1 files changed, 198 insertions, 0 deletions
diff --git a/sandbox-systrace.c b/sandbox-systrace.c
new file mode 100644
index 000000000..5a39f4fe1
--- /dev/null
+++ b/sandbox-systrace.c
@@ -0,0 +1,198 @@
+/* $OpenBSD: sandbox-systrace.c,v 1.4 2011/07/29 14:42:45 djm Exp $ */
+/*
+ * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "includes.h"
+#ifdef SANDBOX_SYSTRACE
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/syscall.h>
+#include <sys/socket.h>
+#include <dev/systrace.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "atomicio.h"
+#include "log.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+struct sandbox_policy {
+        int syscall;
+        int action;
+};
+/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
+static const struct sandbox_policy preauth_policy[] = {
+        { SYS_open, SYSTR_POLICY_NEVER },
+        { SYS___sysctl, SYSTR_POLICY_PERMIT },
+        { SYS_close, SYSTR_POLICY_PERMIT },
+        { SYS_exit, SYSTR_POLICY_PERMIT },
+        { SYS_getpid, SYSTR_POLICY_PERMIT },
+        { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
+        { SYS_madvise, SYSTR_POLICY_PERMIT },
+        { SYS_mmap, SYSTR_POLICY_PERMIT },
+        { SYS_mprotect, SYSTR_POLICY_PERMIT },
+        { SYS_poll, SYSTR_POLICY_PERMIT },
+        { SYS_munmap, SYSTR_POLICY_PERMIT },
+        { SYS_read, SYSTR_POLICY_PERMIT },
+        { SYS_select, SYSTR_POLICY_PERMIT },
+        { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
+        { SYS_write, SYSTR_POLICY_PERMIT },
+        { -1, -1 }
+};
+struct ssh_sandbox {
+        int child_sock;
+        int parent_sock;
+        int systrace_fd;
+        pid_t child_pid;
+};
+struct ssh_sandbox *
+ssh_sandbox_init(void)
+{
+        struct ssh_sandbox *box;
+        int s[2];
+        debug3("%s: preparing systrace sandbox", __func__);
+        box = xcalloc(1, sizeof(*box));
+        if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1)
+                fatal("%s: socketpair: %s", __func__, strerror(errno));
+        box->child_sock = s[0];
+        box->parent_sock = s[1];
+        box->systrace_fd = -1;
+        box->child_pid = 0;
+        return box;
+}
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+        char whatever = 0;
+        close(box->parent_sock);
+        /* Signal parent that we are ready */
+        debug3("%s: ready", __func__);
+        if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1)
+                fatal("%s: write: %s", __func__, strerror(errno));
+        /* Wait for parent to signal for us to go */
+        if (atomicio(read, box->child_sock, &whatever, 1) != 1)
+                fatal("%s: read: %s", __func__, strerror(errno));
+        debug3("%s: started", __func__);
+        close(box->child_sock);
+}
+static void
+ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
+    const struct sandbox_policy *allowed_syscalls)
+{
+        int dev_systrace, i, j, found;
+        char whatever = 0;
+        struct systrace_policy policy;
+        debug3("%s: wait for child %ld", __func__, (long)child_pid);
+        box->child_pid = child_pid;
+        close(box->child_sock);
+        /* Wait for child to signal that it is ready */
+        if (atomicio(read, box->parent_sock, &whatever, 1) != 1)
+                fatal("%s: read: %s", __func__, strerror(errno));
+        debug3("%s: child %ld ready", __func__, (long)child_pid);
+        /* Set up systracing of child */
+        if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
+                fatal("%s: open(\"/dev/systrace\"): %s", __func__,
+                    strerror(errno));
+        if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
+                fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
+                    dev_systrace, strerror(errno));
+        close(dev_systrace);
+        debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
+        if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
+                fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
+                    box->systrace_fd, child_pid, strerror(errno));
+        /* Allocate and assign policy */
+        bzero(&policy, sizeof(policy));
+        policy.strp_op = SYSTR_POLICY_NEW;
+        policy.strp_maxents = SYS_MAXSYSCALL;
+        if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
+                fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
+                    box->systrace_fd, strerror(errno));
+        policy.strp_op = SYSTR_POLICY_ASSIGN;
+        policy.strp_pid = box->child_pid;
+        if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
+                fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
+                    __func__, box->systrace_fd, strerror(errno));
+        /* Set per-syscall policy */
+        for (i = 0; i < SYS_MAXSYSCALL; i++) {
+                found = 0;
+                for (j = 0; allowed_syscalls[j].syscall != -1; j++) {
+                        if (allowed_syscalls[j].syscall == i) {
+                                found = 1;
+                                break;
+                        }
+                }
+                policy.strp_op = SYSTR_POLICY_MODIFY;
+                policy.strp_code = i;
+                policy.strp_policy = found ?
