path: root/sandbox-seccomp-filter.c
Age  Commit message  (Author)
2020-01-08  Deny (non-fatal) ipc in preauth privsep child.  (Jeremy Drake)
As noted in openssh/openssh-portable#149, i386 does not have __NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc, https://linux.die.net/man/2/ipc). Add this syscall, if present, to the list of syscalls that seccomp will deny non-fatally.
2020-01-08  seccomp: Allow clock_gettime64() in sandbox.  (Khem Raj)
This helps sshd accept connections on mips platforms with upcoming glibc (2.31).
2019-12-16  Allow clock_nanosleep_time64 in seccomp sandbox.  (Darren Tucker)
Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
2019-11-13  Remove duplicate __NR_clock_nanosleep  (Darren Tucker)
2019-11-13  seccomp: Allow clock_nanosleep() in sandbox.  (Darren Tucker)
seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
2019-10-05  Enable specific ioctl call for EP11 crypto card (s390)  (Eduardo Barretto)
The EP11 crypto card needs to make an ioctl call, which receives a specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
2019-10-02  Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.  (Lonnie Abelbeck)
The new wait_random_seeded() function in OpenSSL 1.1.1d uses shmget, shmat, and shmdt in the preauth codepath; deny them (non-fatally) in the seccomp_filter sandbox.
2019-08-23  use SC_ALLOW_ARG_MASK to limit mmap protections  (Damien Miller)
Restrict to PROT_(READ|WRITE|NONE), i.e. exclude PROT_EXEC.
2019-08-23  allow mprotect(2) with PROT_(READ|WRITE|NONE) only  (Damien Miller)
Used by some hardened heap allocators. Requested by Yegor Timoshenko in https://github.com/openssh/openssh-portable/pull/142
2019-06-05  allow s390 specific ioctl for ecc hardware support  (Harald Freudenberger)
Adding another s390 specific ioctl to the sandbox seccomp filter rules to be able to support ECC hardware acceleration. Now the ibmca openssl engine provides elliptic curve cryptography support with the help of libica and CCA crypto cards. This is done via yet another ioctl call to the zcrypt device driver, and so there is a need to enable this in the openssl sandbox. Code is s390 specific and has been tested, verified and reviewed. Please note that I am also the originator of the previous changes in that area. I posted these changes to Eduardo and he forwarded the patches to the openssl community.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
2018-09-15  add futex(2) syscall to seccomp sandbox  (Damien Miller)
Apparently needed for some glibc/openssl combinations. Patch from Arkadiusz Miśkiewicz
2018-05-25  Permit getuid()/geteuid() syscalls.  (Damien Miller)
Requested for Linux/s390; patch from Eduardo Barretto via bz#2752; ok dtucker
2018-04-13  Allow nanosleep in preauth privsep child.  (Darren Tucker)
The new timing attack mitigation code uses nanosleep in the preauth codepath; allow it in the sandbox.
2017-04-25  Fix typo in "socketcall".  (Darren Tucker)
Pointed out by jjelen at redhat.com.
2017-04-24  Deny socketcall in seccomp filter on ppc64le.  (Darren Tucker)
OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys in the privsep child. The socket() syscall is already denied in the seccomp filter, but in the ppc64le kernel it is implemented using the socketcall() syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and therefore fails hard. Patch from jjelen at redhat.com.
2017-03-22  Missing header on Linux/s390  (Damien Miller)
Patch from Jakub Jelen
2017-03-21  Fix syntax error on Linux/X32  (Damien Miller)
Patch from Mike Frysinger
2017-03-14  Make seccomp-bpf sandbox work on Linux/X32  (Damien Miller)
Allow clock_gettime syscall with X32 bit masked off. Apparently this is required for at least some kernel versions. bz#2142 Patch mostly by Colin Watson. ok dtucker@
2017-03-14  Remove macro trickery; no binary change  (Damien Miller)
This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros prepending __NR_ to the syscall number parameter and just makes them explicit in the macro invocations. No binary change in stripped object file before/after.
2017-03-14  support ioctls for ICA crypto card on Linux/s390  (Damien Miller)
Based on patch from Eduardo Barretto; ok dtucker@
2017-03-14  Fix weakness in seccomp-bpf sandbox arg inspection  (Damien Miller)
Syscall arguments are passed via an array of 64-bit values in struct seccomp_data, but we were only inspecting the bottom 32 bits and not even those correctly for BE systems. Fortunately, the only case argument inspection was used was in the socketcall filtering so using this for sandbox escape seems impossible. ok dtucker
2016-05-20  Deny lstat syscalls in seccomp sandbox  (Damien Miller)
Avoids sandbox violations for some krb/gssapi libraries.
2015-09-10  allow getrandom syscall; from Felix von Leitner  (Damien Miller)
2015-06-30  upstream commit  (djm@openbsd.org)
add getpid to sandbox, reachable by grace_alarm_handler reported by Jakub Jelen; bz#2419
Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
2015-06-25  add missing pselect6  (Damien Miller)
patch from Jakub Jelen
2015-06-17  trivial optimisation for seccomp-bpf  (Damien Miller)
When doing arg inspection and the syscall doesn't match, skip past the instruction that reloads the syscall into the accumulator, since the accumulator hasn't been modified at this point.
2015-06-17  aarch64 support for seccomp-bpf sandbox  (Damien Miller)
Also resort and tidy syscall list. Based on patches by Jakub Jelen bz#2361; ok dtucker@
2014-09-10  - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;  (Damien Miller)
patch from Felix von Leitner; ok dtucker
2014-03-17  - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to  (Damien Miller)
remind myself to add sandbox violation logging via the log socket.
2014-02-06  - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define  (Damien Miller)
__NR_shutdown; some go via the socketcall(2) multiplexer.
2014-01-31  - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)  (Damien Miller)
syscall from sandboxes; it may be called by packet_close.
2014-01-17  - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]  (Damien Miller)
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
2013-06-02  - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday.  (Darren Tucker)
2013-02-22  - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux  (Damien Miller)
seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com; ok dtucker
2012-07-06  - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is  (Damien Miller)
not available. Allows use of sshd compiled on host with a filter-capable kernel on hosts that lack the support. bz#2011 ok dtucker@
2012-04-04  - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox  (Damien Miller)
mode for Linux's new seccomp filter; patch from Will Drewry; feedback and ok dtucker@