From: Harlan Stenn
Date: Mon, 17 Feb 2014 07:51:58 +0000 (+0000)
Subject: [Bug 2536] ntpd sandboxing support (libseccomp2)
X-Git-Tag: NTP_4_2_7P422~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b811d888169d9c8f076667679e789314f50449f8;p=thirdparty%2Fntp.git
[Bug 2536] ntpd sandboxing support (libseccomp2)
bk: 5301bf9ecMPxQSQgRTCSSTGeBxsuGg
---
diff --git a/ChangeLog b/ChangeLog
index 7f724a79b..9543d6ce1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Bug 2536] ntpd sandboxing support (libseccomp2).
 (4.2.7p421) 2014/02/10 Released by Harlan Stenn
 * [Bug 898] More documentation fixes.
 * [Bug 2555] Autogen mdoc man pages all stamped with SunOS 5.10.
diff --git a/configure.ac b/configure.ac
index 8b1735b50..dcf9ac7d1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -189,6 +189,30 @@ esac
 AC_SEARCH_LIBS([openlog], [gen syslog])
 # XXX library list will be in ac_cv_search_openlog
+# LIBSECCOMP is off by default -- needs testing with all the features
+# Please send bug reports to loganaden@gmail.com
+AC_MSG_CHECKING([if we want to use libseccomp sandboxing (EXPERIMENTAL)])
+AC_ARG_ENABLE(
+[libseccomp],
+[AS_HELP_STRING(
+[--enable-libseccomp],
+[EXPERIMENTAL: enable support for libseccomp sandboxing (default is no) ]
+)],
+[ntp_ok=$enableval],
+[ntp_ok=no]
+)
+AC_MSG_RESULT([$ntp_ok])
+case "$ntp_ok" in
+yes)
+AC_SEARCH_LIBS(
+[seccomp_init],
+[seccomp],
+[AC_DEFINE([LIBSECCOMP], [1],
+[Define to any value to include libseccomp sandboxing.])]
+)
+;;
+esac
+
 NTP_FACILITYNAMES
 dnl Digital UNIX V4.0 and Solaris 7 have POSIX.1c functions in -lrt
diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
index 6a84726f2..8aedff479 100644
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -113,19 +113,25 @@
 #endif /* HAVE_PRIV_H */
 #endif /* HAVE_DROPROOT */
+#if defined (LIBSECCOMP)
+/* # include */
+# include
+# include
+#endif /* LIBSECCOMP */
+
 #ifdef HAVE_DNSREGISTRATION
-#include
+# include
 DNSServiceRef mdns;
 #endif
 #ifdef HAVE_SETPGRP_0
-#define ntp_setpgrp(x, y) setpgrp()
+# define ntp_setpgrp(x, y) setpgrp()
 #else
-#define ntp_setpgrp(x, y) setpgrp(x, y)
+# define ntp_setpgrp(x, y) setpgrp(x, y)
 #endif
 #ifdef HAVE_SOLARIS_PRIVS
-#define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec"
+# define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec"
 static priv_set_t *lowprivs = NULL;
 static priv_set_t *highprivs = NULL;
 #endif /* HAVE_SOLARIS_PRIVS */
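Review bot: The new `/* # include */` line inside the `#if defined (LIBSECCOMP)` block is a commented-out directive; drop it, or replace it with a one-line comment saying why that header is intentionally not pulled in, since dead includes tend to be re-enabled later without review (the header names themselves are not visible in this rendering). The block is correctly fenced by the configure-time `LIBSECCOMP` macro, so builds without `--enable-libseccomp` are untouched. The rest of the hunk only re-indents the existing `#include`/`#define` lines under HAVE_DNSREGISTRATION, HAVE_SETPGRP_0 and HAVE_SOLARIS_PRIVS; keeping that whitespace-only churn out of a feature commit would make the sandboxing change itself easier to audit.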
@@ -999,6 +1005,102 @@ getgroup:
 } /* if (droproot) */
 # endif /* HAVE_DROPROOT */
+/* libssecomp sandboxing */
+#if defined (LIBSECCOMP)
+ scmp_filter_ctx ctx;
+ if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)
+ msyslog(LOG_ERR, "%s:libseccomp activation failed", __func__);
+
+#ifdef __x86_64__
+int scmp_sc[] = {
+ SCMP_SYS(open),
+ SCMP_SYS(clock_gettime),
+ SCMP_SYS(time),
+ SCMP_SYS(read),
+ SCMP_SYS(write),
+ SCMP_SYS(close),
+ SCMP_SYS(brk),
+ SCMP_SYS(poll),
+ SCMP_SYS(select),
+ SCMP_SYS(madvise),
+ SCMP_SYS(mmap),
+ SCMP_SYS(munmap),
+ SCMP_SYS(exit_group),
+ SCMP_SYS(rt_sigprocmask),
+ SCMP_SYS(ioctl),
+ SCMP_SYS(getsockname),
+ SCMP_SYS(lseek),
+ SCMP_SYS(fstat),
+ SCMP_SYS(recvmsg),
+ SCMP_SYS(sendto),
+ SCMP_SYS(connect),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(socket),
+ SCMP_SYS(fsync),
+ SCMP_SYS(rt_sigreturn),
+ SCMP_SYS(setsid),
+ SCMP_SYS(chdir),
+ SCMP_SYS(futex),
+ SCMP_SYS(stat),
+ SCMP_SYS(clock_settime),
+ SCMP_SYS(getitimer),
+ SCMP_SYS(adjtimex),
+ SCMP_SYS(setitimer),
+ SCMP_SYS(rename)
+};
+#endif
+#ifdef __i386__
+int scmp_sc[] = {
+ SCMP_SYS(open),
+ SCMP_SYS(clock_gettime),
+ SCMP_SYS(time),
+ SCMP_SYS(read),
+ SCMP_SYS(write),
+ SCMP_SYS(close),
+ SCMP_SYS(brk),
+ SCMP_SYS(poll),
+ SCMP_SYS(_newselect),
+ SCMP_SYS(select),
+ SCMP_SYS(madvise),
+ SCMP_SYS(mmap2),
+ SCMP_SYS(mmap),
+ SCMP_SYS(munmap),
+ SCMP_SYS(exit_group),
+ SCMP_SYS(rt_sigprocmask),
+ SCMP_SYS(sigprocmask),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(socketcall),
+ SCMP_SYS(fsync),
+ SCMP_SYS(sigreturn),
+ SCMP_SYS(setsid),
+ SCMP_SYS(chdir),
+ SCMP_SYS(futex),
+ SCMP_SYS(stat64),
+ SCMP_SYS(clock_settime),
+ SCMP_SYS(getitimer),
+ SCMP_SYS(adjtimex),
+ SCMP_SYS(setitimer),
+ SCMP_SYS(rename)
+};
+#endif
+ {
+ int i;
+
+ for (i = 0; i < COUNTOF(scmp_sc); i++) {
+ if (seccomp_rule_add(ctx,
+ SCMP_ACT_ALLOW, scmp_sc[i], 0) < 0) {
+ msyslog(LOG_ERR,
+ "%s:libseccomp rule failed: %m",
+ __func__);
+ }
+ }
+ }
+
+ if (seccomp_load(ctx) < 0)
+ msyslog(LOG_ERR, "%s:libseccomp unable to load filter: %m",
+ __func__);
+#endif /* LIBSECCOMP */
+
 # ifdef HAVE_IO_COMPLETION_PORT
 for (;;) {
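Review bot: `if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)` compares a pointer with 0: `seccomp_init()` returns a `scmp_filter_ctx` and reports failure as NULL, so this check never fires and a failed init proceeds into `seccomp_rule_add()` and `seccomp_load()` with a NULL context. More broadly, every failure in this block is logged and then ignored, so ntpd silently keeps running with no filter at all; with `SCMP_ACT_KILL` chosen as the default action, the consistent fail-closed behaviour is to exit, as the rewrite below does (if keeping the daemon up is preferred, the log line should at least state that the sandbox is not active). `scmp_sc` is only declared under `__x86_64__` and `__i386__`, so `--enable-libseccomp` on any other architecture stops compiling at the `COUNTOF(scmp_sc)` line; an explicit `#error` turns that into a clear message rather than a stray undeclared identifier. The context is never freed after `seccomp_load()`, where `seccomp_release(ctx)` is the matching call once the filter lives in the kernel, and because libseccomp returns negative errno values rather than setting `errno`, the `%m` in both messages most likely prints a stale value, so the rewrite reports `strerror(-rc)` instead. A short comment above the tables noting that these rules carry no argument constraints (`open`, `socket`, `connect` and `rename` are allowed unconditionally) would set expectations that the filter narrows kernel attack surface but does not confine what ntpd may open or connect to.

```c
	scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
	int rc;

	if (NULL == ctx) {
		msyslog(LOG_ERR, "%s:libseccomp activation failed", __func__);
		exit(1);	/* fail closed rather than run without the filter */
	}
	/* … unchanged: per-architecture scmp_sc[] allow-list tables … */
#if !defined(__x86_64__) && !defined(__i386__)
# error "libseccomp sandboxing: no syscall allow-list for this architecture"
#endif
	{
		int i;

		for (i = 0; i < COUNTOF(scmp_sc); i++) {
			rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, scmp_sc[i], 0);
			if (rc < 0) {
				msyslog(LOG_ERR, "%s:libseccomp rule failed: %s",
					__func__, strerror(-rc));
				exit(1);
			}
		}
	}
	rc = seccomp_load(ctx);
	if (rc < 0) {
		msyslog(LOG_ERR, "%s:libseccomp unable to load filter: %s",
			__func__, strerror(-rc));
		exit(1);
	}
	seccomp_release(ctx);	/* the loaded filter now lives in the kernel */
```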