Bug #35184 for dhcp-public: isc-dhcpd sandboxing patch

Sat, 11 Jan 2014 02:14:25 -0500 Loganaden Velvindron <logan@elandsys.com> - Ticket created

Subject:	isc-dhcpd sandboxing patch
Date:	Fri, 10 Jan 2014 23:14:07 -0800
To:	dhcp-bugs@isc.org
From:	Loganaden Velvindron <logan@elandsys.com>

Dear Jeremy and ISC team, I'm currently running with isc-dhcpd sandboxed on Production Ubuntu servers. The patch restricts dhcpd to a small number of whitelisted C functions using seccomp. OpenSSH and systemd ship with a similar sandbox on Linux. This prevents exploits that use execve() and such. If there is interest in such a patch, I'm willing to improve it futher based on the feedback I get from ISC. diff --git a/dhcp-4.3.0a1/configure.ac b/dhcp-4.3.0a1/configure.ac index 3b7f12e..b4e87fe 100644 --- a/dhcp-4.3.0a1/configure.ac +++ b/dhcp-4.3.0a1/configure.ac @@ -145,6 +145,17 @@ if test "$enable_early_chroot" = "yes" ; then [Define to any value to chroot() prior to loading config.]) fi +# LIBSECCOMP is off by default -- needs testing with all the features +AC_ARG_ENABLE(libseccomp, + AS_HELP_STRING([--enable-libseccomp],[enable support for libseccomp sandboxing (default is no)])) +if test "$enable_libseccomp" = "yes" ; then + AC_SEARCH_LIBS(seccomp_init, [seccomp]) + if test "$ac_cv_search_seccomp_init" = "-lseccomp" ; then + AC_DEFINE([LIBSECCOMP], [1], + [Define to any value to include libseccomp sandboxing.]) + fi +fi + AC_ARG_ENABLE(ipv4_pktinfo, AS_HELP_STRING([--enable-ipv4-pktinfo],[enable use of pktinfo on IPv4 sockets (default is no)])) diff --git a/dhcp-4.3.0a1/server/dhcpd.c b/dhcp-4.3.0a1/server/dhcpd.c index ebf00fd..be21f37 100644 --- a/dhcp-4.3.0a1/server/dhcpd.c +++ b/dhcp-4.3.0a1/server/dhcpd.c @@ -58,6 +58,12 @@ static const char url [] = # undef group #endif /* PARANOIA */ +#if defined (LIBSECCOMP) +#include <sys/types.h> +#include <sys/resource.h> +#include <seccomp.h> +#endif /* LIBSECCOMP */ + #ifndef UNIT_TEST static void usage(void); #endif @@ -746,6 +752,79 @@ main(int argc, char **argv) { } } +#if defined (LIBSECCOMP) + scmp_filter_ctx ctx; + if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0) + log_fatal("%s:libseccomp activation failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_time /* not defined on EABI ARM */ + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR__newselect + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(_newselect), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#else + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(select), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif +#ifdef __NR_mmap + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_rt_sigprocmask + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#else + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fsync), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsid), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + + + if (seccomp_load(ctx) < 0) + log_fatal("%s:libseccomp unable to load filter", __func__); +#endif /* LIBSECCOMP */ + /* If we were requested to log to stdout on the command line, keep doing so; otherwise, stop. */ if (log_perror == -1) @@ -789,6 +868,7 @@ main(int argc, char **argv) { /* Log that we are about to start working */ log_info("Server starting service."); + /* * Receive packets and dispatch them... * dispatch() will never return.

Thu, 23 Jan 2014 13:07:14 -0500 Michael McNally <mcnally@isc.org> - Correspondence added

On Sat Jan 11 07:14:25 2014, logan@elandsys.com wrote:
> Dear Jeremy and ISC team,
>
> I'm currently running with isc-dhcpd sandboxed on Production Ubuntu
> servers.
>
> The patch restricts dhcpd to a small number of whitelisted C functions
> using
> seccomp. OpenSSH and systemd ship with a similar sandbox on Linux.
>
> This prevents exploits that use execve() and such.
>
> If there is interest in such a patch, I'm willing to improve it futher
> based on the feedback I get from ISC.

Hello.

Thank you for your patch, and apologies for the slow response --
our DHCP team has been very busy putting the finishing touches
on DHCP 4.3.0 and new maintenance versions of 4.2.x and 4.1-ESV.

Your patch looks interesting and will be forwarded to the development
team for assessment, but probably will not receive scrutiny until after
the release schedules currently in process are completed.

Thank you, though, for your submission and for your efforts to help
us improve ISC DHCP.

Michael McNally
ISC Support

Thu, 23 Jan 2014 13:07:14 -0500 The RT System itself - Status changed from 'new' to 'open'

Fri, 24 Jan 2014 18:36:12 -0500 Cathy Almond <cathya@isc.org> - Severity S2 Normal added

Thu, 13 Feb 2014 23:11:35 -0500 Loganaden Velvindron <logan@elandsys.com> - Correspondence added

Subject:	Re: [ISC-Bugs #35184] isc-dhcpd sandboxing patch
Date:	Thu, 13 Feb 2014 20:11:11 -0800
To:	Michael McNally via RT <dhcp-bugs@isc.org>
From:	Loganaden Velvindron <logan@elandsys.com>

On Thu, Jan 23, 2014 at 06:07:14PM +0000, Michael McNally via RT wrote: > On Sat Jan 11 07:14:25 2014, logan@elandsys.com wrote: > > Dear Jeremy and ISC team, > > > > I'm currently running with isc-dhcpd sandboxed on Production Ubuntu > > servers. > > > > The patch restricts dhcpd to a small number of whitelisted C functions > > using > > seccomp. OpenSSH and systemd ship with a similar sandbox on Linux. > > > > This prevents exploits that use execve() and such. > > > > If there is interest in such a patch, I'm willing to improve it futher > > based on the feedback I get from ISC. > > Hello. > > Thank you for your patch, and apologies for the slow response -- > our DHCP team has been very busy putting the finishing touches > on DHCP 4.3.0 and new maintenance versions of 4.2.x and 4.1-ESV. > > Your patch looks interesting and will be forwarded to the development > team for assessment, but probably will not receive scrutiny until after > the release schedules currently in process are completed. Thank you very much ! > > Thank you, though, for your submission and for your efforts to help > us improve ISC DHCP. You're most welcomed. > > Michael McNally > ISC Support > We've improved the diff further by testing it on 64-bit ubuntu servers running in production. Diff below: diff --git a/configure.ac b/configure.ac index a14366d..40a0cf0 100644 --- a/configure.ac +++ b/configure.ac @@ -145,6 +145,17 @@ if test "$enable_early_chroot" = "yes" ; then [Define to any value to chroot() prior to loading config.]) fi +# LIBSECCOMP is off by default -- needs testing with all the features +AC_ARG_ENABLE(libseccomp, + AS_HELP_STRING([--enable-libseccomp],[enable support for libseccomp sandboxing (default is no)])) +if test "$enable_libseccomp" = "yes" ; then + AC_SEARCH_LIBS(seccomp_init, [seccomp]) + if test "$ac_cv_search_seccomp_init" = "-lseccomp" ; then + AC_DEFINE([LIBSECCOMP], [1], + [Define to any value to include libseccomp sandboxing.]) + fi +fi + AC_ARG_ENABLE(ipv4_pktinfo, AS_HELP_STRING([--enable-ipv4-pktinfo],[enable use of pktinfo on IPv4 sockets (default is no)])) diff --git a/server/dhcpd.c b/server/dhcpd.c index a06913e..db00003 100644 --- a/server/dhcpd.c +++ b/server/dhcpd.c @@ -52,6 +52,12 @@ static const char url [] = # undef group #endif /* PARANOIA */ +#if defined (LIBSECCOMP) +#include <sys/types.h> +#include <sys/resource.h> +#include <seccomp.h> +#endif /* LIBSECCOMP */ + #ifndef UNIT_TEST static void usage(void); #endif @@ -740,6 +746,93 @@ main(int argc, char **argv) { } } +#if defined (LIBSECCOMP) + scmp_filter_ctx ctx; + if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0) + log_fatal("%s:libseccomp activation failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_time /* not defined on EABI ARM */ + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR__newselect + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(_newselect), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#else + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(select), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif +#ifdef __NR_mmap + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_rt_sigprocmask + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#else + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fsync), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_sigreturn + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#else + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsid), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_socketcall + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif +#ifdef __NR_sendto /* x86_64 */ + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0) <0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif +#ifdef __NR_recvfrom /* x86_64 */ + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0) <0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + + if (seccomp_load(ctx) < 0) + log_fatal("%s:libseccomp unable to load filter", __func__); +#endif /* LIBSECCOMP */ + /* If we were requested to log to stdout on the command line, keep doing so; otherwise, stop. */ if (log_perror == -1) @@ -783,6 +876,7 @@ main(int argc, char **argv) { /* Log that we are about to start working */ log_info("Server starting service."); + /* * Receive packets and dispatch them... * dispatch() will never return.

