1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #if defined(__FreeBSD__)
20 
21 #include <sys/capsicum.h>
22 
23 void
24 sandbox()
25 {
26 	if (cap_enter() == -1)
27 		err(1, "cap_enter");
28 }
29 
30 #elif defined(__linux__)
31 
32 #include <sys/prctl.h>
33 #include <sys/syscall.h>
34 #include <sys/syscall.h>
35 #include <sys/types.h>
36 
37 #include <linux/audit.h>
38 #include <linux/filter.h>
39 #include <linux/seccomp.h>
40 
41 #include <errno.h>
42 #include <fcntl.h>
43 #include <stddef.h>
44 #include <stdio.h>
45 #include <string.h>
46 
47 /* thanks chromium' src/seccomp.c */
48 #if defined(__i386__)
49 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
50 #elif defined(__x86_64__)
51 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
52 #elif defined(__arm__)
53 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
54 #elif defined(__aarch64__)
55 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
56 #elif defined(__mips__)
57 #  if defined(__mips64)
58 #    if defined(__MIPSEB__)
59 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
60 #    else
61 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
62 #    endif
63 #  else
64 #    if defined(__MIPSEB__)
65 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
66 #    else
67 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
68 #    endif
69 #  endif
70 #else
71 #  error "Platform does not support seccomp filter yet"
72 #endif
73 
74 /* uncomment to enable debugging.  ONLY FOR DEVELOPMENT */
75 /* #define SC_DEBUG */
76 
77 #ifdef SC_DEBUG
78 # define SC_FAIL SECCOMP_RET_TRAP
79 #else
80 # define SC_FAIL SECCOMP_RET_KILL
81 #endif
82 
83 /* make the filter more readable */
84 #define SC_ALLOW(nr)						\
85 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1),	\
86 	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
87 
88 #ifdef SC_DEBUG
89 
90 #include <signal.h>
91 #include <unistd.h>
92 
93 static void
94 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
95 {
96 	(void)signum;
97 	(void)ctx;
98 
99 	fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
100 	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
101 	_exit(1);
102 }
103 
104 static void
105 sandbox_seccomp_catch_sigsys(void)
106 {
107 	struct sigaction act;
108 	sigset_t mask;
109 
110 	memset(&act, 0, sizeof(act));
111 	sigemptyset(&mask);
112 	sigaddset(&mask, SIGSYS);
113 
114 	act.sa_sigaction = &sandbox_seccomp_violation;
115 	act.sa_flags = SA_SIGINFO;
116 	if (sigaction(SIGSYS, &act, NULL) == -1) {
117 		fprintf(stderr, "%s: sigaction(SIGSYS): %s\n",
118 		    __func__, strerror(errno));
119 		exit(1);
120 	}
121 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) {
122 		fprintf(stderr, "%s: sigprocmask(SIGSYS): %s\n",
123 		    __func__, strerror(errno));
124 		exit(1);
125 	}
126 }
127 #endif	/* SC_DEBUG */
128 
129 void
130 sandbox()
131 {
132 	struct sock_filter filter[] = {
133 		/* load the *current* architecture */
134 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
135 		    (offsetof(struct seccomp_data, arch))),
136 		/* ensure it's the same that we've been compiled on */
137 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
138 		    SECCOMP_AUDIT_ARCH, 1, 0),
139 		/* if not, kill the program */
140 		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
141 
142 		/* load the syscall number */
143 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
144 		    (offsetof(struct seccomp_data, nr))),
145 
146 		/* allow logging on stdout */
147 		SC_ALLOW(write),
148 		SC_ALLOW(writev),
149 		SC_ALLOW(readv),
150 
151 		/* these are used to serve the files.  note how we
152 		 * allow openat but not open. */
153 		SC_ALLOW(epoll_pwait),
154 		SC_ALLOW(epoll_ctl),
155 		SC_ALLOW(accept4),
156 		SC_ALLOW(read),
157 		SC_ALLOW(openat),
158 		SC_ALLOW(fstat),
159 		SC_ALLOW(close),
160 		SC_ALLOW(lseek),
161 		SC_ALLOW(brk),
162 		SC_ALLOW(mmap),
163 		SC_ALLOW(munmap),
164 
165 		/* needed for signal handling */
166 		SC_ALLOW(rt_sigreturn),
167 		SC_ALLOW(rt_sigaction),
168 
169 		/* we need recvmsg to receive fd */
170 		SC_ALLOW(recvmsg),
171 
172 		/* XXX: ??? */
173 		SC_ALLOW(getpid),
174 
175 		/* alpine on amd64 */
176 		SC_ALLOW(clock_gettime),
177 		SC_ALLOW(madvise),
178 
179 		/* void on aarch64 does a gettrandom */
180 		SC_ALLOW(getrandom),
181 
182 		/* for directory listing */
183 		SC_ALLOW(getdents64),
184 
185 		SC_ALLOW(exit),
186 		SC_ALLOW(exit_group),
187 
188 		/* stuff used by syslog.  revisit once we move
189 		 * logging in its own process */
190 		SC_ALLOW(socket),
191 		SC_ALLOW(sendto),
192 		SC_ALLOW(connect),
193 
194 		/* allow only F_GETFL, F_SETFL & F_SETFD fcntl */
195 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
196 		BPF_STMT(BPF_LD  | BPF_W | BPF_ABS,
197 		    (offsetof(struct seccomp_data, args[1]))),
198 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
199 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
200 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
201 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
202 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFD, 0, 1),
203 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
204 		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
205 
206 		/* re-load the syscall number */
207 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
208 		    (offsetof(struct seccomp_data, nr))),
209 
210 		/* allow ioctl but only on fd 1, glibc doing stuff? */
211 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
212 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
213 		    (offsetof(struct seccomp_data, args[0]))),
214 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1),
215 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
216 
217 		/* disallow enything else */
218 		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
219 	};
220 
221 	struct sock_fprog prog = {
222 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
223 		.filter = filter,
224 	};
225 
226 #ifdef SC_DEBUG
227 	sandbox_seccomp_catch_sigsys();
228 #endif
229 
230 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
231 		fprintf(stderr, "%s: prctl(PR_SET_NO_NEW_PRIVS): %s\n",
232 		    __func__, strerror(errno));
233 		exit(1);
234 	}
235 
236 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
237 		fprintf(stderr, "%s: prctl(PR_SET_SECCOMP): %s\n",
238 		    __func__, strerror(errno));
239 		exit(1);
240 	}
241 }
242 
243 #elif defined(__OpenBSD__)
244 
245 #include <unistd.h>
246 
247 void
248 sandbox()
249 {
250 	struct vhost *h;
251 
252 	for (h = hosts; h->domain != NULL; ++h) {
253 		if (unveil(h->dir, "r") == -1)
254 			err(1, "unveil %s for domain %s", h->dir, h->domain);
255 	}
256 
257 	if (pledge("stdio recvfd rpath inet", NULL) == -1)
258 		err(1, "pledge");
259 }
260 
261 #else
262 
263 void
264 sandbox()
265 {
266         LOGN(NULL, "%s", "no sandbox method known for this OS");
267 }
268 
269 #endif