1. 17 Jan, 2014 1 commit
  2. 23 Jun, 2011 2 commits
  3. 22 Jun, 2011 1 commit
      - djm@cvs.openbsd.org 2011/06/22 21:57:01 · 69ff1df9
      Damien Miller authored
           [servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
           [sandbox-systrace.c sandbox.h configure.ac Makefile.in]
           introduce sandboxing of the pre-auth privsep child using systrace(4).
           This introduces a new "UsePrivilegeSeparation=sandbox" option for
           sshd_config that applies mandatory restrictions on the syscalls the
           privsep child can perform. This prevents a compromised privsep child
           from being used to attack other hosts (by opening sockets and proxying)
           or probing local kernel attack surface.
           The sandbox is implemented using systrace(4) in unsupervised "fast-path"
           mode, where a list of permitted syscalls is supplied. Any syscall not
           on the list results in SIGKILL being sent to the privsep child. Note
           that this requires a kernel with the new SYSTR_POLICY_KILL option.
           UsePrivilegeSeparation=sandbox will become the default in the future
           so please start testing it now.
           feedback dtucker@; ok markus@