1/* $OpenBSD: sandbox-systrace.c,v 1.18 2015/10/02 01:39:26 deraadt Exp $ */ 2/* 3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18#include "includes.h" 19 20#ifdef SANDBOX_SYSTRACE 21 22#include <sys/types.h> 23#include <sys/ioctl.h> 24#include <sys/syscall.h> 25#include <sys/socket.h> 26#include <sys/wait.h> 27 28#include <dev/systrace.h> 29 30#include <errno.h> 31#include <fcntl.h> 32#include <limits.h> 33#include <signal.h> 34#include <stdarg.h> 35#include <stdio.h> 36#include <stdlib.h> 37#include <string.h> 38#include <unistd.h> 39#include <limits.h> 40 41#include "atomicio.h" 42#include "log.h" 43#include "ssh-sandbox.h" 44#include "xmalloc.h" 45 46struct sandbox_policy { 47 int syscall; 48 int action; 49}; 50 51/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */ 52static const struct sandbox_policy preauth_policy[] = { 53 { SYS_exit, SYSTR_POLICY_PERMIT }, 54#ifdef SYS_kbind 55 { SYS_kbind, SYSTR_POLICY_PERMIT }, 56#endif 57 58 { SYS_getpid, SYSTR_POLICY_PERMIT }, 59 { SYS_getpgid, SYSTR_POLICY_PERMIT }, 60 { SYS_clock_gettime, SYSTR_POLICY_PERMIT }, 61 { SYS_gettimeofday, SYSTR_POLICY_PERMIT }, 62 { SYS_nanosleep, SYSTR_POLICY_PERMIT }, 63 { SYS_sigprocmask, SYSTR_POLICY_PERMIT }, 64 65#ifdef SYS_getentropy 66 /* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */ 67 { SYS_getentropy, SYSTR_POLICY_PERMIT }, 68#else 69 /* Previous releases used sysctl(3)'s kern.arnd variable. */ 70 { SYS___sysctl, SYSTR_POLICY_PERMIT }, 71#endif 72#ifdef SYS_sendsyslog 73 { SYS_sendsyslog, SYSTR_POLICY_PERMIT }, 74#endif 75 76 { SYS_madvise, SYSTR_POLICY_PERMIT }, 77 { SYS_mmap, SYSTR_POLICY_PERMIT }, 78 { SYS_mprotect, SYSTR_POLICY_PERMIT }, 79 { SYS_mquery, SYSTR_POLICY_PERMIT }, 80 { SYS_munmap, SYSTR_POLICY_PERMIT }, 81 82 { SYS_poll, SYSTR_POLICY_PERMIT }, 83 { SYS_select, SYSTR_POLICY_PERMIT }, 84 { SYS_read, SYSTR_POLICY_PERMIT }, 85 { SYS_write, SYSTR_POLICY_PERMIT }, 86 { SYS_shutdown, SYSTR_POLICY_PERMIT }, 87 { SYS_close, SYSTR_POLICY_PERMIT }, 88 89 { SYS_open, SYSTR_POLICY_NEVER }, 90 91 { -1, -1 } 92}; 93 94struct ssh_sandbox { 95 int systrace_fd; 96 pid_t child_pid; 97 void (*osigchld)(int); 98}; 99 100struct ssh_sandbox * 101ssh_sandbox_init(struct monitor *monitor) 102{ 103 struct ssh_sandbox *box; 104 105 debug3("%s: preparing systrace sandbox", __func__); 106 box = xcalloc(1, sizeof(*box)); 107 box->systrace_fd = -1; 108 box->child_pid = 0; 109 box->osigchld = signal(SIGCHLD, SIG_IGN); 110 111 return box; 112} 113 114void 115ssh_sandbox_child(struct ssh_sandbox *box) 116{ 117 debug3("%s: ready", __func__); 118 signal(SIGCHLD, box->osigchld); 119 if (kill(getpid(), SIGSTOP) != 0) 120 fatal("%s: kill(%d, SIGSTOP)", __func__, getpid()); 121 debug3("%s: started", __func__); 122} 123 124static void 125ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, 126 const struct sandbox_policy *allowed_syscalls) 127{ 128 int dev_systrace, i, j, found, status; 129 pid_t pid; 130 struct systrace_policy policy; 131 132 /* Wait for the child to send itself a SIGSTOP */ 133 debug3("%s: wait for child %ld", __func__, (long)child_pid); 134 do { 135 pid = waitpid(child_pid, &status, WUNTRACED); 136 } while (pid == -1 && errno == EINTR); 137 signal(SIGCHLD, box->osigchld); 138 if (!WIFSTOPPED(status)) { 139 if (WIFSIGNALED(status)) 140 fatal("%s: child terminated with signal %d", 141 __func__, WTERMSIG(status)); 142 if (WIFEXITED(status)) 143 fatal("%s: child exited with status %d", 144 __func__, WEXITSTATUS(status)); 145 fatal("%s: child not stopped", __func__); 146 } 147 debug3("%s: child %ld stopped", __func__, (long)child_pid); 148 box->child_pid = child_pid; 149 150 /* Set up systracing of child */ 151 if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1) 152 fatal("%s: open(\"/dev/systrace\"): %s", __func__, 153 strerror(errno)); 154 if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1) 155 fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__, 156 dev_systrace, strerror(errno)); 157 close(dev_systrace); 158 debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd); 159 if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1) 160 fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__, 161 box->systrace_fd, child_pid, strerror(errno)); 162 163 /* Allocate and assign policy */ 164 memset(&policy, 0, sizeof(policy)); 165 policy.strp_op = SYSTR_POLICY_NEW; 166 policy.strp_maxents = SYS_MAXSYSCALL; 167 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1) 168 fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__, 169 box->systrace_fd, strerror(errno)); 170 171 policy.strp_op = SYSTR_POLICY_ASSIGN; 172 policy.strp_pid = box->child_pid; 173 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1) 174 fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s", 175 __func__, box->systrace_fd, strerror(errno)); 176 177 /* Set per-syscall policy */ 178 for (i = 0; i < SYS_MAXSYSCALL; i++) { 179 found = 0; 180 for (j = 0; allowed_syscalls[j].syscall != -1; j++) { 181 if (allowed_syscalls[j].syscall == i) { 182 found = 1; 183 break; 184 } 185 } 186 policy.strp_op = SYSTR_POLICY_MODIFY; 187 policy.strp_code = i; 188 policy.strp_policy = found ? 189 allowed_syscalls[j].action : SYSTR_POLICY_KILL; 190 if (found) 191 debug3("%s: policy: enable syscall %d", __func__, i); 192 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1) 193 fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s", 194 __func__, box->systrace_fd, strerror(errno)); 195 } 196 197 /* Signal the child to start running */ 198 debug3("%s: start child %ld", __func__, (long)child_pid); 199 if (kill(box->child_pid, SIGCONT) != 0) 200 fatal("%s: kill(%d, SIGCONT)", __func__, box->child_pid); 201} 202 203void 204ssh_sandbox_parent_finish(struct ssh_sandbox *box) 205{ 206 /* Closing this before the child exits will terminate it */ 207 close(box->systrace_fd); 208 209 free(box); 210 debug3("%s: finished", __func__); 211} 212 213void 214ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) 215{ 216 ssh_sandbox_parent(box, child_pid, preauth_policy); 217} 218 219#endif /* SANDBOX_SYSTRACE */ 220