	};
		116
		117	#else /* !SANDBOX_DARWIN */
		118
		119	Sandbox ssh_sandbox_darwin = {
		120	"darwin",
		121	NULL,
		122	NULL,
		123	NULL,
		124	NULL,
		125	NULL
		126	};
97		127
98	#endif /* SANDBOX_DARWIN */	128	#endif /* SANDBOX_DARWIN */

Lines 17-24 Link Here

(-)sandbox-null.c (-12 / +23 lines)
17		17
18	#include "includes.h"	18	#include "includes.h"
19		19
20	#ifdef SANDBOX_NULL
21
22	#include <sys/types.h>	20	#include <sys/types.h>
23		21
24	#include <errno.h>	22	#include <errno.h>
Lines 38-45 struct ssh_sandbox { Link Here
38	int junk;	36	int junk;
39	};	37	};
40		38
41	struct ssh_sandbox *	39	static int
42	ssh_sandbox_init(void)	40	sandbox_null_probe(void)
		41	{
		42	return 1;
		43	}
		44
		45	static void *
		46	sandbox_null_init(void)
43	{	47	{
44	struct ssh_sandbox *box;	48	struct ssh_sandbox *box;
45		49
Lines 51-72 ssh_sandbox_init(void) Link Here
51	return box;	55	return box;
52	}	56	}
53		57
54	void	58	static void
55	ssh_sandbox_child(struct ssh_sandbox *box)	59	sandbox_null_child(void *vbox)
56	{	60	{
57	/* Nothing to do here */	61	/* Nothing to do here */
58	}	62	}
59		63
60	void	64	static void
61	ssh_sandbox_parent_finish(struct ssh_sandbox *box)	65	sandbox_null_parent_finish(void *vbox)
62	{	66	{
63	free(box);	67	free(vbox);
64	}	68	}
65		69
66	void	70	static void
67	ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)	71	sandbox_null_parent_preauth(void *box, pid_t child_pid)
68	{	72	{
69	/* Nothing to do here */	73	/* Nothing to do here */
70	}	74	}
71		75
72	#endif /* SANDBOX_NULL */	76	Sandbox ssh_sandbox_null = {
		77	"null",
		78	sandbox_null_probe,
		79	sandbox_null_init,
		80	sandbox_null_child,
		81	sandbox_null_parent_finish,
		82	sandbox_null_parent_preauth
		83	};

Lines 17-25 Link Here

(-)sandbox-rlimit.c (-11 / +41 lines)
17		17
18	#include "includes.h"	18	#include "includes.h"
19		19
		20	#include <sys/types.h>
		21
		22	#include "ssh-sandbox.h"
		23
20	#ifdef SANDBOX_RLIMIT	24	#ifdef SANDBOX_RLIMIT
21		25
22	#include <sys/types.h>
23	#include <sys/param.h>	26	#include <sys/param.h>
24	#include <sys/time.h>	27	#include <sys/time.h>
25	#include <sys/resource.h>	28	#include <sys/resource.h>
Lines 32-38 Link Here
32	#include <unistd.h>	35	#include <unistd.h>
33		36
34	#include "log.h"	37	#include "log.h"
35	#include "ssh-sandbox.h"
36	#include "xmalloc.h"	38	#include "xmalloc.h"
37		39
38	/* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */	40	/* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */
Lines 41-48 struct ssh_sandbox { Link Here
41	pid_t child_pid;	43	pid_t child_pid;
42	};	44	};
43		45
44	struct ssh_sandbox *	46	static int
45	ssh_sandbox_init(void)	47	sandbox_rlimit_probe(void)
		48	{
		49	return 1;
		50	}
		51
		52	static void *
		53	sandbox_rlimit_init(void)
46	{	54	{
47	struct ssh_sandbox *box;	55	struct ssh_sandbox *box;
48		56
Lines 57-64 ssh_sandbox_init(void) Link Here
57	return box;	65	return box;
58	}	66	}
59		67
60	void	68	static void
61	ssh_sandbox_child(struct ssh_sandbox *box)	69	sandbox_rlimit_child(void *vbox)
62	{	70	{
63	struct rlimit rl_zero;	71	struct rlimit rl_zero;
64		72
Lines 77-93 ssh_sandbox_child(struct ssh_sandbox *bo Link Here
77	#endif	85	#endif
78	}	86	}
79		87
80	void	88	static void
81	ssh_sandbox_parent_finish(struct ssh_sandbox *box)	89	sandbox_rlimit_parent_finish(void *vbox)
82	{	90	{
83	free(box);	91	free(vbox);
84	debug3("%s: finished", __func__);	92	debug3("%s: finished", __func__);
85	}	93	}
86		94
87	void	95	static void
88	ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)	96	sandbox_rlimit_parent_preauth(void *vbox, pid_t child_pid)
89	{	97	{
		98	struct ssh_sandbox *box = vbox;
		99
90	box->child_pid = child_pid;	100	box->child_pid = child_pid;
91	}	101	}
		102
		103	Sandbox ssh_sandbox_rlimit = {
		104	"rlimit",
		105	sandbox_rlimit_probe,
		106	sandbox_rlimit_init,
		107	sandbox_rlimit_child,
		108	sandbox_rlimit_parent_finish,
		109	sandbox_rlimit_parent_preauth
		110	};
		111
		112	#else /* !SANDBOX_RLIMIT */
		113
		114	Sandbox ssh_sandbox_rlimit = {
		115	"rlimit",
		116	NULL,
		117	NULL,
		118	NULL,
		119	NULL,
		120	NULL
		121	};
92		122
93	#endif /* SANDBOX_RLIMIT */	123	#endif /* SANDBOX_RLIMIT */

Lines 35-45 Link Here

(-)sandbox-seccomp-filter.c (-15 / +69 lines)
35		35
36	#include "includes.h"	36	#include "includes.h"
37		37
		38	#include <sys/types.h>
		39
		40	#include "ssh-sandbox.h"
		41
38	#ifdef SANDBOX_SECCOMP_FILTER	42	#ifdef SANDBOX_SECCOMP_FILTER
39		43
40	#include <sys/types.h>
41	#include <sys/resource.h>	44	#include <sys/resource.h>
42	#include <sys/prctl.h>	45	#include <sys/prctl.h>
		46	#include <sys/wait.h>
43		47
44	#include <linux/audit.h>	48	#include <linux/audit.h>
45	#include <linux/filter.h>	49	#include <linux/filter.h>
Lines 57-63 Link Here
57	#include <unistd.h>	61	#include <unistd.h>
58		62
59	#include "log.h"	63	#include "log.h"
60	#include "ssh-sandbox.h"
61	#include "xmalloc.h"	64	#include "xmalloc.h"
62		65
63	/* Linux seccomp_filter sandbox */	66	/* Linux seccomp_filter sandbox */
Lines 122-129 struct ssh_sandbox { Link Here
122	pid_t child_pid;	125	pid_t child_pid;
123	};	126	};
124		127
125	struct ssh_sandbox *	128	static int
126	ssh_sandbox_init(void)	129	sandbox_seccomp_filter_probe(void)
		130	{
		131	int status;
		132	pid_t pid;
		133
		134	pid = fork();
		135	if (pid == -1) {
		136	fatal("fork of seccomp_filter probe child failed");
		137	} else if (pid != 0) {
		138	/* parent */
		139	while (waitpid(pid, &status, 0) < 0) {
		140	if (errno == EINTR)
		141	continue;
		142	fatal("%s: waitpid: %s", __func__, strerror(errno));
		143	}
		144	return (WIFEXITED(status) && WEXITSTATUS(status) == 0);
		145	} else {
		146	/* child */
		147	errno = 0;
		148	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
		149	&preauth_program) == 0)
		150	_exit(0);
		151	else
		152	_exit(1);
		153	}
		154	}
		155
		156	static void *
		157	sandbox_seccomp_filter_init(void)
127	{	158	{
128	struct ssh_sandbox *box;	159	struct ssh_sandbox *box;
129		160
Lines 143-149 extern struct monitor *pmonitor; Link Here
143	void mm_log_handler(LogLevel level, const char msg, void ctx);	174	void mm_log_handler(LogLevel level, const char msg, void ctx);
144		175
145	static void	176	static void
146	ssh_sandbox_violation(int signum, siginfo_t info, void void_context)	177	sandbox_seccomp_filter_violation(int signum, siginfo_t *info,
		178	void *void_context)
147	{	179	{
148	char msg[256];	180	char msg[256];
149		181
Lines 155-161 ssh_sandbox_violation(int signum, siginf Link Here
155	}	187	}
156		188
157	static void	189	static void
158	ssh_sandbox_child_debugging(void)	190	sandbox_seccomp_filter_child_debugging(void)
159	{	191	{
160	struct sigaction act;	192	struct sigaction act;
161	sigset_t mask;	193	sigset_t mask;
Lines 165-171 ssh_sandbox_child_debugging(void) Link Here
165	sigemptyset(&mask);	197	sigemptyset(&mask);
166	sigaddset(&mask, SIGSYS);	198	sigaddset(&mask, SIGSYS);
167		199
168	act.sa_sigaction = &ssh_sandbox_violation;	200	act.sa_sigaction = &sandbox_seccomp_filter_violation;
169	act.sa_flags = SA_SIGINFO;	201	act.sa_flags = SA_SIGINFO;
170	if (sigaction(SIGSYS, &act, NULL) == -1)	202	if (sigaction(SIGSYS, &act, NULL) == -1)
171	fatal("%s: sigaction(SIGSYS): %s", __func__, strerror(errno));	203	fatal("%s: sigaction(SIGSYS): %s", __func__, strerror(errno));
Lines 175-182 ssh_sandbox_child_debugging(void) Link Here
175	}	207	}
176	#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */	208	#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
177		209
178	void	210	static void
179	ssh_sandbox_child(struct ssh_sandbox *box)	211	sandbox_seccomp_filter_child(void *vbox)
180	{	212	{
181	struct rlimit rl_zero;	213	struct rlimit rl_zero;
182		214
Lines 193-199 ssh_sandbox_child(struct ssh_sandbox *bo Link Here
193	__func__, strerror(errno));	225	__func__, strerror(errno));
194		226
195	#ifdef SANDBOX_SECCOMP_FILTER_DEBUG	227	#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
196	ssh_sandbox_child_debugging();	228	sandbox_seccomp_filter_child_debugging();
197	#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */	229	#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
198		230
199	debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__);	231	debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__);
Lines 206-222 ssh_sandbox_child(struct ssh_sandbox *bo Link Here
206	__func__, strerror(errno));	238	__func__, strerror(errno));
207	}	239	}
208		240
209	void	241	static void
210	ssh_sandbox_parent_finish(struct ssh_sandbox *box)	242	sandbox_seccomp_filter_parent_finish(void *vbox)
211	{	243	{
212	free(box);	244	free(vbox);
213	debug3("%s: finished", __func__);	245	debug3("%s: finished", __func__);
214	}	246	}
215		247
216	void	248	static void
217	ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)	249	sandbox_seccomp_filter_parent_preauth(void *vbox, pid_t child_pid)
218	{	250	{
		251	struct ssh_sandbox *box = vbox;
		252
219	box->child_pid = child_pid;	253	box->child_pid = child_pid;
220	}	254	}
		255
		256	Sandbox ssh_sandbox_seccomp_filter = {
		257	"seccomp_filter",
		258	sandbox_seccomp_filter_probe,
		259	sandbox_seccomp_filter_init,
		260	sandbox_seccomp_filter_child,
		261	sandbox_seccomp_filter_parent_finish,
		262	sandbox_seccomp_filter_parent_preauth
		263	};
		264
		265	#else /* !SANDBOX_SECCOMP_FILTER */
		266
		267	Sandbox ssh_sandbox_seccomp_filter = {
		268	"seccomp_filter",
		269	NULL,
		270	NULL,
		271	NULL,
		272	NULL,
		273	NULL
		274	};
221		275
222	#endif /* SANDBOX_SECCOMP_FILTER */	276	#endif /* SANDBOX_SECCOMP_FILTER */

Lines 17-25 Link Here

(-)sandbox-systrace.c (-11 / +44 lines)
17		17
18	#include "includes.h"	18	#include "includes.h"
19		19
		20	#include <sys/types.h>
		21
		22	#include "ssh-sandbox.h"
		23
20	#ifdef SANDBOX_SYSTRACE	24	#ifdef SANDBOX_SYSTRACE
21		25
22	#include <sys/types.h>
23	#include <sys/param.h>	26	#include <sys/param.h>
24	#include <sys/ioctl.h>	27	#include <sys/ioctl.h>
25	#include <sys/syscall.h>	28	#include <sys/syscall.h>
Lines 38-44 Link Here
38		41
39	#include "atomicio.h"	42	#include "atomicio.h"
40	#include "log.h"	43	#include "log.h"
41	#include "ssh-sandbox.h"
42	#include "xmalloc.h"	44	#include "xmalloc.h"
43		45
44	struct sandbox_policy {	46	struct sandbox_policy {
Lines 74-81 struct ssh_sandbox { Link Here
74	pid_t child_pid;	76	pid_t child_pid;
75	};	77	};
76		78
77	struct ssh_sandbox *	79	static int
78	ssh_sandbox_init(void)	80	sandbox_systrace_probe(void)
		81	{
		82	return 1;
		83	}
		84
		85	static void *
		86	sandbox_systrace_init(void)
79	{	87	{
80	struct ssh_sandbox *box;	88	struct ssh_sandbox *box;
81	int s[2];	89	int s[2];
Lines 92-100 ssh_sandbox_init(void) Link Here
92	return box;	100	return box;
93	}	101	}
94		102
95	void	103	static void
96	ssh_sandbox_child(struct ssh_sandbox *box)	104	sandbox_systrace_child(void *vbox)
97	{	105	{
		106	struct ssh_sandbox *box = vbox;
98	char whatever = 0;	107	char whatever = 0;
99		108
100	close(box->parent_sock);	109	close(box->parent_sock);
Lines 110-116 ssh_sandbox_child(struct ssh_sandbox *bo Link Here
110	}	119	}
111		120
112	static void	121	static void
113	ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,	122	sandbox_systrace_parent(struct ssh_sandbox *box, pid_t child_pid,
114	const struct sandbox_policy *allowed_syscalls)	123	const struct sandbox_policy *allowed_syscalls)
115	{	124	{
116	int dev_systrace, i, j, found;	125	int dev_systrace, i, j, found;
Lines 179-187 ssh_sandbox_parent(struct ssh_sandbox *b Link Here
179	close(box->parent_sock);	188	close(box->parent_sock);
180	}	189	}
181		190
182	void	191	static void
183	ssh_sandbox_parent_finish(struct ssh_sandbox *box)	192	sandbox_systrace_parent_finish(void *vbox)
184	{	193	{
		194	struct ssh_sandbox *box = vbox;
		195
185	/* Closing this before the child exits will terminate it */	196	/* Closing this before the child exits will terminate it */
186	close(box->systrace_fd);	197	close(box->systrace_fd);
187		198
Lines 189-198 ssh_sandbox_parent_finish(struct ssh_san Link Here
189	debug3("%s: finished", __func__);	200	debug3("%s: finished", __func__);
190	}	201	}
191		202
192	void	203	static void
193	ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)	204	sandbox_systrace_parent_preauth(void *vbox, pid_t child_pid)
194	{	205	{
		206	struct ssh_sandbox *box = vbox;
		207
195	ssh_sandbox_parent(box, child_pid, preauth_policy);	208	ssh_sandbox_parent(box, child_pid, preauth_policy);
196	}	209	}
		210
		211	Sandbox ssh_sandbox_systrace = {
		212	"systrace",
		213	sandbox_systrace_probe,
		214	sandbox_systrace_init,
		215	sandbox_systrace_child,
		216	sandbox_systrace_parent_finish,
		217	sandbox_systrace_parent_preauth
		218	};
		219
		220	#else /* !SANDBOX_SYSTRACE */
		221
		222	Sandbox ssh_sandbox_systrace = {
		223	"systrace",
		224	NULL,
		225	NULL,
		226	NULL,
		227	NULL,
		228	NULL
		229	};
197		230
198	#endif /* SANDBOX_SYSTRACE */	231	#endif /* SANDBOX_SYSTRACE */




/* $Id$ */
/*
 * Copyright (c) 2012 Colin Watson <cjwatson@debian.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>

#include <stdlib.h>
#include <stdarg.h>

#include "log.h"
#include "ssh-sandbox.h"

static Sandbox *sandboxes[] = {
	&ssh_sandbox_systrace,
	&ssh_sandbox_darwin,
	&ssh_sandbox_seccomp_filter,
	&ssh_sandbox_rlimit,
	&ssh_sandbox_null,
	NULL
};

static Sandbox *selected;

static void
sandbox_select(void)
{
	Sandbox **sandbox;

	if (selected)
		return;

	for (sandbox = sandboxes; sandbox; sandbox++) {
		debug("trying sandbox %s", (*sandbox)->name);
		if ((*sandbox)->probe && (*sandbox)->probe()) {
			debug("using sandbox %s", (*sandbox)->name);
			selected = *sandbox;
			return;
		}
	}

	/* should never happen, as ssh_sandbox_null always succeeds */
	fatal("no sandbox implementation found");
}

void *
ssh_sandbox_init(void)
{
	sandbox_select();
	return selected->init();
}

void
ssh_sandbox_child(void *box)
{
	sandbox_select();
	return selected->child(box);
}

void
ssh_sandbox_parent_finish(void *box)
{
	sandbox_select();
	return selected->parent_finish(box);
}

void
ssh_sandbox_parent_preauth(void *box, pid_t child_pid)
{
	sandbox_select();
	return selected->parent_preauth(box, child_pid);
}




 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

typedef struct Sandbox Sandbox;

struct Sandbox {
	const char	*name;
	int		(*probe)(void);
	void		*(*init)(void);
	void	    	(*child)(void *);
	void		(*parent_finish)(void *);
	void	    	(*parent_preauth)(void *, pid_t);
};

void *ssh_sandbox_init(void);
void ssh_sandbox_child(void *);
void ssh_sandbox_parent_finish(void *);
void ssh_sandbox_parent_preauth(void *, pid_t);

extern Sandbox ssh_sandbox_systrace;
extern Sandbox ssh_sandbox_darwin;
extern Sandbox ssh_sandbox_seccomp_filter;
extern Sandbox ssh_sandbox_rlimit;
extern Sandbox ssh_sandbox_null;

Lines 628-634 privsep_preauth(Authctxt *authctxt) Link Here

(-)sshd.c (-1 / +1 lines)
628	{	628	{
629	int status;	629	int status;
630	pid_t pid;	630	pid_t pid;
631	struct ssh_sandbox *box = NULL;	631	void *box = NULL;
632		632
633	/* Set up unprivileged child process to deal with network data */	633	/* Set up unprivileged child process to deal with network data */
634	pmonitor = monitor_init();	634	pmonitor = monitor_init();

