diff options
author | Damien Miller <djm@mindrot.org> | 2011-06-23 08:30:03 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2011-06-23 08:30:03 +1000 |
commit | 69ff1df952eebf0489b775a60ede094eaf596a05 (patch) | |
tree | 6eb76b4632b7c131e0fbb52d8ce7cccf658b6bfa /sandbox-rlimit.c | |
parent | 82c558761d0fa42dc954d62812b9e4b4a94f64bd (diff) |
- djm@cvs.openbsd.org 2011/06/22 21:57:01
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
Diffstat (limited to 'sandbox-rlimit.c')
-rw-r--r-- | sandbox-rlimit.c | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c new file mode 100644 index 000000000..4d832fc3d --- /dev/null +++ b/sandbox-rlimit.c | |||
@@ -0,0 +1,92 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2011 Damien Miller <djm@mindrot.org> | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | #include "includes.h" | ||
18 | |||
19 | #ifdef SANDBOX_RLIMIT | ||
20 | |||
21 | #include <sys/types.h> | ||
22 | #include <sys/param.h> | ||
23 | #include <sys/time.h> | ||
24 | #include <sys/resource.h> | ||
25 | |||
26 | #include <errno.h> | ||
27 | #include <stdarg.h> | ||
28 | #include <stdio.h> | ||
29 | #include <stdlib.h> | ||
30 | #include <string.h> | ||
31 | #include <unistd.h> | ||
32 | |||
33 | #include "log.h" | ||
34 | #include "sandbox.h" | ||
35 | #include "xmalloc.h" | ||
36 | |||
37 | /* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */ | ||
38 | |||
39 | struct ssh_sandbox { | ||
40 | pid_t child_pid; | ||
41 | }; | ||
42 | |||
43 | struct ssh_sandbox * | ||
44 | ssh_sandbox_init(void) | ||
45 | { | ||
46 | struct ssh_sandbox *box; | ||
47 | |||
48 | /* | ||
49 | * Strictly, we don't need to maintain any state here but we need | ||
50 | * to return non-NULL to satisfy the API. | ||
51 | */ | ||
52 | debug3("%s: preparing rlimit sandbox", __func__); | ||
53 | box = xcalloc(1, sizeof(*box)); | ||
54 | box->child_pid = 0; | ||
55 | |||
56 | return box; | ||
57 | } | ||
58 | |||
59 | void | ||
60 | ssh_sandbox_child(struct ssh_sandbox *box) | ||
61 | { | ||
62 | struct rlimit rl_zero; | ||
63 | |||
64 | rl_zero.rlim_cur = rl_zero.rlim_max = 0; | ||
65 | |||
66 | if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) | ||
67 | fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", | ||
68 | __func__, strerror(errno)); | ||
69 | if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) | ||
70 | fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", | ||
71 | __func__, strerror(errno)); | ||
72 | #ifdef HAVE_RLIMIT_NPROC | ||
73 | if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) | ||
74 | fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", | ||
75 | __func__, strerror(errno)); | ||
76 | #endif | ||
77 | } | ||
78 | |||
79 | void | ||
80 | ssh_sandbox_parent_finish(struct ssh_sandbox *box) | ||
81 | { | ||
82 | free(box); | ||
83 | debug3("%s: finished", __func__); | ||
84 | } | ||
85 | |||
86 | void | ||
87 | ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) | ||
88 | { | ||
89 | box->child_pid = child_pid; | ||
90 | } | ||
91 | |||
92 | #endif /* SANDBOX_RLIMIT */ | ||