| | | |
|---|---|---|
| author | Damien Miller <djm@mindrot.org> | 2011-06-23 08:30:03 +1000 |
| committer | Damien Miller <djm@mindrot.org> | 2011-06-23 08:30:03 +1000 |
| commit | 69ff1df952eebf0489b775a60ede094eaf596a05 (patch) | |
| tree | 6eb76b4632b7c131e0fbb52d8ce7cccf658b6bfa /ChangeLog | |
| parent | 82c558761d0fa42dc954d62812b9e4b4a94f64bd (diff) | |
- djm@cvs.openbsd.org 2011/06/22 21:57:01
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
Diffstat (limited to 'ChangeLog')
| | | |
|---|---|---|
| -rw-r--r-- | ChangeLog | 20 |
1 files changed, 20 insertions, 0 deletions
@@ -3,6 +3,26 @@ | |||
3 | - djm@cvs.openbsd.org 2011/06/22 21:47:28 | 3 | - djm@cvs.openbsd.org 2011/06/22 21:47:28 |
4 | [servconf.c] | 4 | [servconf.c] |
5 | reuse the multistate option arrays to pretty-print options for "sshd -T" | 5 | reuse the multistate option arrays to pretty-print options for "sshd -T" |
6 | - djm@cvs.openbsd.org 2011/06/22 21:57:01 | ||
7 | [servconf.c servconf.h sshd.c sshd_config.5] | ||
8 | [configure.ac Makefile.in] | ||
9 | introduce sandboxing of the pre-auth privsep child using systrace(4). | ||
10 | |||
11 | This introduces a new "UsePrivilegeSeparation=sandbox" option for | ||
12 | sshd_config that applies mandatory restrictions on the syscalls the | ||
13 | privsep child can perform. This prevents a compromised privsep child | ||
14 | from being used to attack other hosts (by opening sockets and proxying) | ||
15 | or probing local kernel attack surface. | ||
16 | |||
17 | The sandbox is implemented using systrace(4) in unsupervised "fast-path" | ||
18 | mode, where a list of permitted syscalls is supplied. Any syscall not | ||
19 | on the list results in SIGKILL being sent to the privsep child. Note | ||
20 | that this requires a kernel with the new SYSTR_POLICY_KILL option. | ||
21 | |||
22 | UsePrivilegeSeparation=sandbox will become the default in the future | ||
23 | so please start testing it now. | ||
24 | |||
25 | feedback dtucker@; ok markus@ | ||
6 | 26 | ||
7 | 20110620 | 27 | 20110620 |
8 | - OpenBSD CVS Sync | 28 | - OpenBSD CVS Sync |
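Review bot: the file list in the new ChangeLog entry (hunk lines 7-8, `[servconf.c servconf.h sshd.c sshd_config.5]` and `[configure.ac Makefile.in]`) omits sandbox-rlimit.c, sandbox-systrace.c and sandbox.h, which the commit message lists for the same OpenBSD sync (2011/06/22 21:57:01). Since those are, by their names, the files that carry the sandbox implementation the entry goes on to describe (the systrace(4) fast-path policy that SIGKILLs the privsep child on any syscall not on the allow list), suggest making the entry match the commit message: `[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]` followed by `[sandbox-systrace.c sandbox.h configure.ac Makefile.in]`. The descriptive text of the entry (lines 9-25) matches the commit message verbatim, so no other change is needed.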