CVSROOT:	/cvs
Module name:	src
Changes by:	d...@cvs.openbsd.org	2011/06/22 15:57:01

Modified files:
	usr.bin/ssh    : servconf.c servconf.h sshd.c sshd_config.5
	usr.bin/ssh/sshd: Makefile
Added files:
	usr.bin/ssh    : sandbox-rlimit.c sandbox-systrace.c sandbox.h

Log message:
introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@
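The pattern the log message describes (a privsep child confined to a fixed list of permitted syscalls, with anything off the list terminating the child) is illustrated below as an added example. It is not OpenSSH's sandbox-systrace.c and not OpenBSD code: it uses Linux seccomp-bpf as a stand-in for systrace(4) fast-path mode, so the kill signal is SIGSYS rather than the SIGKILL systrace delivers. The allowlist, the function names and the "child tries socket()" scenario are all constructed for the demonstration; the real privsep child needs a longer list.

```c
/* Added example, not OpenSSH code: a syscall-allowlist sandbox in the spirit
 * of the commit, built on Linux seccomp-bpf instead of systrace(4).
 * A parent forks a child, the child installs the allowlist, and any syscall
 * outside it terminates the child. */
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* older headers: thread kill only */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Constructed allowlist: just enough for the child to read, write and exit.
 * socket() is deliberately absent, so a compromised child cannot open
 * connections to other hosts (the scenario the commit message names). */
static const int allowed_syscalls[] = {
    __NR_read, __NR_write, __NR_exit, __NR_exit_group, __NR_rt_sigreturn,
};
#define N_ALLOWED (sizeof(allowed_syscalls) / sizeof(allowed_syscalls[0]))

static struct sock_filter stmt(unsigned short code, unsigned int k)
{
    struct sock_filter f = { code, 0, 0, k };
    return f;
}

static struct sock_filter jump(unsigned short code, unsigned int k,
                               unsigned char jt, unsigned char jf)
{
    struct sock_filter f = { code, jt, jf, k };
    return f;
}

/* Build the filter from the allowlist and install it in the calling process.
 * Returns 0 on success, -1 if the kernel refuses (no seccomp filter support). */
int install_syscall_allowlist(void)
{
    struct sock_filter prog[4 + 2 * N_ALLOWED + 1];
    size_t n = 0, i;

    /* Reject syscalls issued through a foreign ABI (e.g. 32-bit on x86_64). */
    prog[n++] = stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = jump(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    prog[n++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* Load the syscall number and compare it against each permitted entry. */
    prog[n++] = stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < N_ALLOWED; i++) {
        prog[n++] = jump(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)allowed_syscalls[i], 0, 1);
        prog[n++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* Default action, like SYSTR_POLICY_KILL: anything unlisted is fatal. */
    prog[n++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == -1)
        return -1;
    return 0;
}

/* Fork a child, sandbox it, and have it either exit cleanly or first attempt
 * a socket() call that is not on the list. Returns 0 if the child exited
 * normally, the terminating signal number if the sandbox killed it, -1 on error. */
int run_sandboxed_child(int attempt_socket)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (install_syscall_allowlist() == -1)
            syscall(SYS_exit_group, 2);                    /* sandbox unavailable */
        if (attempt_socket)
            syscall(SYS_socket, AF_INET, SOCK_STREAM, 0);  /* off-list: killed here */
        syscall(SYS_exit_group, 0);
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    int r = run_sandboxed_child(1);
    printf("child calling socket(): %s\n",
           r == SIGSYS ? "killed by sandbox (SIGSYS)" : "NOT killed");
    return r == SIGSYS ? 0 : 1;
}
```

The child is forked before the filter is installed, mirroring the privsep design where the unprivileged child, not the monitor, is confined; the parent only observes the wait status. An allowlist this short is what makes the sandbox meaningful: adding syscalls back one at a time as the child genuinely needs them, rather than starting permissive, is the discipline the "fast-path" list encourages.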