2 * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
24 sandbox_server_process(void)
30 sandbox_logger_process(void)
35 #elif defined(__FreeBSD__)
37 #include <sys/capsicum.h>
40 sandbox_server_process(void)
42 if (cap_enter() == -1)
47 sandbox_logger_process(void)
49 if (cap_enter() == -1)
53 #elif defined(__linux__)
55 #include <sys/ioctl.h>
56 #include <sys/prctl.h>
57 #include <sys/syscall.h>
58 #include <sys/syscall.h>
59 #include <sys/types.h>
61 #include <linux/audit.h>
62 #include <linux/filter.h>
63 #include <linux/seccomp.h>
72 # include "landlock_shim.h"
75 /* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
76 /* #define SC_DEBUG */
79 # define SC_FAIL SECCOMP_RET_TRAP
81 # define SC_FAIL SECCOMP_RET_KILL
84 #if (BYTE_ORDER == LITTLE_ENDIAN)
86 # define SC_ARG_HI sizeof(uint32_t)
87 #elif (BYTE_ORDER == BIG_ENDIAN)
88 # define SC_ARG_LO sizeof(uint32_t)
91 # error "Uknown endian"
94 /* make the filter more readable */
95 #define SC_ALLOW(nr) \
96 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
97 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
100 * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
101 * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
103 #define SC_ALLOW_ARG(_nr, _arg, _val) \
104 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6), \
105 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
106 offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO), \
107 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
108 ((_val) & 0xffffffff), 0, 3), \
109 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
110 offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI), \
111 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
112 (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1), \
113 BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), \
114 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
115 offsetof(struct seccomp_data, nr))
118 * I personally find this quite nutty. Why can a system header not
119 * define a default for this?
121 #if defined(__i386__)
122 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
123 #elif defined(__x86_64__)
124 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
125 #elif defined(__arc__)
127 # if (BYTE_ORDER == LITTLE_ENDIAN)
128 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
130 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
132 # elif defined(__HS__)
133 # if (BYTE_ORDER == LITTLE_ENDIAN)
134 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
136 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
139 # error "Platform does not support seccomp filter yet"
141 #elif defined(__arm__)
145 # if (BYTE_ORDER == LITTLE_ENDIAN)
146 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
148 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
150 #elif defined(__aarch64__)
151 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
152 #elif defined(__alpha__)
153 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
154 #elif defined(__hppa__)
155 # if defined(__LP64__)
156 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
158 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
160 #elif defined(__ia64__)
161 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
162 #elif defined(__microblaze__)
163 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
164 #elif defined(__m68k__)
165 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
166 #elif defined(__mips__)
167 # if defined(__MIPSEL__)
168 # if defined(__LP64__)
169 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
171 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
173 # elif defined(__LP64__)
174 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
176 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
178 #elif defined(__nds32__)
179 # if (BYTE_ORDER == LITTLE_ENDIAN)
180 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
182 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
184 #elif defined(__nios2__)
185 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
186 #elif defined(__or1k__)
187 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
188 #elif defined(__powerpc64__)
189 # if (BYTE_ORDER == LITTLE_ENDIAN)
190 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
192 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
194 #elif defined(__powerpc__)
195 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
196 #elif defined(__riscv)
197 # if defined(__LP64__)
198 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
200 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
202 #elif defined(__s390x__)
203 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
204 #elif defined(__s390__)
205 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
206 #elif defined(__sh__)
207 # if defined(__LP64__)
208 # if (BYTE_ORDER == LITTLE_ENDIAN)
209 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
211 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
214 # if (BYTE_ORDER == LITTLE_ENDIAN)
215 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
217 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
220 #elif defined(__sparc__)
221 # if defined(__arch64__)
222 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
224 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
226 #elif defined(__xtensa__)
227 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
229 # error "Platform does not support seccomp filter yet"
232 static const struct sock_filter filter[] = {
233 /* load the *current* architecture */
234 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
235 (offsetof(struct seccomp_data, arch))),
236 /* ensure it's the same that we've been compiled on */
237 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
238 SECCOMP_AUDIT_ARCH, 1, 0),
239 /* if not, kill the program */
240 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
242 /* load the syscall number */
243 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
244 (offsetof(struct seccomp_data, nr))),
255 #ifdef __NR_clock_gettime
256 SC_ALLOW(clock_gettime),
258 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
259 SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
261 #ifdef __NR_clock_gettime64
262 SC_ALLOW(clock_gettime64),
267 #ifdef __NR_epoll_ctl
270 #ifdef __NR_epoll_pwait
271 SC_ALLOW(epoll_pwait),
273 #ifdef __NR_epoll_wait
274 SC_ALLOW(epoll_wait),
279 #ifdef __NR_exit_group
280 SC_ALLOW(exit_group),
294 #ifdef __NR_fstatat64
297 #ifdef __NR_getdents64
298 SC_ALLOW(getdents64),
303 #ifdef __NR_getrandom
306 #ifdef __NR_gettimeofday
307 SC_ALLOW(gettimeofday),
310 /* allow ioctl on fd 1, glibc doing stuff? */
311 SC_ALLOW_ARG(__NR_ioctl, 0, 1),
312 /* allow FIONREAD needed by libevent */
313 SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
333 #ifdef __NR_newfstatat
334 SC_ALLOW(newfstatat),
340 SC_ALLOW_ARG(__NR_openat, 3, O_RDONLY),
342 #ifdef __NR_prlimit64
354 #ifdef __NR_rt_sigaction
355 SC_ALLOW(rt_sigaction),
357 #ifdef __NR_rt_sigreturn
358 SC_ALLOW(rt_sigreturn),
363 #ifdef __NR_sigreturn
369 #ifdef __NR_ugetrlimit
370 SC_ALLOW(ugetrlimit),
379 /* disallow everything else */
380 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
389 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
391 fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
392 __func__, info->si_arch, info->si_syscall, info->si_call_addr);
397 sandbox_seccomp_catch_sigsys(void)
399 struct sigaction act;
402 memset(&act, 0, sizeof(act));
404 sigaddset(&mask, SIGSYS);
406 act.sa_sigaction = &sandbox_seccomp_violation;
407 act.sa_flags = SA_SIGINFO;
408 if (sigaction(SIGSYS, &act, NULL) == -1)
409 fatal("%s: sigaction(SIGSYS): %s",
410 __func__, strerror(errno));
412 if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
413 fatal("%s: sigprocmask(SIGSYS): %s\n",
414 __func__, strerror(errno));
416 #endif /* SC_DEBUG */
424 const struct landlock_ruleset_attr attr = {
425 .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE |
426 LANDLOCK_ACCESS_FS_READ_FILE |
427 LANDLOCK_ACCESS_FS_READ_DIR |
428 LANDLOCK_ACCESS_FS_WRITE_FILE |
429 LANDLOCK_ACCESS_FS_REMOVE_DIR |
430 LANDLOCK_ACCESS_FS_REMOVE_FILE |
431 LANDLOCK_ACCESS_FS_MAKE_CHAR |
432 LANDLOCK_ACCESS_FS_MAKE_DIR |
433 LANDLOCK_ACCESS_FS_MAKE_REG |
434 LANDLOCK_ACCESS_FS_MAKE_SOCK |
435 LANDLOCK_ACCESS_FS_MAKE_FIFO |
436 LANDLOCK_ACCESS_FS_MAKE_BLOCK |
437 LANDLOCK_ACCESS_FS_MAKE_SYM,
440 fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
444 fatal("%s: failed to create ruleset. "
445 "Landlock doesn't seem to be supported by the "
446 "current kernel.", __func__);
448 log_warn(NULL, "%s: failed to create ruleset. "
449 "Landlock seems to be currently disabled; "
450 "continuing without it.", __func__);
453 fatal("%s: failed to create ruleset: %s",
454 __func__, strerror(errno));
462 landlock_unveil_path(int landlock_fd, const char *path, int perms)
464 struct landlock_path_beneath_attr pb;
465 int err, saved_errno;
467 pb.allowed_access = perms;
469 if ((pb.parent_fd = open(path, O_PATH)) == -1)
472 err = landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH,
481 landlock_apply(int fd)
488 r = landlock_restrict_self(fd, 0);
496 server_landlock(void)
503 * These are all the actions allowed for the root directories
506 perms = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
508 if ((fd = open_landlock()) == -1)
511 TAILQ_FOREACH(h, &hosts, vhosts) {
512 TAILQ_FOREACH(l, &h->locations, locations) {
516 if (landlock_unveil_path(fd, l->dir, perms) == -1)
517 fatal("%s: landlock_unveil_path(%s): %s",
518 __func__, l->dir, strerror(errno));
522 return landlock_apply(fd);
526 logger_landlock(void)
530 if ((fd = open_landlock()) == -1)
533 /* no rules. the logger doesn't need fs access at all. */
535 return landlock_apply(fd);
540 sandbox_server_process(void)
542 const struct sock_fprog prog = {
543 .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
548 sandbox_seccomp_catch_sigsys();
551 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
552 fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
553 __func__, strerror(errno));
556 if (server_landlock() == -1)
557 fatal("%s: server_landlock: %s",
558 __func__, strerror(errno));
561 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
562 fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
563 __func__, strerror(errno));
567 sandbox_logger_process(void)
570 * Here we could use a seccomp filter to allow only recvfd,
571 * write/writev and memory allocations, but syslog is a beast
572 * and I don't know what syscalls it could end up doing.
573 * Landlock is a simpler beast, use it to disallow any file
577 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
578 fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
579 __func__, strerror(errno));
582 if (logger_landlock() == -1)
583 fatal("%s: logger_landlock: %s",
584 __func__, strerror(errno));
590 #elif defined(__OpenBSD__)
595 sandbox_server_process(void)
600 TAILQ_FOREACH(h, &hosts, vhosts) {
601 TAILQ_FOREACH(l, &h->locations, locations) {
605 if (unveil(l->dir, "r") == -1)
606 fatal("unveil %s for domain %s",
612 if (pledge("stdio recvfd rpath inet dns", NULL) == -1)
617 sandbox_logger_process(void)
619 if (pledge("stdio recvfd", NULL) == -1)
625 #warning "No sandbox method known for this OS"
628 sandbox_server_process(void)
634 sandbox_logger_process(void)