History log of /openssh-portable/sandbox-systrace.c (Results 1 – 25 of 25)
Revision tags: V_8_6_P1, V_8_5_P1, V_8_4_P1, V_8_3_P1, V_8_2_P1
# 3bf2a6ac 23-Jan-2020 dtucker@openbsd.org

upstream: Replace all calls to signal(2) with a wrapper around

sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519


Revision tags: V_8_1_P1
# edd1d3a6 01-Oct-2019 Damien Miller

remove duplicate #includes

Prompted by Jakub Jelen


Revision tags: V_8_0_P1, V_7_9_P1, V_7_8_P1
# 1c5b4bc8 13-Apr-2018 Darren Tucker

Allow nanosleep in preauth privsep child.

The new timing attack mitigation code uses nanosleep in the preauth
codepath, allow in systrace sandbox too.


Revision tags: V_7_7_P1, V_7_6_P1, V_7_5_P1, V_7_4_P1, V_7_3_P1, V_7_2_P2, V_7_2_P1, V_7_1_P2
# 996b24ce 29-Oct-2015 Darren Tucker

(re)wrap SYS_sendsyslog in ifdef.

Replace ifdef that went missing in commit
c61b42f2678f21f05653ac2d3d241b48ab5d59ac. Fixes build on older
OpenBSDs.


# 0dc74512 05-Oct-2015 Damien Miller

unbreak merge botch


# c61b42f2 01-Oct-2015 deraadt@openbsd.org

upstream commit

re-order system calls in order of risk, ok i'll be
honest, ordered this way they look like tame... ok djm

Upstream-ID: 42a1e6d251fd8be13c8262bee026059ae6328813


Revision tags: V_7_1_P1, V_7_0_P1
# 3f628c7b 27-Jul-2015 guenther@openbsd.org

upstream commit

Permit kbind(2) use in the sandbox now, to ease testing
of ld.so work using it

reminded by miod@, ok deraadt@

Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413


Revision tags: V_6_9_P1
# 512caddf 29-Jun-2015 djm@openbsd.org

upstream commit

add getpid to sandbox, reachable by grace_alarm_handler

reported by Jakub Jelen; bz#2419

Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8


# 7cc44ef7 18-May-2015 deraadt@openbsd.org

upstream commit

getentropy() and sendsyslog() have been around long
enough. openssh-portable may want the #ifdef's but not base. discussed with
djm few weeks back

Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926


Revision tags: V_6_8_P1
# 087266ec 20-Jan-2015 deraadt@openbsd.org

upstream commit

Reduce use of <sys/param.h> and transition to <limits.h>
throughout. ok djm markus


Revision tags: V_6_7_P1
# 1b833206 18-Jul-2014 Damien Miller

- djm@cvs.openbsd.org 2014/07/17 00:10:56
[sandbox-systrace.c]
ifdef SYS_sendsyslog so this will compile without patching on -stable


# 7acefbbc 18-Jul-2014 Damien Miller

- millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 9d69d937 16-Jul-2014 Damien Miller

- deraadt@cvs.openbsd.org 2014/07/11 08:09:54
[sandbox-systrace.c]
Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking,
update your kernels and sshd soon.. libc will start using sendsyslog()
in about 4 days.


# 84a89161 01-Jul-2014 Damien Miller

- matthew@cvs.openbsd.org 2014/06/18 02:59:13
[sandbox-systrace.c]
Now that we have a dedicated getentropy(2) system call for
arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
sandbox.

ok djm


# 51504cee 01-Jul-2014 Damien Miller

- deraadt@cvs.openbsd.org 2014/06/13 08:26:29
[sandbox-systrace.c]
permit SYS_getentropy
from matthew


Revision tags: V_6_6_P1
# 1d2c4564 03-Feb-2014 Damien Miller

- tedu@cvs.openbsd.org 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
[channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
[kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
[sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
[openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker


# 3928de06 03-Feb-2014 Damien Miller

- djm@cvs.openbsd.org 2014/01/30 22:26:14
[sandbox-systrace.c]
allow shutdown(2) syscall in sandbox - it may be called by packet_close()
from portable
(Id sync only; change is already in portable)


# 7e5cec60 30-Jan-2014 Damien Miller

- (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
syscall from sandboxes; it may be called by packet_close.


Revision tags: V_6_5_P1
# 868ea1ea 17-Jan-2014 Damien Miller

- (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
[sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@


Revision tags: V_6_4_P1, V_6_3_P1
# b759c9c2 01-Jun-2013 Darren Tucker

- dtucker@cvs.openbsd.org 2013/06/01 13:15:52
[ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c
channels.c sandbox-systrace.c]
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


Revision tags: V_6_2_P2, V_6_2_P1, V_6_1_P1
# 3b4b2d30 02-Jul-2012 Darren Tucker

- markus@cvs.openbsd.org 2012/06/30 14:35:09
[sandbox-systrace.c sshd.c]
fix a during the load of the sandbox policies (child can still make
the read-syscall and wait forever for systrace-answers) by replacing
the read/write synchronisation with SIGSTOP/SIGCONT;
report and help hshoexer@; ok djm@, dtucker@


# 560de922 29-Jun-2012 Damien Miller

- dtucker@cvs.openbsd.org 2012/06/26 11:02:30
[sandbox-systrace.c]
Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
sandbox" since malloc now uses it. From johnw.mail at gmail com.


Revision tags: V_6_0_P1, V_5_9_P1
# 35e48198 05-Aug-2011 Damien Miller

- djm@cvs.openbsd.org 2011/07/29 14:42:45
[sandbox-systrace.c]
fail open(2) with EPERM rather than SIGKILLing the whole process. libc
will call open() to do strerror() when NLS is enabled;
feedback and ok markus@


# dcbd41e7 23-Jun-2011 Damien Miller

- djm@cvs.openbsd.org 2011/06/23 09:34:13
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c]
[sandbox-null.c]
rename sandbox.h => ssh-sandbox.h to make things easier for portable


# 69ff1df9 22-Jun-2011 Damien Miller

- djm@cvs.openbsd.org 2011/06/22 21:57:01
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@
