1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #if DISABLE_SANDBOX
20 
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
22 
23 void
24 sandbox_server_process(void)
25 {
26 	return;
27 }
28 
29 void
30 sandbox_logger_process(void)
31 {
32 	return;
33 }
34 
35 #elif defined(__FreeBSD__)
36 
37 #include <sys/capsicum.h>
38 
39 void
40 sandbox_server_process(void)
41 {
42 	if (cap_enter() == -1)
43 		fatal("cap_enter");
44 }
45 
46 void
47 sandbox_logger_process(void)
48 {
49 	if (cap_enter() == -1)
50 		fatal("cap_enter");
51 }
52 
53 #elif defined(__linux__)
54 
55 #include <sys/ioctl.h>
56 #include <sys/prctl.h>
57 #include <sys/syscall.h>
58 #include <sys/syscall.h>
59 #include <sys/types.h>
60 
61 #include <linux/audit.h>
62 #include <linux/filter.h>
63 #include <linux/seccomp.h>
64 
65 #include <errno.h>
66 #include <fcntl.h>
67 #include <stddef.h>
68 #include <stdio.h>
69 #include <string.h>
70 
71 #if HAVE_LANDLOCK
72 # include "landlock_shim.h"
73 #endif
74 
75 /* uncomment to enable debugging.  ONLY FOR DEVELOPMENT */
76 /* #define SC_DEBUG */
77 
78 #ifdef SC_DEBUG
79 # define SC_FAIL SECCOMP_RET_TRAP
80 #else
81 # define SC_FAIL SECCOMP_RET_KILL
82 #endif
83 
84 #if (BYTE_ORDER == LITTLE_ENDIAN)
85 # define SC_ARG_LO	0
86 # define SC_ARG_HI	sizeof(uint32_t)
87 #elif (BYTE_ORDER == BIG_ENDIAN)
88 # define SC_ARG_LO	sizeof(uint32_t)
89 # define SC_ARG_HI	0
90 #else
91 # error "Uknown endian"
92 #endif
93 
94 /* make the filter more readable */
95 #define SC_ALLOW(nr)						\
96 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1),	\
97 	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
98 
99 /*
100  * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
101  * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
102  */
103 #define SC_ALLOW_ARG(_nr, _arg, _val)						\
104 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6),			\
105 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
106 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO),		\
107 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
108 	    ((_val) & 0xffffffff), 0, 3),					\
109 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
110 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI),		\
111 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
112 	    (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1),		\
113 	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),				\
114 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
115 	    offsetof(struct seccomp_data, nr))
116 
117 /*
118  * I personally find this quite nutty.  Why can a system header not
119  * define a default for this?
120  */
121 #if defined(__i386__)
122 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
123 #elif defined(__x86_64__)
124 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
125 #elif defined(__arc__)
126 #  if defined(__A7__)
127 #    if (BYTE_ORDER == LITTLE_ENDIAN)
128 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
129 #    else
130 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
131 #    endif
132 #  elif defined(__HS__)
133 #    if (BYTE_ORDER == LITTLE_ENDIAN)
134 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
135 #    else
136 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
137 #    endif
138 #  else
139 #    error "Platform does not support seccomp filter yet"
140 #  endif
141 #elif defined(__arm__)
142 #  ifndef EM_ARM
143 #    define EM_ARM 40
144 #  endif
145 #  if (BYTE_ORDER == LITTLE_ENDIAN)
146 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
147 #  else
148 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
149 #  endif
150 #elif defined(__aarch64__)
151 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
152 #elif defined(__alpha__)
153 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
154 #elif defined(__hppa__)
155 #  if defined(__LP64__)
156 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
157 #  else
158 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
159 #  endif
160 #elif defined(__ia64__)
161 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
162 #elif defined(__microblaze__)
163 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
164 #elif defined(__m68k__)
165 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
166 #elif defined(__mips__)
167 #  if defined(__MIPSEL__)
168 #    if defined(__LP64__)
169 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
