op public repos

Blob

Date:: Thu Jan 28 16:28:10 2021 UTC
Message:: don't include err.h, gmid.h (via config.h) does that
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #if defined(__FreeBSD__)
20 
21 #include <sys/capsicum.h>
22 
23 void
24 sandbox()
25 {
26 	if (cap_enter() == -1)
27 		err(1, "cap_enter");
28 }
29 
30 #elif defined(__linux__)
31 
32 #include <sys/prctl.h>
33 #include <sys/syscall.h>
34 #include <sys/syscall.h>
35 #include <sys/types.h>
36 
37 #include <linux/audit.h>
38 #include <linux/filter.h>
39 #include <linux/seccomp.h>
40 
41 #include <errno.h>
42 #include <fcntl.h>
43 #include <stddef.h>
44 #include <stdio.h>
45 #include <string.h>
46 
47 /* thanks chromium' src/seccomp.c */
48 #if defined(__i386__)
49 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
50 #elif defined(__x86_64__)
51 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
52 #elif defined(__arm__)
53 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
54 #elif defined(__aarch64__)
55 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
56 #elif defined(__mips__)
57 #  if defined(__mips64)
58 #    if defined(__MIPSEB__)
59 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
60 #    else
61 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
62 #    endif
63 #  else
64 #    if defined(__MIPSEB__)
65 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
66 #    else
67 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
68 #    endif
69 #  endif
70 #else
71 #  error "Platform does not support seccomp filter yet"
72 #endif
73 
74 /* uncomment to enable debugging.  ONLY FOR DEVELOPMENT */
75 /* #define SC_DEBUG */
76 
77 #ifdef SC_DEBUG
78 # define SC_FAIL SECCOMP_RET_TRAP
79 #else
80 # define SC_FAIL SECCOMP_RET_KILL
81 #endif
82 
83 /* make the filter more readable */
84 #define SC_ALLOW(nr)						\
85 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1),	\
86 	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
87 
88 #ifdef SC_DEBUG
89 
90 #include <signal.h>
91 #include <unistd.h>
92 
93 static void
94 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
95 {
96 	(void)signum;
97 	(void)ctx;
98 
99 	fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
100 	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
101 	_exit(1);
102 }
103 
104 static void
105 sandbox_seccomp_catch_sigsys(void)
106 {
107 	struct sigaction act;
108 	sigset_t mask;
109 
110 	memset(&act, 0, sizeof(act));
111 	sigemptyset(&mask);
112 	sigaddset(&mask, SIGSYS);
113 
114 	act.sa_sigaction = &sandbox_seccomp_violation;
115 	act.sa_flags = SA_SIGINFO;
116 	if (sigaction(SIGSYS, &act, NULL) == -1) {
117 		fprintf(stderr, "%s: sigaction(SIGSYS): %s\n",
118 		    __func__, strerror(errno));
119 		exit(1);
120 	}
121 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) {
122 		fprintf(stderr, "%s: sigprocmask(SIGSYS): %s\n",
123 		    __func__, strerror(errno));
124 		exit(1);
125 	}
126 }
127 #endif	/* SC_DEBUG */
128 
129 void
130 sandbox()
131 {
132 	struct sock_filter filter[] = {
133 		/* load the *current* architecture */
134 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
135 		    (offsetof(struct seccomp_data, arch))),
136 		/* ensure it's the same that we've been compiled on */
137 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
138 		    SECCOMP_AUDIT_ARCH, 1, 0),
139 		/* if not, kill the program */
140 		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
141 
142 		/* load the syscall number */
143 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
144 		    (offsetof(struct seccomp_data, nr))),
145 
146 		/* allow logging on stdout */
147 		SC_ALLOW(write),
148 		SC_ALLOW(writev),
149 		SC_ALLOW(readv),
150 
151 		/* these are used to serve the files.  note how we
152 		 * allow openat but not open. */
153 
154 #ifdef __aarch64__
155 		/* it seems that on aarch64 there isn't a poll(2)
156 		 * syscall, but instead it's implemented on top of
157 		 * ppoll(2). */
158 		SC_ALLOW(ppoll),
159 #else
160 		SC_ALLOW(poll),
161 #endif
162 		SC_ALLOW(accept),
163 		SC_ALLOW(read),
164 		SC_ALLOW(openat),
165 		SC_ALLOW(fstat),
166 		SC_ALLOW(close),
167 		SC_ALLOW(lseek),
168 		SC_ALLOW(brk),
169 		SC_ALLOW(mmap),
170 		SC_ALLOW(munmap),
171 
172 		/* we need recvmsg to receive fd */
173 		SC_ALLOW(recvmsg),
174 
175 		/* XXX: ??? */
176 		SC_ALLOW(getpid),
177 
178 		/* alpine on amd64 does a clock_gettime(2) */
179 		SC_ALLOW(clock_gettime),
180 
181 		/* void on aarch64 does a gettrandom */
182 		SC_ALLOW(getrandom),
183 
184 		/* for directory listing */
185 		SC_ALLOW(getdents64),
186 
187 		SC_ALLOW(exit),
188 		SC_ALLOW(exit_group),
189 
190 		/* allow only F_GETFL and F_SETFL fcntl */
191 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
192 		BPF_STMT(BPF_LD  | BPF_W | BPF_ABS,
193 		    (offsetof(struct seccomp_data, args[1]))),
194 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
195 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
196 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
197 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
198 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFD, 0, 1),
199 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
200 		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
201 
202 		/* re-load the syscall number */
203 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
204 		    (offsetof(struct seccomp_data, nr))),
205 
206 		/* allow ioctl but only on fd 1, glibc doing stuff? */
207 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
208 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
209 		    (offsetof(struct seccomp_data, args[0]))),
210 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1),
211 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
212 
213 		/* disallow enything else */
214 		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
215 	};
216 
217 	struct sock_fprog prog = {
218 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
219 		.filter = filter,
220 	};
221 
222 #ifdef SC_DEBUG
223 	sandbox_seccomp_catch_sigsys();
224 #endif
225 
226 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
227 		fprintf(stderr, "%s: prctl(PR_SET_NO_NEW_PRIVS): %s\n",
228 		    __func__, strerror(errno));
229 		exit(1);
230 	}
231 
232 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
233 		fprintf(stderr, "%s: prctl(PR_SET_SECCOMP): %s\n",
234 		    __func__, strerror(errno));
235 		exit(1);
236 	}
237 }
238 
239 #elif defined(__OpenBSD__)
240 
241 #include <unistd.h>
242 
243 void
244 sandbox()
245 {
246 	struct vhost *h;
247 
248 	for (h = hosts; h->domain != NULL; ++h) {
249 		if (unveil(h->dir, "r") == -1)
250 			err(1, "unveil %s for domain %s", h->dir, h->domain);
251 	}
252 
253 	if (pledge("stdio recvfd rpath inet", NULL) == -1)
254 		err(1, "pledge");
255 }
256 
257 #else
258 
259 void
260 sandbox()
261 {
262         LOGN(NULL, "%s", "no sandbox method known for this OS");
263 }
264 
265 #endif