1 files changed, 21 insertions, 23 deletions
diff --git a/sandbox-systrace.c b/sandbox-systrace.c
index 3830ed16c..8ebdb73df 100644
--- a/sandbox-systrace.c
+++ b/sandbox-systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sandbox-systrace.c,v 1.17 2015/07/27 16:29:23 guenther Exp $ */
+/* $OpenBSD: sandbox-systrace.c,v 1.18 2015/10/02 01:39:26 deraadt Exp $ */
 /*
 * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
 *
@@ -15,10 +15,6 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#include "includes.h"
-#ifdef SANDBOX_SYSTRACE
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/syscall.h>
@@ -50,9 +46,17 @@ struct sandbox_policy {
 /* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
 static const struct sandbox_policy preauth_policy[] = {
-        { SYS_clock_gettime, SYSTR_POLICY_PERMIT },
-        { SYS_close, SYSTR_POLICY_PERMIT },
        { SYS_exit, SYSTR_POLICY_PERMIT },
+#ifdef SYS_kbind
+        { SYS_kbind, SYSTR_POLICY_PERMIT },
+#endif
+        { SYS_getpid, SYSTR_POLICY_PERMIT },
+        { SYS_getpgid, SYSTR_POLICY_PERMIT },
+        { SYS_clock_gettime, SYSTR_POLICY_PERMIT },
+        { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
+        { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
 #ifdef SYS_getentropy
        /* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */
        { SYS_getentropy, SYSTR_POLICY_PERMIT },
@@ -60,27 +64,23 @@ static const struct sandbox_policy preauth_policy[] = {
        /* Previous releases used sysctl(3)'s kern.arnd variable. */
        { SYS___sysctl, SYSTR_POLICY_PERMIT },
 #endif
-        { SYS_getpid, SYSTR_POLICY_PERMIT },
+        { SYS_sendsyslog, SYSTR_POLICY_PERMIT },
-        { SYS_getpgid, SYSTR_POLICY_PERMIT },
-        { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
-#ifdef SYS_kbind
-        { SYS_kbind, SYSTR_POLICY_PERMIT },
-#endif
        { SYS_madvise, SYSTR_POLICY_PERMIT },
        { SYS_mmap, SYSTR_POLICY_PERMIT },
        { SYS_mprotect, SYSTR_POLICY_PERMIT },
        { SYS_mquery, SYSTR_POLICY_PERMIT },
        { SYS_munmap, SYSTR_POLICY_PERMIT },
-        { SYS_open, SYSTR_POLICY_NEVER },
        { SYS_poll, SYSTR_POLICY_PERMIT },
-        { SYS_read, SYSTR_POLICY_PERMIT },
        { SYS_select, SYSTR_POLICY_PERMIT },
-#ifdef SYS_sendsyslog
+        { SYS_read, SYSTR_POLICY_PERMIT },
-        { SYS_sendsyslog, SYSTR_POLICY_PERMIT },
-#endif
-        { SYS_shutdown, SYSTR_POLICY_PERMIT },
-        { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
        { SYS_write, SYSTR_POLICY_PERMIT },
+        { SYS_shutdown, SYSTR_POLICY_PERMIT },
+        { SYS_close, SYSTR_POLICY_PERMIT },
+        { SYS_open, SYSTR_POLICY_NEVER },
        { -1, -1 }
 };
@@ -91,7 +91,7 @@ struct ssh_sandbox {
 };
 struct ssh_sandbox *
-ssh_sandbox_init(struct monitor *monitor)
+ssh_sandbox_init(void)
 {
        struct ssh_sandbox *box;
@@ -208,5 +208,3 @@ ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
 {
        ssh_sandbox_parent(box, child_pid, preauth_policy);
 }
-#endif /* SANDBOX_SYSTRACE */

diff --git a/sandbox-systrace.c b/sandbox-systrace.c index 3830ed16c..8ebdb73df 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: sandbox-systrace.c,v 1.17 2015/07/27 16:29:23 guenther Exp $ */	1	/* $OpenBSD: sandbox-systrace.c,v 1.18 2015/10/02 01:39:26 deraadt Exp $ */
2	/*	2	/*
3	* Copyright (c) 2011 Damien Miller <djm@mindrot.org>	3	* Copyright (c) 2011 Damien Miller <djm@mindrot.org>
4	*	4	*
@@ -15,10 +15,6 @@
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/	16	*/
17		17
18	#include "includes.h"
19
20	#ifdef SANDBOX_SYSTRACE
21
22	#include <sys/types.h>	18	#include <sys/types.h>
23	#include <sys/ioctl.h>	19	#include <sys/ioctl.h>
24	#include <sys/syscall.h>	20	#include <sys/syscall.h>
@@ -50,9 +46,17 @@ struct sandbox_policy {
50		46
51	/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */	47	/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
52	static const struct sandbox_policy preauth_policy[] = {	48	static const struct sandbox_policy preauth_policy[] = {
53	{ SYS_clock_gettime, SYSTR_POLICY_PERMIT },
54	{ SYS_close, SYSTR_POLICY_PERMIT },
55	{ SYS_exit, SYSTR_POLICY_PERMIT },	49	{ SYS_exit, SYSTR_POLICY_PERMIT },
		50	#ifdef SYS_kbind
		51	{ SYS_kbind, SYSTR_POLICY_PERMIT },
		52	#endif
		53
		54	{ SYS_getpid, SYSTR_POLICY_PERMIT },
		55	{ SYS_getpgid, SYSTR_POLICY_PERMIT },
		56	{ SYS_clock_gettime, SYSTR_POLICY_PERMIT },
		57	{ SYS_gettimeofday, SYSTR_POLICY_PERMIT },
		58	{ SYS_sigprocmask, SYSTR_POLICY_PERMIT },
		59
56	#ifdef SYS_getentropy	60	#ifdef SYS_getentropy
57	/* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */	61	/* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */
58	{ SYS_getentropy, SYSTR_POLICY_PERMIT },	62	{ SYS_getentropy, SYSTR_POLICY_PERMIT },
@@ -60,27 +64,23 @@ static const struct sandbox_policy preauth_policy[] = {
60	/* Previous releases used sysctl(3)'s kern.arnd variable. */	64	/* Previous releases used sysctl(3)'s kern.arnd variable. */
61	{ SYS___sysctl, SYSTR_POLICY_PERMIT },	65	{ SYS___sysctl, SYSTR_POLICY_PERMIT },
62	#endif	66	#endif
63	{ SYS_getpid, SYSTR_POLICY_PERMIT },	67	{ SYS_sendsyslog, SYSTR_POLICY_PERMIT },
64	{ SYS_getpgid, SYSTR_POLICY_PERMIT },	68
65	{ SYS_gettimeofday, SYSTR_POLICY_PERMIT },
66	#ifdef SYS_kbind
67	{ SYS_kbind, SYSTR_POLICY_PERMIT },
68	#endif
69	{ SYS_madvise, SYSTR_POLICY_PERMIT },	69	{ SYS_madvise, SYSTR_POLICY_PERMIT },
70	{ SYS_mmap, SYSTR_POLICY_PERMIT },	70	{ SYS_mmap, SYSTR_POLICY_PERMIT },
71	{ SYS_mprotect, SYSTR_POLICY_PERMIT },	71	{ SYS_mprotect, SYSTR_POLICY_PERMIT },
72	{ SYS_mquery, SYSTR_POLICY_PERMIT },	72	{ SYS_mquery, SYSTR_POLICY_PERMIT },
73	{ SYS_munmap, SYSTR_POLICY_PERMIT },	73	{ SYS_munmap, SYSTR_POLICY_PERMIT },
74	{ SYS_open, SYSTR_POLICY_NEVER },	74
75	{ SYS_poll, SYSTR_POLICY_PERMIT },	75	{ SYS_poll, SYSTR_POLICY_PERMIT },
76	{ SYS_read, SYSTR_POLICY_PERMIT },
77	{ SYS_select, SYSTR_POLICY_PERMIT },	76	{ SYS_select, SYSTR_POLICY_PERMIT },
78	#ifdef SYS_sendsyslog	77	{ SYS_read, SYSTR_POLICY_PERMIT },
79	{ SYS_sendsyslog, SYSTR_POLICY_PERMIT },
80	#endif
81	{ SYS_shutdown, SYSTR_POLICY_PERMIT },
82	{ SYS_sigprocmask, SYSTR_POLICY_PERMIT },
83	{ SYS_write, SYSTR_POLICY_PERMIT },	78	{ SYS_write, SYSTR_POLICY_PERMIT },
		79	{ SYS_shutdown, SYSTR_POLICY_PERMIT },
		80	{ SYS_close, SYSTR_POLICY_PERMIT },
		81
		82	{ SYS_open, SYSTR_POLICY_NEVER },
		83
84	{ -1, -1 }	84	{ -1, -1 }
85	};	85	};
86		86
@@ -91,7 +91,7 @@ struct ssh_sandbox {
91	};	91	};
92		92
93	struct ssh_sandbox *	93	struct ssh_sandbox *
94	ssh_sandbox_init(struct monitor *monitor)	94	ssh_sandbox_init(void)
95	{	95	{
96	struct ssh_sandbox *box;	96	struct ssh_sandbox *box;
97		97
@@ -208,5 +208,3 @@ ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
208	{	208	{
209	ssh_sandbox_parent(box, child_pid, preauth_policy);	209	ssh_sandbox_parent(box, child_pid, preauth_policy);
210	}	210	}
211
212	#endif /* SANDBOX_SYSTRACE */