1 /* $OpenBSD: sandbox-systrace.c,v 1.17 2015/07/27 16:29:23 guenther Exp $ */
2 /*
3  * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "includes.h"
19 
20 #ifdef SANDBOX_SYSTRACE
21 
22 #include <sys/types.h>
23 #include <sys/ioctl.h>
24 #include <sys/syscall.h>
25 #include <sys/socket.h>
26 #include <sys/wait.h>
27 
28 #include <dev/systrace.h>
29 
30 #include <errno.h>
31 #include <fcntl.h>
32 #include <limits.h>
33 #include <signal.h>
34 #include <stdarg.h>
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <string.h>
38 #include <unistd.h>
39 #include <limits.h>
40 
41 #include "atomicio.h"
42 #include "log.h"
43 #include "ssh-sandbox.h"
44 #include "xmalloc.h"
45 
46 struct sandbox_policy {
47 	int syscall;
48 	int action;
49 };
50 
51 /* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */
52 static const struct sandbox_policy preauth_policy[] = {
53 	{ SYS_clock_gettime, SYSTR_POLICY_PERMIT },
54 	{ SYS_close, SYSTR_POLICY_PERMIT },
55 	{ SYS_exit, SYSTR_POLICY_PERMIT },
56 #ifdef SYS_getentropy
57 	/* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */
58 	{ SYS_getentropy, SYSTR_POLICY_PERMIT },
59 #else
60 	/* Previous releases used sysctl(3)'s kern.arnd variable. */
61 	{ SYS___sysctl, SYSTR_POLICY_PERMIT },
62 #endif
63 	{ SYS_getpid, SYSTR_POLICY_PERMIT },
64 	{ SYS_getpgid, SYSTR_POLICY_PERMIT },
65 	{ SYS_gettimeofday, SYSTR_POLICY_PERMIT },
66 #ifdef SYS_kbind
67 	{ SYS_kbind, SYSTR_POLICY_PERMIT },
68 #endif
69 	{ SYS_madvise, SYSTR_POLICY_PERMIT },
70 	{ SYS_mmap, SYSTR_POLICY_PERMIT },
71 	{ SYS_mprotect, SYSTR_POLICY_PERMIT },
72 	{ SYS_mquery, SYSTR_POLICY_PERMIT },
73 	{ SYS_munmap, SYSTR_POLICY_PERMIT },
74 	{ SYS_open, SYSTR_POLICY_NEVER },
75 	{ SYS_poll, SYSTR_POLICY_PERMIT },
76 	{ SYS_read, SYSTR_POLICY_PERMIT },
77 	{ SYS_select, SYSTR_POLICY_PERMIT },
78 #ifdef SYS_sendsyslog
79  	{ SYS_sendsyslog, SYSTR_POLICY_PERMIT },
80 #endif
81 	{ SYS_shutdown, SYSTR_POLICY_PERMIT },
82 	{ SYS_sigprocmask, SYSTR_POLICY_PERMIT },
83 	{ SYS_write, SYSTR_POLICY_PERMIT },
84 	{ -1, -1 }
85 };
86 
87 struct ssh_sandbox {
88 	int systrace_fd;
89 	pid_t child_pid;
90 	void (*osigchld)(int);
91 };
92 
93 struct ssh_sandbox *
ssh_sandbox_init(struct monitor * monitor)94 ssh_sandbox_init(struct monitor *monitor)
95 {
96 	struct ssh_sandbox *box;
97 
98 	debug3("%s: preparing systrace sandbox", __func__);
99 	box = xcalloc(1, sizeof(*box));
100 	box->systrace_fd = -1;
101 	box->child_pid = 0;
102 	box->osigchld = signal(SIGCHLD, SIG_IGN);
103 
104 	return box;
105 }
106 
107 void
ssh_sandbox_child(struct ssh_sandbox * box)108 ssh_sandbox_child(struct ssh_sandbox *box)
109 {
110 	debug3("%s: ready", __func__);
111 	signal(SIGCHLD, box->osigchld);
112 	if (kill(getpid(), SIGSTOP) != 0)
113 		fatal("%s: kill(%d, SIGSTOP)", __func__, getpid());
114 	debug3("%s: started", __func__);
115 }
116 
117 static void
ssh_sandbox_parent(struct ssh_sandbox * box,pid_t child_pid,const struct sandbox_policy * allowed_syscalls)118 ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
119     const struct sandbox_policy *allowed_syscalls)
120 {
121 	int dev_systrace, i, j, found, status;
122 	pid_t pid;
123 	struct systrace_policy policy;
124 
125 	/* Wait for the child to send itself a SIGSTOP */
126 	debug3("%s: wait for child %ld", __func__, (long)child_pid);