170 #    else
171 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
172 #    endif
173 #  elif defined(__LP64__)
174 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
175 #  else
176 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
177 #  endif
178 #elif defined(__nds32__)
179 #  if (BYTE_ORDER == LITTLE_ENDIAN)
180 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
181 #else
182 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
183 #endif
184 #elif defined(__nios2__)
185 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
186 #elif defined(__or1k__)
187 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
188 #elif defined(__powerpc64__)
189 #  if (BYTE_ORDER == LITTLE_ENDIAN)
190 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
191 #  else
192 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
193 #  endif
194 #elif defined(__powerpc__)
195 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
196 #elif defined(__riscv)
197 #  if defined(__LP64__)
198 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
199 #  else
200 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
201 #  endif
202 #elif defined(__s390x__)
203 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
204 #elif defined(__s390__)
205 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
206 #elif defined(__sh__)
207 #  if defined(__LP64__)
208 #    if (BYTE_ORDER == LITTLE_ENDIAN)
209 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
210 #    else
211 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
212 #    endif
213 #  else
214 #    if (BYTE_ORDER == LITTLE_ENDIAN)
215 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
216 #    else
217 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
218 #    endif
219 #  endif
220 #elif defined(__sparc__)
221 #  if defined(__arch64__)
222 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
223 #  else
224 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
225 #  endif
226 #elif defined(__xtensa__)
227 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
228 #else
229 #  error "Platform does not support seccomp filter yet"
230 #endif
231 
232 static const struct sock_filter filter[] = {
233 	/* load the *current* architecture */
234 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
235 	    (offsetof(struct seccomp_data, arch))),
236 	/* ensure it's the same that we've been compiled on */
237 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
238 	    SECCOMP_AUDIT_ARCH, 1, 0),
239 	/* if not, kill the program */
240 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
241 
242 	/* load the syscall number */
243 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
244 	    (offsetof(struct seccomp_data, nr))),
245 
246 #ifdef __NR_accept
247 	SC_ALLOW(accept),
248 #endif
249 #ifdef __NR_accept4
250 	SC_ALLOW(accept4),
251 #endif
252 #ifdef __NR_brk
253 	SC_ALLOW(brk),
254 #endif
255 #ifdef __NR_clock_gettime
256 	SC_ALLOW(clock_gettime),
257 #endif
258 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
259 	SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
260 #endif
261 #ifdef __NR_clock_gettime64
262 	SC_ALLOW(clock_gettime64),
263 #endif
264 #ifdef __NR_close
265 	SC_ALLOW(close),
266 #endif
267 #ifdef __NR_epoll_ctl
268 	SC_ALLOW(epoll_ctl),
269 #endif
270 #ifdef __NR_epoll_pwait
271 	SC_ALLOW(epoll_pwait),
272 #endif
273 #ifdef __NR_epoll_wait
274 	SC_ALLOW(epoll_wait),
275 #endif
276 #ifdef __NR_exit
277 	SC_ALLOW(exit),
278 #endif
279 #ifdef __NR_exit_group
280 	SC_ALLOW(exit_group),
281 #endif
282 #ifdef __NR_fcntl
283 	SC_ALLOW(fcntl),
284 #endif
285 #ifdef __NR_fcntl64
286 	SC_ALLOW(fcntl64),
287 #endif
288 #ifdef __NR_fstat
289 	SC_ALLOW(fstat),
290 #endif
291 #ifdef __NR_fstat64
292 	SC_ALLOW(fstat64),
293 #endif
294 #ifdef __NR_fstatat64
295 	SC_ALLOW(fstatat64),
296 #endif
297 #ifdef __NR_getdents64
298 	SC_ALLOW(getdents64),
299 #endif
300 #ifdef __NR_getpid
301 	SC_ALLOW(getpid),
302 #endif
303 #ifdef __NR_getrandom
304 	SC_ALLOW(getrandom),
305 #endif
306 #ifdef __NR_gettimeofday
307 	SC_ALLOW(gettimeofday),
308 #endif
309 #ifdef __NR_ioctl
310 	/* allow ioctl on fd 1, glibc doing stuff? */
311 	SC_ALLOW_ARG(__NR_ioctl, 0, 1),
312 	/* allow FIONREAD needed by libevent */
313 	SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
314 #endif
315 #ifdef __NR__llseek
316 	SC_ALLOW(_llseek),
317 #endif
318 #ifdef __NR_lseek
319 	SC_ALLOW(lseek),
320 #endif
