- djm@cvs.openbsd.org 2011/06/22 21:57:01

     [servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
     [sandbox-systrace.c sandbox.h configure.ac Makefile.in]
     introduce sandboxing of the pre-auth privsep child using systrace(4).

     This introduces a new "UsePrivilegeSeparation=sandbox" option for
     sshd_config that applies mandatory restrictions on the syscalls the
     privsep child can perform. This prevents a compromised privsep child
     from being used to attack other hosts (by opening sockets and proxying)
     or probing local kernel attack surface.

     The sandbox is implemented using systrace(4) in unsupervised "fast-path"
     mode, where a list of permitted syscalls is supplied. Any syscall not
     on the list results in SIGKILL being sent to the privsep child. Note
     that this requires a kernel with the new SYSTR_POLICY_KILL option.

     UsePrivilegeSeparation=sandbox will become the default in the future
     so please start testing it now.

     feedback dtucker@; ok markus@

1 files changed, 6 insertions, 1 deletions

diff --git a/servconf.h b/servconf.h
index 31e621bde..89f38e20f 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.98 2011/05/23 03:30:07 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -36,6 +36,11 @@
 #define PERMIT_NO_PASSWD        2
 #define PERMIT_YES              3
 
+/* use_privsep */
+#define PRIVSEP_OFF             0
+#define PRIVSEP_ON              1
+#define PRIVSEP_SANDBOX         2
+
 #define DEFAULT_AUTH_FAIL_MAX   6       /* Default for MaxAuthTries */
 #define DEFAULT_SESSIONS_MAX    10      /* Default for MaxSessions */