Diffstat (limited to 'debian/patches/sandbox-fallback.patch')
-rw-r--r-- | debian/patches/sandbox-fallback.patch | 925 |
1 files changed, 925 insertions, 0 deletions
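--- /dev/null
+++ b/debian/patches/sandbox-fallback.patch
@@ -0,0 +1,925 @@
+Description: Add a sandbox fallback mechanism
+Author: Colin Watson <cjwatson@debian.org>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2011
+Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=2011
+Last-Update: 2012-05-26
+
+Index: b/Makefile.in
+===================================================================
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -93,8 +93,8 @@
+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+ sftp-server.o sftp-common.o \
+ roaming_common.o roaming_serv.o \
+- sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+- sandbox-seccomp-filter.o
++ sandbox.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o \
++ sandbox-darwin.o sandbox-seccomp-filter.o
+
+ MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
+ MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
+Index: b/configure.ac
+===================================================================
+--- a/configure.ac
++++ b/configure.ac
+@@ -126,25 +126,6 @@
+ #include <linux/seccomp.h>
+ ])
+ fi
+-if test "x$have_seccomp_filter" = "x1" ; then
+-AC_MSG_CHECKING([kernel for seccomp_filter support])
+-AC_RUN_IFELSE([AC_LANG_PROGRAM([[
+- #include <errno.h>
+- #include <linux/seccomp.h>
+- #include <stdlib.h>
+- #include <sys/prctl.h>
+- ]],
+- [[ errno = 0;
+- prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+- exit(errno == EFAULT ? 0 : 1); ]])],
+- [ AC_MSG_RESULT([yes]) ], [
+- AC_MSG_RESULT([no])
+- # Disable seccomp filter as a target
+- have_seccomp_filter=0
+- ],
+- [ AC_MSG_RESULT([cross-compiling, assuming yes]) ]
+-)
+-fi
+
+ use_stack_protector=1
+ AC_ARG_WITH([stackprotect],
+@@ -2599,21 +2580,24 @@
+ fi
+ ]
+ )
++SANDBOX_STYLE=""
+ if test "x$sandbox_arg" = "xsystrace" || \
+ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
+ test "x$have_systr_policy_kill" != "x1" && \
+ AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
+- SANDBOX_STYLE="systrace"
++ SANDBOX_STYLE="$SANDBOX_STYLE systrace"
+ AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
+-elif test "x$sandbox_arg" = "xdarwin" || \
++fi
++if test "x$sandbox_arg" = "xdarwin" || \
+ ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
+ test "x$ac_cv_header_sandbox_h" = "xyes") ; then
+ test "x$ac_cv_func_sandbox_init" != "xyes" -o \
+ "x$ac_cv_header_sandbox_h" != "xyes" && \
+ AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
+- SANDBOX_STYLE="darwin"
++ SANDBOX_STYLE="$SANDBOX_STYLE darwin"
+ AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
+-elif test "x$sandbox_arg" = "xseccomp_filter" || \
++fi
++if test "x$sandbox_arg" = "xseccomp_filter" || \
+ ( test -z "$sandbox_arg" && \
+ test "x$have_seccomp_filter" = "x1" && \
+ test "x$ac_cv_header_linux_audit_h" = "xyes" && \
+@@ -2628,21 +2612,24 @@
+ AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
+ test "x$ac_cv_func_prctl" != "xyes" && \
+ AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
+- SANDBOX_STYLE="seccomp_filter"
++ SANDBOX_STYLE="$SANDBOX_STYLE seccomp_filter"
+ AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
+-elif test "x$sandbox_arg" = "xrlimit" || \
++fi
++if test "x$sandbox_arg" = "xrlimit" || \
+ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
+ test "x$ac_cv_func_setrlimit" != "xyes" && \
+ AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
+- SANDBOX_STYLE="rlimit"
++ SANDBOX_STYLE="$SANDBOX_STYLE rlimit"
+ AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
+-elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
++fi
++if test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
+ test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
+- SANDBOX_STYLE="none"
+- AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
+-else
++ SANDBOX_STYLE="$SANDBOX_STYLE none"
++fi
++if test -z "$SANDBOX_STYLE" ; then
+ AC_MSG_ERROR([unsupported --with-sandbox])
+ fi
++SANDBOX_STYLE="${SANDBOX_STYLE# }"
+
+ # Cheap hack to ensure NEWS-OS libraries are arranged right.
+ if test ! -z "$SONY" ; then
+Index: b/configure
+===================================================================
+--- a/configure
++++ b/configure
+@@ -5598,48 +5598,6 @@
+ fi
+
+ fi
+-if test "x$have_seccomp_filter" = "x1" ; then
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5
+-$as_echo_n "checking kernel for seccomp_filter support... " >&6; }
+-if test "$cross_compiling" = yes; then :
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming yes" >&5
+-$as_echo "cross-compiling, assuming yes" >&6; }
+-
+-else
+- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h. */
+-
+- #include <errno.h>
+- #include <linux/seccomp.h>
+- #include <stdlib.h>
+- #include <sys/prctl.h>
+-
+-int
+-main ()
+-{
+- errno = 0;
+- prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+- exit(errno == EFAULT ? 0 : 1);
+- ;
+- return 0;
+-}
+-_ACEOF
+-if ac_fn_c_try_run "$LINENO"; then :
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+-$as_echo "yes" >&6; }
+-else
+-
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+- # Disable seccomp filter as a target
+- have_seccomp_filter=0
+-
+-fi
+-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+- conftest.$ac_objext conftest.beam conftest.$ac_ext
+-fi
+-
+-fi
+
+ use_stack_protector=1
+
+@@ -11898,25 +11856,28 @@
+
+ fi
+
++SANDBOX_STYLE=""
+ if test "x$sandbox_arg" = "xsystrace" || \
+ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
+ test "x$have_systr_policy_kill" != "x1" && \
+ as_fn_error $? "systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support" "$LINENO" 5
+- SANDBOX_STYLE="systrace"
++ SANDBOX_STYLE="$SANDBOX_STYLE systrace"
+
+ $as_echo "#define SANDBOX_SYSTRACE 1" >>confdefs.h
+
+-elif test "x$sandbox_arg" = "xdarwin" || \
++fi
++if test "x$sandbox_arg" = "xdarwin" || \
+ ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
+ test "x$ac_cv_header_sandbox_h" = "xyes") ; then
+ test "x$ac_cv_func_sandbox_init" != "xyes" -o \
+ "x$ac_cv_header_sandbox_h" != "xyes" && \
+ as_fn_error $? "Darwin seatbelt sandbox requires sandbox.h and sandbox_init function" "$LINENO" 5
+- SANDBOX_STYLE="darwin"
++ SANDBOX_STYLE="$SANDBOX_STYLE darwin"
+
+ $as_echo "#define SANDBOX_DARWIN 1" >>confdefs.h
+
+-elif test "x$sandbox_arg" = "xseccomp_filter" || \
++fi
++if test "x$sandbox_arg" = "xseccomp_filter" || \
+ ( test -z "$sandbox_arg" && \
+ test "x$have_seccomp_filter" = "x1" && \
+ test "x$ac_cv_header_linux_audit_h" = "xyes" && \
+@@ -11931,27 +11892,28 @@
+ as_fn_error $? "seccomp_filter sandbox requires seccomp headers" "$LINENO" 5
+ test "x$ac_cv_func_prctl" != "xyes" && \
+ as_fn_error $? "seccomp_filter sandbox requires prctl function" "$LINENO" 5
+- SANDBOX_STYLE="seccomp_filter"
++ SANDBOX_STYLE="$SANDBOX_STYLE seccomp_filter"
+
+ $as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h
+
+-elif test "x$sandbox_arg" = "xrlimit" || \
++fi
++if test "x$sandbox_arg" = "xrlimit" || \
+ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
+ test "x$ac_cv_func_setrlimit" != "xyes" && \
+ as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5
+- SANDBOX_STYLE="rlimit"
++ SANDBOX_STYLE="$SANDBOX_STYLE rlimit"
+
+ $as_echo "#define SANDBOX_RLIMIT 1" >>confdefs.h
+
+-elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
++fi
++if test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
+ test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
+- SANDBOX_STYLE="none"
+-
+-$as_echo "#define SANDBOX_NULL 1" >>confdefs.h
+-
+-else
++ SANDBOX_STYLE="$SANDBOX_STYLE none"
++fi
++if test -z "$SANDBOX_STYLE" ; then
+ as_fn_error $? "unsupported --with-sandbox" "$LINENO" 5
+ fi
++SANDBOX_STYLE="${SANDBOX_STYLE# }"
+
+ # Cheap hack to ensure NEWS-OS libraries are arranged right.
+ if test ! -z "$SONY" ; then
+Index: b/config.h.in
+===================================================================
+--- a/config.h.in
++++ b/config.h.in
+@@ -1365,9 +1365,6 @@
+ /* Sandbox using Darwin sandbox_init(3) */
+ #undef SANDBOX_DARWIN
+
+-/* no privsep sandboxing */
+-#undef SANDBOX_NULL
+-
+ /* Sandbox using setrlimit(2) */
+ #undef SANDBOX_RLIMIT
+
+Index: b/sandbox-darwin.c
+===================================================================
+--- a/sandbox-darwin.c
++++ b/sandbox-darwin.c
+@@ -16,10 +16,12 @@
+
+ #include "includes.h"
+
+-#ifdef SANDBOX_DARWIN
+-
+ #include <sys/types.h>
+
++#include "ssh-sandbox.h"
++
++#ifdef SANDBOX_DARWIN
++
+ #include <sandbox.h>
+
+ #include <errno.h>
+@@ -30,7 +32,6 @@
+ #include <unistd.h>
+
+ #include "log.h"
+-#include "sandbox.h"
+ #include "xmalloc.h"
+
+ /* Darwin/OS X sandbox */
+@@ -39,8 +40,14 @@
+ pid_t child_pid;
+ };
+
+-struct ssh_sandbox *
+-ssh_sandbox_init(void)
++static int
++sandbox_darwin_probe(void)
++{
++ return 1;
++}
++
++static void *
++sandbox_darwin_init(void)
+ {
+ struct ssh_sandbox *box;
+
+@@ -55,9 +62,10 @@
+ return box;
+ }
+
+-void
+-ssh_sandbox_child(struct ssh_sandbox *box)
++static void
++sandbox_darwin_child(void *vbox)
+ {
++ struct ssh_sandbox *box = vbox;
+ char *errmsg;
+ struct rlimit rl_zero;
+
+@@ -82,17 +90,39 @@
+ __func__, strerror(errno));
+ }
+
+-void
+-ssh_sandbox_parent_finish(struct ssh_sandbox *box)
++static void
++sandbox_darwin_parent_finish(void *vbox)
+ {
+- free(box);
++ free(vbox);
+ debug3("%s: finished", __func__);
+ }
+
+-void
+-ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
++static void
++sandbox_darwin_parent_preauth(void *box, pid_t child_pid)
+ {
++ struct ssh_sandbox *box = vbox;
++
+ box->child_pid = child_pid;
+ }
+
++Sandbox ssh_sandbox_darwin = {
++ "darwin",
++ sandbox_darwin_probe,
++ sandbox_darwin_init,
++ sandbox_darwin_child,
++ sandbox_darwin_parent_finish,
++ sandbox_darwin_parent_preauth
++};
++
++#else /* !SANDBOX_DARWIN */
++
++Sandbox ssh_sandbox_darwin = {
++ "darwin",
++ NULL,
++ NULL,
++ NULL,
++ NULL,
++ NULL
++};
++
+ #endif /* SANDBOX_DARWIN */
+Index: b/sandbox-null.c
+===================================================================
+--- a/sandbox-null.c
++++ b/sandbox-null.c
+@@ -17,8 +17,6 @@
+
+ #include "includes.h"
+
+-#ifdef SANDBOX_NULL
+-
+ #include <sys/types.h>
+
+ #include <errno.h>
+@@ -38,8 +36,14 @@
+ int junk;
+ };
+
+-struct ssh_sandbox *
+-ssh_sandbox_init(void)
++static int
++sandbox_null_probe(void)
++{
++ return 1;
++}
++
++static void *
++sandbox_null_init(void)
+ {
+ struct ssh_sandbox *box;
+
+@@ -51,22 +55,29 @@
+ return box;
+ }
+
+-void
+-ssh_sandbox_child(struct ssh_sandbox *box)
++static void
++sandbox_null_child(void *vbox)
+ {
+ /* Nothing to do here */
+ }
+
+-void
+-ssh_sandbox_parent_finish(struct ssh_sandbox *box)
++static void
++sandbox_null_parent_finish(void *vbox)
+ {
+- free(box);
++ free(vbox);
+ }
+
+-void
+-ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
++static void
++sandbox_null_parent_preauth(void *box, pid_t child_pid)
+ {
+ /* Nothing to do here */
+ }
+
+-#endif /* SANDBOX_NULL */
++Sandbox ssh_sandbox_null = {
++ "null",
++ sandbox_null_probe,
++ sandbox_null_init,
++ sandbox_null_child,
++ sandbox_null_parent_finish,
++ sandbox_null_parent_preauth
++};
+Index: b/sandbox-rlimit.c
+===================================================================
+--- a/sandbox-rlimit.c
++++ b/sandbox-rlimit.c
+@@ -17,9 +17,12 @@
+
+ #include "includes.h"
+
++#include <sys/types.h>
++
++#include "ssh-sandbox.h"
++
+ #ifdef SANDBOX_RLIMIT
+
+-#include <sys/types.h>
+ #include <sys/param.h>
+ #include <sys/time.h>
+ #include <sys/resource.h>
+@@ -32,7 +35,6 @@
+ #include <unistd.h>
+
+ #include "log.h"
+-#include "ssh-sandbox.h"
+ #include "xmalloc.h"
+
+ /* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */
+@@ -41,8 +43,14 @@
+ pid_t child_pid;
+ };
+
+-struct ssh_sandbox *
+-ssh_sandbox_init(void)
++static int
++sandbox_rlimit_probe(void)
++{
++ return 1;
++}
++
++static void *
++sandbox_rlimit_init(void)
+ {
+ struct ssh_sandbox *box;
+
+@@ -57,8 +65,8 @@
+ return box;
+ }
+
+-void
+-ssh_sandbox_child(struct ssh_sandbox *box)
++static void
++sandbox_rlimit_child(void *vbox)
+ {
+ struct rlimit rl_zero;
+
+@@ -77,17 +85,39 @@
+ #endif
+ }
+
+-void
+-ssh_sandbox_parent_finish(struct ssh_sandbox *box)
++static void
++sandbox_rlimit_parent_finish(void *vbox)
+ {
+- free(box);
++ free(vbox);
+ debug3("%s: finished", __func__);
+ }
+
+-void
+-ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
++static void
++sandbox_rlimit_parent_preauth(void *vbox, pid_t child_pid)
+ {
++ struct ssh_sandbox *box = vbox;
++
+ box->child_pid = child_pid;
+ }
+
++Sandbox ssh_sandbox_rlimit = {
++ "rlimit",
++ sandbox_rlimit_probe,
++ sandbox_rlimit_init,
++ sandbox_rlimit_child,
++ sandbox_rlimit_parent_finish,
++ sandbox_rlimit_parent_preauth
++};
++
++#else /* !SANDBOX_RLIMIT */
++
++Sandbox ssh_sandbox_rlimit = {
++ "rlimit",
++ NULL,
++ NULL,
++ NULL,
++ NULL,
++ NULL
++};
++
+ #endif /* SANDBOX_RLIMIT */
+Index: b/sandbox-seccomp-filter.c
+===================================================================
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -35,11 +35,15 @@
+
+ #include "includes.h"
+
++#include <sys/types.h>
++
++#include "ssh-sandbox.h"
++
+ #ifdef SANDBOX_SECCOMP_FILTER
+
+-#include <sys/types.h>
+ #include <sys/resource.h>
+ #include <sys/prctl.h>
++#include <sys/wait.h>
+
+ #include <linux/audit.h>
+ #include <linux/filter.h>
+@@ -57,7 +61,6 @@
+ #include <unistd.h>
+
+ #include "log.h"
+-#include "ssh-sandbox.h"
+ #include "xmalloc.h"
+
+ /* Linux seccomp_filter sandbox */
+@@ -122,8 +125,33 @@
+ pid_t child_pid;
+ };
+
+-struct ssh_sandbox *
+-ssh_sandbox_init(void)
++static int
++sandbox_seccomp_filter_probe(void)
++{
++ int status;
++ pid_t pid;
++
++ pid = fork();
++ if (pid == -1) {
++ fatal("fork of seccomp_filter probe child failed");
++ } else if (pid != 0) {
++ /* parent */
++ while (waitpid(pid, &status, 0) < 0) {
++ if (errno == EINTR)
++ continue;
++ fatal("%s: waitpid: %s", __func__, strerror(errno));
++ }
++ return (WIFEXITED(status) && WEXITSTATUS(status) == 0);
++ } else {
++ /* child */
++ errno = 0;
++ prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
++ _exit(errno == EFAULT ? 0 : 1);
++ }
++}
++
++static void *
++sandbox_seccomp_filter_init(void)
+ {
+ struct ssh_sandbox *box;
+
+@@ -143,7 +171,8 @@
+ void mm_log_handler(LogLevel level, const char *msg, void *ctx);
+
+ static void
+-ssh_sandbox_violation(int signum, siginfo_t *info, void *void_context)
++sandbox_seccomp_filter_violation(int signum, siginfo_t *info,
++ void *void_context)
+ {
+ char msg[256];
+
+@@ -155,7 +184,7 @@
+ }
+
+ static void
+-ssh_sandbox_child_debugging(void)
++sandbox_seccomp_filter_child_debugging(void)
+ {
+ struct sigaction act;
+ sigset_t mask;
+@@ -165,7 +194,7 @@
+ sigemptyset(&mask);
+ sigaddset(&mask, SIGSYS);
+
+- act.sa_sigaction = &ssh_sandbox_violation;
++ act.sa_sigaction = &sandbox_seccomp_filter_violation;
+ act.sa_flags = SA_SIGINFO;
+ if (sigaction(SIGSYS, &act, NULL) == -1)
+ fatal("%s: sigaction(SIGSYS): %s", __func__, strerror(errno));
+@@ -175,8 +204,8 @@
+ }
+ #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+
+-void
+-ssh_sandbox_child(struct ssh_sandbox *box)
++static void
++sandbox_seccomp_filter_child(void *vbox)
+ {
+ struct rlimit rl_zero;
+
+@@ -193,7 +222,7 @@
+ __func__, strerror(errno));
+
+ #ifdef SANDBOX_SECCOMP_FILTER_DEBUG
+- ssh_sandbox_child_debugging();
++ sandbox_seccomp_filter_child_debugging();
+ #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+
+ debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__);
+@@ -206,17 +235,39 @@
+ __func__, strerror(errno));
+ }
+
+-void
+-ssh_sandbox_parent_finish(struct ssh_sandbox *box)
++static void
++sandbox_seccomp_filter_parent_finish(void *vbox)
+ {
+- free(box);
++ free(vbox);
+ debug3("%s: finished", __func__);
+ }
+
+-void
+-ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
++static void
++sandbox_seccomp_filter_parent_preauth(void *vbox, pid_t child_pid)
+ {
++ struct ssh_sandbox *box = vbox;
++
+ box->child_pid = child_pid;
+ }
+
++Sandbox ssh_sandbox_seccomp_filter = {
++ "seccomp_filter",
++ sandbox_seccomp_filter_probe,
++ sandbox_seccomp_filter_init,
++ sandbox_seccomp_filter_child,
++ sandbox_seccomp_filter_parent_finish,
++ sandbox_seccomp_filter_parent_preauth
++};
++
++#else /* !SANDBOX_SECCOMP_FILTER */
++
++Sandbox ssh_sandbox_seccomp_filter = {
++ "seccomp_filter",
++ NULL,
++ NULL,
++ NULL,
++ NULL,
++ NULL
++};
++
+ #endif /* SANDBOX_SECCOMP_FILTER */
+Index: b/sandbox-systrace.c
+===================================================================
+--- a/sandbox-systrace.c
++++ b/sandbox-systrace.c
+@@ -17,9 +17,12 @@
+
+ #include "includes.h"
+
++#include <sys/types.h>
++
++#include "ssh-sandbox.h"
++
+ #ifdef SANDBOX_SYSTRACE
+
+-#include <sys/types.h>
+ #include <sys/param.h>
+ #include <sys/ioctl.h>
+ #include <sys/syscall.h>
+@@ -38,7 +41,6 @@
+
+ #include "atomicio.h"
+ #include "log.h"
+-#include "ssh-sandbox.h"
+ #include "xmalloc.h"
+
+ struct sandbox_policy {
+@@ -74,8 +76,14 @@
+ pid_t child_pid;
+ };
+
+-struct ssh_sandbox *
+-ssh_sandbox_init(void)
++static int
++sandbox_systrace_probe(void)
++{
++ return 1;
++}
++
++static void *
++sandbox_systrace_init(void)
+ {
+ struct ssh_sandbox *box;
+ int s[2];
+@@ -92,9 +100,10 @@
+ return box;
+ }
+
+-void
+-ssh_sandbox_child(struct ssh_sandbox *box)
++static void
++sandbox_systrace_child(void *vbox)
+ {
++ struct ssh_sandbox *box = vbox;
+ char whatever = 0;
+
+ close(box->parent_sock);
+@@ -110,7 +119,7 @@
+ }
+
+ static void
+-ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
++sandbox_systrace_parent(struct ssh_sandbox *box, pid_t child_pid,
+ const struct sandbox_policy *allowed_syscalls)
+ {
+ int dev_systrace, i, j, found;
+@@ -179,9 +188,11 @@
+ close(box->parent_sock);
+ }
+
+-void
+-ssh_sandbox_parent_finish(struct ssh_sandbox *box)
++static void
++sandbox_systrace_parent_finish(void *vbox)
+ {
++ struct ssh_sandbox *box = vbox;
++
+ /* Closing this before the child exits will terminate it */
+ close(box->systrace_fd);
+
+@@ -189,10 +200,32 @@
+ debug3("%s: finished", __func__);
+ }
+
+-void
+-ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
++static void
++sandbox_systrace_parent_preauth(void *vbox, pid_t child_pid)
+ {
++ struct ssh_sandbox *box = vbox;
++
+ ssh_sandbox_parent(box, child_pid, preauth_policy);
+ }
+
++Sandbox ssh_sandbox_systrace = {
++ "systrace",
++ sandbox_systrace_probe,
++ sandbox_systrace_init,
++ sandbox_systrace_child,
++ sandbox_systrace_parent_finish,
++ sandbox_systrace_parent_preauth
++};
++
++#else /* !SANDBOX_SYSTRACE */
++
++Sandbox ssh_sandbox_systrace = {
++ "systrace",
++ NULL,
++ NULL,
++ NULL,
++ NULL,
++ NULL
++};
++
+ #endif /* SANDBOX_SYSTRACE */
+Index: b/sandbox.c
+===================================================================
+--- /dev/null
++++ b/sandbox.c
+@@ -0,0 +1,82 @@
++/* $Id$ */
++/*
++ * Copyright (c) 2012 Colin Watson <cjwatson@debian.org>
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#include <sys/types.h>
++
++#include <stdlib.h>
++#include <stdarg.h>
++
++#include "log.h"
++#include "ssh-sandbox.h"
++
++static Sandbox *sandboxes[] = {
++ &ssh_sandbox_systrace,
++ &ssh_sandbox_darwin,
++ &ssh_sandbox_seccomp_filter,
++ &ssh_sandbox_rlimit,
++ &ssh_sandbox_null,
++ NULL
++};
++
++static Sandbox *selected;
++
++static void
++sandbox_select(void)
++{
++ Sandbox **sandbox;
++
++ if (selected)
++ return;
++
++ for (sandbox = sandboxes; sandbox; sandbox++) {
++ if ((*sandbox)->probe && (*sandbox)->probe()) {
++ selected = *sandbox;
++ return;
++ }
++ }
++
++ /* should never happen, as ssh_sandbox_null always succeeds */
++ fatal("no sandbox implementation found");
++}
++
++void *
++ssh_sandbox_init(void)
++{
++ sandbox_select();
++ return selected->init();
++}
++
++void
++ssh_sandbox_child(void *box)
++{
++ sandbox_select();
++ return selected->child(box);
++}
++
++void
++ssh_sandbox_parent_finish(void *box)
++{
++ sandbox_select();
++ return selected->parent_finish(box);
++}
++
++void
++ssh_sandbox_parent_preauth(void *box, pid_t child_pid)
++{
++ sandbox_select();
++ return selected->parent_preauth(box, child_pid);
++}
+Index: b/ssh-sandbox.h
+===================================================================
+--- a/ssh-sandbox.h
++++ b/ssh-sandbox.h
+@@ -15,9 +15,24 @@
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+-struct ssh_sandbox;
++typedef struct Sandbox Sandbox;
+
+-struct ssh_sandbox *ssh_sandbox_init(void);
+-void ssh_sandbox_child(struct ssh_sandbox *);
+-void ssh_sandbox_parent_finish(struct ssh_sandbox *);
+-void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t);
++struct Sandbox {
++ const char *name;
++ int (*probe)(void);
++ void *(*init)(void);
++ void (*child)(void *);
++ void (*parent_finish)(void *);
++ void (*parent_preauth)(void *, pid_t);
++};
++
++void *ssh_sandbox_init(void);
++void ssh_sandbox_child(void *);
++void ssh_sandbox_parent_finish(void *);
++void ssh_sandbox_parent_preauth(void *, pid_t);
++
++extern Sandbox ssh_sandbox_systrace;
++extern Sandbox ssh_sandbox_darwin;
++extern Sandbox ssh_sandbox_seccomp_filter;
++extern Sandbox ssh_sandbox_rlimit;
++extern Sandbox ssh_sandbox_null;
+Index: b/sshd.c
+===================================================================
+--- a/sshd.c
++++ b/sshd.c
+@@ -631,7 +631,7 @@
+ {
+ int status;
+ pid_t pid;
+- struct ssh_sandbox *box = NULL;
++ void *box = NULL;
+
+ /* Set up unprivileged child process to deal with network data */
+ pmonitor = monitor_init();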
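Review bot: The sandbox-darwin.c part of this patch declares `sandbox_darwin_parent_preauth(void *box, pid_t child_pid)` and then `struct ssh_sandbox *box = vbox;`, which cannot compile (vbox is undeclared and box is redeclared); the parameter should be `void *vbox` as in the rlimit, seccomp_filter and systrace variants, and `sandbox_null_parent_preauth(void *box, ...)` carries the same naming slip, harmless there only because the body never uses it. In sandbox-systrace.c, the new `sandbox_systrace_parent_preauth` still calls `ssh_sandbox_parent(box, child_pid, preauth_policy);` although that function is renamed to `sandbox_systrace_parent` in the same file, so the systrace build will fail to link. In sandbox.c, `for (sandbox = sandboxes; sandbox; sandbox++)` tests the iterator pointer rather than the NULL sentinel it adds to the table and should read `for (sandbox = sandboxes; *sandbox; sandbox++)` — today it stops only because ssh_sandbox_null's probe always returns 1 — and the `return selected->child(box);` form in the three void wrappers returns an expression from a void function, which is a constraint violation (compilers typically only warn); drop the `return`. The fallback is also silent: when the seccomp_filter probe fails in a privsep monitor the process drops to rlimit or null without any log line, and the `name` field of struct Sandbox is never read, so consider adding `debug("%s: selected %s sandbox", __func__, selected->name);` (or logit, since a downgraded sandbox is something an operator will want to notice) right after a probe succeeds in sandbox_select.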