| author | Damien Miller <djm@mindrot.org> | 2011-06-23 08:30:03 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2011-06-23 08:30:03 +1000 |
| commit | 69ff1df952eebf0489b775a60ede094eaf596a05 (patch) | |
| tree | 6eb76b4632b7c131e0fbb52d8ce7cccf658b6bfa /servconf.h | |
| parent | 82c558761d0fa42dc954d62812b9e4b4a94f64bd (diff) | |
- djm@cvs.openbsd.org 2011/06/22 21:57:01
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
Diffstat (limited to 'servconf.h')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | servconf.h | 7 |

1 files changed, 6 insertions, 1 deletions
diff --git a/servconf.h b/servconf.h index 31e621bde..89f38e20f 100644 --- a/servconf.h +++ b/servconf.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: servconf.h,v 1.98 2011/05/23 03:30:07 djm Exp $ */ | 1 | /* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -36,6 +36,11 @@ | |||
36 | #define PERMIT_NO_PASSWD 2 | 36 | #define PERMIT_NO_PASSWD 2 |
37 | #define PERMIT_YES 3 | 37 | #define PERMIT_YES 3 |
38 | 38 | ||
39 | /* use_privsep */ | ||
40 | #define PRIVSEP_OFF 0 | ||
41 | #define PRIVSEP_ON 1 | ||
42 | #define PRIVSEP_SANDBOX 2 | ||
43 | |||
39 | #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ | 44 | #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ |
40 | #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ | 45 | #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ |
41 | 46 | ||
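Review bot: the second hunk turns use_privsep from a boolean into a three-valued setting (PRIVSEP_OFF, PRIVSEP_ON, PRIVSEP_SANDBOX) but documents it only with the bare comment `/* use_privsep */`; suggest expanding that comment to say these are the values of the UsePrivilegeSeparation option, that PRIVSEP_SANDBOX means privilege separation plus the systrace syscall restrictions described in the commit message, and that the numbering (OFF=0, ON=1, SANDBOX=2) is deliberate so that any `if (use_privsep)` test elsewhere still treats sandbox mode as privsep enabled, whereas a `use_privsep == 1` comparison would silently exclude it. A short note that sandbox mode needs a kernel with SYSTR_POLICY_KILL, and where sshd handles the case when that support is missing, would also help readers of this header, since nothing in these lines conveys it.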