bugzilla-daemon at mindrot.org
2013-Aug-12 19:40 UTC
[Bug 2142] New: openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

            Bug ID: 2142
           Summary: openssh sandboxing using libseccomp
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: loganaden at gmail.com

Created attachment 2328 --> https://bugzilla.mindrot.org/attachment.cgi?id=2328&action=edit
libseccomp patch

Hi,

I've been playing with libseccomp and I think that it abstracts a lot of the low-level BPF stuff by providing a simpler, easier & portable API. The patch is based off Will Drewry's seccomp patch. I tested it on my Ubuntu box. It's still a WiP.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Aug-13 19:29 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 2328 --> https://bugzilla.mindrot.org/attachment.cgi?id=2328
libseccomp patch

I don't think this is an improvement: the code isn't much shorter, only a little more readable, and we have to use an external library.
bugzilla-daemon at mindrot.org
2013-Aug-13 20:16 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

--- Comment #2 from Loganaden Velvindron <loganaden at gmail.com> ---
So libseccomp would be "untrusted", similar to Kerberos?

libseccomp has seen steady progress, and I think that it would be nice if OpenSSH takes advantage of it if it is deployed on a fairly recent Linux system.

http://www.paul-moore.com/files/lj/libseccomp-pmoore-lss2012-r1.pdf

Please see page 3 :-)

Capsicum is also working towards a similar approach with libcapsicum & libangel. (https://code.google.com/p/capsicum-core/)

I'm not suggesting replacing Will's seccomp patch, but rather providing it as an additional build-time option that package maintainers can take advantage of if libseccomp is present.
bugzilla-daemon at mindrot.org
2013-Aug-14 01:08 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Sure, but I don't see the point - what's the advantage to using libseccomp? It looks like it might have some advantages if we were doing argument inspection, were scared of writing BPF or running a complex policy but we aren't.

The existing seccomp sandbox will work on any system that has libseccomp and will do the same thing with fewer dependencies and less code. Adding another sandbox that does exactly the same thing just means we need to maintain two sets of code instead of one.
bugzilla-daemon at mindrot.org
2013-Aug-14 03:49 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

--- Comment #4 from Loganaden Velvindron <loganaden at gmail.com> ---
(In reply to Damien Miller from comment #3)
> Sure, but I don't see the point - what's the advantage to using
> libseccomp? It looks like it might have some advantages if we were
> doing argument inspection, were scared of writing BPF or running a
> complex policy but we aren't.

Agreed.

> The existing seccomp sandbox will work on any system that has
> libseccomp and will do the same thing with fewer dependencies and
> less code. Adding another sandbox that does exactly the same thing
> just means we need to maintain two sets of code instead of one.

I see your point ("Reduced attack surface") :-)

In that case, it's probably better that I don't spend more time further on this. Thanks.
bugzilla-daemon at mindrot.org
2013-Aug-14 07:23 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
It's not so much a question of attack surface, just the amount of code that needs to be maintained. I think if the sandbox were ever to grow more complicated then libseccomp might be worth investigating, but we'll pass for now.
bugzilla-daemon at mindrot.org
2015-Mar-06 14:26 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Steven Noonan <steven at uplinklabs.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |steven at uplinklabs.net
         Resolution|WONTFIX                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #6 from Steven Noonan <steven at uplinklabs.net> ---
I'd like to reopen this because there's now a reason to implement this change.

A build of portable OpenSSH with the x32 ABI (gcc -mx32) on x86_64 doesn't work correctly with the seccomp_filter sandbox. With libseccomp I'm able to do seccomp_arch_add for SCMP_ARCH_X86_64 and SCMP_ARCH_X32 -- which is sufficient to unbreak things.

I'm attaching an updated patch which is a bit smaller and cleaner than the previous version, and contains an array of syscall rules similar to the one in sandbox-seccomp-filter.c. This reduces code size by a fair amount.
bugzilla-daemon at mindrot.org
2015-Mar-06 14:26 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Steven Noonan <steven at uplinklabs.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2328|0                           |1
        is obsolete|                            |

--- Comment #7 from Steven Noonan <steven at uplinklabs.net> ---
Created attachment 2563 --> https://bugzilla.mindrot.org/attachment.cgi?id=2563&action=edit
libseccomp patch v2
bugzilla-daemon at mindrot.org
2015-Aug-04 05:40 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

--- Comment #8 from Mike Frysinger <vapier at gentoo.org> ---
Comment on attachment 2563 --> https://bugzilla.mindrot.org/attachment.cgi?id=2563
libseccomp patch v2

>+static int
>+seccomp_add_secondary_archs(scmp_filter_ctx *c)
>+{
>+#if defined(__i386__) || defined(__x86_64__)
>+ int r;
>+ r = seccomp_arch_add(c, SCMP_ARCH_X86);
>+ if (r < 0 && r != -EEXIST)
>+ return r;
>+ r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
>+ if (r < 0 && r != -EEXIST)
>+ return r;
>+ r = seccomp_arch_add(c, SCMP_ARCH_X32);
>+ if (r < 0 && r != -EEXIST)
>+ return r;
>+#endif
>+ return 0;
>+}

I don't think this is correct. There's no reason to permit alternative ABIs from the one you're currently executing as. x86/32bit should only permit the X86 ABI, x86_64/64bit should only permit the X86_64 ABI, and x86_64/32bit should only permit the X32 ABI.
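Review bot: seccomp_add_secondary_archs() declares its parameter as `scmp_filter_ctx *c` but passes `c` unchanged to seccomp_arch_add(), whose first argument is the filter handle itself (`scmp_filter_ctx` is already libseccomp's opaque pointer type), so the declared type and the use disagree; declare it `scmp_filter_ctx c`, because a caller that follows the signature and passes `&ctx` would hand libseccomp the address of its local variable rather than the handle. The three seccomp_arch_add() calls also run unconditionally under `#if defined(__i386__) || defined(__x86_64__)`, so every x86 build ends up accepting syscalls under all three ABIs; a preprocessor check on the build target that adds only that one ABI (tolerating -EEXIST only for the one the filter already contains) keeps the filter as narrow as Mike Frysinger's comment asks.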
bugzilla-daemon at mindrot.org
2015-Aug-04 05:47 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

--- Comment #9 from Steven Noonan <steven at uplinklabs.net> ---
In principle, I agree. But I wasn't able to get it to work without that. :(
bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-03 14:48 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Colin Watson <cjwatson at debian.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cjwatson at debian.org

--- Comment #10 from Colin Watson <cjwatson at debian.org> ---
Created attachment 2927 --> https://bugzilla.mindrot.org/attachment.cgi?id=2927&action=edit
Work around clock_gettime kernel bug on Linux x32

Here's an alternative patch that fixes the seccomp sandbox on Linux x32. It's working around what I consider to be a kernel bug (reported in Debian and we'll see where it goes), so I don't know what you'll make of this, but it's reasonably unobtrusive as workarounds go.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-06 01:48 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2647
                 CC|                            |dtucker at zip.com.au

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-14 07:00 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2927|0                           |1
        is obsolete|                            |
   Attachment #2962|                            |ok?(dtucker at zip.com.au)
              Flags|                            |

--- Comment #11 from Damien Miller <djm at mindrot.org> ---
Created attachment 2962 --> https://bugzilla.mindrot.org/attachment.cgi?id=2962&action=edit
updated diff

I've refactored that file a bit to make the manual expansion of SC_ALLOW() unnecessary here. Here's an updated and simpler diff that just allows the clock_gettime syscall with the X32 bit masked off.
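The fix described in comment #11, as an added example that is not OpenSSH's sandbox-seccomp-filter.c nor the attached diff: a minimal classic-BPF allowlist in the same style, in which an x32-style clock_gettime number (constructed here by setting the X32 bit on the host's __NR_clock_gettime) is allowed both as-is and with the X32 bit masked off, plus a small interpreter for the three BPF opcodes used so the verdicts can be checked without installing the filter. The SC_ALLOW macro, NR_CLOCK_GETTIME_X32, run_filter() and verdict() are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>
#ifndef __X32_SYSCALL_BIT   /* only the x86 kernel headers define it */
#define __X32_SYSCALL_BIT 0x40000000
#endif

/* Allow one syscall number: on a match fall through to RET ALLOW, else skip it. */
#define SC_ALLOW(nr) \
	BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, (nr), 0, 1), \
	BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW)

/* Constructed x32-style number: the host's __NR_clock_gettime with the X32 bit set. */
#define NR_CLOCK_GETTIME_X32 (__NR_clock_gettime | __X32_SYSCALL_BIT)

static const struct sock_filter filter[] = {
	BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, nr)),
	SC_ALLOW(__NR_read),
	SC_ALLOW(NR_CLOCK_GETTIME_X32),
	/* The kernel bug from the thread: the x32 vDSO can fall back to the
	 * 64-bit number, so also allow it with the X32 bit masked off. */
	SC_ALLOW(NR_CLOCK_GETTIME_X32 & ~__X32_SYSCALL_BIT),
	BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),   /* everything else: kill */
};

/* Interpret the LD/JEQ/RET subset of classic BPF used above. */
uint32_t run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d)
{
	uint32_t a = 0;
	for (size_t pc = 0; pc < n; pc++) {
		const struct sock_filter *i = &p[pc];
		if (i->code == (BPF_LD|BPF_W|BPF_ABS))        /* A = 32-bit word at offset k */
			memcpy(&a, (const char *)d + i->k, sizeof a);
		else if (i->code == (BPF_JMP|BPF_JEQ|BPF_K))  /* skip jt or jf instructions */
			pc += (a == i->k) ? i->jt : i->jf;
		else if (i->code == (BPF_RET|BPF_K))
			return i->k;
		else
			return SECCOMP_RET_KILL;                  /* unknown opcode: fail closed */
	}
	return SECCOMP_RET_KILL;
}

/* Verdict for a bare syscall number (other seccomp_data fields zeroed). */
uint32_t verdict(int nr)
{
	struct seccomp_data d = { .nr = nr };
	return run_filter(filter, sizeof filter / sizeof filter[0], &d);
}
```

Only the clock_gettime entry gets the masked twin; any other number carrying the X32 bit still hits the default kill rule.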
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-14 07:22 UTC
[Bug 2142] openssh sandboxing using libseccomp
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2962|ok?(dtucker at zip.com.au)    |ok+
              Flags|                            |
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-14 07:28 UTC
[Bug 2142] Make seccomp-bpf sandbox work for Linux/X32
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|openssh sandboxing using    |Make seccomp-bpf sandbox
                   |libseccomp                  |work for Linux/X32
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-14 07:29 UTC
[Bug 2142] Make seccomp-bpf sandbox work for Linux/X32
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #12 from Damien Miller <djm at mindrot.org> ---
Patch is applied and the refactoring of that file will make it easier to permit other syscalls with the X32 bit masked off in future if necessary.

This will be in the OpenSSH 7.5 release, due very soon.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:03 UTC
[Bug 2142] Make seccomp-bpf sandbox work for Linux/X32
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #13 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release