Fri, 21 Feb 2014 19:03:45 -0500 Shawn Routhier <sar@isc.org> - Reference to #35347: added

Mon, 24 Feb 2014 07:51:27 -0500 Loganaden Velvindron <logan@elandsys.com> - Correspondence added

Subject:	Re: [ISC-Bugs #35184] isc-dhcpd sandboxing patch
Date:	Mon, 24 Feb 2014 04:51:10 -0800
To:	Michael McNally via RT <dhcp-bugs@isc.org>
From:	Loganaden Velvindron <logan@elandsys.com>

On Thu, Jan 23, 2014 at 06:07:14PM +0000, Michael McNally via RT wrote: > On Sat Jan 11 07:14:25 2014, logan@elandsys.com wrote: > > Dear Jeremy and ISC team, > > > > I'm currently running with isc-dhcpd sandboxed on Production Ubuntu > > servers. > > > > The patch restricts dhcpd to a small number of whitelisted C functions > > using > > seccomp. OpenSSH and systemd ship with a similar sandbox on Linux. > > > > This prevents exploits that use execve() and such. > > > > If there is interest in such a patch, I'm willing to improve it futher > > based on the feedback I get from ISC. > > Hello. > > Thank you for your patch, and apologies for the slow response -- > our DHCP team has been very busy putting the finishing touches > on DHCP 4.3.0 and new maintenance versions of 4.2.x and 4.1-ESV. I saw that DHCP 4.3.0 was released. I would like to know if there is interest in the sandboxing patch for the next release of ISC-dhcpd. I've made further improvements to it. > > Your patch looks interesting and will be forwarded to the development > team for assessment, but probably will not receive scrutiny until after > the release schedules currently in process are completed. > > Thank you, though, for your submission and for your efforts to help > us improve ISC DHCP. > > Michael McNally > ISC Support >

Tue, 25 Feb 2014 23:28:43 -0500 Shawn Routhier <sar@isc.org> - Correspondence added

On Mon Feb 24 12:51:27 2014, logan@elandsys.com wrote:

>
> I saw that DHCP 4.3.0 was released. I would like to know if there is
> interest in the sandboxing patch for the next release of ISC-dhcpd.
>
> I've made further improvements to it.
>

We are interested in it, but I have been allowing the Bind9 team to work on and review the version of it you did for Bind9. After they complete their effort we shall evaluate it and probably include something similar in DHCP. I would like the two of them to use a similar style to allow for slightly easier updating in the future.

I do have some concerns about how difficult it will be to keep the code up to date, but believe if the patch is written to require the admin to enable it at configuration or run time it should be acceptable.

Wed, 26 Feb 2014 02:21:36 -0500 Loganaden Velvindron <logan@elandsys.com> - Correspondence added

Subject:	Re: [ISC-Bugs #35184] isc-dhcpd sandboxing patch
Date:	Tue, 25 Feb 2014 23:21:20 -0800
To:	Shawn Routhier via RT <dhcp-bugs@isc.org>
From:	Loganaden Velvindron <logan@elandsys.com>

On Wed, Feb 26, 2014 at 04:28:43AM +0000, Shawn Routhier via RT wrote: > On Mon Feb 24 12:51:27 2014, logan@elandsys.com wrote: > > > > > I saw that DHCP 4.3.0 was released. I would like to know if there is > > interest in the sandboxing patch for the next release of ISC-dhcpd. > > > > I've made further improvements to it. > > > > We are interested in it, but I have been allowing the Bind9 team to work on and > review the version of it you did for Bind9. After they complete their effort we > shall evaluate it and probably include something similar in DHCP. I would like > the two of them to use a similar style to allow for slightly easier updating in > the future. Hi Shawn, I've updated the diff to shape it closer to what Evan did. > > I do have some concerns about how difficult it will be to keep the code up to > date, but believe if the patch is written to require the admin to enable it at > configuration or run time it should be acceptable. > I have the same concerns, and that's why we've been talking to the bind team about a mailing list for contributors to test the sandbox each each release is close. Since we use dhcpd and bind in production environments, we're happy to push any changes upstream, and report issues, as we run with seccomp enabled on Linux servers. Kind regards, //Logan

Thu, 15 May 2014 14:05:53 -0400 Loganaden Velvindron <logan@elandsys.com> - Correspondence added

Subject:	Re: [ISC-Bugs #35184] isc-dhcpd sandboxing patch
Date:	Thu, 15 May 2014 11:05:50 -0700
To:	Shawn Routhier via RT <dhcp-bugs@isc.org>
From:	Loganaden Velvindron <logan@elandsys.com>

On Wed, Feb 26, 2014 at 04:28:43AM +0000, Shawn Routhier via RT wrote: > On Mon Feb 24 12:51:27 2014, logan@elandsys.com wrote: > > > > > I saw that DHCP 4.3.0 was released. I would like to know if there is > > interest in the sandboxing patch for the next release of ISC-dhcpd. > > > > I've made further improvements to it. > > > > We are interested in it, but I have been allowing the Bind9 team to work on and > review the version of it you did for Bind9. After they complete their effort we > shall evaluate it and probably include something similar in DHCP. I would like > the two of them to use a similar style to allow for slightly easier updating in > the future. Hi Shawn, I've put the finishing touches to the bind-seccomp patch. Evan is going to review it. > > I do have some concerns about how difficult it will be to keep the code up to > date, but believe if the patch is written to require the admin to enable it at > configuration or run time it should be acceptable. > I've modified the configure.in code in bind to have better suppor for detection of seccomp. Would you be interested in a similar addition for the dhcpd-seccomp sandbox patch ?

Mon, 19 May 2014 10:38:12 -0400 Loganaden Velvindron <logan@elandsys.com> - Correspondence added

Subject:	Re: [ISC-Bugs #35184] isc-dhcpd sandboxing patch
Date:	Mon, 19 May 2014 07:38:05 -0700
To:	Shawn Routhier via RT <dhcp-bugs@isc.org>
From:	Loganaden Velvindron <logan@elandsys.com>

On Wed, Feb 26, 2014 at 04:28:43AM +0000, Shawn Routhier via RT wrote: > On Mon Feb 24 12:51:27 2014, logan@elandsys.com wrote: > > > > > I saw that DHCP 4.3.0 was released. I would like to know if there is > > interest in the sandboxing patch for the next release of ISC-dhcpd. > > > > I've made further improvements to it. > > > > We are interested in it, but I have been allowing the Bind9 team to work on and > review the version of it you did for Bind9. After they complete their effort we > shall evaluate it and probably include something similar in DHCP. I would like > the two of them to use a similar style to allow for slightly easier updating in > the future. > Hi Shawn, I made further improvements to the isc-dhcpd seccomp diff and Evan committed support for seccomp in BIND. > I do have some concerns about how difficult it will be to keep the code up to > date, but believe if the patch is written to require the admin to enable it at > configuration or run time it should be acceptable. >

Mon, 19 May 2014 18:59:08 -0400 Shawn Routhier <sar@isc.org> - Correspondence added

On Mon May 19 14:38:12 2014, logan@elandsys.com wrote:
> On Wed, Feb 26, 2014 at 04:28:43AM +0000, Shawn Routhier via RT wrote:
>
> Hi Shawn,
>
> I made further improvements to the isc-dhcpd seccomp diff and
> Evan committed support for seccomp in BIND.

