author | Damien Miller <djm@mindrot.org> | 2012-04-04 11:27:54 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2012-04-04 11:27:54 +1000 |
commit | e0956e38349d4a32f3c4a726af45a3695ff2d3c2 (patch) | |
tree | 55f6b3c7251fa1512b38640fb23c809b4af285e3 | |
parent | ce1ec9d4e27d4e08ef02e4e96818263d3ff2eecc (diff) |
- (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox
mode for Linux's new seccomp filter; patch from Will Drewry; feedback
and ok dtucker@
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | Makefile.in | 5 | ||||
-rw-r--r-- | configure.ac | 68 | ||||
-rw-r--r-- | sandbox-seccomp-filter.c | 222 |
4 files changed, 295 insertions, 5 deletions
@@ -1,3 +1,8 @@ | |||
1 | 20120404 | ||
2 | - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox | ||
3 | mode for Linux's new seccomp filter; patch from Will Drewry; feedback | ||
4 | and ok dtucker@ | ||
5 | |||
1 | 20120330 | 6 | 20120330 |
2 | - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING | 7 | - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING |
3 | file from spec file. From crighter at nuclioss com. | 8 | file from spec file. From crighter at nuclioss com. |
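--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.325 2011/08/05 20:15:18 djm Exp $
+# $Id: Makefile.in,v 1.326 2012/04/04 01:27:57 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -90,7 +90,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 sftp-server.o sftp-common.o \
 roaming_common.o roaming_serv.o \
-sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
+sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+sandbox-seccomp-filter.o
 
 MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5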
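--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.487 2012/02/23 23:40:43 dtucker Exp $
+# $Id: configure.ac,v 1.488 2012/04/04 01:27:57 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.487 $)
+AC_REVISION($Revision: 1.488 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -116,6 +116,35 @@ AC_CHECK_DECL([RLIMIT_NPROC],
 #include <sys/types.h>
 #include <sys/resource.h>
 ])
+AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
+#include <sys/types.h>
+#include <linux/prctl.h>
+])
+if test "x$have_linux_no_new_privs" = "x1" ; then
+AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
+#include <sys/types.h>
+#include <linux/seccomp.h>
+])
+fi
+if test "x$have_seccomp_filter" = "x1" ; then
+AC_MSG_CHECKING([kernel for seccomp_filter support])
+AC_RUN_IFELSE([AC_LANG_PROGRAM([[
+#include <errno.h>
+#include <linux/seccomp.h>
+#include <stdlib.h>
+#include <sys/prctl.h>
+]],
+[[ errno = 0;
+prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+exit(errno == EFAULT ? 0 : 1); ]])],
+[ AC_MSG_RESULT([yes]) ], [
+AC_MSG_RESULT([no])
+# Disable seccomp filter as a target
+have_seccomp_filter=0
+],
+[ AC_MSG_RESULT([cross-compiling, assuming yes]) ]
+)
+fi
 
 use_stack_protector=1
 AC_ARG_WITH([stackprotect],
@@ -657,6 +686,22 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
 [Prepend the address family to IP tunnel traffic])
 fi
+AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h])
+AC_CHECK_FUNCS([prctl])
+have_seccomp_audit_arch=1
+case "$host" in
+x86_64-*)
+AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_X86_64],
+[Specify the system call convention in use])
+;;
+i*86-*)
+AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_I386],
+[Specify the system call convention in use])
+;;
+*)
+have_seccomp_audit_arch=0
+;;
+esac
 ;;
 mips-sony-bsd|mips-sony-newsos4)
 AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
@@ -2518,7 +2563,7 @@ AC_SUBST([SSH_PRIVSEP_USER])
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
-[ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace)],
+[ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)],
 [
 if test "x$withval" = "xyes" ; then
 sandbox_arg=""
@@ -2541,6 +2586,23 @@ elif test "x$sandbox_arg" = "xdarwin" || \
 AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
 SANDBOX_STYLE="darwin"
 AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
+elif test "x$sandbox_arg" = "xseccomp_filter" || \
+( test -z "$sandbox_arg" && \
+test "x$have_seccomp_filter" == "x1" && \
+test "x$ac_cv_header_linux_audit_h" = "xyes" && \
+test "x$have_seccomp_audit_arch" = "x1" && \
+test "x$have_linux_no_new_privs" = "x1" && \
+test "x$ac_cv_func_prctl" = "xyes" ) ; then
+test "x$have_seccomp_audit_arch" != "x1" && \
+AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
+test "x$have_linux_no_new_privs" != "x1" && \
+AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
+test "x$have_seccomp_filter" != "x1" && \
+AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
+test "x$ac_cv_func_prctl" != "xyes" && \
+AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
+SANDBOX_STYLE="seccomp_filter"
+AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
 elif test "x$sandbox_arg" = "xrlimit" || \
 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
 test "x$ac_cv_func_setrlimit" != "xyes" && \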
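Review bot: In the sandbox-selection hunk, `test "x$have_seccomp_filter" == "x1"` uses `==`, which POSIX `test` does not define; under a /bin/sh whose `test` rejects it, the auto-detect condition is false and configure would fall through to the later branches (rlimit is the next one visible), with nothing in the output to say seccomp_filter was skipped. Use `test "x$have_seccomp_filter" = "x1"`, matching every other comparison in that chain. The explicit `--with-sandbox=seccomp_filter` path also has no `AC_MSG_ERROR` for a missing `linux/audit.h`, although auto-detection requires `ac_cv_header_linux_audit_h`; a guard in the same style as the other four would report that at configure time rather than as a compile failure. The enclosing if/elif chain starts and ends outside the hunk.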
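--- /dev/null
+++ b/sandbox-seccomp-filter.c
@@ -0,0 +1,222 @@
+/*
+* Copyright (c) 2012 Will Drewry <wad@dataspill.org>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+
+/*
+* Uncomment the SANDBOX_SECCOMP_FILTER_DEBUG macro below to help diagnose
+* filter breakage during development. *Do not* use this in production,
+* as it relies on making library calls that are unsafe in signal context.
+*
+* Instead, live systems the auditctl(8) may be used to monitor failures.
+* E.g.
+* auditctl -a task,always -F uid=<privsep uid>
+*/
+/* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */
+
+#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
+/* Use the kernel headers in case of an older toolchain. */
+# include <asm/siginfo.h>
+# define __have_siginfo_t 1
+# define __have_sigval_t 1
+# define __have_sigevent_t 1
+#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+
+#include "includes.h"
+
+#ifdef SANDBOX_SECCOMP_FILTER
+
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <sys/prctl.h>
+
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+
+#include <asm/unistd.h>
+
+#include <errno.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stddef.h> /* for offsetof */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "log.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+/* Linux seccomp_filter sandbox */
+#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL
+
+/* Use a signal handler to emit violations when debugging */
+#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
+# undef SECCOMP_FILTER_FAIL
+# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
+#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+
+/* Simple helpers to avoid manual errors (but larger BPF programs). */
+#define SC_DENY(_nr, _errno) \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
+#define SC_ALLOW(_nr) \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+/* Syscall filtering set for preauth. */
+static const struct sock_filter preauth_insns[] = {
+/* Ensure the syscall arch convention is as expected. */
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+offsetof(struct seccomp_data, arch)),
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
+/* Load the syscall number for checking. */
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+offsetof(struct seccomp_data, nr)),
+SC_DENY(open, EACCES),
+SC_ALLOW(getpid),
+SC_ALLOW(gettimeofday),
+SC_ALLOW(time),
+SC_ALLOW(read),
+SC_ALLOW(write),
+SC_ALLOW(close),
+SC_ALLOW(brk),
+SC_ALLOW(poll),
+#ifdef __NR__newselect
+SC_ALLOW(_newselect),
+#else
+SC_ALLOW(select),
+#endif
+SC_ALLOW(madvise),
+SC_ALLOW(mmap),
+SC_ALLOW(munmap),
+SC_ALLOW(exit_group),
+#ifdef __NR_rt_sigprocmask
+SC_ALLOW(rt_sigprocmask),
+#else
+SC_ALLOW(sigprocmask),
+#endif
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
+};
+
+static const struct sock_fprog preauth_program = {
+.len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])),
+.filter = (struct sock_filter *)preauth_insns,
+};
+
+struct ssh_sandbox {
+pid_t child_pid;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(void)
+{
+struct ssh_sandbox *box;
+
+/*
+* Strictly, we don't need to maintain any state here but we need
+* to return non-NULL to satisfy the API.
+*/
+debug3("%s: preparing seccomp filter sandbox", __func__);
+box = xcalloc(1, sizeof(*box));
+box->child_pid = 0;
+
+return box;
+}
+
+#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
+extern struct monitor *pmonitor;
+void mm_log_handler(LogLevel level, const char *msg, void *ctx);
+
+static void
+ssh_sandbox_violation(int signum, siginfo_t *info, void *void_context)
+{
+char msg[256];
+
+snprintf(msg, sizeof(msg),
+"%s: unexpected system call (arch:0x%x,syscall:%d @ %p)",
+__func__, info->si_arch, info->si_syscall, info->si_call_addr);
+mm_log_handler(SYSLOG_LEVEL_FATAL, msg, pmonitor);
+_exit(1);
+}
+
+static void
+ssh_sandbox_child_debugging(void)
+{
+struct sigaction act;
+sigset_t mask;
+
+debug3("%s: installing SIGSYS handler", __func__);
+memset(&act, 0, sizeof(act));
+sigemptyset(&mask);
+sigaddset(&mask, SIGSYS);
+
+act.sa_sigaction = &ssh_sandbox_violation;
+act.sa_flags = SA_SIGINFO;
+if (sigaction(SIGSYS, &act, NULL) == -1)
+fatal("%s: sigaction(SIGSYS): %s", __func__, strerror(errno));
+if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
+fatal("%s: sigprocmask(SIGSYS): %s",
+__func__, strerror(errno));
+}
+#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+struct rlimit rl_zero;
+
+/* Set rlimits for completeness if possible. */
+rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
+fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
+__func__, strerror(errno));
+if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
+__func__, strerror(errno));
+if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
+fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
+__func__, strerror(errno));
+
+#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
+ssh_sandbox_child_debugging();
+#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+
+debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__);
+if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
+__func__, strerror(errno));
+debug3("%s: attaching seccomp filter program", __func__);
+if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &preauth_program) == -1)
+fatal("%s: prctl(PR_SET_SECCOMP): %s",
+__func__, strerror(errno));
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+free(box);
+debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+box->child_pid = child_pid;
+}
+
+#endif /* SANDBOX_SECCOMP_FILTER */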
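Review bot: `preauth_insns` allows `mmap` but not `mmap2`, while configure.ac enables this sandbox for `i*86-*` hosts, where the C library usually implements mmap() through `__NR_mmap2`; if that holds, the first allocation that needs a mapping in the pre-auth child reaches the final `SECCOMP_FILTER_FAIL` and the child is killed. Following the pattern already used for `_newselect` and `rt_sigprocmask`, add `#ifdef __NR_mmap2` / `SC_ALLOW(mmap2),` / `#endif` after `SC_ALLOW(mmap)`. Separately, the filter loads only `arch` and `nr` from `struct seccomp_data`, so a comment above the table such as `/* Arguments are not inspected: mmap and madvise are allowed with any protection or flags. */` would make that limit visible to whoever extends the list.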