Blob


1 /*
2 * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
17 #include "gmid.h"
19 #if DISABLE_SANDBOX
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
23 void
24 sandbox_server_process(int can_open_sockets)
25 {
26 return;
27 }
29 void
30 sandbox_logger_process(void)
31 {
32 return;
33 }
35 #elif defined(__FreeBSD__)
37 #include <sys/capsicum.h>
39 void
40 sandbox_server_process(int can_open_sockets)
41 {
42 /* can't capsicum if fastcgi or proxying are used. */
43 if (can_open_sockets)
44 return;
46 if (cap_enter() == -1)
47 fatal("cap_enter");
48 }
50 void
51 sandbox_logger_process(void)
52 {
53 if (cap_enter() == -1)
54 fatal("cap_enter");
55 }
57 #elif defined(__linux__)
59 #include <sys/ioctl.h>
60 #include <sys/prctl.h>
61 #include <sys/syscall.h>
62 #include <sys/syscall.h>
63 #include <sys/types.h>
65 #include <linux/audit.h>
66 #include <linux/filter.h>
67 #include <linux/seccomp.h>
69 #include <errno.h>
70 #include <fcntl.h>
71 #include <stddef.h>
72 #include <stdio.h>
73 #include <string.h>
75 #if HAVE_LANDLOCK
76 # include "landlock_shim.h"
77 #endif
79 /* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
80 /* #define SC_DEBUG */
82 #ifdef SC_DEBUG
83 # define SC_FAIL SECCOMP_RET_TRAP
84 #else
85 # define SC_FAIL SECCOMP_RET_KILL
86 #endif
88 #if (BYTE_ORDER == LITTLE_ENDIAN)
89 # define SC_ARG_LO 0
90 # define SC_ARG_HI sizeof(uint32_t)
91 #elif (BYTE_ORDER == BIG_ENDIAN)
92 # define SC_ARG_LO sizeof(uint32_t)
93 # define SC_ARG_HI 0
94 #else
95 # error "Uknown endian"
96 #endif
98 /* make the filter more readable */
99 #define SC_ALLOW(nr) \
100 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
101 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
103 /*
104 * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
105 * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
106 */
107 #define SC_ALLOW_ARG(_nr, _arg, _val) \
108 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6), \
109 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
110 offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO), \
111 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
112 ((_val) & 0xffffffff), 0, 3), \
113 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
114 offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI), \
115 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
116 (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1), \
117 BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), \
118 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
119 offsetof(struct seccomp_data, nr))
121 /*
122 * I personally find this quite nutty. Why can a system header not
123 * define a default for this?
124 */
125 #if defined(__i386__)
126 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
127 #elif defined(__x86_64__)
128 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
129 #elif defined(__arc__)
130 # if defined(__A7__)
131 # if (BYTE_ORDER == LITTLE_ENDIAN)
132 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
133 # else
134 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
135 # endif
136 # elif defined(__HS__)
137 # if (BYTE_ORDER == LITTLE_ENDIAN)
138 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
139 # else
140 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
141 # endif
142 # else
143 # error "Platform does not support seccomp filter yet"
144 # endif
145 #elif defined(__arm__)
146 # ifndef EM_ARM
147 # define EM_ARM 40
148 # endif
149 # if (BYTE_ORDER == LITTLE_ENDIAN)
150 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
151 # else
152 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
153 # endif
154 #elif defined(__aarch64__)
155 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
156 #elif defined(__alpha__)
157 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
158 #elif defined(__hppa__)
159 # if defined(__LP64__)
160 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
161 # else
162 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
163 # endif
164 #elif defined(__ia64__)
165 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
166 #elif defined(__microblaze__)
167 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
168 #elif defined(__m68k__)
169 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
