/*
 * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "includes.h"

#ifdef SANDBOX_DARWIN

#include <sys/types.h>

#include <sandbox.h>

#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "log.h"
#include "sandbox.h"
#include "xmalloc.h"

/*
 * Darwin/OS X sandbox for the pre-authentication privsep child.
 *
 * The child is confined by the system sandbox's pure-computation profile
 * and, on top of that, by zero resource limits so that it cannot grow
 * files, open new descriptors or spawn processes.  Every failure to apply
 * a restriction is reported through fatal(), so the child never continues
 * unconfined.
 */

struct ssh_sandbox {
	pid_t child_pid;	/* recorded by the parent after fork() */
};

/*
 * Allocate the sandbox handle for the monitor (parent) side.
 *
 * No real state is needed on Darwin; a non-NULL object is returned only
 * to satisfy the common sandbox API shared with the other backends.  The
 * monitor argument is not used by this backend.  Ownership of the returned
 * object passes to the caller, who releases it with
 * ssh_sandbox_parent_finish().
 */
struct ssh_sandbox *
ssh_sandbox_init(struct monitor *monitor)
{
	struct ssh_sandbox *sb;

	debug3("%s: preparing Darwin sandbox", __func__);
	sb = xcalloc(1, sizeof(*sb));
	sb->child_pid = 0;
	return sb;
}

/*
 * Confine the calling process.  Called in the privsep child after fork().
 *
 * Applies the named kSBXProfilePureComputation profile and then lowers
 * RLIMIT_FSIZE, RLIMIT_NOFILE and RLIMIT_NPROC to zero.  Any failure is
 * fatal: the process exits rather than running without the sandbox.
 */
void
ssh_sandbox_child(struct ssh_sandbox *box)
{
	/* Both soft and hard limits are zero, matching the "{ 0, 0 }" logged. */
	struct rlimit no_resources = { 0, 0 };
	char *sb_error;

	debug3("%s: starting Darwin sandbox", __func__);
	if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
	    &sb_error) == -1)
		fatal("%s: sandbox_init: %s", __func__, sb_error);

	/*
	 * kSBXProfilePureComputation still permits socket use, so the
	 * remaining avenues are cut off with rlimits: no file growth,
	 * no new descriptors and no new processes.  RLIMIT_NOFILE only
	 * affects opening new descriptors; those already open (such as the
	 * channel back to the monitor) remain usable.
	 */
	if (setrlimit(RLIMIT_FSIZE, &no_resources) == -1)
		fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
		    __func__, strerror(errno));
	if (setrlimit(RLIMIT_NOFILE, &no_resources) == -1)
		fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
		    __func__, strerror(errno));
	if (setrlimit(RLIMIT_NPROC, &no_resources) == -1)
		fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
		    __func__, strerror(errno));
}

/*
 * Release the handle allocated by ssh_sandbox_init().  Parent side only;
 * there is nothing to tear down for the child on Darwin.
 */
void
ssh_sandbox_parent_finish(struct ssh_sandbox *box)
{
	free(box);
	box = NULL;
	debug3("%s: finished", __func__);
}

/*
 * Record the pid of the freshly forked pre-auth child in the parent.
 * The Darwin backend keeps it for API symmetry only.
 */
void
ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
{
	box->child_pid = child_pid;
}

#endif /* SANDBOX_DARWIN */