- djm@cvs.openbsd.org 2011/06/22 21:57:01

[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@
author: Damien Miller <djm@mindrot.org> 2011-06-23 08:30:03 +1000
committer: Damien Miller <djm@mindrot.org> 2011-06-23 08:30:03 +1000
commit: 69ff1df952eebf0489b775a60ede094eaf596a05 (patch)
tree: 6eb76b4632b7c131e0fbb52d8ce7cccf658b6bfa /servconf.c
parent: 82c558761d0fa42dc954d62812b9e4b4a94f64bd (diff)
1 files changed, 12 insertions, 3 deletions
diff --git a/servconf.c b/servconf.c
index 03b974617..91986e55d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.221 2011/06/22 21:47:28 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -280,7 +280,7 @@ fill_default_server_options(ServerOptions *options)
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
-                use_privsep = 1;
+                use_privsep = PRIVSEP_ON;
 #ifndef HAVE_MMAP
        if (use_privsep && options->compression == 1) {
@@ -701,6 +701,12 @@ static const struct multistate multistate_gatewayports[] = {
        { "no",                         0 },
        { NULL, -1 }
 };
+static const struct multistate multistate_privsep[] = {
+        { "sandbox",                    PRIVSEP_SANDBOX },
+        { "yes",                        PRIVSEP_ON },
+        { "no",                         PRIVSEP_OFF },
+        { NULL, -1 }
+};
 int
 process_server_config_line(ServerOptions *options, char *line,
@@ -1066,7 +1072,8 @@ process_server_config_line(ServerOptions *options, char *line,
        case sUsePrivilegeSeparation:
                intptr = &use_privsep;
-                goto parse_flag;
+                multistate_ptr = multistate_privsep;
+                goto parse_multistate;
        case sAllowUsers:
                while ((arg = strdelim(&cp)) && *arg != '\0') {
@@ -1574,6 +1581,8 @@ fmt_intarg(ServerOpCodes code, int val)
                return fmt_multistate_int(val, multistate_gatewayports);
        case sCompression:
                return fmt_multistate_int(val, multistate_compression);
+        case sUsePrivilegeSeparation:
+                return fmt_multistate_int(val, multistate_privsep);
        case sProtocol:
                switch (val) {
                case SSH_PROTO_1:
author	Damien Miller <djm@mindrot.org>	2011-06-23 08:30:03 +1000
committer	Damien Miller <djm@mindrot.org>	2011-06-23 08:30:03 +1000
commit	69ff1df952eebf0489b775a60ede094eaf596a05 (patch)
tree	6eb76b4632b7c131e0fbb52d8ce7cccf658b6bfa /servconf.c
parent	82c558761d0fa42dc954d62812b9e4b4a94f64bd (diff)