Age | Commit message (Collapse) | Author |
|
Permit kbind(2) use in the sandbox now, to ease testing
of ld.so work using it
reminded by miod@, ok deraadt@
Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
|
|
add getpid to sandbox, reachable by grace_alarm_handler
reported by Jakub Jelen; bz#2419
Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
|
|
getentropy() and sendsyslog() have been around long
enough. openssh-portable may want the #ifdef's but not base. discussed with
djm few weeks back
Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926
|
|
Reduce use of <sys/param.h> and transition to <limits.h>
throughout. ok djm markus
|
|
[sandbox-systrace.c]
ifdef SYS_sendsyslog so this will compile without patching on -stable
|
|
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
[sandbox-systrace.c]
Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking,
update your kernels and sshd soon.. libc will start using sendsyslog()
in about 4 days.
|
|
[sandbox-systrace.c]
Now that we have a dedicated getentropy(2) system call for
arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
sandbox.
ok djm
|
|
[sandbox-systrace.c]
permit SYS_getentropy
from matthew
|
|
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
[channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
[kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
[sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
[openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker
|
|
[sandbox-systrace.c]
allow shutdown(2) syscall in sandbox - it may be called by packet_close()
from portable
(Id sync only; change is already in portable)
|
|
syscall from sandboxes; it may be called by packet_close.
|
|
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
[sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
|
|
[ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c
channels.c sandbox-systrace.c]
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.
|
|
[sandbox-systrace.c sshd.c]
fix a during the load of the sandbox policies (child can still make
the read-syscall and wait forever for systrace-answers) by replacing
the read/write synchronisation with SIGSTOP/SIGCONT;
report and help hshoexer@; ok djm@, dtucker@
|
|
[sandbox-systrace.c]
Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
sandbox" since malloc now uses it. From johnw.mail at gmail com.
|
|
[sandbox-systrace.c]
fail open(2) with EPERM rather than SIGKILLing the whole process. libc
will call open() to do strerror() when NLS is enabled;
feedback and ok markus@
|
|
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c]
[sandbox-null.c]
rename sandbox.h => ssh-sandbox.h to make things easier for portable
|
|
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
|