+                    allowed_syscalls[j].action : SYSTR_POLICY_KILL;
+                if (found)
+                        debug3("%s: policy: enable syscall %d", __func__, i);
+                if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
+                        fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
+                            __func__, box->systrace_fd, strerror(errno));
+        }
+        /* Signal the child to start running */
+        debug3("%s: start child %ld", __func__, (long)child_pid);
+        if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1)
+                fatal("%s: write: %s", __func__, strerror(errno));
+        close(box->parent_sock);
+}
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+        /* Closing this before the child exits will terminate it */
+        close(box->systrace_fd);
+        free(box);
+        debug3("%s: finished", __func__);
+}
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+        ssh_sandbox_parent(box, child_pid, preauth_policy);
+}
+#endif /* SANDBOX_SYSTRACE */

diff --git a/sandbox-systrace.c b/sandbox-systrace.c new file mode 100644 index 000000000..5a39f4fe1 --- /dev/null +++ b/sandbox-systrace.c
@@ -0,0 +1,198 @@
	1	/* $OpenBSD: sandbox-systrace.c,v 1.4 2011/07/29 14:42:45 djm Exp $ */
	2	/*
	3	* Copyright (c) 2011 Damien Miller <djm@mindrot.org>
	4	*
	5	* Permission to use, copy, modify, and distribute this software for any
	6	* purpose with or without fee is hereby granted, provided that the above
	7	* copyright notice and this permission notice appear in all copies.
	8	*
	9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	*/
	17
	18	#include "includes.h"
	19
	20	#ifdef SANDBOX_SYSTRACE
	21
	22	#include <sys/types.h>
	23	#include <sys/param.h>
	24	#include <sys/ioctl.h>
	25	#include <sys/syscall.h>
	26	#include <sys/socket.h>
	27
	28	#include <dev/systrace.h>
	29
	30	#include <errno.h>
	31	#include <fcntl.h>
	32	#include <limits.h>
	33	#include <stdarg.h>
	34	#include <stdio.h>
	35	#include <stdlib.h>
	36	#include <string.h>
	37	#include <unistd.h>
	38
	39	#include "atomicio.h"
	40	#include "log.h"
	41	#include "ssh-sandbox.h"
	42	#include "xmalloc.h"
	43
	44	struct sandbox_policy {
	45	int syscall;
	46	int action;
	47	};
	48
	49	/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
	50	static const struct sandbox_policy preauth_policy[] = {
	51	{ SYS_open, SYSTR_POLICY_NEVER },
	52
	53	{ SYS___sysctl, SYSTR_POLICY_PERMIT },
	54	{ SYS_close, SYSTR_POLICY_PERMIT },
	55	{ SYS_exit, SYSTR_POLICY_PERMIT },
	56	{ SYS_getpid, SYSTR_POLICY_PERMIT },
	57	{ SYS_gettimeofday, SYSTR_POLICY_PERMIT },
	58	{ SYS_madvise, SYSTR_POLICY_PERMIT },
	59	{ SYS_mmap, SYSTR_POLICY_PERMIT },
	60	{ SYS_mprotect, SYSTR_POLICY_PERMIT },
	61	{ SYS_poll, SYSTR_POLICY_PERMIT },
	62	{ SYS_munmap, SYSTR_POLICY_PERMIT },
	63	{ SYS_read, SYSTR_POLICY_PERMIT },
	64	{ SYS_select, SYSTR_POLICY_PERMIT },
	65	{ SYS_sigprocmask, SYSTR_POLICY_PERMIT },
	66	{ SYS_write, SYSTR_POLICY_PERMIT },
	67	{ -1, -1 }
	68	};
	69
	70	struct ssh_sandbox {
	71	int child_sock;
	72	int parent_sock;
	73	int systrace_fd;
	74	pid_t child_pid;
	75	};
	76
	77	struct ssh_sandbox *
	78	ssh_sandbox_init(void)
	79	{
	80	struct ssh_sandbox *box;
	81	int s[2];
	82
	83	debug3("%s: preparing systrace sandbox", __func__);
	84	box = xcalloc(1, sizeof(*box));
	85	if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1)
	86	fatal("%s: socketpair: %s", __func__, strerror(errno));
	87	box->child_sock = s[0];
	88	box->parent_sock = s[1];
	89	box->systrace_fd = -1;
	90	box->child_pid = 0;
	91
	92	return box;
	93	}
	94
	95	void
	96	ssh_sandbox_child(struct ssh_sandbox *box)
