Bugzilla – Attachment 2563 Details for
Bug 2142
Make seccomp-bpf sandbox work for Linux/X32
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
libseccomp patch v2
openssh-6.7p1-x32-seccomp.patch (text/plain), 7.69 KB, created by
Steven Noonan
on 2015-03-07 01:26:29 AEDT
(
hide
)
Description:
libseccomp patch v2
Filename:
MIME Type:
Creator:
Steven Noonan
Created:
2015-03-07 01:26:29 AEDT
Size:
7.69 KB
patch
obsolete
>diff --git a/Makefile.in b/Makefile.in >index 06be3d5..b1f0931 100644 >--- a/Makefile.in >+++ b/Makefile.in >@@ -106,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ > sftp-server.o sftp-common.o \ > roaming_common.o roaming_serv.o \ > sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ >- sandbox-seccomp-filter.o sandbox-capsicum.o >+ sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o > > MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out > MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 >diff --git a/configure.ac b/configure.ac >index 67c4486..ddaf7c0 100644 >--- a/configure.ac >+++ b/configure.ac >@@ -2867,11 +2867,22 @@ else > fi > AC_SUBST([SSH_PRIVSEP_USER]) > >+AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [ >+ #include <sys/types.h> >+ #include <seccomp.h> >+]) >+if test "x$have_libseccomp_filter" = "x1" ; then >+ AC_CHECK_LIB([seccomp], [seccomp_init], >+ [LIBS="$LIBS -lseccomp"], >+ [have_libseccomp_filter=0]) >+fi >+ > if test "x$have_linux_no_new_privs" = "x1" ; then > AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ > #include <sys/types.h> > #include <linux/seccomp.h> > ]) >+ > fi > if test "x$have_seccomp_filter" = "x1" ; then > AC_MSG_CHECKING([kernel for seccomp_filter support]) >@@ -2898,7 +2909,7 @@ fi > # Decide which sandbox style to use > sandbox_arg="" > AC_ARG_WITH([sandbox], >- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)], >+ [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, libseccomp_filter, capsicum)], > [ > if test "x$withval" = "xyes" ; then > sandbox_arg="" >@@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \ > AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function]) > SANDBOX_STYLE="darwin" > AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) >+elif test "x$sandbox_arg" = "xlibseccomp_filter" || \ >+ ( test -z "$sandbox_arg" && \ >+ test "x$have_libseccomp_filter" = "x1" ) ; then >+ test "x$have_libseccomp_filter" != "x1" && \ >+ AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host]) >+ SANDBOX_STYLE="libseccomp_filter" >+ AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter]) > elif test "x$sandbox_arg" = "xseccomp_filter" || \ > ( test -z "$sandbox_arg" && \ > test "x$have_seccomp_filter" = "x1" && \ >diff --git a/sandbox-libseccomp-filter.c b/sandbox-libseccomp-filter.c >new file mode 100644 >index 0000000..d03856b >--- /dev/null >+++ b/sandbox-libseccomp-filter.c >@@ -0,0 +1,175 @@ >+/* >+ * Copyright (c) 2012 Will Drewry <wad@dataspill.org> >+ * >+ * Permission to use, copy, modify, and distribute this software for any >+ * purpose with or without fee is hereby granted, provided that the above >+ * copyright notice and this permission notice appear in all copies. >+ * >+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES >+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF >+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR >+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES >+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN >+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF >+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. >+ */ >+ >+#include "includes.h" >+ >+#ifdef SANDBOX_LIBSECCOMP_FILTER >+ >+#include <sys/types.h> >+#include <sys/resource.h> >+#include <seccomp.h> >+ >+#include <errno.h> >+#include <signal.h> >+#include <stdarg.h> >+#include <stddef.h> /* for offsetof */ >+#include <stdio.h> >+#include <stdlib.h> >+#include <string.h> >+#include <unistd.h> >+ >+#include "log.h" >+#include "ssh-sandbox.h" >+#include "xmalloc.h" >+ >+struct ssh_sandbox { >+ pid_t child_pid; >+}; >+ >+struct ssh_sandbox * >+ssh_sandbox_init(struct monitor *monitor) >+{ >+ struct ssh_sandbox *box; >+ >+ /* >+ * Strictly, we don't need to maintain any state here but we need >+ * to return non-NULL to satisfy the API. >+ */ >+ debug3("%s: preparing libseccomp filter sandbox", __func__); >+ box = xcalloc(1, sizeof(*box)); >+ box->child_pid = 0; >+ >+ return box; >+} >+ >+static int >+seccomp_add_secondary_archs(scmp_filter_ctx *c) >+{ >+#if defined(__i386__) || defined(__x86_64__) >+ int r; >+ r = seccomp_arch_add(c, SCMP_ARCH_X86); >+ if (r < 0 && r != -EEXIST) >+ return r; >+ r = seccomp_arch_add(c, SCMP_ARCH_X86_64); >+ if (r < 0 && r != -EEXIST) >+ return r; >+ r = seccomp_arch_add(c, SCMP_ARCH_X32); >+ if (r < 0 && r != -EEXIST) >+ return r; >+#endif >+ return 0; >+} >+ >+struct scmp_action_def { >+ uint32_t action; >+ int syscall; >+}; >+ >+static const struct scmp_action_def preauth_insns[] = { >+ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)}, >+ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)}, >+ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)}, >+ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)}, >+ {SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)}, >+ {SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)}, >+#ifdef __NR_time /* not defined on EABI ARM */ >+ {SCMP_ACT_ALLOW, SCMP_SYS(time)}, >+#endif >+ {SCMP_ACT_ALLOW, SCMP_SYS(read)}, >+ {SCMP_ACT_ALLOW, SCMP_SYS(write)}, >+ {SCMP_ACT_ALLOW, SCMP_SYS(close)}, >+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ >+ {SCMP_ACT_ALLOW, SCMP_SYS(shutdown)}, >+#endif >+ {SCMP_ACT_ALLOW, SCMP_SYS(brk)}, >+ {SCMP_ACT_ALLOW, SCMP_SYS(poll)}, >+#ifdef __NR__newselect >+ {SCMP_ACT_ALLOW, SCMP_SYS(_newselect)}, >+#endif >+ {SCMP_ACT_ALLOW, SCMP_SYS(select)}, >+ {SCMP_ACT_ALLOW, SCMP_SYS(madvise)}, >+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ >+ {SCMP_ACT_ALLOW, SCMP_SYS(mmap2)}, >+#endif >+#ifdef __NR_mmap >+ {SCMP_ACT_ALLOW, SCMP_SYS(mmap)}, >+#endif >+#ifdef __dietlibc__ >+ {SCMP_ACT_ALLOW, SCMP_SYS(mremap)}, >+ {SCMP_ACT_ALLOW, SCMP_SYS(exit)}, >+#endif >+ {SCMP_ACT_ALLOW, SCMP_SYS(munmap)}, >+ {SCMP_ACT_ALLOW, SCMP_SYS(exit_group)}, >+#ifdef __NR_rt_sigprocmask >+ {SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)}, >+#else >+ {SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)}, >+#endif >+ {0, 0} >+}; >+ >+ >+void >+ssh_sandbox_child(struct ssh_sandbox *box) >+{ >+ scmp_filter_ctx *seccomp; >+ struct rlimit rl_zero; >+ const struct scmp_action_def *insn; >+ int r; >+ >+ /* Set rlimits for completeness if possible. */ >+ rl_zero.rlim_cur = rl_zero.rlim_max = 0; >+ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) >+ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", >+ __func__, strerror(errno)); >+ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) >+ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", >+ __func__, strerror(errno)); >+ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) >+ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", >+ __func__, strerror(errno)); >+ >+ seccomp = seccomp_init(SCMP_ACT_KILL); >+ if (!seccomp) >+ fatal("%s:libseccomp activation failed", __func__); >+ if (seccomp_add_secondary_archs(seccomp)) >+ fatal("%s:libseccomp secondary arch setup failed", __func__); >+ >+ for (insn = preauth_insns; insn->action; insn++) { >+ if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0) >+ fatal("%s:libseccomp rule failed", __func__); >+ } >+ >+ if ((r = seccomp_load(seccomp)) < 0) >+ fatal("%s:libseccomp unable to load filter %d", __func__, r); >+ >+ seccomp_release(seccomp); >+} >+ >+void >+ssh_sandbox_parent_finish(struct ssh_sandbox *box) >+{ >+ free(box); >+ debug3("%s: finished", __func__); >+} >+ >+void >+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) >+{ >+ box->child_pid = child_pid; >+} >+ >+#endif /* SANDBOX_LIBSECCOMP_FILTER */
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2563">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 2142
:
2328
| 2563 |
2927
|
2962