1 /* $OpenBSD: sandbox-systrace.c,v 1.18 2015/10/02 01:39:26 deraadt Exp $ */
2 /*
3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include "includes.h"
19
20 #ifdef SANDBOX_SYSTRACE
21
22 #include <sys/types.h>
23 #include <sys/ioctl.h>
24 #include <sys/syscall.h>
25 #include <sys/socket.h>
26 #include <sys/wait.h>
27
28 #include <dev/systrace.h>
29
30 #include <errno.h>
31 #include <fcntl.h>
32 #include <limits.h>
33 #include <signal.h>
34 #include <stdarg.h>
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <string.h>
38 #include <unistd.h>
39
40 #include "atomicio.h"
41 #include "log.h"
42 #include "ssh-sandbox.h"
43 #include "xmalloc.h"
44
45 struct sandbox_policy {
46 int syscall;
47 int action;
48 };
49
50 /* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
51 static const struct sandbox_policy preauth_policy[] = {
52 { SYS_exit, SYSTR_POLICY_PERMIT },
53 #ifdef SYS_kbind
54 { SYS_kbind, SYSTR_POLICY_PERMIT },
55 #endif
56
57 { SYS_getpid, SYSTR_POLICY_PERMIT },
58 { SYS_getpgid, SYSTR_POLICY_PERMIT },
59 { SYS_clock_gettime, SYSTR_POLICY_PERMIT },
60 { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
61 { SYS_nanosleep, SYSTR_POLICY_PERMIT },
62 { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
63
64 #ifdef SYS_getentropy
65 /* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */
66 { SYS_getentropy, SYSTR_POLICY_PERMIT },
67 #else
68 /* Previous releases used sysctl(3)'s kern.arnd variable. */
69 { SYS___sysctl, SYSTR_POLICY_PERMIT },
70 #endif
71 #ifdef SYS_sendsyslog
72 { SYS_sendsyslog, SYSTR_POLICY_PERMIT },
73 #endif
74
75 { SYS_madvise, SYSTR_POLICY_PERMIT },
76 { SYS_mmap, SYSTR_POLICY_PERMIT },
77 { SYS_mprotect, SYSTR_POLICY_PERMIT },
78 { SYS_mquery, SYSTR_POLICY_PERMIT },
79 { SYS_munmap, SYSTR_POLICY_PERMIT },
80
81 { SYS_poll, SYSTR_POLICY_PERMIT },
82 { SYS_select, SYSTR_POLICY_PERMIT },
83 { SYS_read, SYSTR_POLICY_PERMIT },
84 { SYS_write, SYSTR_POLICY_PERMIT },
85 { SYS_shutdown, SYSTR_POLICY_PERMIT },
86 { SYS_close, SYSTR_POLICY_PERMIT },
87
88 { SYS_open, SYSTR_POLICY_NEVER },
89
90 { -1, -1 }
91 };
92
93 struct ssh_sandbox {
94 int systrace_fd;
95 pid_t child_pid;
96 void (*osigchld)(int);
97 };
98
99 struct ssh_sandbox *
ssh_sandbox_init(struct monitor * monitor)100 ssh_sandbox_init(struct monitor *monitor)
101 {
102 struct ssh_sandbox *box;
103
104 debug3("%s: preparing systrace sandbox", __func__);
105 box = xcalloc(1, sizeof(*box));
106 box->systrace_fd = -1;
107 box->child_pid = 0;
108 box->osigchld = ssh_signal(SIGCHLD, SIG_IGN);
109
110 return box;
111 }
112
113 void
ssh_sandbox_child(struct ssh_sandbox * box)114 ssh_sandbox_child(struct ssh_sandbox *box)
115 {
116 debug3("%s: ready", __func__);
117 ssh_signal(SIGCHLD, box->osigchld);
118 if (kill(getpid(), SIGSTOP) != 0)
119 fatal("%s: kill(%d, SIGSTOP)", __func__, getpid());
120 debug3("%s: started", __func__);
121 }
122
123 static void
ssh_sandbox_parent(struct ssh_sandbox * box,pid_t child_pid,const struct sandbox_policy * allowed_syscalls)124 ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
125 const struct sandbox_policy *allowed_syscalls)
126 {
127 int dev_systrace, i, j, found, status;
128 pid_t pid;
129 struct systrace_policy policy;
130
131 /* Wait for the child to send itself a SIGSTOP */
132 debug3("%s: wait for child %ld", __func__, (long)child_pid);
133 do {
134 pid = waitpid(child_pid, &status, WUNTRACED);
135 } while (pid == -1 && errno == EINTR);
136 ssh_signal(SIGCHLD, box->osigchld);
137 if (!WIFSTOPPED(status)) {
138 if (WIFSIGNALED(status))
139 fatal("%s: child terminated with signal %d",
140 __func__, WTERMSIG(status));
141 if (WIFEXITED(status))
142 fatal("%s: child exited with status %d",
143 __func__, WEXITSTATUS(status));
144 fatal("%s: child not stopped", __func__);
145 }
146 debug3("%s: child %ld stopped", __func__, (long)child_pid);
147 box->child_pid = child_pid;
148
149 /* Set up systracing of child */
150 if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
151 fatal("%s: open(\"/dev/systrace\"): %s", __func__,
152 strerror(errno));
153 if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
154 fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
155 dev_systrace, strerror(errno));
156 close(dev_systrace);
157 debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
158 if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
159 fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
160 box->systrace_fd, child_pid, strerror(errno));
161
162 /* Allocate and assign policy */
163 memset(&policy, 0, sizeof(policy));
164 policy.strp_op = SYSTR_POLICY_NEW;
165 policy.strp_maxents = SYS_MAXSYSCALL;
166 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
167 fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
168 box->systrace_fd, strerror(errno));
169
170 policy.strp_op = SYSTR_POLICY_ASSIGN;
171 policy.strp_pid = box->child_pid;
172 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
173 fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
174 __func__, box->systrace_fd, strerror(errno));
175
176 /* Set per-syscall policy */
177 for (i = 0; i < SYS_MAXSYSCALL; i++) {
178 found = 0;
179 for (j = 0; allowed_syscalls[j].syscall != -1; j++) {
180 if (allowed_syscalls[j].syscall == i) {
181 found = 1;
182 break;
183 }
184 }
185 policy.strp_op = SYSTR_POLICY_MODIFY;
186 policy.strp_code = i;
187 policy.strp_policy = found ?
188 allowed_syscalls[j].action : SYSTR_POLICY_KILL;
189 if (found)
190 debug3("%s: policy: enable syscall %d", __func__, i);
191 if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
192 fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
193 __func__, box->systrace_fd, strerror(errno));
194 }
195
196 /* Signal the child to start running */
197 debug3("%s: start child %ld", __func__, (long)child_pid);
198 if (kill(box->child_pid, SIGCONT) != 0)
199 fatal("%s: kill(%d, SIGCONT)", __func__, box->child_pid);
200 }
201
202 void
ssh_sandbox_parent_finish(struct ssh_sandbox * box)203 ssh_sandbox_parent_finish(struct ssh_sandbox *box)
204 {
205 /* Closing this before the child exits will terminate it */
206 close(box->systrace_fd);
207
208 free(box);
209 debug3("%s: finished", __func__);
210 }
211
212 void
ssh_sandbox_parent_preauth(struct ssh_sandbox * box,pid_t child_pid)213 ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
214 {
215 ssh_sandbox_parent(box, child_pid, preauth_policy);
216 }
217
218 #endif /* SANDBOX_SYSTRACE */
219