1 dafb57b8 2021-01-15 op #include "gmid.h"
3 dafb57b8 2021-01-15 op #if defined(__FreeBSD__)
5 dafb57b8 2021-01-15 op #include <sys/capsicum.h>
6 dafb57b8 2021-01-15 op #include <err.h>
11 dafb57b8 2021-01-15 op struct vhost *h;
12 dafb57b8 2021-01-15 op int has_cgi = 0;
14 dafb57b8 2021-01-15 op for (h = hosts; h->domain != NULL; ++h)
15 dafb57b8 2021-01-15 op if (h->cgi != NULL)
18 dafb57b8 2021-01-15 op if (cap_enter() == -1)
19 dafb57b8 2021-01-15 op err(1, "cap_enter");
22 dafb57b8 2021-01-15 op #elif defined(__linux__)
24 71b7eb2f 2021-01-17 op #include <sys/prctl.h>
25 71b7eb2f 2021-01-17 op #include <sys/syscall.h>
26 71b7eb2f 2021-01-17 op #include <sys/syscall.h>
27 71b7eb2f 2021-01-17 op #include <sys/types.h>
29 71b7eb2f 2021-01-17 op #include <linux/audit.h>
30 71b7eb2f 2021-01-17 op #include <linux/filter.h>
31 71b7eb2f 2021-01-17 op #include <linux/seccomp.h>
33 71b7eb2f 2021-01-17 op #include <errno.h>
34 71b7eb2f 2021-01-17 op #include <stddef.h>
35 71b7eb2f 2021-01-17 op #include <stdio.h>
36 71b7eb2f 2021-01-17 op #include <seccomp.h>
37 71b7eb2f 2021-01-17 op #include <string.h>
39 71b7eb2f 2021-01-17 op /* thanks chromium' src/seccomp.c */
40 71b7eb2f 2021-01-17 op #if defined(__i386__)
41 71b7eb2f 2021-01-17 op # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
42 71b7eb2f 2021-01-17 op #elif defined(__x86_64__)
43 71b7eb2f 2021-01-17 op # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
44 71b7eb2f 2021-01-17 op #elif defined(__arm__)
45 71b7eb2f 2021-01-17 op # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
46 71b7eb2f 2021-01-17 op #elif defined(__aarch64__)
47 71b7eb2f 2021-01-17 op # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
48 71b7eb2f 2021-01-17 op #elif defined(__mips__)
49 71b7eb2f 2021-01-17 op # if defined(__mips64)
50 71b7eb2f 2021-01-17 op # if defined(__MIPSEB__)
51 71b7eb2f 2021-01-17 op # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
53 71b7eb2f 2021-01-17 op # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
56 71b7eb2f 2021-01-17 op # if defined(__MIPSEB__)
57 71b7eb2f 2021-01-17 op # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
59 71b7eb2f 2021-01-17 op # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
63 71b7eb2f 2021-01-17 op # error "Platform does not support seccomp filter yet"
66 71b7eb2f 2021-01-17 op /* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
67 71b7eb2f 2021-01-17 op /* #define SC_DEBUG */
69 71b7eb2f 2021-01-17 op #ifdef SC_DEBUG
70 71b7eb2f 2021-01-17 op # define SC_FAIL SECCOMP_RET_TRAP
72 71b7eb2f 2021-01-17 op # define SC_FAIL SECCOMP_RET_KILL
75 71b7eb2f 2021-01-17 op /* make the filter more readable */
76 71b7eb2f 2021-01-17 op #define SC_ALLOW(nr) \
77 71b7eb2f 2021-01-17 op BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
78 71b7eb2f 2021-01-17 op BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
80 71b7eb2f 2021-01-17 op #ifdef SC_DEBUG
82 71b7eb2f 2021-01-17 op #include <signal.h>
83 71b7eb2f 2021-01-17 op #include <unistd.h>
86 71b7eb2f 2021-01-17 op sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
91 71b7eb2f 2021-01-17 op fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
92 71b7eb2f 2021-01-17 op __func__, info->si_arch, info->si_syscall, info->si_call_addr);
97 71b7eb2f 2021-01-17 op sandbox_seccomp_catch_sigsys(void)
99 71b7eb2f 2021-01-17 op struct sigaction act;
100 71b7eb2f 2021-01-17 op sigset_t mask;
102 71b7eb2f 2021-01-17 op memset(&act, 0, sizeof(act));
103 71b7eb2f 2021-01-17 op sigemptyset(&mask);
104 71b7eb2f 2021-01-17 op sigaddset(&mask, SIGSYS);
106 71b7eb2f 2021-01-17 op act.sa_sigaction = &sandbox_seccomp_violation;
107 71b7eb2f 2021-01-17 op act.sa_flags = SA_SIGINFO;
108 71b7eb2f 2021-01-17 op if (sigaction(SIGSYS, &act, NULL) == -1) {
109 71b7eb2f 2021-01-17 op fprintf(stderr, "%s: sigaction(SIGSYS): %s\n",
110 71b7eb2f 2021-01-17 op __func__, strerror(errno));
113 71b7eb2f 2021-01-17 op if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) {
114 71b7eb2f 2021-01-17 op fprintf(stderr, "%s: sigprocmask(SIGSYS): %s\n",
115 71b7eb2f 2021-01-17 op __func__, strerror(errno));
119 71b7eb2f 2021-01-17 op #endif /* SC_DEBUG */
124 71b7eb2f 2021-01-17 op struct sock_filter filter[] = {
125 71b7eb2f 2021-01-17 op /* load the *current* architecture */
126 71b7eb2f 2021-01-17 op BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
127 71b7eb2f 2021-01-17 op (offsetof(struct seccomp_data, arch))),
128 71b7eb2f 2021-01-17 op /* ensure it's the same that we've been compiled on */
129 71b7eb2f 2021-01-17 op BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
130 71b7eb2f 2021-01-17 op SECCOMP_AUDIT_ARCH, 1, 0),
131 71b7eb2f 2021-01-17 op /* if not, kill the program */
132 71b7eb2f 2021-01-17 op BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
134 71b7eb2f 2021-01-17 op /* load the syscall number */
135 71b7eb2f 2021-01-17 op BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
136 71b7eb2f 2021-01-17 op (offsetof(struct seccomp_data, nr))),
138 71b7eb2f 2021-01-17 op /* allow logging on stdout */
139 71b7eb2f 2021-01-17 op SC_ALLOW(write),
140 71b7eb2f 2021-01-17 op SC_ALLOW(writev),
141 71b7eb2f 2021-01-17 op SC_ALLOW(readv),
143 71b7eb2f 2021-01-17 op /* these are used to serve the files. note how we
144 71b7eb2f 2021-01-17 op * allow openat but not open. */
145 71b7eb2f 2021-01-17 op SC_ALLOW(ppoll),
146 71b7eb2f 2021-01-17 op SC_ALLOW(accept),
147 71b7eb2f 2021-01-17 op SC_ALLOW(fcntl),
148 71b7eb2f 2021-01-17 op SC_ALLOW(read),
149 71b7eb2f 2021-01-17 op SC_ALLOW(openat),
150 71b7eb2f 2021-01-17 op SC_ALLOW(fstat),
151 71b7eb2f 2021-01-17 op SC_ALLOW(close),
152 71b7eb2f 2021-01-17 op SC_ALLOW(lseek),
153 71b7eb2f 2021-01-17 op SC_ALLOW(brk),
154 71b7eb2f 2021-01-17 op SC_ALLOW(mmap),
155 71b7eb2f 2021-01-17 op SC_ALLOW(munmap),
157 71b7eb2f 2021-01-17 op /* we need recvmsg to receive fd */
158 71b7eb2f 2021-01-17 op SC_ALLOW(recvmsg),
160 71b7eb2f 2021-01-17 op /* XXX: ??? */
161 71b7eb2f 2021-01-17 op SC_ALLOW(getpid),
163 71b7eb2f 2021-01-17 op SC_ALLOW(exit),
164 71b7eb2f 2021-01-17 op SC_ALLOW(exit_group),
166 71b7eb2f 2021-01-17 op /* allow ioctl but only on fd 1, glibc doing stuff? */
167 71b7eb2f 2021-01-17 op BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
168 71b7eb2f 2021-01-17 op BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
169 71b7eb2f 2021-01-17 op (offsetof(struct seccomp_data, args[0]))),
170 71b7eb2f 2021-01-17 op BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1),
171 71b7eb2f 2021-01-17 op BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
173 71b7eb2f 2021-01-17 op /* disallow enything else */
174 71b7eb2f 2021-01-17 op BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
177 71b7eb2f 2021-01-17 op struct sock_fprog prog = {
178 71b7eb2f 2021-01-17 op .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
179 71b7eb2f 2021-01-17 op .filter = filter,
182 71b7eb2f 2021-01-17 op #ifdef SC_DEBUG
183 71b7eb2f 2021-01-17 op sandbox_seccomp_catch_sigsys();
186 71b7eb2f 2021-01-17 op if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
187 71b7eb2f 2021-01-17 op fprintf(stderr, "%s: prctl(PR_SET_NO_NEW_PRIVS): %s\n",
188 71b7eb2f 2021-01-17 op __func__, strerror(errno));
192 71b7eb2f 2021-01-17 op if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
193 71b7eb2f 2021-01-17 op fprintf(stderr, "%s: prctl(PR_SET_SECCOMP): %s\n",
194 71b7eb2f 2021-01-17 op __func__, strerror(errno));
199 dafb57b8 2021-01-15 op #elif defined(__OpenBSD__)
201 dafb57b8 2021-01-15 op #include <err.h>
202 dafb57b8 2021-01-15 op #include <unistd.h>
207 dafb57b8 2021-01-15 op struct vhost *h;
209 dafb57b8 2021-01-15 op for (h = hosts; h->domain != NULL; ++h) {
210 dafb57b8 2021-01-15 op if (unveil(h->dir, "rx") == -1)
211 dafb57b8 2021-01-15 op err(1, "unveil %s for domain %s", h->dir, h->domain);
214 881a9dd9 2021-01-16 op if (pledge("stdio recvfd rpath inet", NULL) == -1)
215 dafb57b8 2021-01-15 op err(1, "pledge");
223 dafb57b8 2021-01-15 op LOGN(NULL, "%s", "no sandbox method known for this OS");