Add rlimit and prevent the process from forking

mscherer · mscherer · commit 96f6cc169b29 · 2015-12-26T12:38:29.000+01:00
While it doesn't prevent all exploitations, it make
like harder for a attacker who would want to spawn a shell
or similar type of attack.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,5 @@
+0.0.14 XXX
+  Use prlimit on Linux to prevent tlsdate SSL code from forking again
 0.0.13 Thu 28, May, 2015
   Update default host to google.com - www.ptb.de randomized timestamps
 0.0.12 Sun 26, Oct, 2014
diff --git a/configure.ac b/configure.ac
@@ -183,6 +183,9 @@ AM_CONDITIONAL(HAVE_STRCHRNUL, [test "x${ac_cv_func_strchrnul}" = xyes])
 AC_CHECK_FUNCS([strnlen])
 AM_CONDITIONAL(HAVE_STRNLEN, [test "x${ac_cv_func_strnlen}" = xyes])
 
+AC_CHECK_FUNCS([prlimit])
+AM_CONDITIONAL(HAVE_PRLIMIT, [test "x${ac_cv_func_prlmit}" = xyes])
+
 AC_CHECK_FUNCS_ONCE(m4_flatten([
     gettimeofday
     prctl
diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c
@@ -1353,6 +1353,7 @@ main(int argc, char **argv)
   if (0 == ssl_child)
   {
     drop_privs_to (UNPRIV_USER, UNPRIV_GROUP);
+    forbid_fork ();
     run_ssl (time_map, leap, http);
     (void) munmap (time_map, sizeof (uint32_t));
     _exit (0);
diff --git a/src/util.c b/src/util.c
@@ -20,6 +20,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/ioctl.h>
+#include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
@@ -149,6 +150,26 @@ void enable_seccomp(void)
 #endif
 }
 
+/** Use prlimit to prevent a process from forking, thus making exploitation harder */
+void forbid_fork(void)
+{
+#ifdef TARGET_OS_LINUX
+#ifdef HAVE_PRLIMIT
+  static const struct rlimit limit = {
+    .rlim_cur = 0,
+    .rlim_max = 0,
+  };
+
+  if (-1 == prlimit(0, RLIMIT_NPROC, &limit, NULL))
+  {
+    die ("Failed to prlimit: %s\n", strerror (errno));
+  }
+#else
+  verb ("V: prlimit is not supported");
+#endif
+#endif
+}
+
 void
 drop_privs_to (const char *user, const char *group)
 {
diff --git a/src/util.h b/src/util.h
@@ -65,6 +65,7 @@ static inline int min (int x, int y)
 
 void drop_privs_to (const char *user, const char *group);
 void no_new_privs (void);
+void forbid_fork (void);
 const char *sync_type_str (int sync_type);
 
 struct state;

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+0.0.14 XXX`
	`2`	`+ Use prlimit on Linux to prevent tlsdate SSL code from forking again`
`1`	`3`	`0.0.13 Thu 28, May, 2015`
`2`	`4`	`Update default host to google.com - www.ptb.de randomized timestamps`
`3`	`5`	`0.0.12 Sun 26, Oct, 2014`
Original file line number	Diff line number	Diff line change
`@@ -1353,6 +1353,7 @@ main(int argc, char **argv)`
`1353`	`1353`	`if (0 == ssl_child)`
`1354`	`1354`	`{`
`1355`	`1355`	`drop_privs_to (UNPRIV_USER, UNPRIV_GROUP);`
	`1356`	`+ forbid_fork ();`
`1356`	`1357`	`run_ssl (time_map, leap, http);`
`1357`	`1358`	`(void) munmap (time_map, sizeof (uint32_t));`
`1358`	`1359`	`_exit (0);`