	97	{
	98	char whatever = 0;
	99
	100	close(box->parent_sock);
	101	/* Signal parent that we are ready */
	102	debug3("%s: ready", __func__);
	103	if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1)
	104	fatal("%s: write: %s", __func__, strerror(errno));
	105	/* Wait for parent to signal for us to go */
	106	if (atomicio(read, box->child_sock, &whatever, 1) != 1)
	107	fatal("%s: read: %s", __func__, strerror(errno));
	108	debug3("%s: started", __func__);
	109	close(box->child_sock);
	110	}
	111
	112	static void
	113	ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
	114	const struct sandbox_policy *allowed_syscalls)
	115	{
	116	int dev_systrace, i, j, found;
	117	char whatever = 0;
	118	struct systrace_policy policy;
	119
	120	debug3("%s: wait for child %ld", __func__, (long)child_pid);
	121	box->child_pid = child_pid;
	122	close(box->child_sock);
	123	/* Wait for child to signal that it is ready */
	124	if (atomicio(read, box->parent_sock, &whatever, 1) != 1)
	125	fatal("%s: read: %s", __func__, strerror(errno));
	126	debug3("%s: child %ld ready", __func__, (long)child_pid);
	127
	128	/* Set up systracing of child */
	129	if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
	130	fatal("%s: open(\"/dev/systrace\"): %s", __func__,
	131	strerror(errno));
	132	if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
	133	fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
	134	dev_systrace, strerror(errno));
	135	close(dev_systrace);
	136	debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
	137	if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
	138	fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
	139	box->systrace_fd, child_pid, strerror(errno));
	140
	141	/* Allocate and assign policy */
	142	bzero(&policy, sizeof(policy));
	143	policy.strp_op = SYSTR_POLICY_NEW;
	144	policy.strp_maxents = SYS_MAXSYSCALL;
	145	if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
	146	fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
	147	box->systrace_fd, strerror(errno));
	148
	149	policy.strp_op = SYSTR_POLICY_ASSIGN;
	150	policy.strp_pid = box->child_pid;
	151	if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
	152	fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
	153	__func__, box->systrace_fd, strerror(errno));
	154
	155	/* Set per-syscall policy */
	156	for (i = 0; i < SYS_MAXSYSCALL; i++) {
	157	found = 0;
	158	for (j = 0; allowed_syscalls[j].syscall != -1; j++) {
	159	if (allowed_syscalls[j].syscall == i) {
	160	found = 1;
	161	break;
	162	}
	163	}
	164	policy.strp_op = SYSTR_POLICY_MODIFY;
	165	policy.strp_code = i;
	166	policy.strp_policy = found ?
	167	allowed_syscalls[j].action : SYSTR_POLICY_KILL;
	168	if (found)
	169	debug3("%s: policy: enable syscall %d", __func__, i);
	170	if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
	171	fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
	172	__func__, box->systrace_fd, strerror(errno));
	173	}
	174
	175	/* Signal the child to start running */
	176	debug3("%s: start child %ld", __func__, (long)child_pid);
	177	if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1)
	178	fatal("%s: write: %s", __func__, strerror(errno));
	179	close(box->parent_sock);
	180	}
	181
	182	void
	183	ssh_sandbox_parent_finish(struct ssh_sandbox *box)
	184	{
	185	/* Closing this before the child exits will terminate it */
	186	close(box->systrace_fd);
	187
	188	free(box);
	189	debug3("%s: finished", __func__);
	190	}
	191
	192	void
	193	ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
	194	{
	195	ssh_sandbox_parent(box, child_pid, preauth_policy);
	196	}
	197
	198	#endif /* SANDBOX_SYSTRACE */