2 * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #if defined(__FreeBSD__)
21 #include <sys/capsicum.h>
26 if (cap_enter() == -1)
30 #elif defined(__linux__)
32 #include <sys/prctl.h>
33 #include <sys/syscall.h>
34 #include <sys/syscall.h>
35 #include <sys/types.h>
37 #include <linux/audit.h>
38 #include <linux/filter.h>
39 #include <linux/seccomp.h>
47 /* thanks chromium' src/seccomp.c */
49 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
50 #elif defined(__x86_64__)
51 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
52 #elif defined(__arm__)
53 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
54 #elif defined(__aarch64__)
55 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
56 #elif defined(__mips__)
57 # if defined(__mips64)
58 # if defined(__MIPSEB__)
59 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
61 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
64 # if defined(__MIPSEB__)
65 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
67 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
71 # error "Platform does not support seccomp filter yet"
74 /* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
75 /* #define SC_DEBUG */
78 # define SC_FAIL SECCOMP_RET_TRAP
80 # define SC_FAIL SECCOMP_RET_KILL
83 /* make the filter more readable */
84 #define SC_ALLOW(nr) \
85 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
86 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
94 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
99 fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
100 __func__, info->si_arch, info->si_syscall, info->si_call_addr);
105 sandbox_seccomp_catch_sigsys(void)
107 struct sigaction act;
110 memset(&act, 0, sizeof(act));
112 sigaddset(&mask, SIGSYS);
114 act.sa_sigaction = &sandbox_seccomp_violation;
115 act.sa_flags = SA_SIGINFO;
116 if (sigaction(SIGSYS, &act, NULL) == -1) {
117 fprintf(stderr, "%s: sigaction(SIGSYS): %s\n",
118 __func__, strerror(errno));
121 if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) {
122 fprintf(stderr, "%s: sigprocmask(SIGSYS): %s\n",
123 __func__, strerror(errno));
127 #endif /* SC_DEBUG */
132 struct sock_filter filter[] = {
133 /* load the *current* architecture */
134 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
135 (offsetof(struct seccomp_data, arch))),
136 /* ensure it's the same that we've been compiled on */
137 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
138 SECCOMP_AUDIT_ARCH, 1, 0),
139 /* if not, kill the program */
140 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
142 /* load the syscall number */
143 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
144 (offsetof(struct seccomp_data, nr))),
146 /* allow logging on stdout */
151 /* these are used to serve the files. note how we
152 * allow openat but not open. */
153 SC_ALLOW(epoll_pwait),
165 /* needed for signal handling */
166 SC_ALLOW(rt_sigreturn),
167 SC_ALLOW(rt_sigaction),
169 /* we need recvmsg to receive fd */
175 /* alpine on amd64 */
176 SC_ALLOW(clock_gettime),
179 /* void on aarch64 does a gettrandom */
182 /* for directory listing */
183 SC_ALLOW(getdents64),
186 SC_ALLOW(exit_group),
188 /* stuff used by syslog. revisit once we move
189 * logging in its own process */
194 /* allow only F_GETFL, F_SETFL & F_SETFD fcntl */
195 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
196 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
197 (offsetof(struct seccomp_data, args[1]))),
198 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
199 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
200 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
201 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
202 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFD, 0, 1),
203 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
204 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
206 /* re-load the syscall number */
207 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
208 (offsetof(struct seccomp_data, nr))),
210 /* allow ioctl but only on fd 1, glibc doing stuff? */
211 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
212 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
213 (offsetof(struct seccomp_data, args[0]))),
214 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1),
215 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
217 /* disallow enything else */
218 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
221 struct sock_fprog prog = {
222 .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
227 sandbox_seccomp_catch_sigsys();
230 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
231 fprintf(stderr, "%s: prctl(PR_SET_NO_NEW_PRIVS): %s\n",
232 __func__, strerror(errno));
236 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
237 fprintf(stderr, "%s: prctl(PR_SET_SECCOMP): %s\n",
238 __func__, strerror(errno));
243 #elif defined(__OpenBSD__)
252 for (h = hosts; h->domain != NULL; ++h) {
253 if (unveil(h->dir, "r") == -1)
254 err(1, "unveil %s for domain %s", h->dir, h->domain);
257 if (pledge("stdio recvfd rpath inet", NULL) == -1)
266 LOGN(NULL, "%s", "no sandbox method known for this OS");