Annotation of src/usr.bin/ssh/sandbox-rlimit.c, Revision 1.1
1.1 ! djm 1: /*
! 2: * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
! 3: *
! 4: * Permission to use, copy, modify, and distribute this software for any
! 5: * purpose with or without fee is hereby granted, provided that the above
! 6: * copyright notice and this permission notice appear in all copies.
! 7: *
! 8: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 9: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 10: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 11: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 12: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 13: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 14: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 15: */
! 16:
! 17: #include <sys/types.h>
! 18: #include <sys/param.h>
! 19: #include <sys/time.h>
! 20: #include <sys/resource.h>
! 21:
! 22: #include <errno.h>
! 23: #include <stdarg.h>
! 24: #include <stdio.h>
! 25: #include <stdlib.h>
! 26: #include <string.h>
! 27: #include <unistd.h>
! 28:
! 29: #include "log.h"
! 30: #include "sandbox.h"
! 31: #include "xmalloc.h"
! 32:
! 33: /* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */
! 34:
/*
 * Per-sandbox state for the rlimit sandbox.
 *
 * The only thing recorded is the pid of the sandboxed child; the limits
 * themselves are applied in the child and need no bookkeeping here.
 */
struct ssh_sandbox {
	pid_t	child_pid;	/* 0 until ssh_sandbox_parent_preauth() stores it */
};
! 38:
/*
 * Allocate the handle for an rlimit sandbox.
 *
 * Returns a zero-filled struct ssh_sandbox obtained from xcalloc(); the
 * caller hands it back to ssh_sandbox_parent_finish(), which frees it.
 */
struct ssh_sandbox *
ssh_sandbox_init(void)
{
	struct ssh_sandbox *sandbox;

	debug3("%s: preparing rlimit sandbox", __func__);

	/*
	 * This sandbox has no state worth keeping; the object exists only
	 * because the sandbox API expects a non-NULL handle.
	 */
	sandbox = xcalloc(1, sizeof(*sandbox));
	sandbox->child_pid = 0;
	return sandbox;
}
! 54:
/*
 * Apply the sandbox in the child: set both the soft and the hard limit to
 * zero for file size, open file descriptors and processes.
 *
 * Any setrlimit() failure is reported through fatal(), so the child is not
 * meant to carry on with a partially applied sandbox.  The box argument is
 * not used by this implementation.
 *
 * NOTE(review): a zero RLIMIT_NOFILE only stops new descriptors from being
 * allocated; descriptors that are already open stay usable, so the caller
 * should have closed everything the child does not need before this point.
 * These limits also do not filter system calls - confirm that the callers
 * treat this as a minimal fallback sandbox only.
 */
void
ssh_sandbox_child(struct ssh_sandbox *box)
{
	const struct rlimit no_resources = { .rlim_cur = 0, .rlim_max = 0 };

	/* No growing or creating of files. */
	if (setrlimit(RLIMIT_FSIZE, &no_resources) == -1) {
		fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
		    __func__, strerror(errno));
	}

	/* No new file descriptors. */
	if (setrlimit(RLIMIT_NOFILE, &no_resources) == -1) {
		fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
		    __func__, strerror(errno));
	}

	/* No new processes. */
	if (setrlimit(RLIMIT_NPROC, &no_resources) == -1) {
		fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
		    __func__, strerror(errno));
	}
}
! 72:
/*
 * Parent-side teardown: release the handle returned by ssh_sandbox_init().
 *
 * The handle is freed here, so the caller must not use box after this
 * function returns.
 */
void
ssh_sandbox_parent_finish(struct ssh_sandbox *box)
{
	free(box);

	debug3("%s: finished", __func__);
}
! 79:
/*
 * Parent-side hook that stores the pid of the sandboxed child in the
 * handle.
 *
 * box is dereferenced without a NULL check, so the caller must pass the
 * handle obtained from ssh_sandbox_init().
 */
void
ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
{
	/* Remembering the pid is all the rlimit sandbox does in the parent. */
	box->child_pid = child_pid;
}
! 86: