sandbox-systrace.c revision 296781 
1/* $OpenBSD: sandbox-systrace.c,v 1.18 2015/10/02 01:39:26 deraadt Exp $ */
2/*
3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include "includes.h"
19
20#ifdef SANDBOX_SYSTRACE
21
22#include <sys/types.h>
23#include <sys/ioctl.h>
24#include <sys/syscall.h>
25#include <sys/socket.h>
26#include <sys/wait.h>
27
28#include <dev/systrace.h>
29
30#include <errno.h>
31#include <fcntl.h>
32#include <limits.h>
33#include <signal.h>
34#include <stdarg.h>
35#include <stdio.h>
36#include <stdlib.h>
37#include <string.h>
38#include <unistd.h>
39#include <limits.h>
40
41#include "atomicio.h"
42#include "log.h"
43#include "ssh-sandbox.h"
44#include "xmalloc.h"
45
46struct sandbox_policy {
47	int syscall;
48	int action;
49};
50
51/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
52static const struct sandbox_policy preauth_policy[] = {
53	{ SYS_exit, SYSTR_POLICY_PERMIT },
54#ifdef SYS_kbind
55	{ SYS_kbind, SYSTR_POLICY_PERMIT },
56#endif
57
58	{ SYS_getpid, SYSTR_POLICY_PERMIT },
59	{ SYS_getpgid, SYSTR_POLICY_PERMIT },
60	{ SYS_clock_gettime, SYSTR_POLICY_PERMIT },
61	{ SYS_gettimeofday, SYSTR_POLICY_PERMIT },
62	{ SYS_sigprocmask, SYSTR_POLICY_PERMIT },
63
64#ifdef SYS_getentropy
65	/* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */
66	{ SYS_getentropy, SYSTR_POLICY_PERMIT },
67#else
68	/* Previous releases used sysctl(3)'s kern.arnd variable. */
69	{ SYS___sysctl, SYSTR_POLICY_PERMIT },
70#endif
71#ifdef SYS_sendsyslog
72	{ SYS_sendsyslog, SYSTR_POLICY_PERMIT },
73#endif
74
75	{ SYS_madvise, SYSTR_POLICY_PERMIT },
76	{ SYS_mmap, SYSTR_POLICY_PERMIT },
77	{ SYS_mprotect, SYSTR_POLICY_PERMIT },
78	{ SYS_mquery, SYSTR_POLICY_PERMIT },
79	{ SYS_munmap, SYSTR_POLICY_PERMIT },
80
81	{ SYS_poll, SYSTR_POLICY_PERMIT },
82	{ SYS_select, SYSTR_POLICY_PERMIT },
83	{ SYS_read, SYSTR_POLICY_PERMIT },
84	{ SYS_write, SYSTR_POLICY_PERMIT },
85	{ SYS_shutdown, SYSTR_POLICY_PERMIT },
86	{ SYS_close, SYSTR_POLICY_PERMIT },
87
88	{ SYS_open, SYSTR_POLICY_NEVER },
89
90	{ -1, -1 }
91};
92
93struct ssh_sandbox {
94	int systrace_fd;
95	pid_t child_pid;
96	void (*osigchld)(int);
97};
98
99struct ssh_sandbox *
100ssh_sandbox_init(struct monitor *monitor)
101{
102	struct ssh_sandbox *box;
103
104	debug3("%s: preparing systrace sandbox", __func__);
105	box = xcalloc(1, sizeof(*box));
106	box->systrace_fd = -1;
107	box->child_pid = 0;
108	box->osigchld = signal(SIGCHLD, SIG_IGN);
109
110	return box;
111}
112
113void
114ssh_sandbox_child(struct ssh_sandbox *box)
115{
116	debug3("%s: ready", __func__);
117	signal(SIGCHLD, box->osigchld);
118	if (kill(getpid(), SIGSTOP) != 0)
119		fatal("%s: kill(%d, SIGSTOP)", __func__, getpid());
120	debug3("%s: started", __func__);
121}
122
123static void
124ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
125    const struct sandbox_policy *allowed_syscalls)
126{
127	int dev_systrace, i, j, found, status;
128	pid_t pid;
129	struct systrace_policy policy;
130
131	/* Wait for the child to send itself a SIGSTOP */
132	debug3("%s: wait for child %ld", __func__, (long)child_pid);
133	do {
134		pid = waitpid(child_pid, &status, WUNTRACED);
135	} while (pid == -1 && errno == EINTR);
136	signal(SIGCHLD, box->osigchld);
137	if (!WIFSTOPPED(status)) {
138		if (WIFSIGNALED(status))
139			fatal("%s: child terminated with signal %d",
140			    __func__, WTERMSIG(status));
141		if (WIFEXITED(status))
142			fatal("%s: child exited with status %d",
143			    __func__, WEXITSTATUS(status));
144		fatal("%s: child not stopped", __func__);
145	}
146	debug3("%s: child %ld stopped", __func__, (long)child_pid);
147	box->child_pid = child_pid;
148
149	/* Set up systracing of child */
150	if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
151		fatal("%s: open(\"/dev/systrace\"): %s", __func__,
152		    strerror(errno));
153	if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
154		fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
155		    dev_systrace, strerror(errno));
156	close(dev_systrace);
157	debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
158	if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
159		fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
160		    box->systrace_fd, child_pid, strerror(errno));
161
162	/* Allocate and assign policy */
163	memset(&policy, 0, sizeof(policy));
164	policy.strp_op = SYSTR_POLICY_NEW;
165	policy.strp_maxents = SYS_MAXSYSCALL;
166	if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
167		fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
168		    box->systrace_fd, strerror(errno));
169
170	policy.strp_op = SYSTR_POLICY_ASSIGN;
171	policy.strp_pid = box->child_pid;
172	if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
173		fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
174		    __func__, box->systrace_fd, strerror(errno));
175
176	/* Set per-syscall policy */
177	for (i = 0; i < SYS_MAXSYSCALL; i++) {
178		found = 0;
179		for (j = 0; allowed_syscalls[j].syscall != -1; j++) {
180			if (allowed_syscalls[j].syscall == i) {
181				found = 1;
182				break;
183			}
184		}
185		policy.strp_op = SYSTR_POLICY_MODIFY;
186		policy.strp_code = i;
187		policy.strp_policy = found ?
188		    allowed_syscalls[j].action : SYSTR_POLICY_KILL;
189		if (found)
190			debug3("%s: policy: enable syscall %d", __func__, i);
191		if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
192			fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
193			    __func__, box->systrace_fd, strerror(errno));
194	}
195
196	/* Signal the child to start running */
197	debug3("%s: start child %ld", __func__, (long)child_pid);
198	if (kill(box->child_pid, SIGCONT) != 0)
199		fatal("%s: kill(%d, SIGCONT)", __func__, box->child_pid);
200}
201
202void
203ssh_sandbox_parent_finish(struct ssh_sandbox *box)
204{
205	/* Closing this before the child exits will terminate it */
206	close(box->systrace_fd);
207
208	free(box);
209	debug3("%s: finished", __func__);
210}
211
212void
213ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
214{
215	ssh_sandbox_parent(box, child_pid, preauth_policy);
216}
217
218#endif /* SANDBOX_SYSTRACE */
219