summaryrefslogtreecommitdiffstats
path: root/sandbox-systrace.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:40:04 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:40:04 +0000
commit25505898530a333011f4fd5cbc841ad6b26c089c (patch)
tree333a33fdd60930bcccc3f177ed9467d535e9bac6 /sandbox-systrace.c
parentInitial commit. (diff)
downloadopenssh-upstream.tar.xz
openssh-upstream.zip
Adding upstream version 1:9.2p1.upstream/1%9.2p1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'sandbox-systrace.c')
-rw-r--r--sandbox-systrace.c218
1 files changed, 218 insertions, 0 deletions
diff --git a/sandbox-systrace.c b/sandbox-systrace.c
new file mode 100644
index 0000000..e61d581
--- /dev/null
+++ b/sandbox-systrace.c
@@ -0,0 +1,218 @@
+/* $OpenBSD: sandbox-systrace.c,v 1.18 2015/10/02 01:39:26 deraadt Exp $ */
+/*
+ * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_SYSTRACE
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/syscall.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+
+#include <dev/systrace.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "atomicio.h"
+#include "log.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+struct sandbox_policy {
+ int syscall;
+ int action;
+};
+
+/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
+static const struct sandbox_policy preauth_policy[] = {
+ { SYS_exit, SYSTR_POLICY_PERMIT },
+#ifdef SYS_kbind
+ { SYS_kbind, SYSTR_POLICY_PERMIT },
+#endif
+
+ { SYS_getpid, SYSTR_POLICY_PERMIT },
+ { SYS_getpgid, SYSTR_POLICY_PERMIT },
+ { SYS_clock_gettime, SYSTR_POLICY_PERMIT },
+ { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
+ { SYS_nanosleep, SYSTR_POLICY_PERMIT },
+ { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
+
+#ifdef SYS_getentropy
+ /* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */
+ { SYS_getentropy, SYSTR_POLICY_PERMIT },
+#else
+ /* Previous releases used sysctl(3)'s kern.arnd variable. */
+ { SYS___sysctl, SYSTR_POLICY_PERMIT },
+#endif
+#ifdef SYS_sendsyslog
+ { SYS_sendsyslog, SYSTR_POLICY_PERMIT },
+#endif
+
+ { SYS_madvise, SYSTR_POLICY_PERMIT },
+ { SYS_mmap, SYSTR_POLICY_PERMIT },
+ { SYS_mprotect, SYSTR_POLICY_PERMIT },
+ { SYS_mquery, SYSTR_POLICY_PERMIT },
+ { SYS_munmap, SYSTR_POLICY_PERMIT },
+
+ { SYS_poll, SYSTR_POLICY_PERMIT },
+ { SYS_select, SYSTR_POLICY_PERMIT },
+ { SYS_read, SYSTR_POLICY_PERMIT },
+ { SYS_write, SYSTR_POLICY_PERMIT },
+ { SYS_shutdown, SYSTR_POLICY_PERMIT },
+ { SYS_close, SYSTR_POLICY_PERMIT },
+
+ { SYS_open, SYSTR_POLICY_NEVER },
+
+ { -1, -1 }
+};
+
+struct ssh_sandbox {
+ int systrace_fd;
+ pid_t child_pid;
+ void (*osigchld)(int);
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(struct monitor *monitor)
+{
+ struct ssh_sandbox *box;
+
+ debug3("%s: preparing systrace sandbox", __func__);
+ box = xcalloc(1, sizeof(*box));
+ box->systrace_fd = -1;
+ box->child_pid = 0;
+ box->osigchld = ssh_signal(SIGCHLD, SIG_IGN);
+
+ return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+ debug3("%s: ready", __func__);
+ ssh_signal(SIGCHLD, box->osigchld);
+ if (kill(getpid(), SIGSTOP) != 0)
+ fatal("%s: kill(%d, SIGSTOP)", __func__, getpid());
+ debug3("%s: started", __func__);
+}
+
+static void
+ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
+ const struct sandbox_policy *allowed_syscalls)
+{
+ int dev_systrace, i, j, found, status;
+ pid_t pid;
+ struct systrace_policy policy;
+
+ /* Wait for the child to send itself a SIGSTOP */
+ debug3("%s: wait for child %ld", __func__, (long)child_pid);
+ do {
+ pid = waitpid(child_pid, &status, WUNTRACED);
+ } while (pid == -1 && errno == EINTR);
+ ssh_signal(SIGCHLD, box->osigchld);
+ if (!WIFSTOPPED(status)) {
+ if (WIFSIGNALED(status))
+ fatal("%s: child terminated with signal %d",
+ __func__, WTERMSIG(status));
+ if (WIFEXITED(status))
+ fatal("%s: child exited with status %d",
+ __func__, WEXITSTATUS(status));
+ fatal("%s: child not stopped", __func__);
+ }
+ debug3("%s: child %ld stopped", __func__, (long)child_pid);
+ box->child_pid = child_pid;
+
+ /* Set up systracing of child */
+ if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
+ fatal("%s: open(\"/dev/systrace\"): %s", __func__,
+ strerror(errno));
+ if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
+ fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
+ dev_systrace, strerror(errno));
+ close(dev_systrace);
+ debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
+ if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
+ fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
+ box->systrace_fd, child_pid, strerror(errno));
+
+ /* Allocate and assign policy */
+ memset(&policy, 0, sizeof(policy));
+ policy.strp_op = SYSTR_POLICY_NEW;
+ policy.strp_maxents = SYS_MAXSYSCALL;
+ if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
+ fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
+ box->systrace_fd, strerror(errno));
+
+ policy.strp_op = SYSTR_POLICY_ASSIGN;
+ policy.strp_pid = box->child_pid;
+ if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
+ fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
+ __func__, box->systrace_fd, strerror(errno));
+
+ /* Set per-syscall policy */
+ for (i = 0; i < SYS_MAXSYSCALL; i++) {
+ found = 0;
+ for (j = 0; allowed_syscalls[j].syscall != -1; j++) {
+ if (allowed_syscalls[j].syscall == i) {
+ found = 1;
+ break;
+ }
+ }
+ policy.strp_op = SYSTR_POLICY_MODIFY;
+ policy.strp_code = i;
+ policy.strp_policy = found ?
+ allowed_syscalls[j].action : SYSTR_POLICY_KILL;
+ if (found)
+ debug3("%s: policy: enable syscall %d", __func__, i);
+ if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
+ fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
+ __func__, box->systrace_fd, strerror(errno));
+ }
+
+ /* Signal the child to start running */
+ debug3("%s: start child %ld", __func__, (long)child_pid);
+ if (kill(box->child_pid, SIGCONT) != 0)
+ fatal("%s: kill(%d, SIGCONT)", __func__, box->child_pid);
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+ /* Closing this before the child exits will terminate it */
+ close(box->systrace_fd);
+
+ free(box);
+ debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+ ssh_sandbox_parent(box, child_pid, preauth_policy);
+}
+
+#endif /* SANDBOX_SYSTRACE */