2 * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
24 sandbox_server_process(void)
30 sandbox_executor_process(void)
32 log_notice(NULL, "Sandbox disabled! "
33 "Please report issues upstream instead of disabling the sandbox.");
37 sandbox_logger_process(void)
42 #elif defined(__FreeBSD__)
44 #include <sys/capsicum.h>
47 sandbox_server_process(void)
49 if (cap_enter() == -1)
54 sandbox_executor_process(void)
56 /* We cannot capsicum the executor process because it needs
57 * to fork(2)+execve(2) cgi scripts */
62 sandbox_logger_process(void)
64 if (cap_enter() == -1)
68 #elif defined(__linux__)
70 #include <sys/prctl.h>
71 #include <sys/syscall.h>
72 #include <sys/syscall.h>
73 #include <sys/types.h>
75 #include <linux/audit.h>
76 #include <linux/filter.h>
77 #include <linux/seccomp.h>
85 /* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
86 /* #define SC_DEBUG */
89 # define SC_FAIL SECCOMP_RET_TRAP
91 # define SC_FAIL SECCOMP_RET_KILL
94 #if (BYTE_ORDER == LITTLE_ENDIAN)
96 # define SC_ARG_HI sizeof(uint32_t)
97 #elif (BYTE_ORDER == BIG_ENDIAN)
98 # define SC_ARG_LO sizeof(uint32_t)
101 # error "Unknown endian"
104 /* make the filter more readable */
/*
 * SC_ALLOW(nr): emit two BPF instructions that allow one syscall.
 * `nr' is the bare syscall name; it is pasted onto __NR_ to obtain the
 * syscall number.  The value in the accumulator is compared with that
 * number: on a match the next instruction returns SECCOMP_RET_ALLOW,
 * otherwise that return is skipped and the following filter entry runs.
 * The accumulator is expected to hold seccomp_data.nr at this point.
 */
105 #define SC_ALLOW(nr) \
106 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
107 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
110 * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
111 * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
/*
 * SC_ALLOW_ARG(_nr, _arg, _val): allow syscall number `_nr' only when
 * its 64-bit argument at index `_arg' is equal to `_val'.  Expands to
 * seven BPF instructions:
 *
 *   0: accumulator != _nr        -> skip the remaining six instructions
 *   1: load the low 32 bits of args[_arg]
 *   2: != low 32 bits of _val    -> jump to 6
 *   3: load the high 32 bits of args[_arg]
 *   4: != high 32 bits of _val   -> jump to 6
 *   5: return SECCOMP_RET_ALLOW
 *   6: reload seccomp_data.nr into the accumulator (1 and 3 overwrote
 *      it), so the entries that follow compare against the syscall
 *      number again
 *
 * Unlike SC_ALLOW, `_nr' is the full syscall number (e.g. __NR_ioctl),
 * not a bare name.  SC_ARG_LO and SC_ARG_HI are the byte offsets of the
 * two 32-bit halves inside an argument and depend on the byte order.
 */
113 #define SC_ALLOW_ARG(_nr, _arg, _val) \
114 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6), \
115 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
116 offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO), \
117 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
118 ((_val) & 0xffffffff), 0, 3), \
119 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
120 offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI), \
121 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
122 (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1), \
123 BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), \
124 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
125 offsetof(struct seccomp_data, nr))
128 * I personally find this quite nutty. Why can a system header not
129 * define a default for this?
131 #if defined(__i386__)
132 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
133 #elif defined(__x86_64__)
134 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
135 #elif defined(__arc__)
137 # if (BYTE_ORDER == LITTLE_ENDIAN)
138 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
140 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
142 # elif defined(__HS__)
143 # if (BYTE_ORDER == LITTLE_ENDIAN)
144 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
146 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
149 # error "Platform does not support seccomp filter yet"
151 #elif defined(__arm__)
155 # if (BYTE_ORDER == LITTLE_ENDIAN)
156 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
158 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
160 #elif defined(__aarch64__)
161 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
162 #elif defined(__alpha__)
163 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
164 #elif defined(__hppa__)
165 # if defined(__LP64__)
166 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
168 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
170 #elif defined(__ia64__)
171 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
172 #elif defined(__microblaze__)
173 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
174 #elif defined(__m68k__)
175 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
176 #elif defined(__mips__)
177 # if defined(__MIPSEL__)
178 # if defined(__LP64__)
179 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
181 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
183 # elif defined(__LP64__)
184 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
186 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
188 #elif defined(__nds32__)
189 # if (BYTE_ORDER == LITTLE_ENDIAN)
190 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
192 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
194 #elif defined(__nios2__)
195 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