127 	do {
128 		pid = waitpid(child_pid, &status, WUNTRACED);
129 	} while (pid == -1 && errno == EINTR);
130 	signal(SIGCHLD, box->osigchld);
131 	if (!WIFSTOPPED(status)) {
132 		if (WIFSIGNALED(status))
133 			fatal("%s: child terminated with signal %d",
134 			    __func__, WTERMSIG(status));
135 		if (WIFEXITED(status))
136 			fatal("%s: child exited with status %d",
137 			    __func__, WEXITSTATUS(status));
138 		fatal("%s: child not stopped", __func__);
139 	}
140 	debug3("%s: child %ld stopped", __func__, (long)child_pid);
141 	box->child_pid = child_pid;
142 
143 	/* Set up systracing of child */
144 	if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1)
145 		fatal("%s: open(\"/dev/systrace\"): %s", __func__,
146 		    strerror(errno));
147 	if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1)
148 		fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__,
149 		    dev_systrace, strerror(errno));
150 	close(dev_systrace);
151 	debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd);
152 	if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1)
153 		fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__,
154 		    box->systrace_fd, child_pid, strerror(errno));
155 
156 	/* Allocate and assign policy */
157 	memset(&policy, 0, sizeof(policy));
158 	policy.strp_op = SYSTR_POLICY_NEW;
159 	policy.strp_maxents = SYS_MAXSYSCALL;
160 	if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
161 		fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__,
162 		    box->systrace_fd, strerror(errno));
163 
164 	policy.strp_op = SYSTR_POLICY_ASSIGN;
165 	policy.strp_pid = box->child_pid;
166 	if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
167 		fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s",
168 		    __func__, box->systrace_fd, strerror(errno));
169 
170 	/* Set per-syscall policy */
171 	for (i = 0; i < SYS_MAXSYSCALL; i++) {
172 		found = 0;
173 		for (j = 0; allowed_syscalls[j].syscall != -1; j++) {
174 			if (allowed_syscalls[j].syscall == i) {
175 				found = 1;
176 				break;
177 			}
178 		}
179 		policy.strp_op = SYSTR_POLICY_MODIFY;
180 		policy.strp_code = i;
181 		policy.strp_policy = found ?
182 		    allowed_syscalls[j].action : SYSTR_POLICY_KILL;
183 		if (found)
184 			debug3("%s: policy: enable syscall %d", __func__, i);
185 		if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
186 			fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s",
187 			    __func__, box->systrace_fd, strerror(errno));
188 	}
189 
190 	/* Signal the child to start running */
191 	debug3("%s: start child %ld", __func__, (long)child_pid);
192 	if (kill(box->child_pid, SIGCONT) != 0)
193 		fatal("%s: kill(%d, SIGCONT)", __func__, box->child_pid);
194 }
195 
196 void
ssh_sandbox_parent_finish(struct ssh_sandbox * box)197 ssh_sandbox_parent_finish(struct ssh_sandbox *box)
198 {
199 	/* Closing this before the child exits will terminate it */
200 	close(box->systrace_fd);
201 
202 	free(box);
203 	debug3("%s: finished", __func__);
204 }
205 
206 void
ssh_sandbox_parent_preauth(struct ssh_sandbox * box,pid_t child_pid)207 ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
208 {
209 	ssh_sandbox_parent(box, child_pid, preauth_policy);
210 }
211 
212 #endif /* SANDBOX_SYSTRACE */
213