- (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]

[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
   [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
   using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
   Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
This commit is contained in:
Damien Miller 2014-01-17 16:47:04 +11:00
parent a9d186a8b5
commit 868ea1ea1c
11 changed files with 147 additions and 13 deletions

View File

@ -23,6 +23,11 @@
- dtucker@cvs.openbsd.org 2014/01/17 05:26:41
[digest.c]
remove unused includes. ok djm@
- (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
[sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
20140118
- (djm) OpenBSD CVS Sync

View File

@ -1,4 +1,4 @@
# $Id: Makefile.in,v 1.349 2014/01/09 23:58:53 djm Exp $
# $Id: Makefile.in,v 1.350 2014/01/17 05:47:04 djm Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@ -96,7 +96,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o
sandbox-seccomp-filter.o sandbox-capsicum.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@ -472,4 +472,3 @@ package: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
sh buildpkg.sh; \
fi

View File

@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.549 2014/01/17 04:12:16 dtucker Exp $
# $Id: configure.ac,v 1.550 2014/01/17 05:47:04 djm Exp $
#
# Copyright (c) 1999-2004 Damien Miller
#
@ -15,7 +15,7 @@
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
AC_REVISION($Revision: 1.549 $)
AC_REVISION($Revision: 1.550 $)
AC_CONFIG_SRCDIR([ssh.c])
AC_LANG([C])
@ -120,6 +120,10 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
#include <sys/types.h>
#include <linux/prctl.h>
])
AC_CHECK_DECL([cap_enter], [have_cap_enter=1], , [
#include <sys/capability.h>
])
use_stack_protector=1
use_toolchain_hardening=1
AC_ARG_WITH([stackprotect],
@ -2835,7 +2839,7 @@ fi
# Decide which sandbox style to use
sandbox_arg=""
AC_ARG_WITH([sandbox],
[ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)],
[ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
[
if test "x$withval" = "xyes" ; then
sandbox_arg=""
@ -2974,6 +2978,13 @@ elif test "x$sandbox_arg" = "xrlimit" || \
AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
SANDBOX_STYLE="rlimit"
AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xcapsicum" || \
( test -z "$sandbox_arg" && \
test "x$have_cap_enter" = "x1") ; then
test "x$have_cap_enter" != "x1" && \
AC_MSG_ERROR([capsicum sandbox requires cap_enter function])
SANDBOX_STYLE="capsicum"
AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
SANDBOX_STYLE="none"

118
sandbox-capsicum.c Normal file
View File

@ -0,0 +1,118 @@
/*
* Copyright (c) 2011 Dag-Erling Smorgrav
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#ifdef SANDBOX_CAPSICUM
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/capability.h>
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "log.h"
#include "monitor.h"
#include "ssh-sandbox.h"
#include "xmalloc.h"
/*
* Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits,
* limits rights on stdout, stdin, stderr, monitor and switches to
* capability mode.
*/
struct ssh_sandbox {
struct monitor *monitor;
pid_t child_pid;
};
struct ssh_sandbox *
ssh_sandbox_init(struct monitor *monitor)
{
struct ssh_sandbox *box;
/*
* Strictly, we don't need to maintain any state here but we need
* to return non-NULL to satisfy the API.
*/
debug3("%s: preparing capsicum sandbox", __func__);
box = xcalloc(1, sizeof(*box));
box->monitor = monitor;
box->child_pid = 0;
return box;
}
void
ssh_sandbox_child(struct ssh_sandbox *box)
{
struct rlimit rl_zero;
cap_rights_t rights;
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
__func__, strerror(errno));
if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
__func__, strerror(errno));
if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
__func__, strerror(errno));
cap_rights_init(&rights);
if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
fatal("can't limit stdin: %m");
if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
fatal("can't limit stdin: %m");
if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
fatal("can't limit stdin: %m");
cap_rights_init(&rights, CAP_READ, CAP_WRITE);
if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
fatal("%s: failed to limit the network socket", __func__);
cap_rights_init(&rights, CAP_WRITE);
if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
fatal("%s: failed to limit the logging socket", __func__);
if (cap_enter() != 0 && errno != ENOSYS)
fatal("%s: failed to enter capability mode", __func__);
}
void
ssh_sandbox_parent_finish(struct ssh_sandbox *box)
{
free(box);
debug3("%s: finished", __func__);
}
void
ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
{
box->child_pid = child_pid;
}
#endif /* SANDBOX_CAPSICUM */

View File

@ -40,7 +40,7 @@ struct ssh_sandbox {
};
struct ssh_sandbox *
ssh_sandbox_init(void)
ssh_sandbox_init(struct monitor *monitor)
{
struct ssh_sandbox *box;

View File

@ -39,7 +39,7 @@ struct ssh_sandbox {
};
struct ssh_sandbox *
ssh_sandbox_init(void)
ssh_sandbox_init(struct monitor *monitor)
{
struct ssh_sandbox *box;

View File

@ -42,7 +42,7 @@ struct ssh_sandbox {
};
struct ssh_sandbox *
ssh_sandbox_init(void)
ssh_sandbox_init(struct monitor *monitor)
{
struct ssh_sandbox *box;

View File

@ -132,7 +132,7 @@ struct ssh_sandbox {
};
struct ssh_sandbox *
ssh_sandbox_init(void)
ssh_sandbox_init(struct monitor *monitor)
{
struct ssh_sandbox *box;

View File

@ -78,7 +78,7 @@ struct ssh_sandbox {
};
struct ssh_sandbox *
ssh_sandbox_init(void)
ssh_sandbox_init(struct monitor *monitor)
{
struct ssh_sandbox *box;

View File

@ -15,9 +15,10 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
struct monitor;
struct ssh_sandbox;
struct ssh_sandbox *ssh_sandbox_init(void);
struct ssh_sandbox *ssh_sandbox_init(struct monitor *);
void ssh_sandbox_child(struct ssh_sandbox *);
void ssh_sandbox_parent_finish(struct ssh_sandbox *);
void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t);

2
sshd.c
View File

@ -660,7 +660,7 @@ privsep_preauth(Authctxt *authctxt)
pmonitor->m_pkex = &xxx_kex;
if (use_privsep == PRIVSEP_ON)
box = ssh_sandbox_init();
box = ssh_sandbox_init(pmonitor);
pid = fork();
if (pid == -1) {
fatal("fork of unprivileged child failed");