diff options
author | Damien Miller <djm@mindrot.org> | 2011-06-23 08:30:03 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2011-06-23 08:30:03 +1000 |
commit | 69ff1df952eebf0489b775a60ede094eaf596a05 (patch) | |
tree | 6eb76b4632b7c131e0fbb52d8ce7cccf658b6bfa /sandbox-systrace.c | |
parent | 82c558761d0fa42dc954d62812b9e4b4a94f64bd (diff) |
- djm@cvs.openbsd.org 2011/06/22 21:57:01
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
Diffstat (limited to 'sandbox-systrace.c')
-rw-r--r-- | sandbox-systrace.c | 187 |
1 files changed, 187 insertions, 0 deletions
diff --git a/sandbox-systrace.c b/sandbox-systrace.c new file mode 100644 index 000000000..5d0b7fb86 --- /dev/null +++ b/sandbox-systrace.c | |||
@@ -0,0 +1,187 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2011 Damien Miller <djm@mindrot.org> | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | #include "includes.h" | ||
18 | |||
19 | #ifdef SANDBOX_SYSTRACE | ||
20 | |||
21 | #include <sys/types.h> | ||
22 | #include <sys/param.h> | ||
23 | #include <sys/ioctl.h> | ||
24 | #include <sys/syscall.h> | ||
25 | #include <sys/socket.h> | ||
26 | |||
27 | #include <dev/systrace.h> | ||
28 | |||
29 | #include <errno.h> | ||
30 | #include <fcntl.h> | ||
31 | #include <limits.h> | ||
32 | #include <stdarg.h> | ||
33 | #include <stdio.h> | ||
34 | #include <stdlib.h> | ||
35 | #include <string.h> | ||
36 | #include <unistd.h> | ||
37 | |||
38 | #include "atomicio.h" | ||
39 | #include "log.h" | ||
40 | #include "sandbox.h" | ||
41 | #include "xmalloc.h" | ||
42 | |||
43 | static const int preauth_policy[] = { | ||
44 | SYS___sysctl, | ||
45 | SYS_close, | ||
46 | SYS_exit, | ||
47 | SYS_getpid, | ||
48 | SYS_gettimeofday, | ||
49 | SYS_madvise, | ||
50 | SYS_mmap, | ||
51 | SYS_mprotect, | ||
52 | SYS_poll, | ||
53 | SYS_munmap, | ||
54 | SYS_read, | ||
55 | SYS_select, | ||
56 | SYS_sigprocmask, | ||
57 | SYS_write, | ||
58 | -1 | ||
59 | }; | ||
60 | |||
61 | struct ssh_sandbox { | ||
62 | int child_sock; | ||
63 | int parent_sock; | ||
64 | int systrace_fd; | ||
65 | pid_t child_pid; | ||
66 | struct systrace_policy policy; | ||
67 | }; | ||
68 | |||
69 | struct ssh_sandbox * | ||
70 | ssh_sandbox_init(void) | ||
71 | { | ||
72 | struct ssh_sandbox *box; | ||
73 | int s[2]; | ||
74 | |||
75 | debug3("%s: preparing systrace sandbox", __func__); | ||
76 | box = xcalloc(1, sizeof(*box)); | ||
77 | if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1) | ||
78 | fatal("%s: socketpair: %s", __func__, strerror(errno)); | ||
79 | box->child_sock = s[0]; | ||
80 | box->parent_sock = s[1]; | ||
81 | box->systrace_fd = -1; | ||
82 | box->child_pid = 0; | ||
83 | |||
84 | return box; | ||
85 | } | ||
86 | |||
87 | void | ||
88 | ssh_sandbox_child(struct ssh_sandbox *box) | ||
89 | { | ||
90 | char whatever = 0; | ||
91 | |||
92 | close(box->parent_sock); | ||
93 | /* Signal parent that we are ready */ | ||
94 | debug3("%s: ready", __func__); | ||
95 | if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1) | ||
96 | fatal("%s: write: %s", __func__, strerror(errno)); | ||
97 | /* Wait for parent to signal for us to go */ | ||
98 | if (atomicio(read, box->child_sock, &whatever, 1) != 1) | ||
99 | fatal("%s: read: %s", __func__, strerror(errno)); | ||
100 | debug3("%s: started", __func__); | ||
101 | close(box->child_sock); | ||
102 | } | ||
103 | |||
104 | static void | ||
105 | ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, | ||
106 | const int *allowed_syscalls) | ||
