[packages/openssh.git] / libseccomp-sandbox.patch

https://bugzilla.mindrot.org/show_bug.cgi?id=2142

--- a/Makefile.in	
+++ a/Makefile.in	
@@ -112,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
+	sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
 	sandbox-solaris.o
 
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
--- a/configure.ac	
+++ a/configure.ac	
@@ -2867,11 +2867,22 @@ else
 fi
 AC_SUBST([SSH_PRIVSEP_USER])
 
+AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [
+	#include <sys/types.h>
+	#include <seccomp.h>
+])
+if test "x$have_libseccomp_filter" = "x1" ; then
+	AC_CHECK_LIB([seccomp], [seccomp_init],
+				 [LIBS="$LIBS -lseccomp"],
+				 [have_libseccomp_filter=0])
+fi
+
 if test "x$have_linux_no_new_privs" = "x1" ; then
 AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
 	#include <sys/types.h>
 	#include <linux/seccomp.h>
 ])
+
 fi
 if test "x$have_seccomp_filter" = "x1" ; then
 AC_MSG_CHECKING([kernel for seccomp_filter support])
@@ -2898,7 +2909,7 @@ fi
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
-	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
+	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, libseccomp_filter, systrace, pledge)],
 	[
 		if test "x$withval" = "xyes" ; then
 			sandbox_arg=""
@@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \
 		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
 	SANDBOX_STYLE="darwin"
 	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
+elif test "x$sandbox_arg" = "xlibseccomp_filter" || \
+     ( test -z "$sandbox_arg" && \
+       test "x$have_libseccomp_filter" = "x1" ) ; then
+	test "x$have_libseccomp_filter" != "x1" && \
+		AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host])
+        SANDBOX_STYLE="libseccomp_filter"
+        AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter])
 elif test "x$sandbox_arg" = "xseccomp_filter" || \
      ( test -z "$sandbox_arg" && \
        test "x$have_seccomp_filter" = "x1" && \
--- a/sandbox-libseccomp-filter.c	
+++ a/sandbox-libseccomp-filter.c	
@@ -0,0 +1,175 @@ 
+/*
+ * Copyright (c) 2012 Will Drewry <wad@dataspill.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_LIBSECCOMP_FILTER
+
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <seccomp.h>
+
+#include <errno.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stddef.h>  /* for offsetof */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "log.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+struct ssh_sandbox {
+	pid_t child_pid;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(struct monitor *monitor)
+{
+	struct ssh_sandbox *box;
+
+	/*
+	 * Strictly, we don't need to maintain any state here but we need
+	 * to return non-NULL to satisfy the API.
+	 */
+	debug3("%s: preparing libseccomp filter sandbox", __func__);
+	box = xcalloc(1, sizeof(*box));
+	box->child_pid = 0;
+
+	return box;
+}
+
+static int
+seccomp_add_secondary_archs(scmp_filter_ctx *c)
+{
+#if defined(__i386__) || defined(__x86_64__)
+	int r;
+	r = seccomp_arch_add(c, SCMP_ARCH_X86);
+	if (r < 0 && r != -EEXIST)
+		return r;
+	r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
+	if (r < 0 && r != -EEXIST)
+		return r;
+	r = seccomp_arch_add(c, SCMP_ARCH_X32);
+	if (r < 0 && r != -EEXIST)
+		return r;
+#endif
+	return 0;
+}
+
+struct scmp_action_def {
+	uint32_t action;
+	int syscall;
+};
+