Evan mentioned this to me.

We are determining the content and release date for 4.3.1. This is
being done as a release with a number of smallish fixes and is probably
not the correct vehicle for your changes. I think we can try to put it
into 4.3.2. If you have a complete patch now and want to attach it
to this ticket that would be fine. Or if you'd like to work on it a bit more
that also would fine as we won't be starting work on 4.3.2 for a little.

>
>
> > I do have some concerns about how difficult it will be to keep the
> code up to
> > date, but believe if the patch is written to require the admin to
> enable it at
> > configuration or run time it should be acceptable.
> >
>

regards,
Shawn

Fri, 22 Aug 2014 04:06:28 -0400 Loganaden Velvindron <logan@elandsys.com> - Correspondence added

Subject:	Re: [ISC-Bugs #35184] isc-dhcpd sandboxing patch
Date:	Fri, 22 Aug 2014 01:06:19 -0700
To:	Shawn Routhier via RT <dhcp-bugs@isc.org>
From:	Loganaden Velvindron <logan@elandsys.com>

On Mon, May 19, 2014 at 10:59:09PM +0000, Shawn Routhier via RT wrote: > On Mon May 19 14:38:12 2014, logan@elandsys.com wrote: > > On Wed, Feb 26, 2014 at 04:28:43AM +0000, Shawn Routhier via RT wrote: > > > > Hi Shawn, > > > > I made further improvements to the isc-dhcpd seccomp diff and > > Evan committed support for seccomp in BIND. > > Evan mentioned this to me. Hi Shawn, Can I upload the diff now ? > > We are determining the content and release date for 4.3.1. This is > being done as a release with a number of smallish fixes and is probably > not the correct vehicle for your changes. I think we can try to put it > into 4.3.2. If you have a complete patch now and want to attach it > to this ticket that would be fine. Or if you'd like to work on it a bit more > that also would fine as we won't be starting work on 4.3.2 for a little. > > > > > > > > I do have some concerns about how difficult it will be to keep the > > code up to > > > date, but believe if the patch is written to require the admin to > > enable it at > > > configuration or run time it should be acceptable. > > > > > > > regards, > Shawn >

Mon, 25 Aug 2014 21:57:08 -0400 Shawn Routhier <sar@isc.org> - Correspondence added

On Fri Aug 22 08:06:28 2014, logan@elandsys.com wrote:

> Hi Shawn, Can I upload the diff now ?
>

Yes, we are working on the ticket list for 4.3.2 now
uploading the proposed patch would be fine.

thanks,
Shawn

Tue, 02 Sep 2014 17:43:08 -0400 Vicky Risk <vicky@isc.org> - Versions Planned 4.3.2 added

Mon, 15 Sep 2014 03:48:17 -0400 Loganaden Velvindron <logan@elandsys.com> - Correspondence added

Subject:	Re: [ISC-Bugs #35184] isc-dhcpd sandboxing patch
Date:	Mon, 15 Sep 2014 00:48:10 -0700
To:	Shawn Routhier via RT <dhcp-bugs@isc.org>
From:	Loganaden Velvindron <logan@elandsys.com>