107 | { | ||
108 | int dev_systrace, i, j, found; | ||
109 | char whatever = 0; | ||
110 | |||
111 | debug3("%s: wait for child %ld", __func__, (long)child_pid); | ||
112 | box->child_pid = child_pid; | ||
113 | close(box->child_sock); | ||
114 | /* Wait for child to signal that it is ready */ | ||
115 | if (atomicio(read, box->parent_sock, &whatever, 1) != 1) | ||
116 | fatal("%s: read: %s", __func__, strerror(errno)); | ||
117 | debug3("%s: child %ld ready", __func__, (long)child_pid); | ||
118 | |||
119 | /* Set up systracing of child */ | ||
120 | if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1) | ||
121 | fatal("%s: open(\"/dev/systrace\"): %s", __func__, | ||
122 | strerror(errno)); | ||
123 | if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1) | ||
124 | fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__, | ||
125 | dev_systrace, strerror(errno)); | ||
126 | close(dev_systrace); | ||
127 | debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd); | ||
128 | if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1) | ||
129 | fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__, | ||
130 | box->systrace_fd, child_pid, strerror(errno)); | ||
131 | |||
132 | /* Allocate and assign policy */ | ||
133 | bzero(&box->policy, sizeof(box->policy)); | ||
134 | box->policy.strp_op = SYSTR_POLICY_NEW; | ||
135 | box->policy.strp_maxents = SYS_MAXSYSCALL; | ||
136 | if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1) | ||
137 | fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__, | ||
138 | box->systrace_fd, strerror(errno)); | ||
139 | |||
140 | box->policy.strp_op = SYSTR_POLICY_ASSIGN; | ||
141 | box->policy.strp_pid = box->child_pid; | ||
142 | if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1) | ||
143 | fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s", | ||
144 | __func__, box->systrace_fd, strerror(errno)); | ||
145 | |||
146 | /* Set per-syscall policy */ | ||
147 | for (i = 0; i < SYS_MAXSYSCALL; i++) { | ||
148 | for (j = found = 0; allowed_syscalls[j] != -1 && !found; j++) { | ||
149 | if (allowed_syscalls[j] == i) | ||
150 | found = 1; | ||
151 | } | ||
152 | box->policy.strp_op = SYSTR_POLICY_MODIFY; | ||
153 | box->policy.strp_code = i; | ||
154 | box->policy.strp_policy = found ? | ||
155 | SYSTR_POLICY_PERMIT : SYSTR_POLICY_KILL; | ||
156 | if (found) | ||
157 | debug3("%s: policy: enable syscall %d", __func__, i); | ||
158 | if (ioctl(box->systrace_fd, STRIOCPOLICY, | ||
159 | &box->policy) == -1) | ||
160 | fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s", | ||
161 | __func__, box->systrace_fd, strerror(errno)); | ||
162 | } | ||
163 | |||
164 | /* Signal the child to start running */ | ||
165 | debug3("%s: start child %ld", __func__, (long)child_pid); | ||
166 | if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1) | ||
167 | fatal("%s: write: %s", __func__, strerror(errno)); | ||
168 | close(box->parent_sock); | ||
169 | } | ||
170 | |||
171 | void | ||
172 | ssh_sandbox_parent_finish(struct ssh_sandbox *box) | ||
173 | { | ||
174 | /* Closing this before the child exits will terminate it */ | ||
175 | close(box->systrace_fd); | ||
176 | |||
177 | free(box); | ||
178 | debug3("%s: finished", __func__); | ||
179 | } | ||
180 | |||
181 | void | ||
182 | ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) | ||
183 | { | ||
184 | ssh_sandbox_parent(box, child_pid, preauth_policy); | ||
185 | } | ||
186 | |||
187 | #endif /* SANDBOX_SYSTRACE */ | ||