From cd5e52ee784f0ff67b60ffeeab335ed64df688a4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 27 Jun 2011 07:18:18 +1000 Subject: - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing markus@ --- ChangeLog | 5 +++ Makefile.in | 4 +-- configure.ac | 11 +++++-- sandbox-darwin.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 114 insertions(+), 4 deletions(-) create mode 100644 sandbox-darwin.c diff --git a/ChangeLog b/ChangeLog index f9f9efce..f25da55f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20110624 + - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for + Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing + markus@ + 20110623 - OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/06/22 21:47:28 diff --git a/Makefile.in b/Makefile.in index f64aaac9..aeb67e1d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.323 2011/06/22 22:30:03 djm Exp $ +# $Id: Makefile.in,v 1.324 2011/06/26 21:18:20 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -90,7 +90,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ - sandbox-null.o sandbox-rlimit.o sandbox-systrace.o + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 diff --git a/configure.ac b/configure.ac index 380a8b94..74d5263a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.477 2011/06/22 22:30:03 djm Exp $ +# $Id: configure.ac,v 1.478 2011/06/26 21:18:20 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.477 $) +AC_REVISION($Revision: 1.478 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -525,6 +525,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV], [Define to a Set Process Title type if your system is supported by bsd-setproctitle.c]) + AC_CHECK_FUNCS([sandbox_init]) + AC_CHECK_HEADERS([sandbox.h]) ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" @@ -2487,6 +2489,11 @@ if test "x$sandbox_arg" = "xsystrace" || \ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then SANDBOX_STYLE="systrace" AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)]) +elif test "x$sandbox_arg" = "xdarwin" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \ + test "x$ac_cv_header_sandbox_h" = "xyes") ; then + SANDBOX_STYLE="darwin" + AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then SANDBOX_STYLE="rlimit" diff --git a/sandbox-darwin.c b/sandbox-darwin.c new file mode 100644 index 00000000..69901ef1 --- /dev/null +++ b/sandbox-darwin.c @@ -0,0 +1,98 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_DARWIN + +#include + +#include + +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +/* Darwin/OS X sandbox */ + +struct ssh_sandbox { + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + debug3("%s: preparing Darwin sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + char *errmsg; + struct rlimit rl_zero; + + debug3("%s: starting Darwin sandbox", __func__); + if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED, + &errmsg) == -1) + fatal("%s: sandbox_init: %s", __func__, errmsg); + + /* + * The kSBXProfilePureComputation still allows sockets, so + * we must disable these using rlimit. + */ + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", + __func__, strerror(errno)); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; +} + +#endif /* SANDBOX_DARWIN */ -- cgit v1.2.3