Attachment 2328 Details for Bug 2142 – libseccomp patch

libseccomp patch

file_2142.txt (text/plain), 9.09 KB, created by Loganaden Velvindron on 2013-08-13 05:40:32 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Loganaden Velvindron

Created: 2013-08-13 05:40:32 AEST

Size: 9.09 KB

patch

obsolete

>Index: Makefile.in
>===================================================================
>RCS file: /cvs/openssh/Makefile.in,v
>retrieving revision 1.340
>diff -u -p -r1.340 Makefile.in
>--- Makefile.in	11 Jun 2013 01:26:10 -0000	1.340
>+++ Makefile.in	12 Aug 2013 19:27:50 -0000
>@@ -93,7 +93,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
> 	sftp-server.o sftp-common.o \
> 	roaming_common.o roaming_serv.o \
> 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
>-	sandbox-seccomp-filter.o
>+	sandbox-seccomp-filter.o sandbox-libseccomp-filter.o
> 
> MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
> MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
>@@ -456,4 +456,3 @@ package: $(CONFIGFILES) $(MANPAGES) $(TA
> 	if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
> 		sh buildpkg.sh; \
> 	fi
>-
>Index: configure.ac
>===================================================================
>RCS file: /cvs/openssh/configure.ac,v
>retrieving revision 1.536
>diff -u -p -r1.536 configure.ac
>--- configure.ac	4 Aug 2013 11:48:41 -0000	1.536
>+++ configure.ac	12 Aug 2013 19:27:53 -0000
>@@ -2683,11 +2683,17 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [
> 	[non-privileged user for privilege separation])
> AC_SUBST([SSH_PRIVSEP_USER])
> 
>+AC_CHECK_DECL([LIBSECCOMP_MODE_FILTER], [have_libseccomp_filter=1], , [
>+	#include <sys/types.h>
>+	#include <seccomp.h>
>+])
>+
> if test "x$have_linux_no_new_privs" = "x1" ; then
> AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
> 	#include <sys/types.h>
> 	#include <linux/seccomp.h>
> ])
>+
> fi
> if test "x$have_seccomp_filter" = "x1" ; then
> AC_MSG_CHECKING([kernel for seccomp_filter support])
>@@ -2714,7 +2720,7 @@ fi
> # Decide which sandbox style to use
> sandbox_arg=""
> AC_ARG_WITH([sandbox],
>-	[  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)],
>+	[  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, libseccomp_filter)],
> 	[
> 		if test "x$withval" = "xyes" ; then
> 			sandbox_arg=""
>@@ -2824,6 +2830,13 @@ elif test "x$sandbox_arg" = "xdarwin" ||
> 		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
> 	SANDBOX_STYLE="darwin"
> 	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
>+elif test "x$sandbox_arg" = "xlibseccomp_filter" || \
>+     ( test -z "$sandbox_arg" && \
>+       test -z "x$have_libseccomp_filter" = "x1" ) ; then
>+	test -z "x$have_libseccomp_filter" != "x1" && \
>+		AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host])
>+        SANDBOX_STYLE="libseccomp_filter"
>+        AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter])	
> elif test "x$sandbox_arg" = "xseccomp_filter" || \
>      ( test -z "$sandbox_arg" && \
>        test "x$have_seccomp_filter" = "x1" && \
>Index: sandbox-libseccomp-filter.c
>===================================================================
>RCS file: sandbox-libseccomp-filter.c
>diff -N sandbox-libseccomp-filter.c
>--- /dev/null	1 Jan 1970 00:00:00 -0000
>+++ sandbox-libseccomp-filter.c	12 Aug 2013 19:27:53 -0000
>@@ -0,0 +1,149 @@
>+/*
>+ * Copyright (c) 2012 Will Drewry <wad@dataspill.org>
>+ *
>+ * Permission to use, copy, modify, and distribute this software for any
>+ * purpose with or without fee is hereby granted, provided that the above
>+ * copyright notice and this permission notice appear in all copies.
>+ *
>+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
>+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
>+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
>+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
>+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
>+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
>+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
>+ */
>+
>+#include "includes.h"
>+
>+#ifdef SANDBOX_LIBSECCOMP_FILTER
>+
>+#include <sys/types.h>
>+#include <sys/resource.h>
>+#include <seccomp.h>
>+
>+
>+#include <errno.h>
>+#include <signal.h>
>+#include <stdarg.h>
>+#include <stddef.h>  /* for offsetof */
>+#include <stdio.h>
>+#include <stdlib.h>
>+#include <string.h>
>+#include <unistd.h>
>+
>+#include "log.h"
>+#include "ssh-sandbox.h"
>+#include "xmalloc.h"
>+
>+struct ssh_sandbox {
>+	pid_t child_pid;
>+};
>+
>+struct ssh_sandbox *
>+ssh_sandbox_init(void)
>+{
>+	struct ssh_sandbox *box;
>+
>+	/*
>+	 * Strictly, we don't need to maintain any state here but we need
>+	 * to return non-NULL to satisfy the API.
>+	 */
>+	debug3("%s: preparing libseccomp filter sandbox", __func__);
>+	box = xcalloc(1, sizeof(*box));
>+	box->child_pid = 0;
>+
>+	return box;
>+}
>+
>+void
>+ssh_sandbox_child(struct ssh_sandbox *box)
>+{
>+	struct rlimit rl_zero;
>+	int nnp_failed = 0;
>+
>+	/* Set rlimits for completeness if possible. */
>+	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
>+        if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
>+                fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
>+                        __func__, strerror(errno));
>+        if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
>+                fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
>+                        __func__, strerror(errno));
>+        if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
>+                fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
>+                        __func__, strerror(errno));
>+
>+	if (seccomp_init(SCMP_ACT_KILL) < 0)
>+		fatal("%s:libseccomp activation failed", __func__);
>+	if (seccomp_rule_add(SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open), 0) < 0)
>+		fatal("%s:libseccomp rule failed", __func__);
>+	if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(open), 0) < 0)
>+		fatal("%s:libseccomp rule failed", __func__);
>+	if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0) < 0)
>+		fatal("%s:libseccomp rule failed", __func__); 
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#ifdef __NR_time /* not defined on EABI ARM */
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(time), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#endif
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(read), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(write), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(close), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(brk), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(poll), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#ifdef __NR__newselect
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(_newselect), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#else
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(select), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#endif
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(madvise), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#endif
>+#ifdef __NR_mmap
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#endif
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#ifdef __NR_rt_sigprocmask
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#else
>+        if (seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask), 0) < 0)
>+                fatal("%s:libseccomp rule failed", __func__);
>+#endif
>+
>+	if (seccomp_load() < 0)
>+		fatal("%s:libseccomp unable to load filter", __func__);	
>+}
>+
>+void
>+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
>+{
>+	free(box);
>+	debug3("%s: finished", __func__);
>+}
>+
>+void
>+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
>+{
>+	box->child_pid = child_pid;
>+}
>+
>+#endif /* SANDBOX_LIBSECCOMP_FILTER */

Actions: View

Attachments on bug 2142: 2328 | 2563 | 2927 | 2962