+static const struct scmp_action_def preauth_insns[] = {
+	{SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)},
+	{SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)},
+	{SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
+	{SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
+	{SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)},
+	{SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)},
+#ifdef __NR_time /* not defined on EABI ARM */
+	{SCMP_ACT_ALLOW, SCMP_SYS(time)},
+#endif
+	{SCMP_ACT_ALLOW, SCMP_SYS(read)},
+	{SCMP_ACT_ALLOW, SCMP_SYS(write)},
+	{SCMP_ACT_ALLOW, SCMP_SYS(close)},
+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
+	{SCMP_ACT_ALLOW, SCMP_SYS(shutdown)},
+#endif
+	{SCMP_ACT_ALLOW, SCMP_SYS(brk)},
+	{SCMP_ACT_ALLOW, SCMP_SYS(poll)},
+#ifdef __NR__newselect
+	{SCMP_ACT_ALLOW, SCMP_SYS(_newselect)},
+#endif
+	{SCMP_ACT_ALLOW, SCMP_SYS(select)},
+	{SCMP_ACT_ALLOW, SCMP_SYS(madvise)},
+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
+	{SCMP_ACT_ALLOW, SCMP_SYS(mmap2)},
+#endif
+#ifdef __NR_mmap
+	{SCMP_ACT_ALLOW, SCMP_SYS(mmap)},
+#endif
+#ifdef __dietlibc__
+	{SCMP_ACT_ALLOW, SCMP_SYS(mremap)},
+	{SCMP_ACT_ALLOW, SCMP_SYS(exit)},
+#endif
+	{SCMP_ACT_ALLOW, SCMP_SYS(munmap)},
+	{SCMP_ACT_ALLOW, SCMP_SYS(exit_group)},
+#ifdef __NR_rt_sigprocmask
+	{SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)},
+#else
+	{SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)},
+#endif
+	{0, 0}
+};
+
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+	scmp_filter_ctx *seccomp;
+	struct rlimit rl_zero;
+	const struct scmp_action_def *insn;
+	int r;
+
+	/* Set rlimits for completeness if possible. */
+	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
+			__func__, strerror(errno));
+	if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
+			__func__, strerror(errno));
+	if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
+		fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
+			__func__, strerror(errno));
+
+	seccomp = seccomp_init(SCMP_ACT_KILL);
+	if (!seccomp)
+		fatal("%s:libseccomp activation failed", __func__);
+	if (seccomp_add_secondary_archs(seccomp))
+		fatal("%s:libseccomp secondary arch setup failed", __func__);
+
+	for (insn = preauth_insns; insn->action; insn++) {
+		if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0)
+			fatal("%s:libseccomp rule failed", __func__);
+	}
+
+	if ((r = seccomp_load(seccomp)) < 0)
+		fatal("%s:libseccomp unable to load filter %d", __func__, r);
+
+	seccomp_release(seccomp);
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+	free(box);
+	debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+	box->child_pid = child_pid;
+}
+
+#endif /* SANDBOX_LIBSECCOMP_FILTER */
Commit	Line	Data
5a5e6771 JR	1	https://bugzilla.mindrot.org/show_bug.cgi?id=2142
	2
	3	--- a/Makefile.in
	4	+++ a/Makefile.in
9fdc70ea AM	5	@@ -112,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
9fdc70ea AM	6	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
5a5e6771	7	sftp-server.o sftp-common.o \
5a5e6771	8	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
9fdc70ea AM	9	- sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
	10	+ sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
	11	sandbox-solaris.o
5a5e6771	12
9fdc70ea	13	MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
5a5e6771 JR	14	--- a/configure.ac
	15	+++ a/configure.ac