196 #elif defined(__or1k__)
197 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
198 #elif defined(__powerpc64__)
199 # if (BYTE_ORDER == LITTLE_ENDIAN)
200 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
202 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
204 #elif defined(__powerpc__)
205 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
206 #elif defined(__riscv)
207 # if defined(__LP64__)
208 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
210 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
212 #elif defined(__s390x__)
213 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
214 #elif defined(__s390__)
215 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
216 #elif defined(__sh__)
217 # if defined(__LP64__)
218 # if (BYTE_ORDER == LITTLE_ENDIAN)
219 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
221 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
224 # if (BYTE_ORDER == LITTLE_ENDIAN)
225 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
227 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
230 #elif defined(__sparc__)
231 # if defined(__arch64__)
232 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
234 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
236 #elif defined(__xtensa__)
237 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
239 # error "Platform does not support seccomp filter yet"
242 static struct sock_filter filter[] = {
243 /* load the *current* architecture */
244 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
245 (offsetof(struct seccomp_data, arch))),
246 /* ensure it's the same one we've been compiled for */
247 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
248 SECCOMP_AUDIT_ARCH, 1, 0),
249 /* if not, kill the program */
250 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
252 /* load the syscall number */
253 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
254 (offsetof(struct seccomp_data, nr))),
265 #ifdef __NR_clock_gettime
266 SC_ALLOW(clock_gettime),
268 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
269 SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
271 #ifdef __NR_clock_gettime64
272 SC_ALLOW(clock_gettime64),
277 #ifdef __NR_epoll_ctl
280 #ifdef __NR_epoll_pwait
281 SC_ALLOW(epoll_pwait),
283 #ifdef __NR_epoll_wait
284 SC_ALLOW(epoll_wait),
289 #ifdef __NR_exit_group
290 SC_ALLOW(exit_group),
301 #ifdef __NR_getdents64
302 SC_ALLOW(getdents64),
307 #ifdef __NR_getrandom
310 #ifdef __NR_gettimeofday
311 SC_ALLOW(gettimeofday),
314 /* allow ioctl only on fd 1, glibc doing stuff? */
315 SC_ALLOW_ARG(__NR_ioctl, 0, 1),
332 #ifdef __NR_newfstatat
333 SC_ALLOW(newfstatat),
341 #ifdef __NR_prlimit64
353 #ifdef __NR_rt_sigaction
354 SC_ALLOW(rt_sigaction),
356 #ifdef __NR_rt_sigreturn
357 SC_ALLOW(rt_sigreturn),
372 /* disallow everything else */
373 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
382 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
387 fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
388 __func__, info->si_arch, info->si_syscall, info->si_call_addr);
393 sandbox_seccomp_catch_sigsys(void)
395 struct sigaction act;
398 memset(&act, 0, sizeof(act));
400 sigaddset(&mask, SIGSYS);
402 act.sa_sigaction = &sandbox_seccomp_violation;
403 act.sa_flags = SA_SIGINFO;
404 if (sigaction(SIGSYS, &act, NULL) == -1)
405 fatal("%s: sigaction(SIGSYS): %s",
406 __func__, strerror(errno));
408 if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
409 fatal("%s: sigprocmask(SIGSYS): %s\n",
410 __func__, strerror(errno));
412 #endif /* SC_DEBUG */
415 sandbox_server_process(void)
417 struct sock_fprog prog = {
418 .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
423 sandbox_seccomp_catch_sigsys();
426 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
427 fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
428 __func__, strerror(errno));
430 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
431 fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
432 __func__, strerror(errno));
436 sandbox_executor_process(void)
438 /* We cannot use seccomp for the executor process because we
439 * don't know what the child will do. Also, our filter will
440 * be inherited so the child cannot set its own seccomp
446 sandbox_logger_process(void)
448 /* To be honest, here we could use a seccomp policy to only
449 * allow writev(2) and memory allocations. */
453 #elif defined(__OpenBSD__)
458 sandbox_server_process(void)
463 TAILQ_FOREACH(h, &hosts, vhosts) {
464 TAILQ_FOREACH(l, &h->locations, locations) {
468 if (unveil(l->dir, "r") == -1)
469 fatal("unveil %s for domain %s",
475 if (pledge("stdio recvfd rpath inet", NULL) == -1)
480 sandbox_executor_process(void)
487 TAILQ_FOREACH(h, &hosts, vhosts) {
488 TAILQ_FOREACH(l, &h->locations, locations) {
492 /* r so we can chdir into the correct directory */
493 if (unveil(l->dir, "rx") == -1)
494 fatal("unveil %s for domain %s",
499 for (i = 0; i < FCGI_MAX; i++) {
501 if (f->path != NULL) {
502 if (unveil(f->path, "rw") == -1)
503 fatal("unveil %s", f->path);
506 if (f->prog != NULL) {
507 if (unveil(f->prog, "rx") == -1)
508 fatal("unveil %s", f->prog);
513 * rpath: to chdir into the correct directory
515 * dns inet unix: FastCGI
517 if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL))
522 sandbox_logger_process(void)
524 if (pledge("stdio recvfd", NULL) == -1)
530 #warning "No sandbox method known for this OS"
533 sandbox_server_process(void)
539 sandbox_executor_process(void)
541 log_notice(NULL, "no sandbox method known for this OS");
545 sandbox_logger_process(void)