[Bug 2536] ntpd sandboxing support (libseccomp2)
authorHarlan Stenn <stenn@ntp.org>
Mon, 17 Feb 2014 07:51:58 +0000 (07:51 +0000)
committerHarlan Stenn <stenn@ntp.org>
Mon, 17 Feb 2014 07:51:58 +0000 (07:51 +0000)
bk: 5301bf9ecMPxQSQgRTCSSTGeBxsuGg

ChangeLog
configure.ac
ntpd/ntpd.c

index 7f724a79b8d420e648fd0e4ce3319dcd41692918..9543d6ce1f6bd5f8cf3720bd23b70df65f923759 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Bug 2536] ntpd sandboxing support (libseccomp2).
 (4.2.7p421) 2014/02/10 Released by Harlan Stenn <stenn@ntp.org>
 * [Bug 898] More documentation fixes.
 * [Bug 2555] Autogen mdoc man pages all stamped with SunOS 5.10.
index 8b1735b50ade0310ae82a8ac676cd54558bc2775..dcf9ac7d1a9ce585a2bade473885bedef7ba90f3 100644 (file)
@@ -189,6 +189,30 @@ esac
 AC_SEARCH_LIBS([openlog], [gen syslog])
 # XXX library list will be in ac_cv_search_openlog
 
+# LIBSECCOMP is off by default -- needs testing with all the features
+# Please send bug reports to loganaden@gmail.com
+AC_MSG_CHECKING([if we want to use libseccomp sandboxing (EXPERIMENTAL)])
+AC_ARG_ENABLE(
+    [libseccomp],
+    [AS_HELP_STRING(
+       [--enable-libseccomp],
+       [EXPERIMENTAL: enable support for libseccomp sandboxing (default is no) ]
+    )],
+    [ntp_ok=$enableval],
+    [ntp_ok=no]
+)
+AC_MSG_RESULT([$ntp_ok])
+case "$ntp_ok" in
+ yes)
+    AC_SEARCH_LIBS(
+       [seccomp_init],
+       [seccomp],
+       [AC_DEFINE([LIBSECCOMP], [1],
+           [Define to any value to include libseccomp sandboxing.])]
+    )
+    ;;
+esac
+
 NTP_FACILITYNAMES
 
 dnl Digital UNIX V4.0 and Solaris 7 have POSIX.1c functions in -lrt
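Review bot: The `AC_SEARCH_LIBS([seccomp_init], [seccomp], ...)` call gives no action-if-not-found, so `--enable-libseccomp` on a host without libseccomp prints "checking... yes" and then silently builds an unsandboxed ntpd because `LIBSECCOMP` is never defined. An explicit opt-in should fail loudly: add `[AC_MSG_ERROR([--enable-libseccomp requested but libseccomp was not found])]` as the fourth argument. The header is also never probed, so `#include <seccomp.h>` in ntpd.c can still fail after configure succeeds; an `AC_CHECK_HEADERS([seccomp.h], [], [AC_MSG_ERROR([seccomp.h not found])])` inside the `yes)` branch covers that.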
index 6a84726f26663c52a8b8dda145440cc5f7477827..8aedff47974162ae6a17ed2e6ec80aad67d2678c 100644 (file)
 #endif /* HAVE_PRIV_H */
 #endif /* HAVE_DROPROOT */
 
+#if defined (LIBSECCOMP)
+/* # include <sys/types.h> */
+# include <sys/resource.h>
+# include <seccomp.h>
+#endif /* LIBSECCOMP */
+
 #ifdef HAVE_DNSREGISTRATION
-#include <dns_sd.h>
+# include <dns_sd.h>
 DNSServiceRef mdns;
 #endif
 
 #ifdef HAVE_SETPGRP_0
-#define ntp_setpgrp(x, y)      setpgrp()
+# define ntp_setpgrp(x, y)     setpgrp()
 #else
-#define ntp_setpgrp(x, y)      setpgrp(x, y)
+# define ntp_setpgrp(x, y)     setpgrp(x, y)
 #endif
 
 #ifdef HAVE_SOLARIS_PRIVS
-#define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec"
+# define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec"
 static priv_set_t *lowprivs = NULL;
 static priv_set_t *highprivs = NULL;
 #endif /* HAVE_SOLARIS_PRIVS */
@@ -999,6 +1005,102 @@ getgroup:
        }       /* if (droproot) */
 # endif        /* HAVE_DROPROOT */
 
+/* libssecomp sandboxing */
+#if defined (LIBSECCOMP)
+       scmp_filter_ctx ctx;
+       if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)
+               msyslog(LOG_ERR, "%s:libseccomp activation failed", __func__);
+
+#ifdef __x86_64__
+int scmp_sc[] = {
+       SCMP_SYS(open),
+       SCMP_SYS(clock_gettime),
+       SCMP_SYS(time),
+       SCMP_SYS(read),
+       SCMP_SYS(write),
+       SCMP_SYS(close),
+       SCMP_SYS(brk),
+       SCMP_SYS(poll),
+       SCMP_SYS(select),
+       SCMP_SYS(madvise),
+       SCMP_SYS(mmap),
+       SCMP_SYS(munmap),
+       SCMP_SYS(exit_group),
+       SCMP_SYS(rt_sigprocmask),
+       SCMP_SYS(ioctl),
+       SCMP_SYS(getsockname),
+       SCMP_SYS(lseek),
+       SCMP_SYS(fstat),
+       SCMP_SYS(recvmsg),
+       SCMP_SYS(sendto),
+       SCMP_SYS(connect),
+       SCMP_SYS(rt_sigaction),
+       SCMP_SYS(socket),
+       SCMP_SYS(fsync),
+       SCMP_SYS(rt_sigreturn),
+       SCMP_SYS(setsid),
+       SCMP_SYS(chdir),
+       SCMP_SYS(futex),
+       SCMP_SYS(stat),
+       SCMP_SYS(clock_settime),
+       SCMP_SYS(getitimer),
+       SCMP_SYS(adjtimex),
+       SCMP_SYS(setitimer),
+       SCMP_SYS(rename)
+};
+#endif
+#ifdef __i386__
+int scmp_sc[] = {
+       SCMP_SYS(open),
+       SCMP_SYS(clock_gettime),
+       SCMP_SYS(time),
+       SCMP_SYS(read),
+       SCMP_SYS(write),
+       SCMP_SYS(close),
+       SCMP_SYS(brk),
+       SCMP_SYS(poll),
+       SCMP_SYS(_newselect),
+       SCMP_SYS(select),
+       SCMP_SYS(madvise),
+       SCMP_SYS(mmap2),
+       SCMP_SYS(mmap),
+       SCMP_SYS(munmap),
+       SCMP_SYS(exit_group),
+       SCMP_SYS(rt_sigprocmask),
+       SCMP_SYS(sigprocmask),
+       SCMP_SYS(rt_sigaction),
+       SCMP_SYS(socketcall),
+       SCMP_SYS(fsync),
+       SCMP_SYS(sigreturn),
+       SCMP_SYS(setsid),
+       SCMP_SYS(chdir),
+       SCMP_SYS(futex),
+       SCMP_SYS(stat64),
+       SCMP_SYS(clock_settime),
+       SCMP_SYS(getitimer),
+       SCMP_SYS(adjtimex),
+       SCMP_SYS(setitimer),
+       SCMP_SYS(rename)
+};
+#endif
+       {
+               int i;
+
+               for (i = 0; i < COUNTOF(scmp_sc); i++) {
+                       if (seccomp_rule_add(ctx,
+                           SCMP_ACT_ALLOW, scmp_sc[i], 0) < 0) {
+                               msyslog(LOG_ERR,
+                                   "%s:libseccomp rule failed: %m",
+                                   __func__);
+                       }
+               }
+       }
+
+       if (seccomp_load(ctx) < 0)
+               msyslog(LOG_ERR, "%s:libseccomp unable to load filter: %m",
+                   __func__);  
+#endif /* LIBSECCOMP */
+
 # ifdef HAVE_IO_COMPLETION_PORT
 
        for (;;) {
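Review bot: The failure check on `seccomp_init()` at the top of the hunk cannot work: `scmp_filter_ctx` is a pointer type and `seccomp_init()` returns NULL on failure, so `(ctx = seccomp_init(SCMP_ACT_KILL)) < 0` is an ordered pointer/integer comparison that never fires, and even if it did the code goes on to call `seccomp_rule_add()` and `seccomp_load()` with that context. It should read `if (NULL == ctx) { msyslog(LOG_ERR, "%s:libseccomp activation failed", __func__); exit(1); }`, matching the fatal-error handling the droproot code above appears to use. Related, `seccomp_rule_add()` and `seccomp_load()` report errors as a negative return value rather than by setting errno, so the `%m` in both messages is likely to print an unrelated or stale error; log the returned value instead. A failed `seccomp_load()` is only logged and ntpd then runs unsandboxed; if that fail-open is intended for an EXPERIMENTAL option, a comment saying so (and a `seccomp_release(ctx)` after the load) would help. Also note that `scmp_sc` is only defined under `__x86_64__` or `__i386__`, so `COUNTOF(scmp_sc)` breaks the build with --enable-libseccomp on any other architecture and deserves an `#else` / `#error`; the enclosing function begins before this hunk and continues after it.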