path: root/ChangeLog
author    Damien Miller <djm@mindrot.org>  2011-06-23 08:30:03 +1000
committer Damien Miller <djm@mindrot.org>  2011-06-23 08:30:03 +1000
commit    69ff1df952eebf0489b775a60ede094eaf596a05 (patch)
tree      6eb76b4632b7c131e0fbb52d8ce7cccf658b6bfa /ChangeLog
parent    82c558761d0fa42dc954d62812b9e4b4a94f64bd (diff)
- djm@cvs.openbsd.org 2011/06/22 21:57:01
  [servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
  [sandbox-systrace.c sandbox.h configure.ac Makefile.in]
  introduce sandboxing of the pre-auth privsep child using systrace(4).

  This introduces a new "UsePrivilegeSeparation=sandbox" option for
  sshd_config that applies mandatory restrictions on the syscalls the
  privsep child can perform. This prevents a compromised privsep child
  from being used to attack other hosts (by opening sockets and proxying)
  or probing local kernel attack surface.

  The sandbox is implemented using systrace(4) in unsupervised "fast-path"
  mode, where a list of permitted syscalls is supplied. Any syscall not
  on the list results in SIGKILL being sent to the privsep child. Note
  that this requires a kernel with the new SYSTR_POLICY_KILL option.

  UsePrivilegeSeparation=sandbox will become the default in the future
  so please start testing it now.

  feedback dtucker@; ok markus@
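The policy shape this commit describes (a fixed list of permitted syscalls, with anything else terminating the child) illustrated as an added example; this is not OpenSSH's code and it does not use systrace(4), which is OpenBSD-only. It builds the equivalent allow-list as a classic-BPF program in the form Linux seccomp consumes, and includes a small evaluator so the decision logic can be exercised without installing the filter. The BPF structure and opcode values are written out locally so the builder compiles on any platform; `install_allowlist()` is only compiled on Linux. The syscall numbers in `main()` are constructed sample values for x86-64 (`read`=0, `write`=1, `exit_group`=231) and are assumptions of this example.

```c
/* Added example, not OpenSSH code: a seccomp-BPF style syscall allow-list
 * where every syscall not on the list kills the process, mirroring the
 * systrace(4) "fast-path" policy described in the commit message. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction layout (same layout as Linux struct sock_filter). */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;   /* jump offset if the comparison is true  */
    uint8_t  jf;   /* jump offset if the comparison is false */
    uint32_t k;    /* immediate operand */
};

/* Opcode encodings from the classic BPF ABI. */
#define OP_LD_W_ABS 0x20   /* BPF_LD  | BPF_W | BPF_ABS */
#define OP_JEQ_K    0x15   /* BPF_JMP | BPF_JEQ | BPF_K */
#define OP_RET_K    0x06   /* BPF_RET | BPF_K */

/* Filter return values from the Linux seccomp ABI. */
#define RET_KILL_PROCESS 0x80000000u
#define RET_ALLOW        0x7fff0000u

/* Offset of the syscall number field inside struct seccomp_data. */
#define SECCOMP_DATA_NR_OFFSET 0

#define MAX_ALLOWED 64
#define PROG_MAX    (MAX_ALLOWED + 3)   /* LD + n JEQ + KILL + ALLOW */

/* Emit:  ld nr ; jeq allowed[0] -> ALLOW ; ... ; ret KILL ; ret ALLOW
 * Returns the number of instructions written, or 0 if n exceeds MAX_ALLOWED
 * (the 8-bit jump offsets could not reach the ALLOW instruction otherwise). */
size_t build_allowlist(const uint32_t *allowed, size_t n, struct bpf_insn *out)
{
    if (n > MAX_ALLOWED)
        return 0;
    size_t i = 0;
    out[i++] = (struct bpf_insn){ OP_LD_W_ABS, 0, 0, SECCOMP_DATA_NR_OFFSET };
    for (size_t j = 0; j < n; j++) {
        /* Instruction index is 1+j; ALLOW sits at n+2, so the relative
         * jump distance is (n+2) - (1+j) - 1 == n - j. */
        out[i++] = (struct bpf_insn){ OP_JEQ_K, (uint8_t)(n - j), 0, allowed[j] };
    }
    out[i++] = (struct bpf_insn){ OP_RET_K, 0, 0, RET_KILL_PROCESS }; /* default */
    out[i++] = (struct bpf_insn){ OP_RET_K, 0, 0, RET_ALLOW };
    return i;
}

/* Minimal interpreter for the three opcodes above: returns the verdict the
 * kernel would apply to syscall number `nr`. Unknown opcodes fail closed. */
uint32_t evaluate(const struct bpf_insn *prog, size_t len, uint32_t nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; ) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LD_W_ABS: acc = (in->k == SECCOMP_DATA_NR_OFFSET) ? nr : 0; pc++; break;
        case OP_JEQ_K:    pc += 1 + (acc == in->k ? in->jt : in->jf); break;
        case OP_RET_K:    return in->k;
        default:          return RET_KILL_PROCESS;
        }
    }
    return RET_KILL_PROCESS;
}

#ifdef __linux__
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
/* Install the program in the calling process. After this, any syscall not on
 * the list ends the process, so the list must cover everything the caller
 * still needs (including its exit path). Returns 0 on success, -1 on error. */
int install_allowlist(struct bpf_insn *prog, size_t len)
{
    struct sock_fprog fp = { .len = (unsigned short)len,
                             .filter = (struct sock_filter *)prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
#endif

int main(void)
{
    /* Constructed sample: x86-64 numbers for read, write, exit_group. */
    const uint32_t allowed[] = { 0, 1, 231 };
    struct bpf_insn prog[PROG_MAX];
    size_t len = build_allowlist(allowed, 3, prog);
    for (uint32_t nr = 0; nr < 4; nr++)
        printf("syscall %u -> %s\n", nr,
               evaluate(prog, len, nr) == RET_ALLOW ? "allow" : "kill");
    return 0;
}
```

The evaluator is what makes the policy testable before it is ever installed: a wrong allow-list is only discovered at runtime as a dead child, which is the same operational risk the commit message flags when it asks people to start testing the sandbox now.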
Diffstat (limited to 'ChangeLog')
-rw-r--r--  ChangeLog  20
1 files changed, 20 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index b8adb8a87..6a18e7193 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,26 @@
3 - djm@cvs.openbsd.org 2011/06/22 21:47:28 3 - djm@cvs.openbsd.org 2011/06/22 21:47:28
4 [servconf.c] 4 [servconf.c]
5 reuse the multistate option arrays to pretty-print options for "sshd -T" 5 reuse the multistate option arrays to pretty-print options for "sshd -T"
6 - djm@cvs.openbsd.org 2011/06/22 21:57:01
7 [servconf.c servconf.h sshd.c sshd_config.5]
8 [configure.ac Makefile.in]
9 introduce sandboxing of the pre-auth privsep child using systrace(4).
10
11 This introduces a new "UsePrivilegeSeparation=sandbox" option for
12 sshd_config that applies mandatory restrictions on the syscalls the
13 privsep child can perform. This prevents a compromised privsep child
14 from being used to attack other hosts (by opening sockets and proxying)
15 or probing local kernel attack surface.
16
17 The sandbox is implemented using systrace(4) in unsupervised "fast-path"
18 mode, where a list of permitted syscalls is supplied. Any syscall not
19 on the list results in SIGKILL being sent to the privsep child. Note
20 that this requires a kernel with the new SYSTR_POLICY_KILL option.
21
22 UsePrivilegeSeparation=sandbox will become the default in the future
23 so please start testing it now.
24
25 feedback dtucker@; ok markus@
6 26
720110620 2720110620
8 - OpenBSD CVS Sync 28 - OpenBSD CVS Sync
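Review bot: the file list in the new ChangeLog entry (hunk lines 7 and 8) omits sandbox-rlimit.c, sandbox-systrace.c and sandbox.h, which the commit message for this same change lists alongside the other files, so the entry under-records which files the sandbox touched. Suggest making the bracketed list match the commit message: `[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]` followed by `[sandbox-systrace.c sandbox.h configure.ac Makefile.in]`.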