Return to bug 2011

Lines 126-150 AC_CHECK_DECL([SECCOMP_MODE_FILTER], [ha Link Here

(-)configure.ac (-30 / +17 lines)
126	#include <linux/seccomp.h>	126	#include <linux/seccomp.h>
127	])	127	])
128	fi	128	fi
129	if test "x$have_seccomp_filter" = "x1" ; then
130	AC_MSG_CHECKING([kernel for seccomp_filter support])
131	AC_RUN_IFELSE([AC_LANG_PROGRAM([[
132	#include <errno.h>
133	#include <linux/seccomp.h>
134	#include <stdlib.h>
135	#include <sys/prctl.h>
136	]],
137	[[ errno = 0;
138	prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
139	exit(errno == EFAULT ? 0 : 1); ]])],
140	[ AC_MSG_RESULT([yes]) ], [
141	AC_MSG_RESULT([no])
142	# Disable seccomp filter as a target
143	have_seccomp_filter=0
144	],
145	[ AC_MSG_RESULT([cross-compiling, assuming yes]) ]
146	)
147	fi
148		129
149	use_stack_protector=1	130	use_stack_protector=1
150	AC_ARG_WITH([stackprotect],	131	AC_ARG_WITH([stackprotect],
Lines 2575-2595 AC_ARG_WITH([sandbox], Link Here
2575	fi	2556	fi
2576	]	2557	]
2577	)	2558	)
		2559	SANDBOX_STYLE=""
2578	if test "x$sandbox_arg" = "xsystrace" \|\| \	2560	if test "x$sandbox_arg" = "xsystrace" \|\| \
2579	( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then	2561	( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
2580	test "x$have_systr_policy_kill" != "x1" && \	2562	test "x$have_systr_policy_kill" != "x1" && \
2581	AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])	2563	AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
2582	SANDBOX_STYLE="systrace"	2564	SANDBOX_STYLE="$SANDBOX_STYLE systrace"
2583	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])	2565	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
2584	elif test "x$sandbox_arg" = "xdarwin" \|\| \	2566	fi
		2567	if test "x$sandbox_arg" = "xdarwin" \|\| \
2585	( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \	2568	( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
2586	test "x$ac_cv_header_sandbox_h" = "xyes") ; then	2569	test "x$ac_cv_header_sandbox_h" = "xyes") ; then
2587	test "x$ac_cv_func_sandbox_init" != "xyes" -o \	2570	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
2588	"x$ac_cv_header_sandbox_h" != "xyes" && \	2571	"x$ac_cv_header_sandbox_h" != "xyes" && \
2589	AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])	2572	AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
2590	SANDBOX_STYLE="darwin"	2573	SANDBOX_STYLE="$SANDBOX_STYLE darwin"
2591	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])	2574	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
2592	elif test "x$sandbox_arg" = "xseccomp_filter" \|\| \	2575	fi
		2576	if test "x$sandbox_arg" = "xseccomp_filter" \|\| \
2593	( test -z "$sandbox_arg" && \	2577	( test -z "$sandbox_arg" && \
2594	test "x$have_seccomp_filter" == "x1" && \	2578	test "x$have_seccomp_filter" == "x1" && \
2595	test "x$ac_cv_header_linux_audit_h" = "xyes" && \	2579	test "x$ac_cv_header_linux_audit_h" = "xyes" && \
Lines 2604-2624 elif test "x$sandbox_arg" = "xseccomp_fi Link Here
2604	AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])	2588	AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
2605	test "x$ac_cv_func_prctl" != "xyes" && \	2589	test "x$ac_cv_func_prctl" != "xyes" && \
2606	AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])	2590	AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
2607	SANDBOX_STYLE="seccomp_filter"	2591	SANDBOX_STYLE="$SANDBOX_STYLE seccomp_filter"
2608	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])	2592	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
2609	elif test "x$sandbox_arg" = "xrlimit" \|\| \	2593	fi
		2594	if test "x$sandbox_arg" = "xrlimit" \|\| \
2610	( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then	2595	( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
2611	test "x$ac_cv_func_setrlimit" != "xyes" && \	2596	test "x$ac_cv_func_setrlimit" != "xyes" && \
2612	AC_MSG_ERROR([rlimit sandbox requires setrlimit function])	2597	AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
2613	SANDBOX_STYLE="rlimit"	2598	SANDBOX_STYLE="$SANDBOX_STYLE rlimit"
2614	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])	2599	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
2615	elif test -z "$sandbox_arg" \|\| test "x$sandbox_arg" = "xno" \|\| \	2600	fi
		2601	if test -z "$sandbox_arg" \|\| test "x$sandbox_arg" = "xno" \|\| \
2616	test "x$sandbox_arg" = "xnone" \|\| test "x$sandbox_arg" = "xnull" ; then	2602	test "x$sandbox_arg" = "xnone" \|\| test "x$sandbox_arg" = "xnull" ; then
2617	SANDBOX_STYLE="none"	2603	SANDBOX_STYLE="$SANDBOX_STYLE none"
2618	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])	2604	fi
2619	else	2605	if test -z "$SANDBOX_STYLE" ; then
2620	AC_MSG_ERROR([unsupported --with-sandbox])	2606	AC_MSG_ERROR([unsupported --with-sandbox])
2621	fi	2607	fi
		2608	SANDBOX_STYLE="${SANDBOX_STYLE# }"
2622		2609
2623	# Cheap hack to ensure NEWS-OS libraries are arranged right.	2610	# Cheap hack to ensure NEWS-OS libraries are arranged right.
2624	if test ! -z "$SONY" ; then	2611	if test ! -z "$SONY" ; then

