summaryrefslogtreecommitdiff
path: root/sandbox-systrace.c
AgeCommit message (Collapse)Author
2014-01-17 - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]Damien Miller
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
2013-06-02 - dtucker@cvs.openbsd.org 2013/06/01 13:15:52Darren Tucker
[ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c channels.c sandbox-systrace.c] Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
2012-07-02 - markus@cvs.openbsd.org 2012/06/30 14:35:09Darren Tucker
[sandbox-systrace.c sshd.c] fix a during the load of the sandbox policies (child can still make the read-syscall and wait forever for systrace-answers) by replacing the read/write synchronisation with SIGSTOP/SIGCONT; report and help hshoexer@; ok djm@, dtucker@
2012-06-30 - dtucker@cvs.openbsd.org 2012/06/26 11:02:30Damien Miller
[sandbox-systrace.c] Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation sandbox" since malloc now uses it. From johnw.mail at gmail com.
2011-08-06 - djm@cvs.openbsd.org 2011/07/29 14:42:45Damien Miller
[sandbox-systrace.c] fail open(2) with EPERM rather than SIGKILLing the whole process. libc will call open() to do strerror() when NLS is enabled; feedback and ok markus@
2011-06-23 - djm@cvs.openbsd.org 2011/06/23 09:34:13Damien Miller
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c] [sandbox-null.c] rename sandbox.h => ssh-sandbox.h to make things easier for portable
2011-06-23 - djm@cvs.openbsd.org 2011/06/22 21:57:01Damien Miller
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@