commit 5a5e6771dcca2946a470f4642e5810ab358aaa86 Author: Jan Rękorajski <bagg...@pld-linux.org> Date: Thu Mar 19 01:55:50 2015 +0100
- default seccomp sandbox is broken, use patch by Steven Noonan adding libseccomp-sandbox to unbreak it - rel2 libseccomp-sandbox.patch | 239 +++++++++++++++++++++++++++++++++++++++++++++++ openssh.spec | 10 +- 2 files changed, 246 insertions(+), 3 deletions(-) --- diff --git a/openssh.spec b/openssh.spec index d66b2b1..381b83c 100644 --- a/openssh.spec +++ b/openssh.spec @@ -34,7 +34,7 @@ Summary(ru.UTF-8): OpenSSH - свободная реализация прото Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh Version: 6.8p1 -Release: 1 +Release: 2 Epoch: 2 License: BSD Group: Applications/Networking @@ -70,6 +70,7 @@ Patch11: %{name}-chroot.patch Patch14: %{name}-bind.patch Patch15: %{name}-disable_ldap.patch +Patch16: libseccomp-sandbox.patch URL: http://www.openssh.com/portable.html BuildRequires: %{__perl} %{?with_tests:BuildRequires: %{name}-server} @@ -80,6 +81,7 @@ BuildRequires: automake %{?with_gtk:BuildRequires: gtk+2-devel} %{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7} %{?with_libedit:BuildRequires: libedit-devel} +BuildRequires: libseccomp-devel %{?with_selinux:BuildRequires: libselinux-devel} %{?with_ldap:BuildRequires: openldap-devel} BuildRequires: openssl-devel >= 0.9.8f @@ -539,6 +541,7 @@ openldap-a. %patch14 -p1 %{!?with_ldap:%patch15 -p1} +%patch16 -p1 %if "%{pld_release}" == "ac" # fix for missing x11.pc @@ -556,7 +559,8 @@ cp /usr/share/automake/config.sub . %{__aclocal} %{__autoconf} %{__autoheader} -CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99" +CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99 -fno-tree-dominator-opts" +CFLAGS="%{rpmcflags} -fno-tree-dominator-opts" %configure \ PERL=%{__perl} \ --disable-strip \ @@ -574,7 +578,7 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99" --with-pid-dir=%{_localstatedir}/run \ --with-privsep-path=%{_privsepdir} \ %if "%{pld_release}" != "ac" - --with-sandbox=seccomp_filter \ + --with-sandbox=libseccomp_filter \ %endif %{?with_selinux:--with-selinux} \ %if "%{pld_release}" == "ac" diff --git a/libseccomp-sandbox.patch b/libseccomp-sandbox.patch new file mode 100644 index 0000000..abed09f --- /dev/null +++ b/libseccomp-sandbox.patch @@ -0,0 +1,239 @@ +https://bugzilla.mindrot.org/show_bug.cgi?id=2142 + +--- a/Makefile.in ++++ a/Makefile.in +@@ -106,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + sftp-server.o sftp-common.o \ + roaming_common.o roaming_serv.o \ + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ +- sandbox-seccomp-filter.o sandbox-capsicum.o ++ sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o + + MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out + MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 +--- a/configure.ac ++++ a/configure.ac +@@ -2867,11 +2867,22 @@ else + fi + AC_SUBST([SSH_PRIVSEP_USER]) + ++AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [ ++ #include <sys/types.h> ++ #include <seccomp.h> ++]) ++if test "x$have_libseccomp_filter" = "x1" ; then ++ AC_CHECK_LIB([seccomp], [seccomp_init], ++ [LIBS="$LIBS -lseccomp"], ++ [have_libseccomp_filter=0]) ++fi ++ + if test "x$have_linux_no_new_privs" = "x1" ; then + AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ + #include <sys/types.h> + #include <linux/seccomp.h> + ]) ++ + fi + if test "x$have_seccomp_filter" = "x1" ; then + AC_MSG_CHECKING([kernel for seccomp_filter support]) +@@ -2898,7 +2909,7 @@ fi + # Decide which sandbox style to use + sandbox_arg="" + AC_ARG_WITH([sandbox], +- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)], ++ [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, libseccomp_filter, capsicum)], + [ + if test "x$withval" = "xyes" ; then + sandbox_arg="" +@@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \ + AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function]) + SANDBOX_STYLE="darwin" + AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) ++elif test "x$sandbox_arg" = "xlibseccomp_filter" || \ ++ ( test -z "$sandbox_arg" && \ ++ test "x$have_libseccomp_filter" = "x1" ) ; then ++ test "x$have_libseccomp_filter" != "x1" && \ ++ AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host]) ++ SANDBOX_STYLE="libseccomp_filter" ++ AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter]) + elif test "x$sandbox_arg" = "xseccomp_filter" || \ + ( test -z "$sandbox_arg" && \ + test "x$have_seccomp_filter" = "x1" && \ +--- a/sandbox-libseccomp-filter.c ++++ a/sandbox-libseccomp-filter.c +@@ -0,0 +1,175 @@ ++/* ++ * Copyright (c) 2012 Will Drewry <w...