-# $Id: configure.ac,v 1.549 2014/01/17 04:12:16 dtucker Exp $
+# $Id: configure.ac,v 1.550 2014/01/17 05:47:04 djm Exp $
#
# Copyright (c) 1999-2004 Damien Miller
#
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.549 $)
+AC_REVISION($Revision: 1.550 $)
AC_CONFIG_SRCDIR([ssh.c])
AC_LANG([C])
#include <sys/types.h>
#include <linux/prctl.h>
])
+AC_CHECK_DECL([cap_enter], [have_cap_enter=1], , [
+ #include <sys/capability.h>
+])
+
use_stack_protector=1
use_toolchain_hardening=1
AC_ARG_WITH([stackprotect],
# Decide which sandbox style to use
sandbox_arg=""
AC_ARG_WITH([sandbox],
- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)],
+ [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
[
if test "x$withval" = "xyes" ; then
sandbox_arg=""
AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
SANDBOX_STYLE="rlimit"
AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
+elif test "x$sandbox_arg" = "xcapsicum" || \
+ ( test -z "$sandbox_arg" && \
+ test "x$have_cap_enter" = "x1") ; then
+ test "x$have_cap_enter" != "x1" && \
+ AC_MSG_ERROR([capsicum sandbox requires cap_enter function])
+ SANDBOX_STYLE="capsicum"
+ AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
SANDBOX_STYLE="none"
--- /dev/null
+/*
+ * Copyright (c) 2011 Dag-Erling Smorgrav
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_CAPSICUM
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/capability.h>
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "log.h"
+#include "monitor.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+/*
+ * Capsicum sandbox that sets zero nfiles, nprocs and filesize rlimits,
+ * limits rights on stdout, stdin, stderr, monitor and switches to
+ * capability mode.
+ */
+
+struct ssh_sandbox {
+ struct monitor *monitor;
+ pid_t child_pid;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(struct monitor *monitor)
+{
+ struct ssh_sandbox *box;
+
+ /*
+ * Strictly, we don't need to maintain any state here but we need
+ * to return non-NULL to satisfy the API.
+ */
+ debug3("%s: preparing capsicum sandbox", __func__);
+ box = xcalloc(1, sizeof(*box));
+ box->monitor = monitor;
+ box->child_pid = 0;
+
+ return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+ struct rlimit rl_zero;
+ cap_rights_t rights;
+
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+
+ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
+ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
+ __func__, strerror(errno));
+ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
+ __func__, strerror(errno));
+ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
+ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
+ __func__, strerror(errno));
+
+ cap_rights_init(&rights);
+
+ if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
+ fatal("can't limit stdin: %m");
+ if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
+ fatal("can't limit stdin: %m");
+ if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
+ fatal("can't limit stdin: %m");
+
+ cap_rights_init(&rights, CAP_READ, CAP_WRITE);
+ if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
+ fatal("%s: failed to limit the network socket", __func__);
+ cap_rights_init(&rights, CAP_WRITE);
+ if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
+ fatal("%s: failed to limit the logging socket", __func__);
+ if (cap_enter() != 0 && errno != ENOSYS)
+ fatal("%s: failed to enter capability mode", __func__);
+
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+ free(box);
+ debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+ box->child_pid = child_pid;
+}
+
+#endif /* SANDBOX_CAPSICUM */
projects / thirdparty / openssh-portable.git / commitdiff