321 #ifdef __NR_madvise
322 	SC_ALLOW(madvise),
323 #endif
324 #ifdef __NR_mmap
325 	SC_ALLOW(mmap),
326 #endif
327 #ifdef __NR_mmap2
328 	SC_ALLOW(mmap2),
329 #endif
330 #ifdef __NR_munmap
331 	SC_ALLOW(munmap),
332 #endif
333 #ifdef __NR_newfstatat
334 	SC_ALLOW(newfstatat),
335 #endif
336 #ifdef __NR_oldfstat
337 	SC_ALLOW(oldfstat),
338 #endif
339 #ifdef __NR_openat
340 	SC_ALLOW_ARG(__NR_openat, 3, O_RDONLY),
341 #endif
342 #ifdef __NR_prlimit64
343 	SC_ALLOW(prlimit64),
344 #endif
345 #ifdef __NR_read
346 	SC_ALLOW(read),
347 #endif
348 #ifdef __NR_recvmsg
349 	SC_ALLOW(recvmsg),
350 #endif
351 #ifdef __NR_readv
352 	SC_ALLOW(readv),
353 #endif
354 #ifdef __NR_rt_sigaction
355 	SC_ALLOW(rt_sigaction),
356 #endif
357 #ifdef __NR_rt_sigreturn
358 	SC_ALLOW(rt_sigreturn),
359 #endif
360 #ifdef __NR_sendmsg
361 	SC_ALLOW(sendmsg),
362 #endif
363 #ifdef __NR_sigreturn
364 	SC_ALLOW(sigreturn),
365 #endif
366 #ifdef __NR_statx
367 	SC_ALLOW(statx),
368 #endif
369 #ifdef __NR_ugetrlimit
370 	SC_ALLOW(ugetrlimit),
371 #endif
372 #ifdef __NR_write
373 	SC_ALLOW(write),
374 #endif
375 #ifdef __NR_writev
376 	SC_ALLOW(writev),
377 #endif
378 
379 	/* disallow everything else */
380 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
381 };
382 
383 #ifdef SC_DEBUG
384 
385 #include <signal.h>
386 #include <unistd.h>
387 
388 static void
389 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
390 {
391 	fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
392 	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
393 	_exit(1);
394 }
395 
396 static void
397 sandbox_seccomp_catch_sigsys(void)
398 {
399 	struct sigaction act;
400 	sigset_t mask;
401 
402 	memset(&act, 0, sizeof(act));
403 	sigemptyset(&mask);
404 	sigaddset(&mask, SIGSYS);
405 
406 	act.sa_sigaction = &sandbox_seccomp_violation;
407 	act.sa_flags = SA_SIGINFO;
408 	if (sigaction(SIGSYS, &act, NULL) == -1)
409 		fatal("%s: sigaction(SIGSYS): %s",
410 		    __func__, strerror(errno));
411 
412 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
413 		fatal("%s: sigprocmask(SIGSYS): %s\n",
414 		    __func__, strerror(errno));
415 }
416 #endif	/* SC_DEBUG */
417 
418 #if HAVE_LANDLOCK
419 static inline int
420 open_landlock(void)
421 {
422 	int fd;
423 
424 	const struct landlock_ruleset_attr attr = {
425 		.handled_access_fs =	LANDLOCK_ACCESS_FS_EXECUTE |
426 					LANDLOCK_ACCESS_FS_READ_FILE |
427 					LANDLOCK_ACCESS_FS_READ_DIR |
428 					LANDLOCK_ACCESS_FS_WRITE_FILE |
429 					LANDLOCK_ACCESS_FS_REMOVE_DIR |
430 					LANDLOCK_ACCESS_FS_REMOVE_FILE |
431 					LANDLOCK_ACCESS_FS_MAKE_CHAR |
432 					LANDLOCK_ACCESS_FS_MAKE_DIR |
433 					LANDLOCK_ACCESS_FS_MAKE_REG |
434 					LANDLOCK_ACCESS_FS_MAKE_SOCK |
435 					LANDLOCK_ACCESS_FS_MAKE_FIFO |
436 					LANDLOCK_ACCESS_FS_MAKE_BLOCK |
437 					LANDLOCK_ACCESS_FS_MAKE_SYM,
438 	};
439 
440 	fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
441 	if (fd == -1) {
442 		switch (errno) {
443 		case ENOSYS:
444 			fatal("%s: failed to create ruleset.  "
445 			    "Landlock doesn't seem to be supported by the "
446 			    "current kernel.", __func__);
447 		case EOPNOTSUPP:
448 			log_warn(NULL, "%s: failed to create ruleset.  "
449 			    "Landlock seems to be currently disabled; "
450 			    "continuing without it.", __func__);
451 			break;
452 		default:
453 			fatal("%s: failed to create ruleset: %s",
454 			    __func__, strerror(errno));
455 		}
456 	}
457 
458 	return fd;
459 }
460 
461 static int
462 landlock_unveil_path(int landlock_fd, const char *path, int perms)
463 {
464 	struct landlock_path_beneath_attr pb;
465 	int err, saved_errno;
466 
467 	pb.allowed_access = perms;
468 
469 	if ((pb.parent_fd = open(path, O_PATH)) == -1)
470 		return -1;
471 
472 	err = landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH,
473 	    &pb, 0);
474 	saved_errno = errno;
475 	close(pb.parent_fd);
476 	errno = saved_errno;
477 	return err ? -1 : 0;
478 }
479 
480 static int
481 landlock_apply(int fd)
482 {
483 	int r, saved_errno;
484 
485 	if (fd == -1)
486 		return 0;
487 
488 	r = landlock_restrict_self(fd, 0);
489 	saved_errno = errno;
490 	close(fd);
491 	errno = saved_errno;
492 	return r ? -1 : 0;
493 }
494 
495 static int
496 server_landlock(void)
497 {
498 	int		 fd, perms;
499 	struct vhost	*h;
500 	struct location	*l;
501 
502 	/*
503 	 * These are all the actions allowed for the root directories
504 	 * of the vhosts.
