diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2018-06-05 23:33:33 +0200 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2018-06-05 23:33:33 +0200 |
| commit | 2348bccbde4409c0cb76ba299552bbfb4206f988 (patch) | |
| tree | 103f79355367d3a85b00bfd88c577e28d24f49b1 | |
| parent | f08f519880261ec2bd72ba50bf5ff8600783fcd1 (diff) | |
POTD skeleton #95.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
| -rw-r--r-- | configure.ac | 5 | ||||
| -rw-r--r-- | src/protocol_ssh.c | 28 | ||||
| -rw-r--r-- | src/pseccomp.c | 30 | ||||
| -rw-r--r-- | src/utils.c | 7 |
4 files changed, 39 insertions, 31 deletions
diff --git a/configure.ac b/configure.ac index ea2426a..29ad884 100644 --- a/configure.ac +++ b/configure.ac @@ -51,6 +51,9 @@ dnl Some libssh versions require libssl,libcrypto,zlib. dnl This is because the libssh.pc file does not sets additional required shlibs. additional_libssh_libs="" +CFLAGS="$CFLAGS $libssh_CFLAGS" +LIBS="$LIBS $libssh_LIBS" + AC_MSG_CHECKING([if libssh requires -lcrypto]) AC_TRY_LINK([#include <libssh/libssh.h>], [ return ssh_init(); ], [ libssh_require_libcrypto="no" ], @@ -97,7 +100,7 @@ AC_SUBST([libseccomp_LIBS]) dnl Check for valgrind PKG_CHECK_MODULES([valgrind], [valgrind >= 3.12.0], [ AC_DEFINE([HAVE_VALGRIND], [1], - [Define to 1 if you have/want valgrind support]), + [Define to 1 if you have/want valgrind support]) valgrind_enabled="yes" ], [ valgrind_enabled="no" ]) AC_SUBST([valgrind_CFLAGS]) diff --git a/src/protocol_ssh.c b/src/protocol_ssh.c index a5ed4a8..44dd9b6 100644 --- a/src/protocol_ssh.c +++ b/src/protocol_ssh.c @@ -202,22 +202,22 @@ static int set_default_keys(ssh_bind sshbind, int rsa_already_set, } if (!dsa_already_set) { if (access(dsa_key, R_OK)) { - E_STRERR("DSA key '%s' inaccesible", dsa_key); - return 1; - } + W_STRERR("Access DSA key '%s'", dsa_key); + } else if (ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, - "./ssh_host_dsa_key")) { + "./ssh_host_dsa_key")) + { E2("Failed to set DSA key: %s", ssh_get_error(sshbind)); return 1; } } if (!ecdsa_already_set) { if (access(ecdsa_key, R_OK)) { - E_STRERR("ECDSA key '%s' inaccesible", ecdsa_key); - return 1; - } + W_STRERR("Access ECDSA key '%s'", ecdsa_key); + } else if (ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_ECDSAKEY, - "./ssh_host_ecdsa_key")) { + "./ssh_host_ecdsa_key")) + { E2("Failed to set ECDSA key: %s", ssh_get_error(sshbind)); return 1; } @@ -232,17 +232,17 @@ static int gen_default_keys(void) if (gen_export_sshkey(SSH_KEYTYPE_RSA, 1024, "./ssh_host_rsa_key")) { W("libssh %s key generation failed, using fallback ssh-keygen", "RSA"); remove("./ssh_host_rsa_key"); - s = system("ssh-keygen -t rsa -b 1024 -f ./ssh_host_rsa_key -N '' >/dev/null 2>/dev/null"); + s |= system("ssh-keygen -t rsa -b 1024 -f ./ssh_host_rsa_key -N '' >/dev/null 2>/dev/null"); } - if (!s && gen_export_sshkey(SSH_KEYTYPE_DSS, 1024, "./ssh_host_dsa_key")) { + if (gen_export_sshkey(SSH_KEYTYPE_DSS, 1024, "./ssh_host_dsa_key")) { W("libssh %s key generation failed, using fallback ssh-keygen", "DSA"); remove("./ssh_host_dsa_key"); - s = system("ssh-keygen -t dsa -b 1024 -f ./ssh_host_dsa_key -N '' >/dev/null 2>/dev/null"); + s |= system("ssh-keygen -t dsa -b 1024 -f ./ssh_host_dsa_key -N '' >/dev/null 2>/dev/null"); } - if (!s && gen_export_sshkey(SSH_KEYTYPE_ECDSA, 1024, "./ssh_host_ecdsa_key")) { + if (gen_export_sshkey(SSH_KEYTYPE_ECDSA, 1024, "./ssh_host_ecdsa_key")) { W("libssh %s key generation failed, using fallback ssh-keygen", "ECDSA"); remove("./ssh_host_ecdsa_key"); - s = system("ssh-keygen -t ecdsa -b 256 -f ./ssh_host_ecdsa_key -N '' >/dev/null 2>/dev/null"); + s |= system("ssh-keygen -t ecdsa -b 256 -f ./ssh_host_ecdsa_key -N '' >/dev/null 2>/dev/null"); } return s != 0; @@ -276,7 +276,7 @@ static int gen_export_sshkey(enum ssh_keytypes_e type, int length, const char *p type_str, length, path); s = ssh_pki_generate(type, length, &priv_key); if (s != SSH_OK) { - E2("Generating %s key failed: %d", type_str, s); + W2("Generating %s key failed: %d", type_str, s); return 1; } s = ssh_pki_export_privkey_file(priv_key, "", NULL, diff --git a/src/pseccomp.c b/src/pseccomp.c index 250ffe4..4ffe572 100644 --- a/src/pseccomp.c +++ b/src/pseccomp.c @@ -20,10 +20,10 @@ static const int default_allowed_syscalls[] = { SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep), SCMP_SYS(clock_gettime), SCMP_SYS(set_tid_address), SCMP_SYS(exit), SCMP_SYS(exit_group), - SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(writev), + SCMP_SYS(read), SCMP_SYS(readv), SCMP_SYS(write), SCMP_SYS(writev), SCMP_SYS(fcntl), SCMP_SYS(fcntl64), SCMP_SYS(close), SCMP_SYS(wait4), - SCMP_SYS(sigprocmask), SCMP_SYS(tgkill), SCMP_SYS(gettid), + SCMP_SYS(sigprocmask), SCMP_SYS(tgkill), SCMP_SYS(gettid), SCMP_SYS(set_tls), SCMP_SYS(fork), SCMP_SYS(clone), SCMP_SYS(execve), SCMP_SYS(socket), SCMP_SYS(bind), SCMP_SYS(setsockopt), SCMP_SYS(shutdown), SCMP_SYS(listen), SCMP_SYS(connect), SCMP_SYS(getsockname), @@ -32,23 +32,29 @@ static const int default_allowed_syscalls[] = { SCMP_SYS(poll), SCMP_SYS(pipe), SCMP_SYS(pipe2), SCMP_SYS(set_robust_list), SCMP_SYS(getrlimit), SCMP_SYS(seccomp), SCMP_SYS(getrusage), - SCMP_SYS(prctl), SCMP_SYS(mmap), SCMP_SYS(brk), SCMP_SYS(madvise), + SCMP_SYS(prlimit64), + SCMP_SYS(prctl), SCMP_SYS(mmap), SCMP_SYS(mmap2), SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mlock), SCMP_SYS(getrandom), SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex), + /* operations on files */ SCMP_SYS(open), SCMP_SYS(openat), - SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(access), - SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd), + SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(access), + SCMP_SYS(_llseek), SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd), SCMP_SYS(lstat), SCMP_SYS(sysinfo), - SCMP_SYS(setuid), SCMP_SYS(setgid), - SCMP_SYS(setresuid), SCMP_SYS(setresgid), - SCMP_SYS(getuid), SCMP_SYS(geteuid), SCMP_SYS(getgid), SCMP_SYS(getegid), + /* operations on user/group */ + SCMP_SYS(setuid), SCMP_SYS(setuid32), SCMP_SYS(setgid), SCMP_SYS(setgid32), + SCMP_SYS(setresuid), SCMP_SYS(setresuid32), SCMP_SYS(setresgid), SCMP_SYS(setresgid32), + SCMP_SYS(getuid), SCMP_SYS(getuid32), SCMP_SYS(geteuid), SCMP_SYS(geteuid32), + SCMP_SYS(getgid), SCMP_SYS(getgid32), SCMP_SYS(getegid), SCMP_SYS(getegid), SCMP_SYS(getgroups), SCMP_SYS(getdents), + /* operations on processes */ SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill), + /* other */ SCMP_SYS(unshare), SCMP_SYS(chroot), SCMP_SYS(chdir), SCMP_SYS(mount), SCMP_SYS(umount2), SCMP_SYS(mknod), SCMP_SYS(mkdir), SCMP_SYS(rmdir), SCMP_SYS(statfs), SCMP_SYS(ioctl), - SCMP_SYS(chown), SCMP_SYS(chmod), SCMP_SYS(setsid), + SCMP_SYS(umask), SCMP_SYS(chown), SCMP_SYS(chmod), SCMP_SYS(setsid), SCMP_SYS(dup), SCMP_SYS(dup2), SCMP_SYS(dup3), SCMP_SYS(sethostname), SCMP_SYS(uname), SCMP_SYS(arch_prctl) }; @@ -65,11 +71,11 @@ static const int jail_allowed_syscalls[] = { SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(writev), SCMP_SYS(fcntl), SCMP_SYS(fcntl64), SCMP_SYS(close), SCMP_SYS(wait4), - SCMP_SYS(sigprocmask), SCMP_SYS(tgkill), SCMP_SYS(gettid), + SCMP_SYS(sigprocmask), SCMP_SYS(tgkill), SCMP_SYS(gettid), SCMP_SYS(set_tls), SCMP_SYS(fork), SCMP_SYS(clone), SCMP_SYS(execve), - SCMP_SYS(mmap), SCMP_SYS(brk), SCMP_SYS(madvise), + SCMP_SYS(mmap), SCMP_SYS(mmap2), SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex), - SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(fstat), SCMP_SYS(access), + SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(access), SCMP_SYS(poll), SCMP_SYS(pipe), SCMP_SYS(pipe2), SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd), SCMP_SYS(lstat), SCMP_SYS(sysinfo), diff --git a/src/utils.c b/src/utils.c index 9fe158b..5c95b7c 100644 --- a/src/utils.c +++ b/src/utils.c @@ -516,11 +516,10 @@ int cgroups_set(void) if (fail == 3) { if (remove(cgdef) && errno != ENOENT) return 1; - if (mkdir(cgdef, - S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IXGRP | S_IROTH|S_IXOTH)) - { + s = mkdir(cgdef, + S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IXGRP | S_IROTH|S_IXOTH); + if (s) return 1; - } _cgmem = cgdef; _cgcpu = cgdef; |