- djm@cvs.openbsd.org 2011/06/22 21:57:01

     [servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
     [sandbox-systrace.c sandbox.h configure.ac Makefile.in]
     introduce sandboxing of the pre-auth privsep child using systrace(4).

     This introduces a new "UsePrivilegeSeparation=sandbox" option for
     sshd_config that applies mandatory restrictions on the syscalls the
     privsep child can perform. This prevents a compromised privsep child
     from being used to attack other hosts (by opening sockets and proxying)
     or probing local kernel attack surface.

     The sandbox is implemented using systrace(4) in unsupervised "fast-path"
     mode, where a list of permitted syscalls is supplied. Any syscall not
     on the list results in SIGKILL being sent to the privsep child. Note
     that this requires a kernel with the new SYSTR_POLICY_KILL option.

     UsePrivilegeSeparation=sandbox will become the default in the future
     so please start testing it now.

     feedback dtucker@; ok markus@

1 files changed, 187 insertions, 0 deletions

diff --git a/sandbox-systrace.c b/sandbox-systrace.c
new file mode 100644
index 000000000..5d0b7fb86
--- /dev/null
+++ b/sandbox-systrace.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_SYSTRACE
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/syscall.h>
+#include <sys/socket.h>
+
+#include <dev/systrace.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "atomicio.h"
+#include "log.h"
+#include "sandbox.h"
+#include "xmalloc.h"
+
+static const int preauth_policy[] = {
+        SYS___sysctl,
+        SYS_close,
+        SYS_exit,
+        SYS_getpid,
+        SYS_gettimeofday,
+        SYS_madvise,
+        SYS_mmap,
+        SYS_mprotect,
+        SYS_poll,
+        SYS_munmap,
+        SYS_read,
+        SYS_select,
+        SYS_sigprocmask,
+        SYS_write,
+        -1
+};
+
+struct ssh_sandbox {
+        int child_sock;
+        int parent_sock;
+        int systrace_fd;
+        pid_t child_pid;
+        struct systrace_policy policy;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(void)
+{
+        struct ssh_sandbox *box;
+        int s[2];
+
+        debug3("%s: preparing systrace sandbox", __func__);
+        box = xcalloc(1, sizeof(*box));
+        if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1)
+                fatal("%s: socketpair: %s", __func__, strerror(errno));
+        box->child_sock = s[0];
+        box->parent_sock = s[1];
+        box->systrace_fd = -1;
+        box->child_pid = 0;
+
+        return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+        char whatever = 0;
+
+        close(box->parent_sock);
+        /* Signal parent that we are ready */
+        debug3("%s: ready", __func__);
+        if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1)
+                fatal("%s: write: %s", __func__, strerror(errno));
+        /* Wait for parent to signal for us to go */
+        if (atomicio(read, box->child_sock, &whatever, 1) != 1)
+                fatal("%s: read: %s", __func__, strerror(errno));
+        debug3("%s: started", __func__);
+        close(box->child_sock);
+}
+
+static void
+ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
+    const int *allowed_syscalls)
+{
+        int dev_systrace, i, j, found;
+        char whatever = 0;
+
+        debug3("%s: wait for child %ld", __func__, (long)child_pid);
+        box->child_pid = child_pid;
+        close(box->child_sock);
+        /* Wait for child to signal that it is ready */
+        if (atomicio(read, box->parent_sock, &whatever, 1) != 1)
+                fatal("%s: read: %s", __func__, strerror(errno));
+        debug3("%s: child %ld ready", __func__, (long)child_pid);
+
+        /* Set up systracing of child */
+        if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
+                fatal("%s: open(\"/dev/systrace\"): %s", __func__,
+                    strerror(errno));
+        if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
+                fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
+                    dev_systrace, strerror(errno));
+        close(dev_systrace);
+        debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
+        if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
+                fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
+                    box->systrace_fd, child_pid, strerror(errno));
+
+        /* Allocate and assign policy */
+        bzero(&box->policy, sizeof(box->policy));
+        box->policy.strp_op = SYSTR_POLICY_NEW;
+        box->policy.strp_maxents = SYS_MAXSYSCALL;
+        if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1)
+                fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
+                    box->systrace_fd, strerror(errno));
+
+        box->policy.strp_op = SYSTR_POLICY_ASSIGN;
+        box->policy.strp_pid = box->child_pid;
+        if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1)
+                fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
+                    __func__, box->systrace_fd, strerror(errno));
+
+        /* Set per-syscall policy */
+        for (i = 0; i < SYS_MAXSYSCALL; i++) {
+                for (j = found = 0; allowed_syscalls[j] != -1 && !found; j++) {
+                        if (allowed_syscalls[j] == i)
+                                found = 1;
+                }
+                box->policy.strp_op = SYSTR_POLICY_MODIFY;
+                box->policy.strp_code = i;
+                box->policy.strp_policy = found ?
+                    SYSTR_POLICY_PERMIT : SYSTR_POLICY_KILL;
+                if (found)
+                        debug3("%s: policy: enable syscall %d", __func__, i);
+                if (ioctl(box->systrace_fd, STRIOCPOLICY,
+                    &box->policy) == -1)
+                        fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
+                            __func__, box->systrace_fd, strerror(errno));
+        }
+
+        /* Signal the child to start running */
+        debug3("%s: start child %ld", __func__, (long)child_pid);
+        if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1)
+                fatal("%s: write: %s", __func__, strerror(errno));
+        close(box->parent_sock);
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+        /* Closing this before the child exits will terminate it */
+        close(box->systrace_fd);
+
+        free(box);
+        debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+        ssh_sandbox_parent(box, child_pid, preauth_policy);
+}
+
+#endif /* SANDBOX_SYSTRACE */