

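--- a/Makefile.in
+++ b/Makefile.in
@@ -96,7 +96,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-	sandbox-seccomp-filter.o
+	sandbox-seccomp-filter.o sandbox-capsicum.o
 
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@@ -472,4 +472,3 @@ package: $(CONFIGFILES) $(MANPAGES) $(TA
 	if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
 		sh buildpkg.sh; \
 	fi
-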
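--- a/configure.ac
+++ b/configure.ac
@@ -120,6 +120,10 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [ha
 	#include <sys/types.h>
 	#include <linux/prctl.h>
 ])
+AC_CHECK_DECL([cap_enter], [have_cap_enter=1], , [
+	#include <sys/capability.h>
+])
+
 use_stack_protector=1
 AC_ARG_WITH([stackprotect],
     [  --without-stackprotect  Don't use compiler's stack protection], [
@@ -2803,7 +2807,7 @@ fi
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
-	[  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)],
+	[  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
 	[
 		if test "x$withval" = "xyes" ; then
 			sandbox_arg=""
@@ -2942,6 +2946,13 @@ elif test "x$sandbox_arg" = "xrlimit" ||
 		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
 	SANDBOX_STYLE="rlimit"
 	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
+elif test "x$sandbox_arg" = "xcapsicum" || \
+     ( test -z "$sandbox_arg" && \
+       test "x$have_cap_enter" = "x1") ; then
+       test "x$have_cap_enter" != "x1" && \
+		AC_MSG_ERROR([capsicum sandbox requires cap_enter function])
+       SANDBOX_STYLE="capsicum"
+       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
 elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
      test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
 	SANDBOX_STYLE="none"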
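Review bot: The probe added at line 123 checks only that cap_enter is declared, yet the sandbox it auto-selects (sandbox-capsicum.c in this same patch) also calls cap_rights_init and cap_rights_limit with a cap_rights_t pointer, so a system that has cap_enter but not that rights API would be chosen as the default sandbox and then fail to compile. Probing for the rights API as well, e.g. `AC_CHECK_DECL([cap_rights_limit], [have_cap_rights_limit=1], , [#include <sys/capability.h>])`, and requiring both in the capsicum branch would close that gap. In the new branch the body is indented with spaces while the neighbouring rlimit branch uses tabs, and the `test "x$have_cap_enter" != "x1"` guard can only fire when the user passed --with-sandbox=capsicum explicitly, which deserves a one-line comment so it does not read as dead code.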
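--- /dev/null
+++ b/sandbox-capsicum.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2011 Dag-Erling Smorgrav
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_CAPSICUM
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/capability.h>
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "log.h"
+#include "monitor.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+/* 
+ * Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits,
+ * limits rights on stdout, stdin, stderr, monitor and switches to 
+ * capability mode
+*/
+
+struct ssh_sandbox {
+	struct monitor *monitor;
+	pid_t child_pid;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(struct monitor *monitor)
+{
+	struct ssh_sandbox *box;
+
+	/*
+	 * Strictly, we don't need to maintain any state here but we need
+	 * to return non-NULL to satisfy the API.
+	 */
+	debug3("%s: preparing capsicum sandbox", __func__);
+	box = xcalloc(1, sizeof(*box));
+	box->monitor = monitor;
+	box->child_pid = 0;
+
+	return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+	struct rlimit rl_zero;
+	cap_rights_t rights;
+
+	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+
+	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
+			__func__, strerror(errno));
+	if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
+			__func__, strerror(errno));
+	if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
+			__func__, strerror(errno));
+
+	cap_rights_init(&rights);
+
+	if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
+		fatal("can't limit stdin: %m");
+	if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
+		fatal("can't limit stdin: %m");
+        if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
+                fatal("can't limit stdin: %m");
+
+	cap_rights_init(&rights, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
+		fatal("%s: failed to limit the network socket", __func__);
+	cap_rights_init(&rights, CAP_WRITE);
+	if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
+		fatal("%s: failed to limit the logging socket", __func__);	
+	if (cap_enter() != 0 && errno != ENOSYS)
+		fatal("%s: failed to enter capability mode", __func__);
+
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+	free(box);
+	debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+	box->child_pid = child_pid;
+}
+
+#endif /* SANDBOX_CAPSICUM */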
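Review bot: The three stdio limits at lines 87-92 all report "can't limit stdin" on failure, so a failing cap_rights_limit on stdout or stderr would be misattributed; the messages should name the descriptor, e.g. `fatal("can't limit stdout: %s", strerror(errno));` and `fatal("can't limit stderr: %s", strerror(errno));`, which also drops the non-portable `%m` in favour of the strerror(errno) form the setrlimit calls just above already use. Error tolerance is inconsistent as well: the stdio limits and cap_enter ignore ENOSYS, while the monitor-socket limits at lines 95 and 98 treat any -1 as fatal, so on a kernel that lacks Capsicum the child would die at the monitor socket rather than continue with rlimits only; whichever policy is intended should apply to all five calls and be stated in the header comment, since tolerating ENOSYS means the process silently carries on outside capability mode. The message at line 96 says "network socket" but the descriptor limited is m_recvfd, the monitor socket. Lines 91-92 are indented with spaces and line 99 carries trailing whitespace, unlike the rest of the file.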
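--- a/sandbox-darwin.c
+++ b/sandbox-darwin.c
@@ -40,7 +40,7 @@ struct ssh_sandbox {
 };
 
 struct ssh_sandbox *
-ssh_sandbox_init(void)
+ssh_sandbox_init(struct monitor *monitor)
 {
 	struct ssh_sandbox *box;
 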
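Review bot: The new `monitor` parameter is not referenced in the part of ssh_sandbox_init visible here, and the identical hunks in sandbox-null.c, sandbox-rlimit.c, sandbox-seccomp-filter.c and sandbox-systrace.c show the same; only sandbox-capsicum.c stores it. If the rest of each body leaves it unused, a one-line comment such as `/* monitor unused here; the parameter matches the common ssh_sandbox_init() prototype in ssh-sandbox.h */` would tell the next reader the omission is deliberate and keep -Wunused-parameter builds quiet. The body of ssh_sandbox_init continues past the hunk.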
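--- a/sandbox-null.c
+++ b/sandbox-null.c
@@ -39,7 +39,7 @@ struct ssh_sandbox {
 };
 
 struct ssh_sandbox *
-ssh_sandbox_init(void)
+ssh_sandbox_init(struct monitor *monitor)
 {
 	struct ssh_sandbox *box;
 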
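--- a/sandbox-rlimit.c
+++ b/sandbox-rlimit.c
@@ -42,7 +42,7 @@ struct ssh_sandbox {
 };
 
 struct ssh_sandbox *
-ssh_sandbox_init(void)
+ssh_sandbox_init(struct monitor *monitor)
 {
 	struct ssh_sandbox *box;
 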
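--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -132,7 +132,7 @@ struct ssh_sandbox {
 };
 
 struct ssh_sandbox *
-ssh_sandbox_init(void)
+ssh_sandbox_init(struct monitor *monitor)
 {
 	struct ssh_sandbox *box;
 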
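--- a/sandbox-systrace.c
+++ b/sandbox-systrace.c
@@ -78,7 +78,7 @@ struct ssh_sandbox {
 };
 
 struct ssh_sandbox *
-ssh_sandbox_init(void)
+ssh_sandbox_init(struct monitor *monitor)
 {
 	struct ssh_sandbox *box;
 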
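--- a/ssh-sandbox.h
+++ b/ssh-sandbox.h
@@ -15,9 +15,10 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+struct monitor;
 struct ssh_sandbox;
 
-struct ssh_sandbox *ssh_sandbox_init(void);
+struct ssh_sandbox *ssh_sandbox_init(struct monitor *);
 void ssh_sandbox_child(struct ssh_sandbox *);
 void ssh_sandbox_parent_finish(struct ssh_sandbox *);
 void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t);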
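--- a/sshd.c
+++ b/sshd.c
@@ -655,7 +655,7 @@ privsep_preauth(Authctxt *authctxt)
 	pmonitor->m_pkex = &xxx_kex;
 
 	if (use_privsep == PRIVSEP_ON)
-		box = ssh_sandbox_init();
+		box = ssh_sandbox_init(pmonitor);
 	pid = fork();
 	if (pid == -1) {
 		fatal("fork of unprivileged 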
