/*
 * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
16bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
#include "includes.h"

#ifdef SANDBOX_DARWIN

#include <sys/types.h>
#include <sys/resource.h>

#include <sandbox.h>

#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "log.h"
#include "sandbox.h"
#include "xmalloc.h"
35bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
/* Darwin/OS X sandbox: sandbox_init() named profile plus zero rlimits for the pre-auth child */
37bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
/*
 * Per-sandbox state handed back by ssh_sandbox_init().  On Darwin the
 * confinement itself lives in the process (sandbox_init() + rlimits in
 * ssh_sandbox_child()), so the only thing recorded here is the pid of the
 * pre-auth child, set by ssh_sandbox_parent_preauth().
 */
struct ssh_sandbox {
	pid_t child_pid;	/* 0 until ssh_sandbox_parent_preauth() records the child */
};
41bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
struct ssh_sandbox *
ssh_sandbox_init(struct monitor *monitor)
{
	struct ssh_sandbox *sb;

	/*
	 * Allocate the opaque handle the sandbox API expects.  The Darwin
	 * backend keeps no real state in it -- the profile and resource
	 * limits are applied later in ssh_sandbox_child() -- but callers
	 * need a non-NULL object to pass to the parent_* hooks.
	 * The monitor argument is not used by this backend.
	 * Ownership: the returned object is released by
	 * ssh_sandbox_parent_finish().  xcalloc() does not return on
	 * allocation failure.
	 */
	debug3("%s: preparing Darwin sandbox", __func__);
	sb = xcalloc(1, sizeof(*sb));
	sb->child_pid = 0;	/* already zeroed by xcalloc; kept explicit */

	return sb;
}
57bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
void
ssh_sandbox_child(struct ssh_sandbox *box)
{
	struct rlimit rl_zero = { .rlim_cur = 0, .rlim_max = 0 };
	char *errmsg = NULL;

	/*
	 * Confine the pre-auth child with the named "pure computation"
	 * profile.  sandbox_init() returns -1 and fills errmsg on failure;
	 * fatal() never returns, so errmsg is not released with
	 * sandbox_free_error() here.  The box handle is unused on Darwin.
	 * struct rlimit/setrlimit() come from <sys/resource.h>.
	 */
	debug3("%s: starting Darwin sandbox", __func__);
	if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
	    &errmsg) == -1)
		fatal("%s: sandbox_init: %s", __func__, errmsg);

	/*
	 * The profile alone still permits socket use, so back it with
	 * soft and hard limits of zero: no file growth (FSIZE), no new
	 * descriptors (NOFILE) and no new processes (NPROC).  Any limit
	 * that cannot be applied is fatal -- a partially confined child
	 * must not continue to run.
	 */
	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
		fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
			__func__, strerror(errno));
	if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
		fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
			__func__, strerror(errno));
	if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
		fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
			__func__, strerror(errno));
}
84bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
void
ssh_sandbox_parent_finish(struct ssh_sandbox *box)
{
	/*
	 * Release the handle returned by ssh_sandbox_init().  There is no
	 * kernel-side state to tear down on Darwin; box may be NULL
	 * (free(NULL) is a no-op).
	 */
	free(box);
	debug3("%s: finished", __func__);
}
91bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
void
ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
{
	/*
	 * Record the pid of the sandboxed pre-auth child.  The Darwin
	 * backend does nothing else in the parent; the value is kept only
	 * to satisfy the common sandbox interface.  box must be non-NULL.
	 */
	box->child_pid = child_pid;
}
97bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
98bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#endif /* SANDBOX_DARWIN */