path: root/sandbox-systrace.c

Commit log (subject, then author / age / files changed / lines removed and added, then the commit message body):

* upstream: Replace all calls to signal(2) with a wrapper around sigaction(2).
  Author: dtucker@openbsd.org   Age: 2020-01-23   Files: 1   Lines: -3/+3
  This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations. OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519

* remove duplicate #includes
  Author: Damien Miller   Age: 2019-10-02   Files: 1   Lines: -1/+0
  Prompted by Jakub Jelen

* Allow nanosleep in preauth privsep child.
  Author: Darren Tucker   Age: 2018-04-13   Files: 1   Lines: -0/+1
  The new timing attack mitigation code uses nanosleep in the preauth codepath, allow in systrace sandbox too.

* (re)wrap SYS_sendsyslog in ifdef.
  Author: Darren Tucker   Age: 2015-10-29   Files: 1   Lines: -0/+2
  Replace ifdef that went missing in commit c61b42f2678f21f05653ac2d3d241b48ab5d59ac. Fixes build on older OpenBSDs.

* unbreak merge botch
  Author: Damien Miller   Age: 2015-10-06   Files: 1   Lines: -1/+7

* upstream commit
  Author: deraadt@openbsd.org   Age: 2015-10-06   Files: 1   Lines: -23/+21
  re-order system calls in order of risk, ok i'll be honest, ordered this way they look like tame... ok djm Upstream-ID: 42a1e6d251fd8be13c8262bee026059ae6328813

* upstream commit
  Author: guenther@openbsd.org   Age: 2015-07-29   Files: 1   Lines: -1/+4
  Permit kbind(2) use in the sandbox now, to ease testing of ld.so work using it reminded by miod@, ok deraadt@ Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413

* upstream commit
  Author: djm@openbsd.org   Age: 2015-06-30   Files: 1   Lines: -1/+2
  add getpid to sandbox, reachable by grace_alarm_handler reported by Jakub Jelen; bz#2419 Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8

* upstream commit
  Author: deraadt@openbsd.org   Age: 2015-05-21   Files: 1   Lines: -11/+9
  getentropy() and sendsyslog() have been around long enough. openssh-portable may want the #ifdef's but not base. discussed with djm few weeks back Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926

* upstream commit
  Author: deraadt@openbsd.org   Age: 2015-01-26   Files: 1   Lines: -2/+2
  Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus

* - djm@cvs.openbsd.org 2014/07/17 00:10:56
  Author: Damien Miller   Age: 2014-07-18   Files: 1   Lines: -2/+4
  [sandbox-systrace.c] ifdef SYS_sendsyslog so this will compile without patching on -stable

* - millert@cvs.openbsd.org 2014/07/15 15:54:14
  Author: Damien Miller   Age: 2014-07-18   Files: 1   Lines: -1/+1
  [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] [sshd_config.5 sshlogin.c] Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@

* - deraadt@cvs.openbsd.org 2014/07/11 08:09:54
  Author: Damien Miller   Age: 2014-07-17   Files: 1   Lines: -1/+2
  [sandbox-systrace.c] Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking, update your kernels and sshd soon.. libc will start using sendsyslog() in about 4 days.

* - matthew@cvs.openbsd.org 2014/06/18 02:59:13
  Author: Damien Miller   Age: 2014-07-02   Files: 1   Lines: -2/+8
  [sandbox-systrace.c] Now that we have a dedicated getentropy(2) system call for arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace sandbox. ok djm

* - deraadt@cvs.openbsd.org 2014/06/13 08:26:29
  Author: Damien Miller   Age: 2014-07-02   Files: 1   Lines: -1/+2
  [sandbox-systrace.c] permit SYS_getentropy from matthew

* - tedu@cvs.openbsd.org 2014/01/31 16:39:19
  Author: Damien Miller   Age: 2014-02-04   Files: 1   Lines: -2/+2
  [auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c] [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c] [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c] [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c] [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h] replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker

* - djm@cvs.openbsd.org 2014/01/30 22:26:14
  Author: Damien Miller   Age: 2014-02-04   Files: 1   Lines: -1/+1
  [sandbox-systrace.c] allow shutdown(2) syscall in sandbox - it may be called by packet_close() from portable (Id sync only; change is already in portable)

* - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
  Author: Damien Miller   Age: 2014-01-30   Files: 1   Lines: -0/+1
  syscall from sandboxes; it may be called by packet_close.

* - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
  Author: Damien Miller   Age: 2014-01-17   Files: 1   Lines: -1/+1
  [sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@

* - dtucker@cvs.openbsd.org 2013/06/01 13:15:52
  Author: Darren Tucker   Age: 2013-06-01   Files: 1   Lines: -1/+2
  [ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c channels.c sandbox-systrace.c] Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.

* - markus@cvs.openbsd.org 2012/06/30 14:35:09
  Author: Darren Tucker   Age: 2012-07-02   Files: 1   Lines: -28/+27
  [sandbox-systrace.c sshd.c] fix a during the load of the sandbox policies (child can still make the read-syscall and wait forever for systrace-answers) by replacing the read/write synchronisation with SIGSTOP/SIGCONT; report and help hshoexer@; ok djm@, dtucker@

* - dtucker@cvs.openbsd.org 2012/06/26 11:02:30
  Author: Damien Miller   Age: 2012-06-30   Files: 1   Lines: -1/+2
  [sandbox-systrace.c] Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation sandbox" since malloc now uses it. From johnw.mail at gmail com.

* - djm@cvs.openbsd.org 2011/07/29 14:42:45
  Author: Damien Miller   Age: 2011-08-05   Files: 1   Lines: -34/+44
  [sandbox-systrace.c] fail open(2) with EPERM rather than SIGKILLing the whole process. libc will call open() to do strerror() when NLS is enabled; feedback and ok markus@

* - djm@cvs.openbsd.org 2011/06/23 09:34:13
  Author: Damien Miller   Age: 2011-06-23   Files: 1   Lines: -1/+2
  [sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c] [sandbox-null.c] rename sandbox.h => ssh-sandbox.h to make things easier for portable

* - djm@cvs.openbsd.org 2011/06/22 21:57:01
  Author: Damien Miller   Age: 2011-06-23   Files: 1   Lines: -0/+187
  [servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@