

(-)Makefile.in (-2 / +1 lines)
Lines 93-99 SSHDOBJS=sshd.o auth-rhosts.o auth-passw Link Here
93
	sftp-server.o sftp-common.o \
93
	sftp-server.o sftp-common.o \
94
	roaming_common.o roaming_serv.o \
94
	roaming_common.o roaming_serv.o \
95
	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
95
	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
96
	sandbox-seccomp-filter.o
96
	sandbox-seccomp-filter.o sandbox-capsicum.o
97
97
98
MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
98
MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
99
MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
99
MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
Lines 456-459 package: $(CONFIGFILES) $(MANPAGES) $(TA Link Here
456
	if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
456
	if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
457
		sh buildpkg.sh; \
457
		sh buildpkg.sh; \
458
	fi
458
	fi
459
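--- a/configure.ac
+++ b/configure.ac
@@ -120,6 +120,10 @@
 	#include <sys/types.h>
 	#include <linux/prctl.h>
 ])
+AC_CHECK_DECL([cap_enter], [have_cap_enter=1], , [
+	#include <sys/capability.h>
+])
+
 use_stack_protector=1
 AC_ARG_WITH([stackprotect],
     [  --without-stackprotect  Don't use compiler's stack protection], [
@@ -2714,7 +2718,7 @@
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
-	[  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)],
+	[  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
 	[
 		if test "x$withval" = "xyes" ; then
 			sandbox_arg=""
@@ -2853,6 +2857,13 @@
 		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
 	SANDBOX_STYLE="rlimit"
 	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
+elif test "x$sandbox_arg" = "xcapsicum" || \
+     ( test -z "$sandbox_arg" && \
+       test "x$have_cap_enter" = "x1") ; then
+       test "x$have_cap_enter" != "x1" && \
+		AC_MSG_ERROR([capsicum sandbox requires cap_enter function])
+       SANDBOX_STYLE="capsicum"
+       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
 elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
      test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
 	SANDBOX_STYLE="none"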
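Review bot: The new Capsicum detection in the first hunk probes only `cap_enter`, but sandbox-capsicum.c in this same patch also relies on `cap_rights_t`, `cap_rights_init()` and `cap_rights_limit()`, so a system that declares cap_enter but ships an older rights API (the variadic cap_rights_init() appears to be newer than cap_enter(), to be confirmed) would be auto-selected as `SANDBOX_STYLE="capsicum"` by the third hunk and then fail to compile. Adding a second probe such as `AC_CHECK_DECL([cap_rights_init], [have_cap_rights_init=1], , [#include <sys/capability.h>])` and requiring both variables in the new `elif` keeps auto-selection from choosing a sandbox the code cannot build. As a style point, the added `SANDBOX_STYLE="capsicum"` and `AC_DEFINE` lines are indented with spaces while every neighbouring branch uses a tab, and the `test ... && AC_MSG_ERROR` pair mixes both; matching the rlimit branch above would make the diff easier to maintain.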
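--- /dev/null
+++ b/sandbox-capsicum.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 2011 Dag-Erling Smorgrav
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_CAPSICUM
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/capability.h>
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "log.h"
+#include "monitor.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+/* 
+ * Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits,
+ * limits rights on stdout, stdin, stderr, monitor and switches to 
+ * capability mode
+*/
+
+struct ssh_sandbox {
+	struct monitor *monitor;
+	pid_t child_pid;
+};
+
+extern struct monitor *pmonitor;
+struct ssh_sandbox *
+ssh_sandbox_init(void)
+{
+	struct ssh_sandbox *box;
+
+	/*
+	 * Strictly, we don't need to maintain any state here but we need
+	 * to return non-NULL to satisfy the API.
+	 */
+	debug3("%s: preparing capsicum sandbox", __func__);
+	box = xcalloc(1, sizeof(*box));
+	box->monitor = pmonitor;
+	box->child_pid = 0;
+
+	return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+	struct rlimit rl_zero;
+	cap_rights_t rights;
+
+	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+
+	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
+			__func__, strerror(errno));
+	if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
+			__func__, strerror(errno));
+	if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
+			__func__, strerror(errno));
+
+	cap_rights_init(&rights);
+
+	if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
+		fatal("can't limit stdin: %m");
+	if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
+		fatal("can't limit stdin: %m");
+        if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
+                fatal("can't limit stdin: %m");
+
+	cap_rights_init(&rights, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
+		fatal("%s: failed to limit the network socket", __func__);
+	cap_rights_init(&rights, CAP_WRITE);
+	if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
+		fatal("%s: failed to limit the logging socket", __func__);	
+	if (cap_enter() != 0 && errno != ENOSYS)
+		fatal("%s: failed to enter capability mode", __func__);
+
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+	free(box);
+	debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+	box->child_pid = child_pid;
+}
+
+#endif /* SANDBOX_CAPSICUM */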
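Review bot: The fatal() messages for the stdout and stderr limits at new lines 91 and 93 are copy-pasted from the stdin case and will misreport which descriptor failed; they should read `fatal("can't limit stdout: %m");` and `fatal("can't limit stderr: %m");`. Those three messages also use the `%m` extension while the setrlimit() failures a few lines above format errno with `strerror(errno)` and the two monitor-socket messages report no errno at all — using `__func__` plus `strerror(errno)` throughout would be consistent and portable to libcs whose printf does not implement `%m` (the monitor fds here are the privsep IPC sockets, so "network socket" in that message is also misleading, to be confirmed against monitor.h). The `errno != ENOSYS` fallbacks on the cap_rights_limit() and cap_enter() calls let the child continue with only the rlimit restrictions when the kernel lacks Capsicum, and nothing is logged in that case; a `debug()`/`logit()` naming the reduced sandbox, or failing closed like every other error path in this function, would make the weaker isolation visible to the operator. Finally, lines 92–93 are indented with spaces while the rest of the file uses tabs, and line 100 carries a trailing tab.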
