blob: 5a39f4fe146f8bcc0e63d2e9227f9fb14efc4635 [file] [log] [blame]
Damien Miller35e48192011-08-06 06:16:23 +10001/* $OpenBSD: sandbox-systrace.c,v 1.4 2011/07/29 14:42:45 djm Exp $ */
Damien Miller69ff1df2011-06-23 08:30:03 +10002/*
3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include "includes.h"
19
20#ifdef SANDBOX_SYSTRACE
21
22#include <sys/types.h>
23#include <sys/param.h>
24#include <sys/ioctl.h>
25#include <sys/syscall.h>
26#include <sys/socket.h>
27
28#include <dev/systrace.h>
29
30#include <errno.h>
31#include <fcntl.h>
32#include <limits.h>
33#include <stdarg.h>
34#include <stdio.h>
35#include <stdlib.h>
36#include <string.h>
37#include <unistd.h>
38
39#include "atomicio.h"
40#include "log.h"
Damien Millerdcbd41e2011-06-23 19:45:51 +100041#include "ssh-sandbox.h"
Damien Miller69ff1df2011-06-23 08:30:03 +100042#include "xmalloc.h"
43
Damien Miller35e48192011-08-06 06:16:23 +100044struct sandbox_policy {
45 int syscall;
46 int action;
47};
48
49/* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
50static const struct sandbox_policy preauth_policy[] = {
51 { SYS_open, SYSTR_POLICY_NEVER },
52
53 { SYS___sysctl, SYSTR_POLICY_PERMIT },
54 { SYS_close, SYSTR_POLICY_PERMIT },
55 { SYS_exit, SYSTR_POLICY_PERMIT },
56 { SYS_getpid, SYSTR_POLICY_PERMIT },
57 { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
58 { SYS_madvise, SYSTR_POLICY_PERMIT },
59 { SYS_mmap, SYSTR_POLICY_PERMIT },
60 { SYS_mprotect, SYSTR_POLICY_PERMIT },
61 { SYS_poll, SYSTR_POLICY_PERMIT },
62 { SYS_munmap, SYSTR_POLICY_PERMIT },
63 { SYS_read, SYSTR_POLICY_PERMIT },
64 { SYS_select, SYSTR_POLICY_PERMIT },
65 { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
66 { SYS_write, SYSTR_POLICY_PERMIT },
67 { -1, -1 }
Damien Miller69ff1df2011-06-23 08:30:03 +100068};
69
70struct ssh_sandbox {
71 int child_sock;
72 int parent_sock;
73 int systrace_fd;
74 pid_t child_pid;
Damien Miller69ff1df2011-06-23 08:30:03 +100075};
76
77struct ssh_sandbox *
78ssh_sandbox_init(void)
79{
80 struct ssh_sandbox *box;
81 int s[2];
82
83 debug3("%s: preparing systrace sandbox", __func__);
84 box = xcalloc(1, sizeof(*box));
85 if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1)
86 fatal("%s: socketpair: %s", __func__, strerror(errno));
87 box->child_sock = s[0];
88 box->parent_sock = s[1];
89 box->systrace_fd = -1;
90 box->child_pid = 0;
91
92 return box;
93}
94
95void
96ssh_sandbox_child(struct ssh_sandbox *box)
97{
98 char whatever = 0;
99
100 close(box->parent_sock);
101 /* Signal parent that we are ready */
102 debug3("%s: ready", __func__);
103 if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1)
104 fatal("%s: write: %s", __func__, strerror(errno));
105 /* Wait for parent to signal for us to go */
106 if (atomicio(read, box->child_sock, &whatever, 1) != 1)
107 fatal("%s: read: %s", __func__, strerror(errno));
108 debug3("%s: started", __func__);
109 close(box->child_sock);
110}
111
112static void
113ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
Damien Miller35e48192011-08-06 06:16:23 +1000114 const struct sandbox_policy *allowed_syscalls)
Damien Miller69ff1df2011-06-23 08:30:03 +1000115{
116 int dev_systrace, i, j, found;
117 char whatever = 0;
Damien Miller35e48192011-08-06 06:16:23 +1000118 struct systrace_policy policy;
Damien Miller69ff1df2011-06-23 08:30:03 +1000119
120 debug3("%s: wait for child %ld", __func__, (long)child_pid);
121 box->child_pid = child_pid;
122 close(box->child_sock);
123 /* Wait for child to signal that it is ready */
124 if (atomicio(read, box->parent_sock, &whatever, 1) != 1)
125 fatal("%s: read: %s", __func__, strerror(errno));
126 debug3("%s: child %ld ready", __func__, (long)child_pid);
127
128 /* Set up systracing of child */
129 if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
130 fatal("%s: open(\"/dev/systrace\"): %s", __func__,
131 strerror(errno));
132 if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
133 fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
134 dev_systrace, strerror(errno));
135 close(dev_systrace);
136 debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
137 if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
138 fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
139 box->systrace_fd, child_pid, strerror(errno));
140
141 /* Allocate and assign policy */
Damien Miller35e48192011-08-06 06:16:23 +1000142 bzero(&policy, sizeof(policy));
143 policy.strp_op = SYSTR_POLICY_NEW;
144 policy.strp_maxents = SYS_MAXSYSCALL;
145 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
Damien Miller69ff1df2011-06-23 08:30:03 +1000146 fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
147 box->systrace_fd, strerror(errno));
148
Damien Miller35e48192011-08-06 06:16:23 +1000149 policy.strp_op = SYSTR_POLICY_ASSIGN;
150 policy.strp_pid = box->child_pid;
151 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
Damien Miller69ff1df2011-06-23 08:30:03 +1000152 fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
153 __func__, box->systrace_fd, strerror(errno));
154
155 /* Set per-syscall policy */
156 for (i = 0; i < SYS_MAXSYSCALL; i++) {
Damien Miller35e48192011-08-06 06:16:23 +1000157 found = 0;
158 for (j = 0; allowed_syscalls[j].syscall != -1; j++) {
159 if (allowed_syscalls[j].syscall == i) {
Damien Miller69ff1df2011-06-23 08:30:03 +1000160 found = 1;
Damien Miller35e48192011-08-06 06:16:23 +1000161 break;
162 }
Damien Miller69ff1df2011-06-23 08:30:03 +1000163 }
Damien Miller35e48192011-08-06 06:16:23 +1000164 policy.strp_op = SYSTR_POLICY_MODIFY;
165 policy.strp_code = i;
166 policy.strp_policy = found ?
167 allowed_syscalls[j].action : SYSTR_POLICY_KILL;
Damien Miller69ff1df2011-06-23 08:30:03 +1000168 if (found)
169 debug3("%s: policy: enable syscall %d", __func__, i);
Damien Miller35e48192011-08-06 06:16:23 +1000170 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
Damien Miller69ff1df2011-06-23 08:30:03 +1000171 fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
172 __func__, box->systrace_fd, strerror(errno));
173 }
174
175 /* Signal the child to start running */
176 debug3("%s: start child %ld", __func__, (long)child_pid);
177 if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1)
178 fatal("%s: write: %s", __func__, strerror(errno));
179 close(box->parent_sock);
180}
181
182void
183ssh_sandbox_parent_finish(struct ssh_sandbox *box)
184{
185 /* Closing this before the child exits will terminate it */
186 close(box->systrace_fd);
187
188 free(box);
189 debug3("%s: finished", __func__);
190}
191
192void
193ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
194{
195 ssh_sandbox_parent(box, child_pid, preauth_policy);
196}
197
198#endif /* SANDBOX_SYSTRACE */