authorColin Watson <cjwatson@debian.org>2012-05-26 01:44:40 +0100
committerColin Watson <cjwatson@debian.org>2012-05-26 01:44:40 +0100
commit15784261dfaece73ef53f5beb5d3917a95dc1ae4 (patch)
treec39ee6c8ff10efca0e0060d6db07780667832eeb /sandbox-systrace.c
parent9fce61538243d8d04d6cf174e118df6c4ece351d (diff)
Add a sandbox fallback mechanism, so that behaviour on Linux depends on
whether the running system's kernel has seccomp_filter support, not the build system's kernel (forwarded upstream as https://bugzilla.mindrot.org/show_bug.cgi?id=2011).
Diffstat (limited to 'sandbox-systrace.c')
-rw-r--r--sandbox-systrace.c55
1 files changed, 44 insertions, 11 deletions
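diff --git a/sandbox-systrace.c b/sandbox-systrace.c
index 5a39f4fe1..04f54a3b6 100644
--- a/sandbox-systrace.c
+++ b/sandbox-systrace.c
@@ -17,9 +17,12 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+
+#include "ssh-sandbox.h"
+
 #ifdef SANDBOX_SYSTRACE
 
-#include <sys/types.h>
 #include <sys/param.h>
 #include <sys/ioctl.h>
 #include <sys/syscall.h>
@@ -38,7 +41,6 @@
 
 #include "atomicio.h"
 #include "log.h"
-#include "ssh-sandbox.h"
 #include "xmalloc.h"
 
 struct sandbox_policy {
@@ -74,8 +76,14 @@ struct ssh_sandbox {
 	pid_t child_pid;
 };
 
-struct ssh_sandbox *
-ssh_sandbox_init(void)
+static int
+sandbox_systrace_probe(void)
+{
+	return 1;
+}
+
+static void *
+sandbox_systrace_init(void)
 {
 	struct ssh_sandbox *box;
 	int s[2];
@@ -92,9 +100,10 @@ ssh_sandbox_init(void)
 	return box;
 }
 
-void
-ssh_sandbox_child(struct ssh_sandbox *box)
+static void
+sandbox_systrace_child(void *vbox)
 {
+	struct ssh_sandbox *box = vbox;
 	char whatever = 0;
 
 	close(box->parent_sock);
@@ -110,7 +119,7 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 }
 
 static void
-ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
+sandbox_systrace_parent(struct ssh_sandbox *box, pid_t child_pid,
     const struct sandbox_policy *allowed_syscalls)
 {
 	int dev_systrace, i, j, found;
@@ -179,9 +188,11 @@ ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
 	close(box->parent_sock);
 }
 
-void
-ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+static void
+sandbox_systrace_parent_finish(void *vbox)
 {
+	struct ssh_sandbox *box = vbox;
+
 	/* Closing this before the child exits will terminate it */
 	close(box->systrace_fd);
 
@@ -189,10 +200,32 @@ ssh_sandbox_parent_finish(struct ssh_sandbox *box)
 	debug3("%s: finished", __func__);
 }
 
-void
-ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+static void
+sandbox_systrace_parent_preauth(void *vbox, pid_t child_pid)
 {
+	struct ssh_sandbox *box = vbox;
+
 	ssh_sandbox_parent(box, child_pid, preauth_policy);
 }
 
+Sandbox ssh_sandbox_systrace = {
+	"systrace",
+	sandbox_systrace_probe,
+	sandbox_systrace_init,
+	sandbox_systrace_child,
+	sandbox_systrace_parent_finish,
+	sandbox_systrace_parent_preauth
+};
+
+#else /* !SANDBOX_SYSTRACE */
+
+Sandbox ssh_sandbox_systrace = {
+	"systrace",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+};
+
 #endif /* SANDBOX_SYSTRACE */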
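Review bot: The new body of `sandbox_systrace_parent_preauth` (new line 208, last hunk) still calls `ssh_sandbox_parent(box, child_pid, preauth_policy);`, but the hunk at old line 113 renamed that static helper to `sandbox_systrace_parent`, so with SANDBOX_SYSTRACE defined this is an implicit declaration of a function that no longer exists and the file will not link; the line should read `sandbox_systrace_parent(box, child_pid, preauth_policy);`. It would be worth a comment on `sandbox_systrace_probe` stating why it unconditionally returns 1, e.g. `/* systrace availability is decided at build time; nothing to probe at runtime */`, since the commit message makes runtime probing the point of the fallback mechanism and a reader may expect a /dev/systrace check here. The `#else` branch registers a `Sandbox` whose every callback is NULL, so the code that iterates sandboxes (outside this file) must treat a NULL probe as "not available" rather than calling it; a one-line comment on that initializer saying so would make the contract explicit.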