Subject: isc-dhcpd sandboxing patch
From: Loganaden Velvindron
To: dhcp-bugs@isc.org
Date: Fri, 10 Jan 2014 23:14:07 -0800
Message-ID: <20140111071407.GA5742@mx.elandsys.com>

Dear Jeremy and ISC team,

I'm currently running with isc-dhcpd sandboxed on Production Ubuntu servers. The patch restricts dhcpd to a small number of whitelisted C functions using seccomp. OpenSSH and systemd ship with a similar sandbox on Linux. This prevents exploits that use execve() and such.

If there is interest in such a patch, I'm willing to improve it further based on the feedback I get from ISC.

diff --git a/dhcp-4.3.0a1/configure.ac b/dhcp-4.3.0a1/configure.ac index 3b7f12e..b4e87fe 100644 --- a/dhcp-4.3.0a1/configure.ac +++ b/dhcp-4.3.0a1/configure.ac @@ -145,6 +145,17 @@ if test "$enable_early_chroot" = "yes" ; then [Define to any value to chroot() prior to loading config.]) fi +# LIBSECCOMP is off by default -- needs testing with all the features +AC_ARG_ENABLE(libseccomp, + AS_HELP_STRING([--enable-libseccomp],[enable support for libseccomp sandboxing (default is no)])) +if test "$enable_libseccomp" = "yes" ; then + AC_SEARCH_LIBS(seccomp_init, [seccomp]) + if test "$ac_cv_search_seccomp_init" = "-lseccomp" ; then + AC_DEFINE([LIBSECCOMP], [1], + [Define to any value to include libseccomp sandboxing.]) + fi +fi + AC_ARG_ENABLE(ipv4_pktinfo, AS_HELP_STRING([--enable-ipv4-pktinfo],[enable use of pktinfo on IPv4 sockets (default is no)])) diff --git a/dhcp-4.3.0a1/server/dhcpd.c b/dhcp-4.3.0a1/server/dhcpd.c index ebf00fd..be21f37 100644 --- a/dhcp-4.3.0a1/server/dhcpd.c +++ b/dhcp-4.3.0a1/server/dhcpd.c @@ -58,6 +58,12 @@ static const char url [] = # undef group #endif /* PARANOIA */ +#if defined (LIBSECCOMP) +#include +#include +#include +#endif /* LIBSECCOMP */ + #ifndef UNIT_TEST static void usage(void); #endif 
@@ -746,6 +752,79 @@ main(int argc, char **argv) { } } +#if defined (LIBSECCOMP) + scmp_filter_ctx ctx; + if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0) + log_fatal("%s:libseccomp activation failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_time /* not defined on EABI ARM */ + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR__newselect + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(_newselect), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#else + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(select), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 
SCMP_SYS(mmap2), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif +#ifdef __NR_mmap + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#ifdef __NR_rt_sigprocmask + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#else + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); +#endif + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fsync), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsid), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 0) < 0) + log_fatal("%s:libseccomp rule failed", __func__); + + + if (seccomp_load(ctx) < 0) + log_fatal("%s:libseccomp unable to load filter", __func__); +#endif /* LIBSECCOMP */ + /* If we were requested to log to stdout on the command line, keep doing so; otherwise, stop. */ if (log_perror == -1) @@ -789,6 +868,7 @@ main(int argc, char **argv) { /* Log that we are about to start working */ log_info("Server starting service."); + /* * Receive packets and dispatch them... * dispatch() will never return.
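Review bot: in the configure.ac hunk, `--enable-libseccomp` degrades silently: when the user asks for it and `AC_SEARCH_LIBS(seccomp_init, [seccomp])` finds nothing, the inner `if test "$ac_cv_search_seccomp_init" = "-lseccomp"` simply does not define LIBSECCOMP and the build proceeds unsandboxed with no message. Add an `else` branch with `AC_MSG_ERROR([--enable-libseccomp requested but libseccomp was not found])`, and pair the library probe with a header probe (`AC_CHECK_HEADERS`) so a missing development header is reported at configure time rather than as a compile failure in dhcpd.c.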
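Review bot: the three `#include` lines in the `@@ -58,6 +58,12 @@` hunk arrive with their header names stripped in this copy of the mail, so the headers themselves cannot be reviewed here; whatever they are, the `#ifdef __NR_time`, `__NR__newselect`, `__NR_mmap2`, `__NR_mmap` and `__NR_rt_sigprocmask` tests in the main() hunk rely on the kernel syscall-number macros being visible at that point, so the set must include `<sys/syscall.h>` (or whatever the build uses for `__NR_*`) and not only the libseccomp header.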
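Review bot: `if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)` is the wrong failure test: `scmp_filter_ctx` is a pointer type and `seccomp_init()` returns NULL on failure, so `< 0` never fires and a failed init continues into `seccomp_rule_add()` with a NULL context; write `if ((ctx = seccomp_init(SCMP_ACT_KILL)) == NULL)`. Further points in the same hunk: `seccomp_release(ctx)` is never called after `seccomp_load()`, which leaks the context; the list allows `socketcall` but none of the direct socket syscalls (`socket`, `bind`, `sendto`, `recvfrom`, `recvmsg`, `setsockopt`), and `socketcall` only exists on multiplexed-socket ABIs such as i386 and classic ARM, so on x86_64 the server would be killed on its first socket operation; there is no `fstat`, `lseek`, `ioctl`, `openat`, `rename` or `unlink`, so everything that runs after this point (lease-file rewrite, OMAPI, name-service lookups) needs to be exercised under the filter, and since a `SCMP_ACT_KILL` default turns every missed syscall into a silent SIGSYS, develop with `SCMP_ACT_TRAP` or audit logging and switch to KILL once the list is confirmed; finally, the long run of identical `seccomp_rule_add` / `log_fatal("%s:libseccomp rule failed", __func__)` pairs reads better as a static table of syscall numbers walked in one loop.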
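Review bot: the `@@ -789,6 +868,7 @@` hunk adds only a blank line after `log_info("Server starting service.");`; a whitespace-only hunk adds review noise without changing behaviour and should be dropped from the patch.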
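The mail describes the sandbox as an allowlist of syscalls with everything else killed. The following is an added example, not part of the submitted patch or of ISC's code: the same allowlist shape written against the raw seccomp interface (classic BPF via prctl) so that it builds without libseccomp, plus a small cBPF interpreter that dry-runs the policy for a given syscall number without installing it in the calling process. It assumes Linux with glibc headers on x86_64, i386 or aarch64; the syscall subset in `allowed_syscalls` and the function names are constructed for the example. Unlike the libseccomp calls in the patch, which add it for you, the program checks the architecture field first, since a syscall number only means something for the ABI it was issued under.

```c
/* Added example (not the patch's code): a seccomp allowlist as raw classic
 * BPF, a dry-run interpreter for it, and an installer. Assumes Linux with
 * glibc headers on x86_64 / i386 / aarch64; the syscall subset is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#  define NATIVE_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#  define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_INSNS   64
#define BAD_PROGRAM 0xffffffffu

/* Constructed subset of the allowlist in the patch. */
static const int allowed_syscalls[] = {
    __NR_read, __NR_write, __NR_close, __NR_brk, __NR_munmap,
    __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_exit_group,
};
#define N_ALLOWED (sizeof allowed_syscalls / sizeof allowed_syscalls[0])

/* Emits [arch check][load nr][one JEQ per allowed nr -> ALLOW][KILL][ALLOW].
 * Returns the instruction count, or 0 if the buffer is too small. */
size_t build_allowlist(struct sock_filter *p, size_t max, const int *nrs, size_t n)
{
    size_t i, k = 0;
    if (n > 255 || max < n + 6) return 0;            /* jt is 8 bits wide */
    /* Reject foreign-ABI syscalls before looking at the number at all. */
    p[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    p[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    p[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    p[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++)   /* on match, jump over the remaining compares and the KILL */
        p[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nrs[i], (uint8_t)(n - i), 0);
    p[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);   /* default verdict */
    p[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return k;
}

/* Minimal cBPF interpreter for the three instruction forms used above.
 * Returns the SECCOMP_RET_* verdict, or BAD_PROGRAM for anything else. */
uint32_t filter_verdict(const struct sock_filter *p, size_t len, uint32_t arch, uint32_t nr)
{
    struct seccomp_data d;
    uint32_t acc = 0;
    size_t pc;
    memset(&d, 0, sizeof d);
    d.nr = (int)nr;
    d.arch = arch;
    for (pc = 0; pc < len; pc++) {
        switch (p[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (p[pc].k + sizeof acc > sizeof d) return BAD_PROGRAM;
            memcpy(&acc, (const char *)&d + p[pc].k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:          /* offsets are relative to the next insn */
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;
            break;
        case BPF_RET | BPF_K:
            return p[pc].k;
        default:
            return BAD_PROGRAM;
        }
    }
    return BAD_PROGRAM;   /* fell off the end: the kernel rejects such a program */
}

/* Enforce for real. NO_NEW_PRIVS must come first for an unprivileged
 * process; libseccomp's seccomp_load() does the same thing internally. */
int install_allowlist(struct sock_filter *p, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = p };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0 ? -1 : 0;
}

/* Dry-run one syscall number against the example allowlist. */
uint32_t dry_run(uint32_t arch, uint32_t nr)
{
    struct sock_filter p[MAX_INSNS];
    size_t len = build_allowlist(p, MAX_INSNS, allowed_syscalls, N_ALLOWED);
    return len ? filter_verdict(p, len, arch, nr) : BAD_PROGRAM;
}

int main(void)
{
    printf("read   -> %s\n", dry_run(NATIVE_ARCH, __NR_read) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("execve -> %s\n", dry_run(NATIVE_ARCH, __NR_execve) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    /* A daemon would build once and call install_allowlist(p, len) just
     * before its main loop; from then on any unlisted syscall ends the process. */
    return 0;
}
```

The dry-run path is the useful part for reviewing a patch like this one: feed it the syscall numbers from a trace of the daemon under load (lease-file rewrite, OMAPI, a full DHCP exchange) and any `kill` verdict shows a gap in the list before the default is switched to KILL in production.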