@dataspill.org> ++ * ++ * Permission to use, copy, modify, and distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ */ ++ ++#include "includes.h" ++ ++#ifdef SANDBOX_LIBSECCOMP_FILTER ++ ++#include <sys/types.h> ++#include <sys/resource.h> ++#include <seccomp.h> ++ ++#include <errno.h> ++#include <signal.h> ++#include <stdarg.h> ++#include <stddef.h> /* for offsetof */ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <unistd.h> ++ ++#include "log.h" ++#include "ssh-sandbox.h" ++#include "xmalloc.h" ++ ++struct ssh_sandbox { ++ pid_t child_pid; ++}; ++ ++struct ssh_sandbox * ++ssh_sandbox_init(struct monitor *monitor) ++{ ++ struct ssh_sandbox *box; ++ ++ /* ++ * Strictly, we don't need to maintain any state here but we need ++ * to return non-NULL to satisfy the API. ++ */ ++ debug3("%s: preparing libseccomp filter sandbox", __func__); ++ box = xcalloc(1, sizeof(*box)); ++ box->child_pid = 0; ++ ++ return box; ++} ++ ++static int ++seccomp_add_secondary_archs(scmp_filter_ctx *c) ++{ ++#if defined(__i386__) || defined(__x86_64__) ++ int r; ++ r = seccomp_arch_add(c, SCMP_ARCH_X86); ++ if (r < 0 && r != -EEXIST) ++ return r; ++ r = seccomp_arch_add(c, SCMP_ARCH_X86_64); ++ if (r < 0 && r != -EEXIST) ++ return r; ++ r = seccomp_arch_add(c, SCMP_ARCH_X32); ++ if (r < 0 && r != -EEXIST) ++ return r; ++#endif ++ return 0; ++} ++ ++struct scmp_action_def { ++ uint32_t action; ++ int syscall; ++}; ++ ++static const struct scmp_action_def preauth_insns[] = { ++ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)}, ++ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)}, ++#ifdef __NR_time /* not defined on EABI ARM */ ++ {SCMP_ACT_ALLOW, SCMP_SYS(time)}, ++#endif ++ {SCMP_ACT_ALLOW, SCMP_SYS(read)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(write)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(close)}, ++#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ ++ {SCMP_ACT_ALLOW, SCMP_SYS(shutdown)}, ++#endif ++ {SCMP_ACT_ALLOW, SCMP_SYS(brk)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(poll)}, ++#ifdef __NR__newselect ++ {SCMP_ACT_ALLOW, SCMP_SYS(_newselect)}, ++#endif ++ {SCMP_ACT_ALLOW, SCMP_SYS(select)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(madvise)}, ++#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ ++ {SCMP_ACT_ALLOW, SCMP_SYS(mmap2)}, ++#endif ++#ifdef __NR_mmap ++ {SCMP_ACT_ALLOW, SCMP_SYS(mmap)}, ++#endif ++#ifdef __dietlibc__ ++ {SCMP_ACT_ALLOW, SCMP_SYS(mremap)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(exit)}, ++#endif ++ {SCMP_ACT_ALLOW, SCMP_SYS(munmap)}, ++ {SCMP_ACT_ALLOW, SCMP_SYS(exit_group)}, ++#ifdef __NR_rt_sigprocmask ++ {SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)}, ++#else ++ {SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)}, ++#endif ++ {0, 0} ++}; ++ ++ ++void ++ssh_sandbox_child(struct ssh_sandbox *box) ++{ ++ scmp_filter_ctx *seccomp; ++ struct rlimit rl_zero; ++ const struct scmp_action_def *insn; ++ int r; ++ ++ /* Set rlimits for completeness if possible. */ ++ rl_zero.rlim_cur = rl_zero.rlim_max = 0; ++ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) ++ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", ++ __func__, strerror(errno)); ++ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) ++ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", ++ __func__, strerror(errno)); ++ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) ++ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", ++ __func__, strerror(errno)); ++ ++ seccomp = seccomp_init(SCMP_ACT_KILL); ++ if (!seccomp) ++ fatal("%s:libseccomp activation failed", __func__); ++ if (seccomp_add_secondary_archs(seccomp)) ++ fatal("%s:libseccomp secondary arch setup failed", __func__); ++ ++ for (insn = preauth_insns; insn->action; insn++) { ++ if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0) ++ fatal("%s:libseccomp rule failed", __func__); ++ } ++ ++ if ((r = seccomp_load(seccomp)) < 0) ++ fatal("%s:libseccomp unable to load filter %d", __func__, r); ++ ++ seccomp_release(seccomp); ++} ++ ++void ++ssh_sandbox_parent_finish(struct ssh_sandbox *box) ++{ ++ free(box); ++ debug3("%s: finished", __func__); ++} ++ ++void ++ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) ++{ ++ box->child_pid = child_pid; ++} ++ ++#endif /* SANDBOX_LIBSECCOMP_FILTER */ ================================================================ ---- gitweb: http://git.pld-linux.org/gitweb.cgi/packages/openssh.git/commitdiff/5a5e6771dcca2946a470f4642e5810ab358aaa86 _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit