1 /* $OpenBSD: sandbox-systrace.c,v 1.6 2012/06/30 14:35:09 markus Exp $ */
3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 #ifdef SANDBOX_SYSTRACE
22 #include <sys/types.h>
23 #include <sys/param.h>
24 #include <sys/ioctl.h>
25 #include <sys/syscall.h>
26 #include <sys/socket.h>
29 #include <dev/systrace.h>
43 #include "ssh-sandbox.h"
46 struct sandbox_policy {
51 /* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
52 static const struct sandbox_policy preauth_policy[] = {
53 { SYS_open, SYSTR_POLICY_NEVER },
55 { SYS___sysctl, SYSTR_POLICY_PERMIT },
56 { SYS_close, SYSTR_POLICY_PERMIT },
57 { SYS_exit, SYSTR_POLICY_PERMIT },
58 { SYS_getpid, SYSTR_POLICY_PERMIT },
59 { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
60 { SYS_madvise, SYSTR_POLICY_PERMIT },
61 { SYS_mmap, SYSTR_POLICY_PERMIT },
62 { SYS_mprotect, SYSTR_POLICY_PERMIT },
63 { SYS_mquery, SYSTR_POLICY_PERMIT },
64 { SYS_poll, SYSTR_POLICY_PERMIT },
65 { SYS_munmap, SYSTR_POLICY_PERMIT },
66 { SYS_read, SYSTR_POLICY_PERMIT },
67 { SYS_select, SYSTR_POLICY_PERMIT },
68 { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
69 { SYS_write, SYSTR_POLICY_PERMIT },
76 void (*osigchld)(int);
80 ssh_sandbox_init(void)
82 struct ssh_sandbox *box;
84 debug3("%s: preparing systrace sandbox", __func__);
85 box = xcalloc(1, sizeof(*box));
86 box->systrace_fd = -1;
88 box->osigchld = signal(SIGCHLD, SIG_IGN);
94 ssh_sandbox_child(struct ssh_sandbox *box)
96 debug3("%s: ready", __func__);
97 signal(SIGCHLD, box->osigchld);
98 if (kill(getpid(), SIGSTOP) != 0)
99 fatal("%s: kill(%d, SIGSTOP)", __func__, getpid());
100 debug3("%s: started", __func__);
104 ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
105 const struct sandbox_policy *allowed_syscalls)
107 int dev_systrace, i, j, found, status;
109 struct systrace_policy policy;
111 /* Wait for the child to send itself a SIGSTOP */
112 debug3("%s: wait for child %ld", __func__, (long)child_pid);
114 pid = waitpid(child_pid, &status, WUNTRACED);
115 } while (pid == -1 && errno == EINTR);
116 signal(SIGCHLD, box->osigchld);
117 if (!WIFSTOPPED(status)) {
118 if (WIFSIGNALED(status))
119 fatal("%s: child terminated with signal %d",
120 __func__, WTERMSIG(status));
121 if (WIFEXITED(status))
122 fatal("%s: child exited with status %d",
123 __func__, WEXITSTATUS(status));
124 fatal("%s: child not stopped", __func__);
126 debug3("%s: child %ld stopped", __func__, (long)child_pid);
127 box->child_pid = child_pid;
129 /* Set up systracing of child */
130 if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
131 fatal("%s: open(\"/dev/systrace\"): %s", __func__,
133 if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
134 fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
135 dev_systrace, strerror(errno));
137 debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
138 if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
139 fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
140 box->systrace_fd, child_pid, strerror(errno));
142 /* Allocate and assign policy */
143 bzero(&policy, sizeof(policy));
144 policy.strp_op = SYSTR_POLICY_NEW;
145 policy.strp_maxents = SYS_MAXSYSCALL;
146 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
147 fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
148 box->systrace_fd, strerror(errno));
150 policy.strp_op = SYSTR_POLICY_ASSIGN;
151 policy.strp_pid = box->child_pid;
152 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
153 fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
154 __func__, box->systrace_fd, strerror(errno));
156 /* Set per-syscall policy */
157 for (i = 0; i < SYS_MAXSYSCALL; i++) {
159 for (j = 0; allowed_syscalls[j].syscall != -1; j++) {
160 if (allowed_syscalls[j].syscall == i) {
165 policy.strp_op = SYSTR_POLICY_MODIFY;
166 policy.strp_code = i;
167 policy.strp_policy = found ?
168 allowed_syscalls[j].action : SYSTR_POLICY_KILL;
170 debug3("%s: policy: enable syscall %d", __func__, i);
171 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
172 fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
173 __func__, box->systrace_fd, strerror(errno));
176 /* Signal the child to start running */
177 debug3("%s: start child %ld", __func__, (long)child_pid);
178 if (kill(box->child_pid, SIGCONT) != 0)
179 fatal("%s: kill(%d, SIGCONT)", __func__, box->child_pid);
183 ssh_sandbox_parent_finish(struct ssh_sandbox *box)
185 /* Closing this before the child exits will terminate it */
186 close(box->systrace_fd);
189 debug3("%s: finished", __func__);
193 ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
195 ssh_sandbox_parent(box, child_pid, preauth_policy);
198 #endif /* SANDBOX_SYSTRACE */