170 #elif defined(__mips__)
171 # if defined(__MIPSEL__)
172 # if defined(__LP64__)
173 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
174 # else
175 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
176 # endif
177 # elif defined(__LP64__)
178 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
179 # else
180 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
181 # endif
182 #elif defined(__nds32__)
183 # if (BYTE_ORDER == LITTLE_ENDIAN)
184 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
185 #else
186 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
187 #endif
188 #elif defined(__nios2__)
189 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
190 #elif defined(__or1k__)
191 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
192 #elif defined(__powerpc64__)
193 # if (BYTE_ORDER == LITTLE_ENDIAN)
194 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
195 # else
196 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
197 # endif
198 #elif defined(__powerpc__)
199 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
200 #elif defined(__riscv)
201 # if defined(__LP64__)
202 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
203 # else
204 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
205 # endif
206 #elif defined(__s390x__)
207 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
208 #elif defined(__s390__)
209 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
210 #elif defined(__sh__)
211 # if defined(__LP64__)
212 # if (BYTE_ORDER == LITTLE_ENDIAN)
213 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
214 # else
215 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
216 # endif
217 # else
218 # if (BYTE_ORDER == LITTLE_ENDIAN)
219 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
220 # else
221 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
222 # endif
223 # endif
224 #elif defined(__sparc__)
225 # if defined(__arch64__)
226 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
227 # else
228 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
229 # endif
230 #elif defined(__xtensa__)
231 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
232 #else
233 # error "Platform does not support seccomp filter yet"
234 #endif
236 static const struct sock_filter filter[] = {
237 /* load the *current* architecture */
238 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
239 (offsetof(struct seccomp_data, arch))),
240 /* ensure it's the same that we've been compiled on */
241 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
242 SECCOMP_AUDIT_ARCH, 1, 0),
243 /* if not, kill the program */
244 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
246 /* load the syscall number */
247 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
248 (offsetof(struct seccomp_data, nr))),
250 #ifdef __NR_accept
251 SC_ALLOW(accept),
252 #endif
253 #ifdef __NR_accept4
254 SC_ALLOW(accept4),
255 #endif
256 #ifdef __NR_brk
257 SC_ALLOW(brk),
258 #endif
259 #ifdef __NR_clock_gettime
260 SC_ALLOW(clock_gettime),
261 #endif
262 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
263 SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
264 #endif
265 #ifdef __NR_clock_gettime64
266 SC_ALLOW(clock_gettime64),
267 #endif
268 #ifdef __NR_close
269 SC_ALLOW(close),
270 #endif
271 #ifdef __NR_epoll_ctl
272 SC_ALLOW(epoll_ctl),
273 #endif
274 #ifdef __NR_epoll_pwait
275 SC_ALLOW(epoll_pwait),
276 #endif
277 #ifdef __NR_epoll_wait
278 SC_ALLOW(epoll_wait),
279 #endif
280 #ifdef __NR_exit
281 SC_ALLOW(exit),
282 #endif
283 #ifdef __NR_exit_group
284 SC_ALLOW(exit_group),
285 #endif
286 #ifdef __NR_fcntl
287 SC_ALLOW(fcntl),
288 #endif
289 #ifdef __NR_fcntl64
290 SC_ALLOW(fcntl64),
291 #endif
292 #ifdef __NR_fstat
293 SC_ALLOW(fstat),
294 #endif
295 #ifdef __NR_fstat64
296 SC_ALLOW(fstat64),
297 #endif
298 #ifdef __NR_fstatat64
299 SC_ALLOW(fstatat64),
300 #endif
301 #ifdef __NR_getdents64
302 SC_ALLOW(getdents64),
303 #endif
304 #ifdef __NR_getpid
305 SC_ALLOW(getpid),
306 #endif
307 #ifdef __NR_getrandom
308 SC_ALLOW(getrandom),
309 #endif
310 #ifdef __NR_gettimeofday
311 SC_ALLOW(gettimeofday),
312 #endif
313 #ifdef __NR_ioctl
314 /* allow ioctl on fd 1, glibc doing stuff? */
315 SC_ALLOW_ARG(__NR_ioctl, 0, 1),
316 /* allow FIONREAD needed by libevent */
317 SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
318 #endif
319 #ifdef __NR__llseek
320 SC_ALLOW(_llseek),
321 #endif
322 #ifdef __NR_lseek
323 SC_ALLOW(lseek),
324 #endif
325 #ifdef __NR_madvise
326 SC_ALLOW(madvise),
327 #endif
328 #ifdef __NR_mmap
329 SC_ALLOW(mmap),
330 #endif
331 #ifdef __NR_mmap2
332 SC_ALLOW(mmap2),
333 #endif
334 #ifdef __NR_munmap
335 SC_ALLOW(munmap),
336 #endif
337 #ifdef __NR_newfstatat
338 SC_ALLOW(newfstatat),
339 #endif
340 #ifdef __NR_oldfstat
341 SC_ALLOW(oldfstat),
342 #endif
343 #ifdef __NR_openat
344 SC_ALLOW_ARG(__NR_openat, 3, O_RDONLY),
345 #endif
346 #ifdef __NR_prlimit64
347 SC_ALLOW(prlimit64),
348 #endif
349 #ifdef __NR_read
350 SC_ALLOW(read),
351 #endif
352 #ifdef __NR_recvmsg
353 SC_ALLOW(recvmsg),
354 #endif
355 #ifdef __NR_readv
356 SC_ALLOW(readv),
357 #endif
358 #ifdef __NR_rt_sigaction
359 SC_ALLOW(rt_sigaction),
360 #endif
361 #ifdef __NR_rt_sigreturn
362 SC_ALLOW(rt_sigreturn),
363 #endif
364 #ifdef __NR_sendmsg
365 SC_ALLOW(sendmsg),
366 #endif
367 #ifdef __NR_sigreturn
368 SC_ALLOW(sigreturn),
369 #endif
370 #ifdef __NR_statx
371 SC_ALLOW(statx),
372 #endif
373 #ifdef __NR_ugetrlimit
374 SC_ALLOW(ugetrlimit),
375 #endif
376 #ifdef __NR_write
377 SC_ALLOW(write),
378 #endif
379 #ifdef __NR_writev
380 SC_ALLOW(writev),
381 #endif
383 /* disallow everything else */
384 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
385 };
387 #ifdef SC_DEBUG
389 #include <signal.h>
390 #include <unistd.h>
392 static void
393 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
395 fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
396 __func__, info->si_arch, info->si_syscall, info->si_call_addr);
397 _exit(1);
400 static void
401 sandbox_seccomp_catch_sigsys(void)
403 struct sigaction act;
404 sigset_t mask;
406 memset(&act, 0, sizeof(act));
407 sigemptyset(&mask);
408 sigaddset(&mask, SIGSYS);
410 act.sa_sigaction = &sandbox_seccomp_violation;
411 act.sa_flags = SA_SIGINFO;
412 if (sigaction(SIGSYS, &act, NULL) == -1)
413 fatal("%s: sigaction(SIGSYS): %s",
414 __func__, strerror(errno));
416 if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
417 fatal("%s: sigprocmask(SIGSYS): %s\n",
418 __func__, strerror(errno));
420 #endif /* SC_DEBUG */
422 #if HAVE_LANDLOCK
423 static inline int
424 open_landlock(void)
426 int fd;
428 const struct landlock_ruleset_attr attr = {
429 .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE |
430 LANDLOCK_ACCESS_FS_READ_FILE |
431 LANDLOCK_ACCESS_FS_READ_DIR |
432 LANDLOCK_ACCESS_FS_WRITE_FILE |
433 LANDLOCK_ACCESS_FS_REMOVE_DIR |
434 LANDLOCK_ACCESS_FS_REMOVE_FILE |
435 LANDLOCK_ACCESS_FS_MAKE_CHAR |
436 LANDLOCK_ACCESS_FS_MAKE_DIR |
437 LANDLOCK_ACCESS_FS_MAKE_REG |
438 LANDLOCK_ACCESS_FS_MAKE_SOCK |
439 LANDLOCK_ACCESS_FS_MAKE_FIFO |
440 LANDLOCK_ACCESS_FS_MAKE_BLOCK |
441 LANDLOCK_ACCESS_FS_MAKE_SYM,
442 };
444 fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
445 if (fd == -1) {
446 switch (errno) {
447 case ENOSYS:
448 fatal("%s: failed to create ruleset. "
449 "Landlock doesn't seem to be supported by the "
450 "current kernel.", __func__);
451 case EOPNOTSUPP:
452 log_warn(NULL, "%s: failed to create ruleset. "
453 "Landlock seems to be currently disabled; "
454 "continuing without it.", __func__);
455 break;
456 default:
457 fatal("%s: failed to create ruleset: %s",
458 __func__, strerror(errno));
462 return fd;
465 static int
466 landlock_unveil_path(int landlock_fd, const char *path, int perms)
468 struct landlock_path_beneath_attr pb;
469 int err, saved_errno;
471 pb.allowed_access = perms;
473 if ((pb.parent_fd = open(path, O_PATH)) == -1)
474 return -1;
476 err = landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH,
477 &pb, 0);
478 saved_errno = errno;
479 close(pb.parent_fd);
480 errno = saved_errno;
481 return err ? -1 : 0;
484 static int
485 landlock_apply(int fd)
487 int r, saved_errno;
489 if (fd == -1)
490 return 0;
492 r = landlock_restrict_self(fd, 0);
493 saved_errno = errno;
494 close(fd);
495 errno = saved_errno;
496 return r ? -1 : 0;
499 static int
500 server_landlock(void)
502 int fd, perms;
503 struct vhost *h;
504 struct location *l;
506 /*
507 * These are all the actions allowed for the root directories
508 * of the vhosts.
509 */
510 perms = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
512 if ((fd = open_landlock()) == -1)
513 return 0;
515 TAILQ_FOREACH(h, &hosts, vhosts) {
516 TAILQ_FOREACH(l, &h->locations, locations) {
517 if (*l->dir == '\0')
518 continue;
520 if (landlock_unveil_path(fd, l->dir, perms) == -1)
521 fatal("%s: landlock_unveil_path(%s): %s",
522 __func__, l->dir, strerror(errno));
526 return landlock_apply(fd);
529 static int
530 logger_landlock(void)
532 int fd;
534 if ((fd = open_landlock()) == -1)
535 return 0;
537 /* no rules. the logger doesn't need fs access at all. */
539 return landlock_apply(fd);
541 #endif
543 void
544 sandbox_server_process(int can_open_sockets)
546 const struct sock_fprog prog = {
547 .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
548 .filter = filter,
549 };
551 /* can't seccomp/landlock if fastcgi or proxying are used. */
552 if (can_open_sockets)
553 return;
556 #ifdef SC_DEBUG
557 sandbox_seccomp_catch_sigsys();
558 #endif
560 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
561 fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
562 __func__, strerror(errno));
564 #if HAVE_LANDLOCK
565 if (server_landlock() == -1)
566 fatal("%s: server_landlock: %s",
567 __func__, strerror(errno));
568 #endif
570 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
571 fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
572 __func__, strerror(errno));
575 void
576 sandbox_logger_process(void)
578 /*
579 * Here we could use a seccomp filter to allow only recvfd,
580 * write/writev and memory allocations, but syslog is a beast
581 * and I don't know what syscalls it could end up doing.
582 * Landlock is a simpler beast, use it to disallow any file
583 * sytsem access.
584 */
586 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
587 fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
588 __func__, strerror(errno));
590 #if HAVE_LANDLOCK
591 if (logger_landlock() == -1)
592 fatal("%s: logger_landlock: %s",
593 __func__, strerror(errno));
594 #endif
596 return;
599 #elif defined(__OpenBSD__)
601 #include <unistd.h>
603 void
604 sandbox_server_process(int can_open_sockets)
606 struct vhost *h;
607 struct location *l;
609 TAILQ_FOREACH(h, &hosts, vhosts) {
610 TAILQ_FOREACH(l, &h->locations, locations) {
611 if (*l->dir == '\0')
612 continue;
614 if (unveil(l->dir, "r") == -1)
615 fatal("unveil %s for domain %s",
616 l->dir,
617 h->domain);
621 if (pledge("stdio recvfd rpath inet dns", NULL) == -1)
622 fatal("pledge");
625 void
626 sandbox_logger_process(void)
628 if (pledge("stdio recvfd", NULL) == -1)
629 err(1, "pledge");
632 #else
634 #warning "No sandbox method known for this OS"
636 void
637 sandbox_server_process(int can_open_sockets)
639 return;
642 void
643 sandbox_logger_process(void)
645 return;
648 #endif