Bugzilla – Attachment 2326 Details for
Bug 2140
Capsicum support for FreeBSD 10 (-current)
openssh-capsicum
file_2140.txt (text/plain), 5.29 KB, created by
Loganaden Velvindron
on 2013-08-08 05:54:20 AEST
(
hide
)
Description:
openssh-capsicum
Filename:
MIME Type:
Creator:
Loganaden Velvindron
Created:
2013-08-08 05:54:20 AEST
Size:
5.29 KB
patch
obsolete
>Index: sandbox-capsicum.c
>===================================================================
>RCS file: sandbox-capsicum.c
>diff -N sandbox-capsicum.c
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ sandbox-capsicum.c 7 Aug 2013 19:39:21 -0000
>@@ -0,0 +1,90 @@
>+
>+#include "includes.h"
>+
>+#ifdef SANDBOX_CAPSICUM
>+
>+#include <sys/types.h>
>+#include <sys/param.h>
>+#include <sys/time.h>
>+#include <sys/resource.h>
>+#include <sys/capability.h>
>+
>+#include <errno.h>
>+#include <stdarg.h>
>+#include <stdio.h>
>+#include <stdlib.h>
>+#include <string.h>
>+#include <unistd.h>
>+
>+#include "log.h"
>+#include "monitor.h"
>+#include "ssh-sandbox.h"
>+#include "xmalloc.h"
>+
>+/* Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits,
>+ * limits file descriptors on monitoring object,
>+ * and switches to capability mode
>+*/
>+
>+struct ssh_sandbox {
>+ struct monitor *monitor;
>+ pid_t child_pid;
>+};
>+
>+extern struct monitor *pmonitor;
>+struct ssh_sandbox *
>+ssh_sandbox_init(void)
>+{
>+ struct ssh_sandbox *box;
>+
>+ /*
>+ * Strictly, we don't need to maintain any state here but we need
>+ * to return non-NULL to satisfy the API.
>+ */
>+ debug3("%s: preparing capsicum sandbox", __func__);
>+ box = xcalloc(1, sizeof(*box));
>+ box->monitor = pmonitor;
>+ box->child_pid = 0;
>+
>+ return box;
>+}
>+
>+void
>+ssh_sandbox_child(struct ssh_sandbox *box)
>+{
>+ struct rlimit rl_zero;
>+
>+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
>+
>+ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
>+ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
>+ __func__, strerror(errno));
>+ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
>+ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
>+ __func__, strerror(errno));
>+ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
>+ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
>+ __func__, strerror(errno));
>+ if (cap_rights_limit(box->monitor->m_recvfd, CAP_READ | CAP_WRITE) == -1)
>+ fatal("%s: failed to limit the network socket", __func__);
>+ if (cap_rights_limit(box->monitor->m_log_sendfd, CAP_WRITE) == -1)
>+ fatal("%s: failed to limit the logging socket", __func__);
>+ if (cap_enter() != 0)
>+ fatal("%s: failed to enter capability mode", __func__);
>+
>+}
>+
>+void
>+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
>+{
>+ free(box);
>+ debug3("%s: finished", __func__);
>+}
>+
>+void
>+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
>+{
>+ box->child_pid = child_pid;
>+}
>+
>+#endif /* SANDBOX_CAPSICUM */
>Index: configure.ac
>===================================================================
>RCS file: /cvs/openssh/configure.ac,v
>retrieving revision 1.536
>diff -u -p -r1.536 configure.ac
>--- configure.ac 4 Aug 2013 11:48:41 -0000 1.536
>+++ configure.ac 7 Aug 2013 19:39:24 -0000
>@@ -120,6 +120,10 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [ha
> #include <sys/types.h>
> #include <linux/prctl.h>
> ])
>+AC_CHECK_DECL([cap_enter], [have_cap_enter=1], , [
>+ #include <sys/capability.h>
>+])
>+
> use_stack_protector=1
> AC_ARG_WITH([stackprotect],
> [ --without-stackprotect Don't use compiler's stack protection], [
>@@ -2714,7 +2718,7 @@ fi
> # Decide which sandbox style to use
> sandbox_arg=""
> AC_ARG_WITH([sandbox],
>- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)],
>+ [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
> [
> if test "x$withval" = "xyes" ; then
> sandbox_arg=""
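Review bot: The cap_rights_limit() and cap_enter() failure paths in ssh_sandbox_child drop errno, unlike the three setrlimit() calls directly above them, so an EBADF from a stale descriptor and an ENOSYS from a kernel built without Capsicum produce the same opaque log line; append the error the way the setrlimit messages do, e.g. `fatal("%s: cap_enter: %s", __func__, strerror(errno));`. The message "failed to limit the network socket" is attached to m_recvfd, which from its name looks like the monitor socketpair rather than the client connection — confirm against monitor.h and relabel it. Only m_recvfd and m_log_sendfd are restricted before cap_enter(); any other descriptor the preauth child still holds (stdin/stdout/stderr, and the connection socket if it is not closed before the sandbox is entered) keeps full rights inside capability mode, so consider limiting those with an empty rights set as well. Decide explicitly whether cap_enter() returning ENOSYS should be fatal: as written, a kernel without capability mode makes every preauth child die instead of running unsandboxed or falling back. If the target is the cap_rights_t-based cap_rights_limit() that FreeBSD 10-current moved to, the integer `CAP_READ | CAP_WRITE` form will not compile there — verify against the target headers.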
>@@ -2853,6 +2857,13 @@ elif test "x$sandbox_arg" = "xrlimit" ||
> AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
> SANDBOX_STYLE="rlimit"
> AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
>+elif test "x$sandbox_arg" = "xcapsicum" || \
>+ ( test -z "$sandbox_arg" && \
>+ test "x$have_cap_enter" = "x1") ; then
>+ test "x$have_cap_enter" != "x1" && \
>+ AC_MSG_ERROR([capsicum sandbox requires cap_enter function])
>+ SANDBOX_STYLE="capsicum"
>+ AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
> elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
> test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
> SANDBOX_STYLE="none"
>Index: Makefile.in
>===================================================================
>RCS file: /cvs/openssh/Makefile.in,v
>retrieving revision 1.340
>diff -u -p -r1.340 Makefile.in
>--- Makefile.in 11 Jun 2013 01:26:10 -0000 1.340
>+++ Makefile.in 7 Aug 2013 19:39:24 -0000
>@@ -93,7 +93,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
> sftp-server.o sftp-common.o \
> roaming_common.o roaming_serv.o \
> sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
>- sandbox-seccomp-filter.o
>+ sandbox-seccomp-filter.o sandbox-capsicum.o
>
> MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
> MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
>@@ -456,4 +456,3 @@ package: $(CONFIGFILES) $(MANPAGES) $(TA
> if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
> sh buildpkg.sh; \
> fi
>-
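Review bot: The auto-detection half of the new branch, `( test -z "$sandbox_arg" && test "x$have_cap_enter" = "x1")`, is placed after the rlimit branch and is only evaluated when that branch's condition is false; the rlimit condition itself sits above this hunk, but if it auto-selects whenever setrlimit and select work — which a FreeBSD host satisfies — Capsicum is never chosen by default and is reachable only through an explicit --with-sandbox=capsicum. Either move the capsicum `elif` ahead of the rlimit one so a Capsicum-capable kernel prefers the stronger sandbox, or document that it must be requested explicitly. The enclosing if/elif chain begins before this hunk and ends after it.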