sshenv 0.0.1-alpha.1

SSH-key-backed encrypted vault for environment variables
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

//! Runtime hardening for commands that receive decrypted environment values.

use anyhow::Result;

/// Human-readable summary of runtime hardening selected for this platform.
#[must_use]
pub const fn platform_status() -> &'static str {
    if cfg!(target_os = "linux") {
        "Unix core dumps disabled; Linux non-dumpable; best-effort memory lock"
    } else if cfg!(unix) {
        "Unix core dumps disabled; best-effort memory lock"
    } else if cfg!(windows) {
        "Windows crash dialogs suppressed; heap corruption termination enabled"
    } else {
        "No platform-specific runtime hardening available"
    }
}

/// Apply best-effort process hardening before secrets are decrypted/injected.
///
/// This intentionally avoids changing user-visible command ergonomics. On Unix
/// it disables core dumps for the current process, which is inherited by the
/// exec'd child. On Linux it also marks the process non-dumpable where
/// supported. On Windows it applies best-effort crash-dialog and heap-corruption
/// hardening for the process before spawning the child.
///
/// # Errors
///
/// Returns an error only when a platform hardening syscall fails.
pub fn apply_for_secret_runtime() -> Result<()> {
    apply_core_dump_limit()?;
    apply_non_dumpable()?;
    apply_windows_hardening_best_effort();
    apply_memory_lock_best_effort();
    Ok(())
}

#[cfg(unix)]
fn apply_core_dump_limit() -> Result<()> {
    let limit = libc::rlimit {
        rlim_cur: 0,
        rlim_max: 0,
    };
    let rc = unsafe { libc::setrlimit(libc::RLIMIT_CORE, std::ptr::addr_of!(limit)) };
    if rc == 0 {
        Ok(())
    } else {
        Err(std::io::Error::last_os_error().into())
    }
}

#[cfg(not(unix))]
#[allow(clippy::missing_const_for_fn, clippy::unnecessary_wraps)]
fn apply_core_dump_limit() -> Result<()> {
    Ok(())
}

#[cfg(target_os = "linux")]
fn apply_non_dumpable() -> Result<()> {
    let rc = unsafe { libc::prctl(libc::PR_SET_DUMPABLE, 0, 0, 0, 0) };
    if rc == 0 {
        Ok(())
    } else {
        Err(std::io::Error::last_os_error().into())
    }
}

#[cfg(not(target_os = "linux"))]
#[allow(clippy::missing_const_for_fn, clippy::unnecessary_wraps)]
fn apply_non_dumpable() -> Result<()> {
    Ok(())
}

#[cfg(windows)]
fn apply_windows_hardening_best_effort() {
    apply_windows_error_mode();
    apply_windows_heap_termination_on_corruption();
}

#[cfg(windows)]
fn apply_windows_error_mode() {
    use windows_sys::Win32::System::Diagnostics::Debug::{
        SEM_NOGPFAULTERRORBOX, SEM_NOOPENFILEERRORBOX, SetErrorMode,
    };

    // SAFETY: SetErrorMode only updates process-global error UI behavior.
    unsafe {
        SetErrorMode(SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX);
    }
}

#[cfg(windows)]
fn apply_windows_heap_termination_on_corruption() {
    use windows_sys::Win32::System::Memory::{
        HeapEnableTerminationOnCorruption, HeapSetInformation,
    };

    // SAFETY: Passing a null heap handle applies the process default and this
    // information class requires no input buffer.
    let rc = unsafe {
        HeapSetInformation(
            std::ptr::null_mut(),
            HeapEnableTerminationOnCorruption,
            std::ptr::null(),
            0,
        )
    };
    if rc == 0 {
        eprintln!(
            "warning: could not enable Windows heap corruption termination for sshenv runtime hardening: {}",
            std::io::Error::last_os_error()
        );
    }
}

#[cfg(not(windows))]
const fn apply_windows_hardening_best_effort() {}

#[cfg(unix)]
fn apply_memory_lock_best_effort() {
    let rc = unsafe { libc::mlockall(libc::MCL_CURRENT | libc::MCL_FUTURE) };
    if rc != 0 {
        eprintln!(
            "warning: could not lock process memory for sshenv runtime hardening: {}",
            std::io::Error::last_os_error()
        );
    }
}

#[cfg(not(unix))]
const fn apply_memory_lock_best_effort() {}

#[cfg(test)]
mod tests {
    #[test]
    fn platform_status_matches_target_family() {
        let status = super::platform_status();
        #[cfg(target_os = "linux")]
        assert!(status.contains("Linux non-dumpable"));
        #[cfg(all(unix, not(target_os = "linux")))]
        assert!(status.contains("Unix core dumps disabled"));
        #[cfg(windows)]
        assert!(status.contains("Windows crash dialogs suppressed"));
        #[cfg(not(any(unix, windows)))]
        assert!(status.contains("No platform-specific"));
    }
}