| Commit message | Author | Age | Files | Lines |

Check if flags to mmap and madvise are defined before using them.
Should fix problems building on older Linux systems that don't have
these. bz#3537, with & ok djm@.

Linux mmap(2) and madvise(2) syscalls support quite a number of funky
flags that we don't expect that sshd/libc will ever need. We can
exclude this kernel attack surface by filtering the mmap(2) flags
and the madvise(2) advice arguments.
Similarly, the sandboxed process in sshd is a single-threaded program
that does not use shared memory for synchronisation or communication.
Therefore, there should be no reason for the advanced priority
inheritance futex(2) operations to be necessary. These can also be
excluded.
Motivated by Jann Horn pointing out that there have been kernel bugs
in nearby Linux kernel code, e.g. CVE-2020-29368, CVE-2020-29374 and
CVE-2022-42703.
Feedback Jann Horn, ok dtucker@

This seems to be used by recent glibcs at least in some configurations.
From bz#3512, ok djm@

It was mistakenly enabled in 2580916e4872
Reported by Peter sec-openssh-com.22.fichtner AT 0sg.net

Should fix sandbox violations on (some? at least i386 and armhf) 32bit
Linux platforms. Patch from chutzpahu at gentoo.org and cjwatson at
debian.org via bz#3396.

Some allocators (such as Scudo) use gettid while tracing allocations [1].
Allow gettid in preauth to prevent sshd from crashing with Scudo.
[1]: https://github.com/llvm/llvm-project/blob/llvmorg-13.0.0/compiler-rt/lib/gwp_asan/common.cpp#L46

Needed to add ppoll syscall but also to relax the fallback rlimit
sandbox. Linux poll() fails with EINVAL if npfds > RLIMIT_NOFILE,
so we have to allow a single fd in the rlimit.

This is apparently used in some configurations of OpenSSL when glibc
has getrandom(). bz#3276, patch from Kris Karas, ok djm@

This is apparently needed for (some) 32-bit platforms with glibc 2.33.
Patch from nix at esperi.org.uk and jjelen at redhat.com via bz#3260.

This is apparently needed on armhfp/armv7hl. bz#3232, patch from
jjelen at redhat.com.

In some architecture/libc configurations we need to explicitly include
sys/syscall.h for the syscall number (__NR_xxx) definitions. bz#3085,
patch from blowfist at xroutine.net.

bz3093

As noted in openssh/openssh-portable#149, i386 does not have
_NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc,
https://linux.die.net/man/2/ipc). Add this syscall, if present, to the
list of syscalls that seccomp will deny non-fatally.

This helps sshd accept connections on mips platforms with
upcoming glibc (2.31)

Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.

seccomp: Allow clock_nanosleep() to make OpenSSH work with the latest
glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.

The EP11 crypto card needs to make an ioctl call, which receives a
specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>

New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.

Restrict to PROT_(READ|WRITE|NONE), i.e. exclude PROT_EXEC

Used by some hardened heap allocators. Requested by Yegor
Timoshenko in https://github.com/openssh/openssh-portable/pull/142

Adding another s390 specific ioctl to be able to support ECC hardware
acceleration to the sandbox seccomp filter rules.
Now the ibmca openssl engine provides elliptic curve cryptography
support with the help of libica and CCA crypto cards. This is done via
yet another ioctl call to the zcrypt device driver and so there is a
need to enable this on the openssl sandbox.
Code is s390 specific and has been tested, verified and reviewed.
Please note that I am also the originator of the previous changes in
that area. I posted these changes to Eduardo and he forwarded the
patches to the openssl community.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>

Apparently needed for some glibc/openssl combinations.
Patch from Arkadiusz Miśkiewicz

Requested for Linux/s390; patch from Eduardo Barretto via bz#2752;
ok dtucker

The new timing attack mitigation code uses nanosleep in the preauth
codepath, allow in sandbox.

Pointed out by jjelen at redhat.com.

OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys
in privsep child. The socket() syscall is already denied in the seccomp
filter, but in ppc64le kernel, it is implemented using socketcall()
syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and
therefore fails hard.
Patch from jjelen at redhat.com.

Patch from Jakub Jelen

Patch from Mike Frysinger

Allow clock_gettime syscall with X32 bit masked off. Apparently
this is required for at least some kernel versions. bz#2142
Patch mostly by Colin Watson. ok dtucker@

This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros
prepending __NR_ to the syscall number parameter and just makes
them explicit in the macro invocations.
No binary change in stripped object file before/after.

Based on patch from Eduardo Barretto; ok dtucker@

Syscall arguments are passed via an array of 64-bit values in struct
seccomp_data, but we were only inspecting the bottom 32 bits and not
even those correctly for BE systems.
Fortunately, the only case argument inspection was used was in the
socketcall filtering so using this for sandbox escape seems
impossible.
ok dtucker

Avoids sandbox violations for some krb/gssapi libraries.

add getpid to sandbox, reachable by grace_alarm_handler
reported by Jakub Jelen; bz#2419
Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8

patch from Jakub Jelen

When doing arg inspection and the syscall doesn't match, skip
past the instruction that reloads the syscall into the accumulator,
since the accumulator hasn't been modified at this point.

Also resort and tidy syscall list. Based on patches by Jakub Jelen
bz#2361; ok dtucker@

patch from Felix von Leitner; ok dtucker

remind myself to add sandbox violation logging via the log socket.

__NR_shutdown; some go via the socketcall(2) multiplexer.

syscall from sandboxes; it may be called by packet_close.

[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
[sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@

seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com;
ok dtucker

not available. Allows use of sshd compiled on host with a filter-capable
kernel on hosts that lack the support. bz#2011 ok dtucker@