505 	 */
506 	perms = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
507 
508 	if ((fd = open_landlock()) == -1)
509 		return 0;
510 
511 	TAILQ_FOREACH(h, &hosts, vhosts) {
512 		TAILQ_FOREACH(l, &h->locations, locations) {
513 			if (l->dir == NULL)
514 				continue;
515 
516 			if (landlock_unveil_path(fd, l->dir, perms) == -1)
517 				fatal("%s: landlock_unveil_path(%s): %s",
518 				    __func__, l->dir, strerror(errno));
519 		}
520 	}
521 
522 	return landlock_apply(fd);
523 }
524 
525 static int
526 logger_landlock(void)
527 {
528 	int fd;
529 
530 	if ((fd = open_landlock()) == -1)
531 		return 0;
532 
533 	/* no rules.  the logger doesn't need fs access at all. */
534 
535 	return landlock_apply(fd);
536 }
537 #endif
538 
539 void
540 sandbox_server_process(void)
541 {
542 	const struct sock_fprog prog = {
543 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
544 		.filter = filter,
545 	};
546 
547 #ifdef SC_DEBUG
548 	sandbox_seccomp_catch_sigsys();
549 #endif
550 
551 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
552 		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
553 		    __func__, strerror(errno));
554 
555 #if HAVE_LANDLOCK
556 	if (server_landlock() == -1)
557 		fatal("%s: server_landlock: %s",
558 		    __func__, strerror(errno));
559 #endif
560 
561 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
562 		fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
563 		    __func__, strerror(errno));
564 }
565 
566 void
567 sandbox_logger_process(void)
568 {
569 	/*
570 	 * Here we could use a seccomp filter to allow only recvfd,
571 	 * write/writev and memory allocations, but syslog is a beast
572 	 * and I don't know what syscalls it could end up doing.
573 	 * Landlock is a simpler beast, use it to disallow any file
574 	 * sytsem access.
575 	 */
576 
577 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
578 		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
579 		    __func__, strerror(errno));
580 
581 #if HAVE_LANDLOCK
582 	if (logger_landlock() == -1)
583 		fatal("%s: logger_landlock: %s",
584 		    __func__, strerror(errno));
585 #endif
586 
587 	return;
588 }
589 
590 #elif defined(__OpenBSD__)
591 
592 #include <unistd.h>
593 
594 void
595 sandbox_server_process(void)
596 {
597 	struct vhost	*h;
598 	struct location	*l;
599 
600 	TAILQ_FOREACH(h, &hosts, vhosts) {
601 		TAILQ_FOREACH(l, &h->locations, locations) {
602 			if (l->dir == NULL)
603 				continue;
604 
605 			if (unveil(l->dir, "r") == -1)
606 				fatal("unveil %s for domain %s",
607 				    l->dir,
608 				    h->domain);
609 		}
610 	}
611 
612 	if (pledge("stdio recvfd rpath inet dns", NULL) == -1)
613 		fatal("pledge");
614 }
615 
616 void
617 sandbox_logger_process(void)
618 {
619 	if (pledge("stdio recvfd", NULL) == -1)
620 		err(1, "pledge");
621 }
622 
623 #else
624 
625 #warning "No sandbox method known for this OS"
626 
627 void
628 sandbox_server_process(void)
629 {
630 	return;
631 }
632 
633 void
634 sandbox_logger_process(void)
635 {
636 	return;
637 }
638 
639 #endif