Annotation of src/usr.bin/ssh/sandbox-systrace.c, Revision 1.3
1.3 ! djm 1: /* $OpenBSD: sandbox-systrace.c,v 1.2 2011/06/22 22:14:05 djm Exp $ */
1.1 djm 2: /*
3: * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: */
17:
18: #include <sys/types.h>
19: #include <sys/param.h>
20: #include <sys/ioctl.h>
21: #include <sys/syscall.h>
22: #include <sys/socket.h>
23:
24: #include <dev/systrace.h>
25:
26: #include <errno.h>
27: #include <fcntl.h>
28: #include <limits.h>
29: #include <stdarg.h>
30: #include <stdio.h>
31: #include <stdlib.h>
32: #include <string.h>
33: #include <unistd.h>
34:
35: #include "atomicio.h"
36: #include "log.h"
1.3 ! djm 37: #include "ssh-sandbox.h"
1.1 djm 38: #include "xmalloc.h"
39:
40: static const int preauth_policy[] = {
41: SYS___sysctl,
42: SYS_close,
43: SYS_exit,
44: SYS_getpid,
45: SYS_gettimeofday,
46: SYS_madvise,
47: SYS_mmap,
48: SYS_mprotect,
49: SYS_poll,
50: SYS_munmap,
51: SYS_read,
52: SYS_select,
53: SYS_sigprocmask,
54: SYS_write,
55: -1
56: };
57:
58: struct ssh_sandbox {
59: int child_sock;
60: int parent_sock;
61: int systrace_fd;
62: pid_t child_pid;
63: struct systrace_policy policy;
64: };
65:
66: struct ssh_sandbox *
67: ssh_sandbox_init(void)
68: {
69: struct ssh_sandbox *box;
70: int s[2];
71:
72: debug3("%s: preparing systrace sandbox", __func__);
73: box = xcalloc(1, sizeof(*box));
74: if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1)
75: fatal("%s: socketpair: %s", __func__, strerror(errno));
76: box->child_sock = s[0];
77: box->parent_sock = s[1];
78: box->systrace_fd = -1;
79: box->child_pid = 0;
80:
81: return box;
82: }
83:
84: void
85: ssh_sandbox_child(struct ssh_sandbox *box)
86: {
87: char whatever = 0;
88:
89: close(box->parent_sock);
90: /* Signal parent that we are ready */
91: debug3("%s: ready", __func__);
92: if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1)
93: fatal("%s: write: %s", __func__, strerror(errno));
94: /* Wait for parent to signal for us to go */
95: if (atomicio(read, box->child_sock, &whatever, 1) != 1)
96: fatal("%s: read: %s", __func__, strerror(errno));
97: debug3("%s: started", __func__);
98: close(box->child_sock);
99: }
100:
101: static void
102: ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
103: const int *allowed_syscalls)
104: {
105: int dev_systrace, i, j, found;
106: char whatever = 0;
107:
108: debug3("%s: wait for child %ld", __func__, (long)child_pid);
109: box->child_pid = child_pid;
110: close(box->child_sock);
111: /* Wait for child to signal that it is ready */
112: if (atomicio(read, box->parent_sock, &whatever, 1) != 1)
113: fatal("%s: read: %s", __func__, strerror(errno));
114: debug3("%s: child %ld ready", __func__, (long)child_pid);
115:
116: /* Set up systracing of child */
117: if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
118: fatal("%s: open(\"/dev/systrace\"): %s", __func__,
119: strerror(errno));
120: if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
121: fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
122: dev_systrace, strerror(errno));
123: close(dev_systrace);
124: debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
125: if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
126: fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
127: box->systrace_fd, child_pid, strerror(errno));
128:
129: /* Allocate and assign policy */
130: bzero(&box->policy, sizeof(box->policy));
131: box->policy.strp_op = SYSTR_POLICY_NEW;
132: box->policy.strp_maxents = SYS_MAXSYSCALL;
133: if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1)
134: fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
135: box->systrace_fd, strerror(errno));
136:
137: box->policy.strp_op = SYSTR_POLICY_ASSIGN;
138: box->policy.strp_pid = box->child_pid;
139: if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1)
140: fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
141: __func__, box->systrace_fd, strerror(errno));
142:
143: /* Set per-syscall policy */
144: for (i = 0; i < SYS_MAXSYSCALL; i++) {
145: for (j = found = 0; allowed_syscalls[j] != -1 && !found; j++) {
146: if (allowed_syscalls[j] == i)
147: found = 1;
148: }
149: box->policy.strp_op = SYSTR_POLICY_MODIFY;
150: box->policy.strp_code = i;
151: box->policy.strp_policy = found ?
152: SYSTR_POLICY_PERMIT : SYSTR_POLICY_KILL;
153: if (found)
154: debug3("%s: policy: enable syscall %d", __func__, i);
155: if (ioctl(box->systrace_fd, STRIOCPOLICY,
156: &box->policy) == -1)
157: fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
158: __func__, box->systrace_fd, strerror(errno));
159: }
160:
161: /* Signal the child to start running */
162: debug3("%s: start child %ld", __func__, (long)child_pid);
163: if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1)
164: fatal("%s: write: %s", __func__, strerror(errno));
165: close(box->parent_sock);
166: }
167:
168: void
169: ssh_sandbox_parent_finish(struct ssh_sandbox *box)
170: {
171: /* Closing this before the child exits will terminate it */
172: close(box->systrace_fd);
173:
174: free(box);
175: debug3("%s: finished", __func__);
176: }
177:
178: void
179: ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
180: {
181: ssh_sandbox_parent(box, child_pid, preauth_policy);
182: }