25 Commits

Author SHA1 Message Date
dtucker@openbsd.org
3bf2a6ac79 upstream: Replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
2020-01-23 18:51:25 +11:00
Damien Miller
edd1d3a626 remove duplicate #includes
Prompted by Jakub Jelen
2019-10-02 10:54:28 +10:00
Darren Tucker
1c5b4bc827 Allow nanosleep in preauth privsep child.
The new timing attack mitigation code uses nanosleep in the preauth
codepath, allow in systrace sandbox too.
2018-04-13 16:23:57 +10:00
Darren Tucker
996b24cebf (re)wrap SYS_sendsyslog in ifdef.
Replace ifdef that went missing in commit c61b42f267.  Fixes build on older
OpenBSDs.
2015-10-29 20:57:34 +11:00
Damien Miller
0dc74512bd unbreak merge botch
2015-10-05 18:33:05 -07:00
deraadt@openbsd.org
c61b42f267 upstream commit
re-order system calls in order of risk, ok i'll be
 honest, ordered this way they look like tame... ok djm

Upstream-ID: 42a1e6d251fd8be13c8262bee026059ae6328813
2015-10-06 12:24:54 +11:00
guenther@openbsd.org
3f628c7b53 upstream commit
Permit kbind(2) use in the sandbox now, to ease testing
 of ld.so work using it

reminded by miod@, ok deraadt@

Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
2015-07-29 19:35:41 +10:00
djm@openbsd.org
512caddf59 upstream commit
add getpid to sandbox, reachable by grace_alarm_handler

reported by Jakub Jelen; bz#2419

Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
2015-06-30 08:36:34 +10:00
deraadt@openbsd.org
7cc44ef741 upstream commit
getentropy() and sendsyslog() have been around long
 enough. openssh-portable may want the #ifdef's but not base. discussed with
 djm few weeks back

Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926
2015-05-21 15:06:06 +10:00
deraadt@openbsd.org
087266ec33 upstream commit
Reduce use of <sys/param.h> and transition to <limits.h>
 throughout. ok djm markus
2015-01-26 23:58:53 +11:00
Damien Miller
1b83320628 - djm@cvs.openbsd.org 2014/07/17 00:10:56
[sandbox-systrace.c]
     ifdef SYS_sendsyslog so this will compile without patching on -stable
2014-07-18 15:03:02 +10:00
Damien Miller
7acefbbcbe - millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     [sshd_config.5 sshlogin.c]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
2014-07-18 14:11:24 +10:00
Damien Miller
9d69d937b4 - deraadt@cvs.openbsd.org 2014/07/11 08:09:54
[sandbox-systrace.c]
     Permit use of SYS_sendsyslog from inside the sandbox.  Clock is ticking,
     update your kernels and sshd soon.. libc will start using sendsyslog()
     in about 4 days.
2014-07-17 09:49:37 +10:00
Damien Miller
84a89161a9 - matthew@cvs.openbsd.org 2014/06/18 02:59:13
[sandbox-systrace.c]
     Now that we have a dedicated getentropy(2) system call for
     arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
     sandbox.

     ok djm
2014-07-02 12:47:48 +10:00
Damien Miller
51504ceec6 - deraadt@cvs.openbsd.org 2014/06/13 08:26:29
[sandbox-systrace.c]
     permit SYS_getentropy
     from matthew
2014-07-02 12:47:25 +10:00
Damien Miller
1d2c456426 - tedu@cvs.openbsd.org 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
     [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
     [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
     [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
     [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
     replace most bzero with explicit_bzero, except a few that can be memset
     ok djm dtucker
2014-02-04 11:18:20 +11:00
Damien Miller
3928de067c - djm@cvs.openbsd.org 2014/01/30 22:26:14
[sandbox-systrace.c]
     allow shutdown(2) syscall in sandbox - it may be called by packet_close()
     from portable
     (Id sync only; change is already in portable)
2014-02-04 11:13:54 +11:00
Damien Miller
7e5cec6070 - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
syscall from sandboxes; it may be called by packet_close.
2014-01-31 09:25:34 +11:00
Damien Miller
868ea1ea1c - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
   [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
   using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
   Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
2014-01-17 16:47:04 +11:00
Darren Tucker
b759c9c2ef - dtucker@cvs.openbsd.org 2013/06/01 13:15:52
[ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c
     channels.c sandbox-systrace.c]
     Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
     keepalives and rekeying will work properly over clock steps.  Suggested by
     markus@, "looks good" djm@.
2013-06-02 07:46:16 +10:00
Darren Tucker
3b4b2d3021 - markus@cvs.openbsd.org 2012/06/30 14:35:09
[sandbox-systrace.c sshd.c]
     fix a during the load of the sandbox policies (child can still make
     the read-syscall and wait forever for systrace-answers) by replacing
     the read/write synchronisation with SIGSTOP/SIGCONT;
     report and help hshoexer@; ok djm@, dtucker@
2012-07-02 18:54:31 +10:00
Damien Miller
560de922b1 - dtucker@cvs.openbsd.org 2012/06/26 11:02:30
[sandbox-systrace.c]
     Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
     sandbox" since malloc now uses it.  From johnw.mail at gmail com.
2012-06-30 08:33:53 +10:00
Damien Miller
35e48198a8 - djm@cvs.openbsd.org 2011/07/29 14:42:45
[sandbox-systrace.c]
     fail open(2) with EPERM rather than SIGKILLing the whole process. libc
     will call open() to do strerror() when NLS is enabled;
     feedback and ok markus@
2011-08-06 06:16:23 +10:00
Damien Miller
dcbd41e7af - djm@cvs.openbsd.org 2011/06/23 09:34:13
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c]
     [sandbox-null.c]
     rename sandbox.h => ssh-sandbox.h to make things easier for portable
2011-06-23 19:45:51 +10:00
Damien Miller
69ff1df952 - djm@cvs.openbsd.org 2011/06/22 21:57:01
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
     [sandbox-systrace.c sandbox.h configure.ac Makefile.in]
     introduce sandboxing of the pre-auth privsep child using systrace(4).

     This introduces a new "UsePrivilegeSeparation=sandbox" option for
     sshd_config that applies mandatory restrictions on the syscalls the
     privsep child can perform. This prevents a compromised privsep child
     from being used to attack other hosts (by opening sockets and proxying)
     or probing local kernel attack surface.

     The sandbox is implemented using systrace(4) in unsupervised "fast-path"
     mode, where a list of permitted syscalls is supplied. Any syscall not
     on the list results in SIGKILL being sent to the privsep child. Note
     that this requires a kernel with the new SYSTR_POLICY_KILL option.

     UsePrivilegeSeparation=sandbox will become the default in the future
     so please start testing it now.

     feedback dtucker@; ok markus@
2011-06-23 08:30:03 +10:00