OpenBSD CVS

CVS log for src/usr.bin/ssh/Attic/sandbox-systrace.c

Default branch: MAIN


Revision 1.19, Sat May 7 19:56:59 2016 UTC (8 years ago) by deraadt
Branch: MAIN
CVS Tags: HEAD
Changes since 1.18: +1 -1 lines
FILE REMOVED

systrace is dead.  long live systrace.

Revision 1.18, Fri Oct 2 01:39:26 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.17: +19 -12 lines

re-order system calls in order of risk, ok i'll be honest, ordered this
way they look like tame...
ok djm

Revision 1.17, Mon Jul 27 16:29:23 2015 UTC (8 years, 9 months ago) by guenther
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.16: +4 -1 lines

Permit kbind(2) use in the sandbox now, to ease testing of ld.so work using it

reminded by miod@, ok deraadt@

Revision 1.16, Mon Jun 29 22:35:12 2015 UTC (8 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.15: +2 -1 lines

add getpid to sandbox, reachable by grace_alarm_handler

reported by Jakub Jelen; bz#2419

Revision 1.15, Mon May 18 15:06:05 2015 UTC (9 years ago) by deraadt
Branch: MAIN
Changes since 1.14: +6 -15 lines

getentropy() and sendsyslog() have been around long enough.
openssh-portable may want the #ifdef's but not base.
discussed with djm few weeks back

Revision 1.14, Tue Jan 20 23:14:00 2015 UTC (9 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.13: +2 -2 lines

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

Revision 1.13, Thu Jul 17 00:10:56 2014 UTC (9 years, 10 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.12: +3 -2 lines

ifdef SYS_sendsyslog so this will compile without patching on -stable

Revision 1.12, Fri Jul 11 08:09:54 2014 UTC (9 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.11: +2 -1 lines

Permit use of SYS_sendsyslog from inside the sandbox.  Clock is ticking,
update your kernels and sshd soon.. libc will start using sendsyslog()
in about 4 days.

Revision 1.11, Wed Jun 18 02:59:13 2014 UTC (9 years, 11 months ago) by matthew
Branch: MAIN
Changes since 1.10: +8 -2 lines

Now that we have a dedicated getentropy(2) system call for
arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
sandbox.

ok djm

Revision 1.10, Fri Jun 13 08:26:29 2014 UTC (9 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.9: +2 -1 lines

permit SYS_getentropy
from matthew

Revision 1.9, Fri Jan 31 16:39:19 2014 UTC (10 years, 3 months ago) by tedu
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.8: +2 -2 lines

replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker

Revision 1.8, Thu Jan 30 22:26:14 2014 UTC (10 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.7: +2 -1 lines

allow shutdown(2) syscall in sandbox - it may be called by packet_close()
from portable

Revision 1.7, Sat Jun 1 13:15:52 2013 UTC (10 years, 11 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.6: +2 -1 lines

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps.  Suggested by
markus@, "looks good" djm@.

Revision 1.6, Sat Jun 30 14:35:09 2012 UTC (11 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3, OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.5: +27 -28 lines

fix a during the load of the sandbox policies (child can still make
the read-syscall and wait forever for systrace-answers) by replacing
the read/write synchronisation with SIGSTOP/SIGCONT;
report and help hshoexer@; ok djm@, dtucker@

Revision 1.5, Tue Jun 26 11:02:30 2012 UTC (11 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.4: +2 -1 lines

Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
sandbox" since malloc now uses it.  From johnw.mail at gmail com.

Revision 1.4, Fri Jul 29 14:42:45 2011 UTC (12 years, 9 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.3: +44 -34 lines

fail open(2) with EPERM rather than SIGKILLing the whole process. libc
will call open() to do strerror() when NLS is enabled;
feedback and ok markus@

Revision 1.3, Thu Jun 23 09:34:13 2011 UTC (12 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.2: +2 -2 lines

rename sandbox.h => ssh-sandbox.h to make things easier for portable

Revision 1.2, Wed Jun 22 22:14:05 2011 UTC (12 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.1: +1 -0 lines

$OpenBSD$ markers

Revision 1.1, Wed Jun 22 21:57:01 2011 UTC (12 years, 10 months ago) by djm
Branch: MAIN

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@
