sandbox-seccomp-filter: allow mprotect syscall #142
Conversation
This allows using openssh-portable with OpenBSD malloc and GrapheneOS hardened_malloc.
The mprotect call you're linking in OpenBSD malloc is technically only called during initialization, before the sandbox is entered, but these are called at runtime:
For malloc_freeunmap (U): https://github.com/openbsd/src/blob/df69c215c7c66baf660f3f65414fd34796c96152/lib/libc/stdlib/malloc.c#L719-L720
For malloc(0): https://github.com/openbsd/src/blob/df69c215c7c66baf660f3f65414fd34796c96152/lib/libc/stdlib/malloc.c#L899-L901
For malloc_guard (G):
The hardened_malloc implementation is mostly using mmap with MAP_FIXED to both purge and protect regions at the same time, but it uses
I think glibc malloc also uses mprotect, but it just isn't getting triggered by OpenSSH at the moment. It might only be used with threads.
It's also worth clarifying that there is no portable version of OpenBSD malloc(3), and that people using it on platforms other than OpenBSD are kind of doing their own thing. OpenSSH on OpenBSD wouldn't be using the sandbox-seccomp-filter code, but instead sandbox-pledge, which doesn't have this problem. Note: I'm not stating an opinion on whether adding mprotect to the Linux seccomp-filter sandbox makes sense or not for OpenSSH. I will say that on OpenBSD, mprotect(2) is permitted by the "stdio" pledge promise. However, like mmap(2), the PROT_EXEC prot isn't allowed by default.
There is a really old unofficial port; that said, you're right. However, it does make a point that other malloc implementations might also want to use
As far as I can tell, seccomp filter will currently pass through openssh-portable/sandbox-seccomp-filter.c lines 199 to 201 in b3a77b2.
In which case, passing through
Used by some hardened heap allocators. Requested by Yegor Timoshenko in #142
Looks like this has been addressed in f6906f9. Thank you!
Yeah, I don't want to allow PROT_EXEC mappings as these seem useful in bootstrapping a memory fault exploit to full RCE. I've added a SC_ALLOW_ARG_MASK() to allow permission of syscalls whose arguments match a particular mask. In this case mprotect() with only PROT_READ|PROT_WRITE|PROT_NONE is permitted.
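An added example, not code from openssh-portable or from any commenter in this thread, of the argument-mask idea described in the comment above: a seccomp-BPF fragment that admits mprotect(2) only when prot carries no bits outside PROT_READ|PROT_WRITE (PROT_NONE is zero and therefore passes), and that fails closed on an unexpected architecture or a non-zero high half of the 64-bit argument. The filter is exercised in user space by a small classic-BPF interpreter so the policy can be tested without installing it; the macro names (SC_OFF_*, MPROTECT_ALLOWED_PROT), the interpreter and the install helper are this example's own assumptions. OpenSSH's SC_ALLOW_ARG_MASK() is only mentioned on this page, so nothing here claims to reproduce its definition. The code assumes a little-endian x86_64 or aarch64 Linux host with the kernel UAPI headers available.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* pre-4.14 UAPI headers */
#endif
#if defined(__x86_64__)
#define SC_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SC_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "set SC_AUDIT_ARCH to this architecture's AUDIT_ARCH_* value"
#endif
#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
#error "the argument half-word offsets below assume little-endian seccomp_data"
#endif

/* Byte offsets into struct seccomp_data (hypothetical macro names). BPF loads
 * 32 bits at a time, so a 64-bit syscall argument is read as two halves. */
#define SC_OFF_ARCH      ((uint32_t)offsetof(struct seccomp_data, arch))
#define SC_OFF_NR        ((uint32_t)offsetof(struct seccomp_data, nr))
#define SC_OFF_ARG_LO(n) ((uint32_t)offsetof(struct seccomp_data, args[(n)]))
#define SC_OFF_ARG_HI(n) (SC_OFF_ARG_LO(n) + 4)

/* The only prot bits mprotect(2) may carry; PROT_NONE is 0 and passes. */
#define MPROTECT_ALLOWED_PROT ((uint32_t)(PROT_READ | PROT_WRITE))

/* Jump targets are relative to the next instruction; index 9 is the deny. */
static const struct sock_filter mprotect_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF_ARCH),              /* 0 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SC_AUDIT_ARCH, 0, 7),     /* 1: wrong arch -> 9 */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF_NR),                /* 2 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 0, 5),     /* 3: other nr -> 9 */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF_ARG_LO(2)),         /* 4: lo32(prot) */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, ~MPROTECT_ALLOWED_PROT, 3, 0), /* 5: any bit outside mask -> 9 */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF_ARG_HI(2)),         /* 6: hi32(prot) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 1),                 /* 7: non-zero -> 9 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                 /* 8 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),          /* 9: default deny */
};

/* Minimal classic-BPF interpreter covering only the forms used above:
 * absolute 32-bit loads, JEQ/JSET against a constant, RET constant. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:
            if (in->k + sizeof(acc) > sizeof(*sd))
                return SECCOMP_RET_KILL_PROCESS; /* load outside seccomp_data */
            memcpy(&acc, (const unsigned char *)sd + in->k, sizeof(acc));
            break;
        case BPF_JMP: {
            int taken;
            if (BPF_OP(in->code) == BPF_JEQ)       taken = (acc == in->k);
            else if (BPF_OP(in->code) == BPF_JSET) taken = (acc & in->k) != 0;
            else return SECCOMP_RET_KILL_PROCESS;  /* unsupported jump op */
            pc += taken ? in->jt : in->jf;
            break;
        }
        case BPF_RET:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;       /* unsupported class */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end: fail closed */
}

/* Decide syscall `nr` whose third argument (mprotect's prot) is `prot`. */
uint32_t sandbox_decide(int nr, uint64_t prot)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof(sd));
    sd.nr = nr;
    sd.arch = SC_AUDIT_ARCH;
    sd.args[2] = prot;
    return run_filter(mprotect_filter,
                      sizeof(mprotect_filter) / sizeof(mprotect_filter[0]), &sd);
}

/* 1 if mprotect(2) with this prot reaches the kernel, 0 if the filter kills. */
int mprotect_allowed(uint64_t prot)
{
    return sandbox_decide(__NR_mprotect, prot) == SECCOMP_RET_ALLOW;
}

/* How the same program is installed for real (not invoked by the tests). */
int install_mprotect_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(mprotect_filter) / sizeof(mprotect_filter[0]),
        .filter = (struct sock_filter *)mprotect_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

In a real sandbox the default action at the end sits behind many other allow rules, and the interpreter is only a test harness: once installed via install_mprotect_filter(), the kernel evaluates the same instructions. The same JSET-on-a-mask pattern applies to the prot argument of mmap(2), which is the follow-up question raised in the next comment.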
@djmdjm: Somewhat offtopic, would it make sense to limit PROT_EXEC for mmap(2) in that case?
I was just working on that :)
…On Fri, 23 Aug 2019 at 10:16, Yegor Timoshenko ***@***.***> wrote:
@djmdjm <https://github.com/djmdjm>: Somewhat offtopic, would it make
sense to limit PROT_EXEC for mmap(2) in that case?
OpenSSH feature request: test compatibility with hardened memory allocator Hardened Malloc
This allows using portable OpenSSH with OpenBSD malloc and GrapheneOS hardened_malloc.
See: