2 * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #if defined(__FreeBSD__)
21 #include <sys/capsicum.h>
24 sandbox_server_process(void)
26 if (cap_enter() == -1)
31 sandbox_executor_process(void)
33 /* We cannot capsicum the executor process because it needs
34 * to fork(2)+execve(2) cgi scripts */
39 sandbox_logger_process(void)
41 if (cap_enter() == -1)
45 #elif defined(__linux__)
47 #include <sys/prctl.h>
48 #include <sys/syscall.h>
49 #include <sys/syscall.h>
50 #include <sys/types.h>
52 #include <linux/audit.h>
53 #include <linux/filter.h>
54 #include <linux/seccomp.h>
62 /* thanks chromium' src/seccomp.c */
64 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
65 #elif defined(__x86_64__)
66 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
67 #elif defined(__arm__)
68 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
69 #elif defined(__aarch64__)
70 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
71 #elif defined(__mips__)
72 # if defined(__mips64)
73 # if defined(__MIPSEB__)
74 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
76 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
79 # if defined(__MIPSEB__)
80 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
82 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
86 # error "Platform does not support seccomp filter yet"
89 /* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
90 /* #define SC_DEBUG */
93 # define SC_FAIL SECCOMP_RET_TRAP
95 # define SC_FAIL SECCOMP_RET_KILL
98 /* make the filter more readable */
99 #define SC_ALLOW(nr) \
100 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
101 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
109 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
114 fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
115 __func__, info->si_arch, info->si_syscall, info->si_call_addr);
120 sandbox_seccomp_catch_sigsys(void)
122 struct sigaction act;
125 memset(&act, 0, sizeof(act));
127 sigaddset(&mask, SIGSYS);
129 act.sa_sigaction = &sandbox_seccomp_violation;
130 act.sa_flags = SA_SIGINFO;
131 if (sigaction(SIGSYS, &act, NULL) == -1)
132 fatal("%s: sigaction(SIGSYS): %s",
133 __func__, strerror(errno));
135 if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
136 fatal("%s: sigprocmask(SIGSYS): %s\n",
137 __func__, strerror(errno));
139 #endif /* SC_DEBUG */
142 sandbox_server_process(void)
144 struct sock_filter filter[] = {
145 /* load the *current* architecture */
146 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
147 (offsetof(struct seccomp_data, arch))),
148 /* ensure it's the same that we've been compiled on */
149 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
150 SECCOMP_AUDIT_ARCH, 1, 0),
151 /* if not, kill the program */
152 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
154 /* load the syscall number */
155 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
156 (offsetof(struct seccomp_data, nr))),
158 /* allow logging on stdout */
163 /* these are used to serve the files. note how we
164 * allow openat but not open. */
165 #ifdef __NR_epoll_wait
166 /* epoll_wait(2) isn't present on aarch64, at least */
167 SC_ALLOW(epoll_wait),
169 SC_ALLOW(epoll_pwait),
176 SC_ALLOW(newfstatat),
186 /* needed for signal handling */
187 SC_ALLOW(rt_sigreturn),
188 SC_ALLOW(rt_sigaction),
190 /* we need recvmsg to receive fd */
196 /* alpine on amd64 */
197 SC_ALLOW(clock_gettime),
200 /* void on aarch64 does a gettrandom */
204 SC_ALLOW(gettimeofday),
206 /* for directory listing */
207 SC_ALLOW(getdents64),
210 SC_ALLOW(exit_group),
212 /* allow only F_GETFL, F_SETFL & F_SETFD fcntl */
213 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
214 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
215 (offsetof(struct seccomp_data, args[1]))),
216 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
217 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
218 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
219 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
220 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFD, 0, 1),
221 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
222 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
224 /* re-load the syscall number */
225 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
226 (offsetof(struct seccomp_data, nr))),
228 /* allow ioctl but only on fd 1, glibc doing stuff? */
229 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
230 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
231 (offsetof(struct seccomp_data, args[0]))),
232 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1),
233 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
235 /* disallow enything else */
236 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
239 struct sock_fprog prog = {
240 .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
245 sandbox_seccomp_catch_sigsys();
248 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
249 fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
250 __func__, strerror(errno));
252 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
253 fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
254 __func__, strerror(errno));
258 sandbox_executor_process(void)
260 /* We cannot use seccomp for the executor process because we
261 * don't know what the child will do. Also, our filter will
262 * be inherited so the child cannot set its own seccomp
268 sandbox_logger_process(void)
270 /* To be honest, here we could use a seccomp policy to only
271 * allow writev(2) and memory allocations. */
275 #elif defined(__OpenBSD__)
280 sandbox_server_process(void)
284 for (h = hosts; h->domain != NULL; ++h) {
285 if (unveil(h->dir, "r") == -1)
286 fatal("unveil %s for domain %s", h->dir, h->domain);
289 if (pledge("stdio recvfd rpath inet", NULL) == -1)
294 sandbox_executor_process(void)
298 for (vhost = hosts; vhost->domain != NULL; ++vhost) {
299 /* r so we can chdir into the correct directory */
300 if (unveil(vhost->dir, "rx") == -1)
301 err(1, "unveil %s for domain %s",
302 vhost->dir, vhost->domain);
305 /* rpath to chdir into the correct directory */
306 if (pledge("stdio rpath sendfd proc exec", NULL))
311 sandbox_logger_process(void)
313 if (pledge("stdio", NULL) == -1)
319 #warning "No sandbox method known for this OS"
322 sandbox_server_process(void)
328 sandbox_executor_process(void)
330 log_notice(NULL, "no sandbox method known for this OS");
334 sandbox_logger_process(void)