On Tue, Aug 26, 2014 at 01:57:08AM +0000, Shawn Routhier via RT wrote: > On Fri Aug 22 08:06:28 2014, logan@elandsys.com wrote: > > > Hi Shawn, Can I upload the diff now ? > > > > Yes, we are working on the ticket list for 4.3.2 now > uploading the proposed patch would be fine. > > thanks, > Shawn > Hi Shawn, please find the first patch for the configure.ac script. (I'll upload the rest soon -- I'm still debugging a few stuff). diff --git a/configure.ac b/configure.ac index d5bd6de..239fe03 100644 --- a/configure.ac +++ b/configure.ac @@ -145,6 +145,60 @@ if test "$enable_early_chroot" = "yes" ; then [Define to any value to chroot() prior to loading config.]) fi +# LIBSECCOMP is off by default -- needs testing with all the features +AC_ARG_ENABLE(seccomp, + AS_HELP_STRING([--enable-seccomp],[enable support for seccomp sandboxing using libseccomp (default is no)])) +if test "$enable_libseccomp" = "yes" ; then + AC_SEARCH_LIBS(seccomp_init, [seccomp]) + if test "$ac_cv_search_seccomp_init" = "-lseccomp" ; then + AC_DEFINE([LIBSECCOMP], [1], + [Define to any value to include libseccomp sandboxing.]) + fi + # Test for kernel seccomp v2 support + AC_TRY_RUN([ + #include <stdio.h> + #include <stdlib.h> + #include <errno.h> + #include <sys/prctl.h> + #include <linux/seccomp.h> + + int main(void) + { + int ret; + ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0); + if (ret < 0) { + switch (errno) { + case ENOSYS: + return 1; + case EINVAL: + return 1; + default: + return 1; + } + } + ret = + prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); + if (ret < 0) { + switch (errno) { + case EINVAL: + return 1; + case EFAULT: + return 0; + default: + return 1; + } + } + return 1; + } +] +, AC_DEFINE([KERN_SECCOMP], 1, +[Define to use libseccomp system call filtering.]) +, [] +) + +fi + + AC_ARG_ENABLE(ipv4_pktinfo, AS_HELP_STRING([--enable-ipv4-pktinfo],[enable use of pktinfo on IPv4 sockets (default is no)])) @@ -655,9 +709,10 @@ Flags: CFLAGS: $CFLAGS Features: - debug: $enable_debug - failover: $enable_failover - execute: $enable_execute + debug: $enable_debug + failover: $enable_failover + execute: $enable_execute + seccomp sandbox: $enable_seccomp Developer: ATF unittests : $atf_path

Thu, 02 Oct 2014 00:22:58 -0400 Shawn Routhier <sar@isc.org> - Priority P2 Normal added

Mon, 23 Mar 2015 21:11:08 -0400 Shawn Routhier <sar@isc.org> - FinalPriority changed from 'Medium' to 'Low'

Mon, 23 Mar 2015 21:11:08 -0400 Shawn Routhier <sar@isc.org> - Priority changed from 'Medium' to 'Low'

Mon, 23 Mar 2015 21:11:09 -0400 Shawn Routhier <sar@isc.org> - Versions Planned 4.3.2 changed to 4.3.3

Thu, 26 Mar 2015 00:48:58 -0400 Shawn Routhier <sar@isc.org> - FinalPriority changed from 'Low' to 'Low'

Thu, 26 Mar 2015 00:48:58 -0400 Shawn Routhier <sar@isc.org> - Priority changed from 'Low' to 'Low'

Thu, 26 Mar 2015 15:47:01 -0400 Shawn Routhier <sar@isc.org> - FinalPriority changed from 'Low' to 'Medium'

Thu, 26 Mar 2015 15:47:02 -0400 Shawn Routhier <sar@isc.org> - Priority changed from 'Low' to 'Medium'

Thu, 26 Mar 2015 16:48:30 -0400 Shawn Routhier <sar@isc.org> - TimeEstimated changed from (no value) to '3600'

Thu, 30 Jul 2015 00:54:59 -0400 Shawn Routhier <sar@isc.org> - Versions Planned 4.3.3 changed to 4.3.4

Thu, 21 Apr 2016 13:00:10 -0400 Shawn Routhier <sar@isc.org> - Versions Planned 4.3.4 changed to 4.3.5

Wed, 30 Nov 2016 10:00:10 -0500 Thomas Markwalder <tmark@isc.org> - Versions Planned 4.3.5 changed to 4.3.6

Fri, 07 Jul 2017 15:41:33 -0400 Vicky Risk <vicky@isc.org> - Queue changed from #8 to dhcp-public

Fri, 07 Jul 2017 15:41:34 -0400 Vicky Risk <vicky@isc.org> - Area feature added

Created:	Sat, 11 Jan 2014 02:14:25 -0500
Updated:	Thu, 03 Aug 2017 07:55:00 -0400
Closed:	Not set

Bug #35184 for dhcp-public: isc-dhcpd sandboxing patch

This bug tracker is no longer active.