Commit Graph

46 Commits

Author SHA1 Message Date
Darren Tucker
284b6e5394 Allow ppoll_time64 in seccomp sandbox.
Should fix sandbox violations on (some? at least i386 and armhf) 32bit
Linux platforms.  Patch from chutzpahu at gentoo.org and cjwatson at
debian.org via bz#3396.
2022-02-26 14:06:14 +11:00
Alex James
8a0848cdd3 sandbox-seccomp-filter: allow gettid
Some allocators (such as Scudo) use gettid while tracing allocations [1].
Allow gettid in preauth to prevent sshd from crashing with Scudo.

[1]: https://github.com/llvm/llvm-project/blob/llvmorg-13.0.0/compiler-rt/lib/gwp_asan/common.cpp#L46
2022-01-31 16:45:10 +11:00
Damien Miller
9778a15fa6 adjust seccomp filter for select->poll conversion
Needed to add ppoll syscall but also to relax the fallback rlimit
sandbox. Linux poll() fails with EINVAL if npfds > RLIMIT_NOFILE,
so we have to allow a single fd in the rlimit.
2021-11-18 10:16:55 +11:00
Damien Miller
57ed647ee0 polish whitespace for portable files 2021-04-03 17:47:37 +11:00
Darren Tucker
82fef71e20 Allow (but return EACCES) fstatat64 in sandbox.
This is apparently used in some configurations of OpenSSL when glibc
has getrandom().  bz#3276, patch from Kris Karas, ok djm@
2021-03-12 15:58:57 +11:00
Darren Tucker
1bb130ed34 Add __NR_futex_time64 to seccomp sandbox.
This is apparently needed for (some) 32 bit platforms with glibc 2.33.
Patch from nix at esperi.org.uk and jjelen at redhat.com via bz#3260.
2021-02-11 10:18:05 +11:00
Luca Weiss
2e0beff67d Deny (non-fatal) statx in preauth privsep child. 2021-02-05 13:56:26 +11:00
Darren Tucker
0f90440ca7 Add new pselect6_time64 syscall on ARM.
This is apparently needed on armhfp/armv7hl.  bz#3232, patch from
jjelen at redhat.com.
2020-11-20 13:37:54 +11:00
Darren Tucker
8af0244d7b Add sys/syscall.h for syscall numbers.
In some architecture/libc configurations we need to explicitly include
sys/syscall.h for the syscall number (__NR_xxx) definitions.  bz#3085,
patch from blowfist at xroutine.net.
2020-04-15 10:58:02 +10:00
Damien Miller
ccd3b247d5 add clock_gettime64(2) to sandbox allowed syscalls
bz3093
2020-02-03 19:40:12 +11:00
Jeremy Drake
30f704ebc0 Deny (non-fatal) ipc in preauth privsep child.
As noted in openssh/openssh-portable#149, i386 does not have have
_NR_shmget etc.  Instead, it has a single ipc syscall (see man 2 ipc,
https://linux.die.net/man/2/ipc).  Add this syscall, if present, to the
list of syscalls that seccomp will deny non-fatally.
2020-01-08 21:47:44 +11:00
Khem Raj
b110cefdfb seccomp: Allow clock_gettime64() in sandbox.
This helps sshd accept connections on mips platforms with
upcoming glibc ( 2.31 )
2020-01-08 12:10:00 +11:00
Darren Tucker
5af6fd5461 Allow clock_nanosleep_time64 in seccomp sandbox.
Needed on Linux ARM.  bz#3100, patch from jjelen@redhat.com.
2019-12-16 13:55:56 +11:00
Darren Tucker
546274a6f8 Remove duplicate __NR_clock_nanosleep 2019-11-13 23:27:31 +11:00
Darren Tucker
b1c82f4b8a seccomp: Allow clock_nanosleep() in sandbox.
seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
glibc.  Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
2019-11-13 23:19:35 +11:00
Eduardo Barretto
8dc7d6b75a Enable specific ioctl call for EP11 crypto card (s390)
The EP11 crypto card needs to make an ioctl call, which receives an
specific argument. This crypto card is for s390 only.

Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
2019-10-05 18:30:40 +10:00
Lonnie Abelbeck
3ef92a6574 Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
2019-10-02 12:24:38 +10:00
Damien Miller
e83c989bfd use SC_ALLOW_ARG_MASK to limit mmap protections
Restrict to PROT_(READ|WRITE|NONE), i.e. exclude PROT_EXEC
2019-08-23 10:19:30 +10:00
Damien Miller
f6906f9bf1 allow mprotect(2) with PROT_(READ|WRITE|NONE) only
Used by some hardened heap allocators. Requested by Yegor
Timoshenko in https://github.com/openssh/openssh-portable/pull/142
2019-08-23 10:10:03 +10:00
Harald Freudenberger
b3a77b25e5 allow s390 specific ioctl for ecc hardware support
Adding another s390 specific ioctl to be able to support ECC hardware
acceleration to the sandbox seccomp filter rules.

Now the ibmca openssl engine provides elliptic curve cryptography
support with the help of libica and CCA crypto cards. This is done via
jet another ioctl call to the zcrypt device driver and so there is a
need to enable this on the openssl sandbox.

Code is s390 specific and has been tested, verified and reviewed.

Please note that I am also the originator of the previous changes in
that area.  I posted these changes to Eduardo and he forwarded the
patches to the openssl community.

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
2019-06-05 15:08:46 +10:00
Damien Miller
149519b9f2 add futex(2) syscall to seccomp sandbox
Apparently needed for some glibc/openssl combinations.

Patch from Arkadiusz Miśkiewicz
2018-09-15 19:37:48 +10:00
Damien Miller
4ef75926ef Permit getuid()/geteuid() syscalls.
Requested for Linux/s390; patch from Eduardo Barretto via bz#2752;
ok dtucker
2018-05-25 13:45:01 +10:00
Darren Tucker
0e73428038 Allow nanosleep in preauth privsep child.
The new timing attack mitigation code uses nanosleep in the preauth
codepath, allow in sandbox.
2018-04-13 16:06:29 +10:00
Darren Tucker
17a54a03f5 Fix typo in "socketcall".
Pointed out by jjelen at redhat.com.
2017-04-25 08:32:27 +10:00
Darren Tucker
8b0eee148f Deny socketcall in seccomp filter on ppc64le.
OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys
in privsep child. The socket() syscall is already denied in the seccomp
filter, but in ppc64le kernel, it is implemented using socketcall()
syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and
therefore fails hard.

Patch from jjelen at redhat.com.
2017-04-24 19:40:31 +10:00
Damien Miller
58b8cfa2a0 Missing header on Linux/s390
Patch from Jakub Jelen
2017-03-22 12:43:02 +11:00
Damien Miller
6b853c6f8b Fix syntax error on Linux/X32
Patch from Mike Frysinger
2017-03-21 08:47:55 +11:00
Damien Miller
f86586b03f Make seccomp-bpf sandbox work on Linux/X32
Allow clock_gettime syscall with X32 bit masked off. Apparently
this is required for at least some kernel versions. bz#2142
Patch mostly by Colin Watson. ok dtucker@
2017-03-14 18:26:29 +11:00
Damien Miller
e3ea335abe Remove macro trickery; no binary change
This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros
prepending __NR_ to the syscall number parameter and just makes
them explicit in the macro invocations.

No binary change in stripped object file before/after.
2017-03-14 17:53:17 +11:00
Damien Miller
5f1596e11d support ioctls for ICA crypto card on Linux/s390
Based on patch from Eduardo Barretto; ok dtucker@
2017-03-14 17:53:17 +11:00
Damien Miller
9e96b41682 Fix weakness in seccomp-bpf sandbox arg inspection
Syscall arguments are passed via an array of 64-bit values in struct
seccomp_data, but we were only inspecting the bottom 32 bits and not
even those correctly for BE systems.

Fortunately, the only case argument inspection was used was in the
socketcall filtering so using this for sandbox escape seems
impossible.

ok dtucker
2017-03-14 12:41:53 +11:00
Damien Miller
f64062b1f7 Deny lstat syscalls in seccomp sandbox
Avoids sandbox violations for some krb/gssapi libraries.
2016-05-20 09:56:53 +10:00
Damien Miller
26ad182472 allow getrandom syscall; from Felix von Leitner 2015-09-10 10:57:41 +10:00
djm@openbsd.org
512caddf59 upstream commit
add getpid to sandbox, reachable by grace_alarm_handler

reported by Jakub Jelen; bz#2419

Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
2015-06-30 08:36:34 +10:00
Damien Miller
bc20205c91 add missing pselect6
patch from Jakub Jelen
2015-06-25 09:51:39 +10:00
Damien Miller
97e2e1596c trivial optimisation for seccomp-bpf
When doing arg inspection and the syscall doesn't match, skip
past the instruction that reloads the syscall into the accumulator,
since the accumulator hasn't been modified at this point.
2015-06-17 14:36:54 +10:00
Damien Miller
99f33d7304 aarch64 support for seccomp-bpf sandbox
Also resort and tidy syscall list. Based on patches by Jakub Jelen
bz#2361; ok dtucker@
2015-06-17 10:50:51 +10:00
Damien Miller
0fa0ed061b - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;
patch from Felix von Leitner; ok dtucker
2014-09-10 08:15:34 +10:00
Damien Miller
48abc47e60 - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
remind myself to add sandbox violation logging via the log socket.
2014-03-17 14:45:56 +11:00
Damien Miller
6434cb2cfb - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define
__NR_shutdown; some go via the socketcall(2) multiplexer.
2014-02-06 11:17:50 +11:00
Damien Miller
7e5cec6070 - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
syscall from sandboxes; it may be called by packet_close.
2014-01-31 09:25:34 +11:00
Damien Miller
868ea1ea1c - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
   [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
   using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
   Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
2014-01-17 16:47:04 +11:00
Darren Tucker
e9887d1c37 - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday. 2013-06-02 09:17:09 +10:00
Damien Miller
91f40d8592 - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux
seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com;
       ok dtucker
2013-02-22 11:37:00 +11:00
Damien Miller
a0433a7096 - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
not available. Allows use of sshd compiled on host with a filter-capable
   kernel on hosts that lack the support. bz#2011 ok dtucker@
2012-07-06 10:27:10 +10:00
Damien Miller
e0956e3834 - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox
mode for Linux's new seccomp filter; patch from Will Drewry; feedback
   and ok dtucker@
2012-04-04 11:27:54 +10:00