	16	@@ -2867,11 +2867,22 @@ else
	17	fi
	18	AC_SUBST([SSH_PRIVSEP_USER])
	19
	20	+AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [
	21	+ #include <sys/types.h>
	22	+ #include <seccomp.h>
	23	+])
	24	+if test "x$have_libseccomp_filter" = "x1" ; then
	25	+ AC_CHECK_LIB([seccomp], [seccomp_init],
	26	+ [LIBS="$LIBS -lseccomp"],
	27	+ [have_libseccomp_filter=0])
	28	+fi
	29	+
	30	if test "x$have_linux_no_new_privs" = "x1" ; then
	31	AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
	32	#include <sys/types.h>
	33	#include <linux/seccomp.h>
	34	])
	35	+
	36	fi
	37	if test "x$have_seccomp_filter" = "x1" ; then
	38	AC_MSG_CHECKING([kernel for seccomp_filter support])
	39	@@ -2898,7 +2909,7 @@ fi
	40	# Decide which sandbox style to use
	41	sandbox_arg=""
	42	AC_ARG_WITH([sandbox],
9fdc70ea AM	43	- [ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
9fdc70ea AM	44	+ [ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, libseccomp_filter, systrace, pledge)],
5a5e6771 JR	45	[
	46	if test "x$withval" = "xyes" ; then
	47	sandbox_arg=""
	48	@@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" \|\| \
	49	AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	50	SANDBOX_STYLE="darwin"
	51	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
	52	+elif test "x$sandbox_arg" = "xlibseccomp_filter" \|\| \
	53	+ ( test -z "$sandbox_arg" && \
	54	+ test "x$have_libseccomp_filter" = "x1" ) ; then
	55	+ test "x$have_libseccomp_filter" != "x1" && \
	56	+ AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host])
	57	+ SANDBOX_STYLE="libseccomp_filter"
	58	+ AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter])
	59	elif test "x$sandbox_arg" = "xseccomp_filter" \|\| \
	60	( test -z "$sandbox_arg" && \
	61	test "x$have_seccomp_filter" = "x1" && \
	62	--- a/sandbox-libseccomp-filter.c
	63	+++ a/sandbox-libseccomp-filter.c
	64	@@ -0,0 +1,175 @@
	65	+/*
	66	+ * Copyright (c) 2012 Will Drewry <wad@dataspill.org>
	67	+ *
	68	+ * Permission to use, copy, modify, and distribute this software for any
	69	+ * purpose with or without fee is hereby granted, provided that the above
	70	+ * copyright notice and this permission notice appear in all copies.
	71	+ *
	72	+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	73	+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	74	+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	75	+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	76	+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	77	+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	78	+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	79	+ */
	80	+
	81	+#include "includes.h"
	82	+
	83	+#ifdef SANDBOX_LIBSECCOMP_FILTER
	84	+
	85	+#include <sys/types.h>
	86	+#include <sys/resource.h>
	87	+#include <seccomp.h>
	88	+
	89	+#include <errno.h>
	90	+#include <signal.h>
	91	+#include <stdarg.h>
	92	+#include <stddef.h> /* for offsetof */
	93	+#include <stdio.h>
	94	+#include <stdlib.h>
	95	+#include <string.h>
	96	+#include <unistd.h>
	97	+
	98	+#include "log.h"
	99	+#include "ssh-sandbox.h"
	100	+#include "xmalloc.h"
	101	+
	102	+struct ssh_sandbox {
	103	+ pid_t child_pid;
	104	+};
	105	+
	106	+struct ssh_sandbox *
	107	+ssh_sandbox_init(struct monitor *monitor)
	108	+{
109	+ struct ssh_sandbox *box;
110	+
111	+ /*
112	+ * Strictly, we don't need to maintain any state here but we need
113	+ * to return non-NULL to satisfy the API.
114	+ */
115	+ debug3("%s: preparing libseccomp filter sandbox", __func__);
116	+ box = xcalloc(1, sizeof(*box));
117	+ box->child_pid = 0;
118	+
119	+ return box;
120	+}
121	+
122	+static int
123	+seccomp_add_secondary_archs(scmp_filter_ctx *c)
124	+{
125	+#if defined(__i386__) \|\| defined(__x86_64__)
126	+ int r;
127	+ r = seccomp_arch_add(c, SCMP_ARCH_X86);
128	+ if (r < 0 && r != -EEXIST)
129	+ return r;
130	+ r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
131	+ if (r < 0 && r != -EEXIST)
132	+ return r;
133	+ r = seccomp_arch_add(c, SCMP_ARCH_X32);
134	+ if (r < 0 && r != -EEXIST)
135	+ return r;
136	+#endif
137	+ return 0;
138	+}
139	+
140	+struct scmp_action_def {
141	+ uint32_t action;
142	+ int syscall;
143	+};
144	+
145	+static const struct scmp_action_def preauth_insns[] = {
146	+ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)},
147	+ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)},
148	+ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
149	+ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
150	+ {SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)},
151	+ {SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)},
152	+#ifdef __NR_time /* not defined on EABI ARM */
153	+ {SCMP_ACT_ALLOW, SCMP_SYS(time)},
154	+#endif
155	+ {SCMP_ACT_ALLOW, SCMP_SYS(read)},
156	+ {SCMP_ACT_ALLOW, SCMP_SYS(write)},
157	+ {SCMP_ACT_ALLOW, SCMP_SYS(close)},
158	+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
159	+ {SCMP_ACT_ALLOW, SCMP_SYS(shutdown)},
160	+#endif
161	+ {SCMP_ACT_ALLOW, SCMP_SYS(brk)},
162	+ {SCMP_ACT_ALLOW, SCMP_SYS(poll)},
163	+#ifdef __NR__newselect
164	+ {SCMP_ACT_ALLOW, SCMP_SYS(_newselect)},
165	+#endif
166	+ {SCMP_ACT_ALLOW, SCMP_SYS(select)},
167	+ {SCMP_ACT_ALLOW, SCMP_SYS(madvise)},
168	+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
169	+ {SCMP_ACT_ALLOW, SCMP_SYS(mmap2)},
170	+#endif
171	+#ifdef __NR_mmap
172	+ {SCMP_ACT_ALLOW, SCMP_SYS(mmap)},
173	+#endif
174	+#ifdef __dietlibc__
175	+ {SCMP_ACT_ALLOW, SCMP_SYS(mremap)},
176	+ {SCMP_ACT_ALLOW, SCMP_SYS(exit)},
177	+#endif
178	+ {SCMP_ACT_ALLOW, SCMP_SYS(munmap)},
179	+ {SCMP_ACT_ALLOW, SCMP_SYS(exit_group)},
180	+#ifdef __NR_rt_sigprocmask
181	+ {SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)},
182	+#else
183	+ {SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)},
184	+#endif
185	+ {0, 0}
186	+};
187	+
188	+
189	+void
190	+ssh_sandbox_child(struct ssh_sandbox *box)
191	+{
192	+ scmp_filter_ctx *seccomp;
193	+ struct rlimit rl_zero;
194	+ const struct scmp_action_def *insn;
195	+ int r;
196	+
197	+ /* Set rlimits for completeness if possible. */
198	+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
199	+ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
200	+ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
201	+ __func__, strerror(errno));
202	+ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
203	+ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
204	+ __func__, strerror(errno));
205	+ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
206	+ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
207	+ __func__, strerror(errno));
208	+
209	+ seccomp = seccomp_init(SCMP_ACT_KILL);
210	+ if (!seccomp)
211	+ fatal("%s:libseccomp activation failed", __func__);
212	+ if (seccomp_add_secondary_archs(seccomp))
213	+ fatal("%s:libseccomp secondary arch setup failed", __func__);
214	+
215	+ for (insn = preauth_insns; insn->action; insn++) {
216	+ if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0)
217	+ fatal("%s:libseccomp rule failed", __func__);
218	+ }
219	+
220	+ if ((r = seccomp_load(seccomp)) < 0)
221	+ fatal("%s:libseccomp unable to load filter %d", __func__, r);
222	+
223	+ seccomp_release(seccomp);
224	+}
225	+
226	+void
227	+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
228	+{
229	+ free(box);
230	+ debug3("%s: finished", __func__);
231	+}
232	+
233	+void
234	+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
235	+{
236	+ box->child_pid = child_pid;
237	+}
238	+
239	+#endif /* SANDBOX_LIBSECCOMP_FILTER */