Added Link Here

(-)sandbox.c (+84 lines)
1	/* $Id$ */
2	/*
3	* Copyright (c) 2012 Colin Watson <cjwatson@debian.org>
4	*
5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	#include <sys/types.h>
19
20	#include <stdlib.h>
21	#include <stdarg.h>
22
23	#include "log.h"
24	#include "ssh-sandbox.h"
25
26	static Sandbox *sandboxes[] = {
27	&ssh_sandbox_systrace,
28	&ssh_sandbox_darwin,
29	&ssh_sandbox_seccomp_filter,
30	&ssh_sandbox_rlimit,
31	&ssh_sandbox_null,
32	NULL
33	};
34
35	static Sandbox *selected;
36
37	static void
38	sandbox_select(void)
39	{
40	Sandbox **sandbox;
41
42	if (selected)
43	return;
44
45	for (sandbox = sandboxes; sandbox; sandbox++) {
46	debug("trying sandbox %s", (*sandbox)->name);
47	if ((sandbox)->probe && (sandbox)->probe()) {
48	debug("using sandbox %s", (*sandbox)->name);
49	selected = *sandbox;
50	return;
51	}
52	}
53
54	/* should never happen, as ssh_sandbox_null always succeeds */
55	fatal("no sandbox implementation found");
56	}
57
58	void *
59	ssh_sandbox_init(void)
60	{
61	sandbox_select();
62	return selected->init();
63	}
64
65	void
66	ssh_sandbox_child(void *box)
67	{
68	sandbox_select();
69	return selected->child(box);
70	}
71
72	void
73	ssh_sandbox_parent_finish(void *box)
74	{
75	sandbox_select();
76	return selected->parent_finish(box);
77	}
78
79	void
80	ssh_sandbox_parent_preauth(void *box, pid_t child_pid)
81	{
82	sandbox_select();
83	return selected->parent_preauth(box, child_pid);
84	}

Lines 15-23 Link Here

(-)ssh-sandbox.h (-5 / +20 lines)
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/	16	*/
17		17
18	struct ssh_sandbox;	18	typedef struct Sandbox Sandbox;
19		19
20	struct ssh_sandbox *ssh_sandbox_init(void);	20	struct Sandbox {
21	void ssh_sandbox_child(struct ssh_sandbox *);	21	const char *name;
22	void ssh_sandbox_parent_finish(struct ssh_sandbox *);	22	int (*probe)(void);
23	void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t);	23	void (init)(void);
		24	void (child)(void );
		25	void (parent_finish)(void );
		26	void (parent_preauth)(void , pid_t);
		27	};
		28
		29	void *ssh_sandbox_init(void);
		30	void ssh_sandbox_child(void *);
		31	void ssh_sandbox_parent_finish(void *);
		32	void ssh_sandbox_parent_preauth(void *, pid_t);
		33
		34	extern Sandbox ssh_sandbox_systrace;
		35	extern Sandbox ssh_sandbox_darwin;
		36	extern Sandbox ssh_sandbox_seccomp_filter;
		37	extern Sandbox ssh_sandbox_rlimit;
		38	extern Sandbox ssh_sandbox_null;