From 4d1611fb09248442e0b7b5a8f731327bbed1af16 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 22 Jun 2011 21:57:02 +0000 Subject: introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@ --- usr.bin/ssh/sandbox-rlimit.c | 86 ++++++++++++++++++++ usr.bin/ssh/sandbox-systrace.c | 181 +++++++++++++++++++++++++++++++++++++++++ usr.bin/ssh/sandbox.h | 22 +++++ usr.bin/ssh/servconf.c | 15 +++- usr.bin/ssh/servconf.h | 7 +- usr.bin/ssh/sshd.c | 30 +++++-- usr.bin/ssh/sshd/Makefile | 4 +- usr.bin/ssh/sshd_config.5 | 10 ++- 8 files changed, 342 insertions(+), 13 deletions(-) create mode 100644 usr.bin/ssh/sandbox-rlimit.c create mode 100644 usr.bin/ssh/sandbox-systrace.c create mode 100755 usr.bin/ssh/sandbox.h diff --git a/usr.bin/ssh/sandbox-rlimit.c b/usr.bin/ssh/sandbox-rlimit.c new file mode 100644 index 00000000000..b0c80e5f031 --- /dev/null +++ b/usr.bin/ssh/sandbox-rlimit.c @@ -0,0 +1,86 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +/* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */ + +struct ssh_sandbox { + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + debug3("%s: preparing rlimit sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + struct rlimit rl_zero; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", + __func__, strerror(errno)); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; + /* Nothing to do here */ +} + diff --git a/usr.bin/ssh/sandbox-systrace.c b/usr.bin/ssh/sandbox-systrace.c new file mode 100644 index 00000000000..ecea3ece85a --- /dev/null +++ b/usr.bin/ssh/sandbox-systrace.c @@ -0,0 +1,181 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "atomicio.h" +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +static const int preauth_policy[] = { + SYS___sysctl, + SYS_close, + SYS_exit, + SYS_getpid, + SYS_gettimeofday, + SYS_madvise, + SYS_mmap, + SYS_mprotect, + SYS_poll, + SYS_munmap, + SYS_read, + SYS_select, + SYS_sigprocmask, + SYS_write, + -1 +}; + +struct ssh_sandbox { + int child_sock; + int parent_sock; + int systrace_fd; + pid_t child_pid; + struct systrace_policy policy; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + int s[2]; + + debug3("%s: preparing systrace sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1) + fatal("%s: socketpair: %s", __func__, strerror(errno)); + box->child_sock = s[0]; + box->parent_sock = s[1]; + box->systrace_fd = -1; + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + char whatever = 0; + + close(box->parent_sock); + /* Signal parent that we are ready */ + debug3("%s: ready", __func__); + if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1) + fatal("%s: write: %s", __func__, strerror(errno)); + /* Wait for parent to signal for us to go */ + if (atomicio(read, box->child_sock, &whatever, 1) != 1) + fatal("%s: read: %s", __func__, strerror(errno)); + debug3("%s: started", __func__); + close(box->child_sock); +} + +static void +ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, + const int *allowed_syscalls) +{ + int dev_systrace, i, j, found; + char whatever = 0; + + debug3("%s: wait for child %ld", __func__, (long)child_pid); + box->child_pid = child_pid; + close(box->child_sock); + /* Wait for child to signal that it is ready */ + if (atomicio(read, box->parent_sock, &whatever, 1) != 1) + fatal("%s: read: %s", __func__, strerror(errno)); + debug3("%s: child %ld ready", __func__, (long)child_pid); + + /* Set up systracing of child */ + if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1) + fatal("%s: open(\"/dev/systrace\"): %s", __func__, + strerror(errno)); + if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1) + fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__, + dev_systrace, strerror(errno)); + close(dev_systrace); + debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd); + if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1) + fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__, + box->systrace_fd, child_pid, strerror(errno)); + + /* Allocate and assign policy */ + bzero(&box->policy, sizeof(box->policy)); + box->policy.strp_op = SYSTR_POLICY_NEW; + box->policy.strp_maxents = SYS_MAXSYSCALL; + if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1) + fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__, + box->systrace_fd, strerror(errno)); + + box->policy.strp_op = SYSTR_POLICY_ASSIGN; + box->policy.strp_pid = box->child_pid; + if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1) + fatal("%s: ioctl(%d, STRIOCPOLICY (assign)): %s", + __func__, box->systrace_fd, strerror(errno)); + + /* Set per-syscall policy */ + for (i = 0; i < SYS_MAXSYSCALL; i++) { + for (j = found = 0; allowed_syscalls[j] != -1 && !found; j++) { + if (allowed_syscalls[j] == i) + found = 1; + } + box->policy.strp_op = SYSTR_POLICY_MODIFY; + box->policy.strp_code = i; + box->policy.strp_policy = found ? + SYSTR_POLICY_PERMIT : SYSTR_POLICY_KILL; + if (found) + debug3("%s: policy: enable syscall %d", __func__, i); + if (ioctl(box->systrace_fd, STRIOCPOLICY, + &box->policy) == -1) + fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s", + __func__, box->systrace_fd, strerror(errno)); + } + + /* Signal the child to start running */ + debug3("%s: start child %ld", __func__, (long)child_pid); + if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1) + fatal("%s: write: %s", __func__, strerror(errno)); + close(box->parent_sock); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + /* Closing this before the child exits will terminate it */ + close(box->systrace_fd); + + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + ssh_sandbox_parent(box, child_pid, preauth_policy); +} diff --git a/usr.bin/ssh/sandbox.h b/usr.bin/ssh/sandbox.h new file mode 100755 index 00000000000..7593dedea32 --- /dev/null +++ b/usr.bin/ssh/sandbox.h @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +struct ssh_sandbox; + +struct ssh_sandbox *ssh_sandbox_init(void); +void ssh_sandbox_child(struct ssh_sandbox *); +void ssh_sandbox_parent_finish(struct ssh_sandbox *); +void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t); diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index eaa127f86aa..597e2b6e4f7 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.221 2011/06/22 21:47:28 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -266,7 +266,7 @@ fill_default_server_options(ServerOptions *options) /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = 1; + use_privsep = PRIVSEP_ON; } /* Keyword tokens. */ @@ -662,6 +662,12 @@ static const struct multistate multistate_gatewayports[] = { { "no", 0 }, { NULL, -1 } }; +static const struct multistate multistate_privsep[] = { + { "sandbox", PRIVSEP_SANDBOX }, + { "yes", PRIVSEP_ON }, + { "no", PRIVSEP_OFF }, + { NULL, -1 } +}; int process_server_config_line(ServerOptions *options, char *line, @@ -1021,7 +1027,8 @@ process_server_config_line(ServerOptions *options, char *line, case sUsePrivilegeSeparation: intptr = &use_privsep; - goto parse_flag; + multistate_ptr = multistate_privsep; + goto parse_multistate; case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { @@ -1529,6 +1536,8 @@ fmt_intarg(ServerOpCodes code, int val) return fmt_multistate_int(val, multistate_gatewayports); case sCompression: return fmt_multistate_int(val, multistate_compression); + case sUsePrivilegeSeparation: + return fmt_multistate_int(val, multistate_privsep); case sProtocol: switch (val) { case SSH_PROTO_1: diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index 84cc33c0c6a..d7ca51b44fe 100644 --- a/usr.bin/ssh/servconf.h +++ b/usr.bin/ssh/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.98 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */ /* * Author: Tatu Ylonen @@ -36,6 +36,11 @@ #define PERMIT_NO_PASSWD 2 #define PERMIT_YES 3 +/* use_privsep */ +#define PRIVSEP_OFF 0 +#define PRIVSEP_ON 1 +#define PRIVSEP_SANDBOX 2 + #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index 27423765181..4cc6a6f2296 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.383 2011/06/17 21:44:31 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.384 2011/06/22 21:57:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -102,6 +102,7 @@ #endif #include "monitor_wrap.h" #include "roaming.h" +#include "sandbox.h" #include "version.h" #ifdef LIBWRAP @@ -611,18 +612,23 @@ privsep_preauth(Authctxt *authctxt) { int status; pid_t pid; + struct ssh_sandbox *box = NULL; /* Set up unprivileged child process to deal with network data */ pmonitor = monitor_init(); /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; + if (use_privsep == PRIVSEP_SANDBOX) + box = ssh_sandbox_init(); pid = fork(); if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { debug2("Network child is on pid %ld", (long)pid); + if (box != NULL) + ssh_sandbox_parent_preauth(box, pid); pmonitor->m_pid = pid; monitor_child_preauth(authctxt, pmonitor); @@ -630,10 +636,21 @@ privsep_preauth(Authctxt *authctxt) monitor_sync(pmonitor); /* Wait for the child's exit status */ - while (waitpid(pid, &status, 0) < 0) + while (waitpid(pid, &status, 0) < 0) { if (errno != EINTR) - break; - return (1); + fatal("%s: waitpid: %s", __func__, + strerror(errno)); + } + if (WIFEXITED(status)) { + if (WEXITSTATUS(status) != 0) + fatal("%s: preauth child exited with status %d", + __func__, WEXITSTATUS(status)); + } else if (WIFSIGNALED(status)) + fatal("%s: preauth child terminated by signal %d", + __func__, WTERMSIG(status)); + if (box != NULL) + ssh_sandbox_parent_finish(box); + return 1; } else { /* child */ close(pmonitor->m_sendfd); @@ -646,8 +663,11 @@ privsep_preauth(Authctxt *authctxt) if (getuid() == 0 || geteuid() == 0) privsep_preauth_child(); setproctitle("%s", "[net]"); + if (box != NULL) + ssh_sandbox_child(box); + + return 0; } - return (0); } static void diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile index a479ec7ca21..15417811a83 100644 --- a/usr.bin/ssh/sshd/Makefile +++ b/usr.bin/ssh/sshd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.72 2010/10/13 08:14:22 jsg Exp $ +# $OpenBSD: Makefile,v 1.73 2011/06/22 21:57:01 djm Exp $ .PATH: ${.CURDIR}/.. @@ -16,7 +16,7 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ auth2-none.c auth2-passwd.c auth2-pubkey.c \ monitor_mm.c monitor.c monitor_wrap.c \ kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \ - roaming_common.c roaming_serv.c + roaming_common.c roaming_serv.c sandbox-systrace.c .include # for KERBEROS and AFS diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 69de8d4d2b9..a8f46c4d256 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.133 2011/05/23 07:10:21 jmc Exp $ -.Dd $Mdocdate: May 23 2011 $ +.\" $OpenBSD: sshd_config.5,v 1.134 2011/06/22 21:57:01 djm Exp $ +.Dd $Mdocdate: June 22 2011 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1048,6 +1048,12 @@ The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is .Dq yes . +If +.Cm UsePrivilegeSeparation +is set to +.Dq sandbox +then the pre-authentication unprivileged process is subject to additional +restrictions. .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -- cgit v1.2.3