1 https://bugzilla.mindrot.org/show_bug.cgi?id=2142
5 @@ -112,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
6 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
7 sftp-server.o sftp-common.o \
8 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
9 - sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
10 + sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
13 MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
16 @@ -2867,11 +2867,22 @@ else
18 AC_SUBST([SSH_PRIVSEP_USER])
20 +AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [
21 + #include <sys/types.h>
22 + #include <seccomp.h>
24 +if test "x$have_libseccomp_filter" = "x1" ; then
25 + AC_CHECK_LIB([seccomp], [seccomp_init],
26 + [LIBS="$LIBS -lseccomp"],
27 + [have_libseccomp_filter=0])
30 if test "x$have_linux_no_new_privs" = "x1" ; then
31 AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
32 #include <sys/types.h>
33 #include <linux/seccomp.h>
37 if test "x$have_seccomp_filter" = "x1" ; then
38 AC_MSG_CHECKING([kernel for seccomp_filter support])
39 @@ -2898,7 +2909,7 @@ fi
40 # Decide which sandbox style to use
42 AC_ARG_WITH([sandbox],
43 - [ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
44 + [ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, libseccomp_filter, systrace, pledge)],
46 if test "x$withval" = "xyes" ; then
48 @@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \
49 AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
50 SANDBOX_STYLE="darwin"
51 AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
52 +elif test "x$sandbox_arg" = "xlibseccomp_filter" || \
53 + ( test -z "$sandbox_arg" && \
54 + test "x$have_libseccomp_filter" = "x1" ) ; then
55 + test "x$have_libseccomp_filter" != "x1" && \
56 + AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host])
57 + SANDBOX_STYLE="libseccomp_filter"
58 + AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter])
59 elif test "x$sandbox_arg" = "xseccomp_filter" || \
60 ( test -z "$sandbox_arg" && \
61 test "x$have_seccomp_filter" = "x1" && \
62 --- a/sandbox-libseccomp-filter.c
63 +++ a/sandbox-libseccomp-filter.c
66 + * Copyright (c) 2012 Will Drewry <wad@dataspill.org>
68 + * Permission to use, copy, modify, and distribute this software for any
69 + * purpose with or without fee is hereby granted, provided that the above
70 + * copyright notice and this permission notice appear in all copies.
72 + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
73 + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
74 + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
75 + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
76 + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
77 + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
78 + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
81 +#include "includes.h"
83 +#ifdef SANDBOX_LIBSECCOMP_FILTER
85 +#include <sys/types.h>
86 +#include <sys/resource.h>
92 +#include <stddef.h> /* for offsetof */
99 +#include "ssh-sandbox.h"
100 +#include "xmalloc.h"
102 +struct ssh_sandbox {
106 +struct ssh_sandbox *
107 +ssh_sandbox_init(struct monitor *monitor)
109 + struct ssh_sandbox *box;
112 + * Strictly, we don't need to maintain any state here but we need
113 + * to return non-NULL to satisfy the API.
115 + debug3("%s: preparing libseccomp filter sandbox", __func__);
116 + box = xcalloc(1, sizeof(*box));
117 + box->child_pid = 0;
123 +seccomp_add_secondary_archs(scmp_filter_ctx *c)
125 +#if defined(__i386__) || defined(__x86_64__)
127 + r = seccomp_arch_add(c, SCMP_ARCH_X86);
128 + if (r < 0 && r != -EEXIST)
130 + r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
131 + if (r < 0 && r != -EEXIST)
133 + r = seccomp_arch_add(c, SCMP_ARCH_X32);
134 + if (r < 0 && r != -EEXIST)
140 +struct scmp_action_def {
145 +static const struct scmp_action_def preauth_insns[] = {
146 + {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)},
147 + {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)},
148 + {SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
149 + {SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
150 + {SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)},
151 + {SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)},
152 +#ifdef __NR_time /* not defined on EABI ARM */
153 + {SCMP_ACT_ALLOW, SCMP_SYS(time)},
155 + {SCMP_ACT_ALLOW, SCMP_SYS(read)},
156 + {SCMP_ACT_ALLOW, SCMP_SYS(write)},
157 + {SCMP_ACT_ALLOW, SCMP_SYS(close)},
158 +#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
159 + {SCMP_ACT_ALLOW, SCMP_SYS(shutdown)},
161 + {SCMP_ACT_ALLOW, SCMP_SYS(brk)},
162 + {SCMP_ACT_ALLOW, SCMP_SYS(poll)},
163 +#ifdef __NR__newselect
164 + {SCMP_ACT_ALLOW, SCMP_SYS(_newselect)},
166 + {SCMP_ACT_ALLOW, SCMP_SYS(select)},
167 + {SCMP_ACT_ALLOW, SCMP_SYS(madvise)},
168 +#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
169 + {SCMP_ACT_ALLOW, SCMP_SYS(mmap2)},
172 + {SCMP_ACT_ALLOW, SCMP_SYS(mmap)},
175 + {SCMP_ACT_ALLOW, SCMP_SYS(mremap)},
176 + {SCMP_ACT_ALLOW, SCMP_SYS(exit)},
178 + {SCMP_ACT_ALLOW, SCMP_SYS(munmap)},
179 + {SCMP_ACT_ALLOW, SCMP_SYS(exit_group)},
180 +#ifdef __NR_rt_sigprocmask
181 + {SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)},
183 + {SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)},
190 +ssh_sandbox_child(struct ssh_sandbox *box)
192 + scmp_filter_ctx *seccomp;
193 + struct rlimit rl_zero;
194 + const struct scmp_action_def *insn;
197 + /* Set rlimits for completeness if possible. */
198 + rl_zero.rlim_cur = rl_zero.rlim_max = 0;
199 + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
200 + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
201 + __func__, strerror(errno));
202 + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
203 + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
204 + __func__, strerror(errno));
205 + if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
206 + fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
207 + __func__, strerror(errno));
209 + seccomp = seccomp_init(SCMP_ACT_KILL);
211 + fatal("%s:libseccomp activation failed", __func__);
212 + if (seccomp_add_secondary_archs(seccomp))
213 + fatal("%s:libseccomp secondary arch setup failed", __func__);
215 + for (insn = preauth_insns; insn->action; insn++) {
216 + if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0)
217 + fatal("%s:libseccomp rule failed", __func__);
220 + if ((r = seccomp_load(seccomp)) < 0)
221 + fatal("%s:libseccomp unable to load filter %d", __func__, r);
223 + seccomp_release(seccomp);
227 +ssh_sandbox_parent_finish(struct ssh_sandbox *box)
230 + debug3("%s: finished", __func__);
234 +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
236 + box->child_pid = child_pid;
239 +#endif /* SANDBOX_LIBSECCOMP_FILTER */