path: root/usr.bin/ssh/sandbox-systrace.c

Commit log (newest first); each entry gives the commit message, then author, date, files changed and lines removed/added:
* Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
  -- deraadt, 2015-01-20, 1 file, -2/+2

* ifdef SYS_sendsyslog so this will compile without patching on -stable
  -- djm, 2014-07-17, 1 file, -2/+3

* Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking, update your kernels and sshd soon.. libc will start using sendsyslog() in about 4 days.
  -- deraadt, 2014-07-11, 1 file, -1/+2

* Now that we have a dedicated getentropy(2) system call for arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace sandbox. ok djm
  -- matthew, 2014-06-18, 1 file, -2/+8

* permit SYS_getentropy; from matthew
  -- deraadt, 2014-06-13, 1 file, -1/+2

* replace most bzero with explicit_bzero, except a few that can be memset; ok djm dtucker
  -- tedu, 2014-01-31, 1 file, -2/+2

* allow shutdown(2) syscall in sandbox - it may be called by packet_close(); from portable
  -- djm, 2014-01-30, 1 file, -1/+2

* Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
  -- dtucker, 2013-06-01, 1 file, -1/+2

* fix a during the load of the sandbox policies (child can still make the read-syscall and wait forever for systrace-answers) by replacing the read/write synchronisation with SIGSTOP/SIGCONT; report and help hshoexer@; ok djm@, dtucker@
  -- markus, 2012-06-30, 1 file, -28/+27

* Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation sandbox" since malloc now uses it. From johnw.mail at gmail com.
  -- dtucker, 2012-06-26, 1 file, -1/+2

* fail open(2) with EPERM rather than SIGKILLing the whole process. libc will call open() to do strerror() when NLS is enabled; feedback and ok markus@
  -- djm, 2011-07-29, 1 file, -34/+44

* rename sandbox.h => ssh-sandbox.h to make things easier for portable
  -- djm, 2011-06-23, 1 file, -2/+2

* $OpenBSD$ makers
  -- djm, 2011-06-22, 1 file, -0/+1

* introduce sandboxing of the pre-auth privsep child using systrace(4).
  -- djm, 2011-06-22, 1 file, -0/+181

  This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@