op public repos

Blob

Date:: Sat Jul 3 06:59:33 2021 UTC
Message:: configure: add --disable-sandbox Calling `configure' with --disable-sandbox will disable the sandbox support *completely* at compile time. gmid will still complain at compile time and during the startup. Users shouldn't disable the sandbox if possible, but instead report problem upstream so they get fixed (hopefully.) #4 related
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #if DISABLE_SANDBOX
20 
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
22 
23 void
24 sandbox_server_process(void)
25 {
26 	return;
27 }
28 
29 void
30 sandbox_executor_process(void)
31 {
32         log_notice(NULL, "Sandbox disabled!  "
33 	    "Please report issues upstream instead of disabling the sandbox.");
34 }
35 
36 void
37 sandbox_logger_process(void)
38 {
39 	return;
40 }
41 
42 #elif defined(__FreeBSD__)
43 
44 #include <sys/capsicum.h>
45 
46 void
47 sandbox_server_process(void)
48 {
49 	if (cap_enter() == -1)
50 		fatal("cap_enter");
51 }
52 
53 void
54 sandbox_executor_process(void)
55 {
56 	/* We cannot capsicum the executor process because it needs
57 	 * to fork(2)+execve(2) cgi scripts */
58 	return;
59 }
60 
61 void
62 sandbox_logger_process(void)
63 {
64 	if (cap_enter() == -1)
65 		fatal("cap_enter");
66 }
67 
68 #elif defined(__linux__)
69 
70 #include <sys/prctl.h>
71 #include <sys/syscall.h>
72 #include <sys/syscall.h>
73 #include <sys/types.h>
74 
75 #include <linux/audit.h>
76 #include <linux/filter.h>
77 #include <linux/seccomp.h>
78 
79 #include <errno.h>
80 #include <fcntl.h>
81 #include <stddef.h>
82 #include <stdio.h>
83 #include <string.h>
84 
85 /* uncomment to enable debugging.  ONLY FOR DEVELOPMENT */
86 /* #define SC_DEBUG */
87 
88 #ifdef SC_DEBUG
89 # define SC_FAIL SECCOMP_RET_TRAP
90 #else
91 # define SC_FAIL SECCOMP_RET_KILL
92 #endif
93 
94 #if (BYTE_ORDER == LITTLE_ENDIAN)
95 # define SC_ARG_LO	0
96 # define SC_ARG_HI	sizeof(uint32_t)
97 #elif (BYTE_ORDER == BIG_ENDIAN)
98 # define SC_ARG_LO	sizeof(uint32_t)
99 # define SC_ARG_HI	0
100 #else
101 # error "Uknown endian"
102 #endif
103 
104 /* make the filter more readable */
105 #define SC_ALLOW(nr)						\
106 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1),	\
107 	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
108 
109 /*
110  * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
111  * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
112  */
113 #define SC_ALLOW_ARG(_nr, _arg, _val)						\
114 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6),			\
115 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
116 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO),		\
117 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
118 	    ((_val) & 0xffffffff), 0, 3),					\
119 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
120 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI),		\
121 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
122 	    (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1),		\
123 	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),				\
124 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
125 	    offsetof(struct seccomp_data, nr))
126 
127 /*
128  * I personally find this quite nutty.  Why can a system header not
129  * define a default for this?
130  */
131 #if defined(__i386__)
132 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
133 #elif defined(__x86_64__)
134 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
135 #elif defined(__arc__)
136 #  if defined(__A7__)
137 #    if (BYTE_ORDER == LITTLE_ENDIAN)
138 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
139 #    else
140 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
141 #    endif
142 #  elif defined(__HS__)
143 #    if (BYTE_ORDER == LITTLE_ENDIAN)
144 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
145 #    else
146 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
147 #    endif
148 #  else
149 #    error "Platform does not support seccomp filter yet"
150 #  endif
151 #elif defined(__arm__)
152 #  ifndef EM_ARM
153 #    define EM_ARM 40
154 #  endif
155 #  if (BYTE_ORDER == LITTLE_ENDIAN)
156 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
157 #  else
158 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
159 #  endif
160 #elif defined(__aarch64__)
161 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
162 #elif defined(__alpha__)
163 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
164 #elif defined(__hppa__)
165 #  if defined(__LP64__)
166 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
167 #  else
168 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
169 #  endif
170 #elif defined(__ia64__)
171 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
172 #elif defined(__microblaze__)
173 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
174 #elif defined(__m68k__)
175 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
176 #elif defined(__mips__)
177 #  if defined(__MIPSEL__)
178 #    if defined(__LP64__)
179 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
180 #    else
181 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
182 #    endif
183 #  elif defined(__LP64__)
184 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
185 #  else
186 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
187 #  endif
188 #elif defined(__nds32__)
189 #  if (BYTE_ORDER == LITTLE_ENDIAN)
190 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
191 #else
192 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
193 #endif
194 #elif defined(__nios2__)
195 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
196 #elif defined(__or1k__)
197 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
198 #elif defined(__powerpc64__)
199 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
200 #elif defined(__powerpc__)
201 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
202 #elif defined(__riscv)
203 #  if defined(__LP64__)
204 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
205 #  else
206 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
207 #  endif
208 #elif defined(__s390x__)
209 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
210 #elif defined(__s390__)
211 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
212 #elif defined(__sh__)
213 #  if defined(__LP64__)
214 #    if (BYTE_ORDER == LITTLE_ENDIAN)
215 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
216 #    else
217 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
218 #    endif
219 #  else
220 #    if (BYTE_ORDER == LITTLE_ENDIAN)
221 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
222 #    else
223 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
224 #    endif
225 #  endif
226 #elif defined(__sparc__)
227 #  if defined(__arch64__)
228 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
229 #  else
230 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
231 #  endif
232 #elif defined(__xtensa__)
233 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
234 #else
235 #  error "Platform does not support seccomp filter yet"
236 #endif
237 
238 static struct sock_filter filter[] = {
239 	/* load the *current* architecture */
240 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
241 	    (offsetof(struct seccomp_data, arch))),
242 	/* ensure it's the same that we've been compiled on */
243 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
244 	    SECCOMP_AUDIT_ARCH, 1, 0),
245 	/* if not, kill the program */
246 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
247 
248 	/* load the syscall number */
249 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
250 	    (offsetof(struct seccomp_data, nr))),
251 
252 #ifdef __NR_accept
253 	SC_ALLOW(accept),
254 #endif
255 #ifdef __NR_accept4
256 	SC_ALLOW(accept4),
257 #endif
258 #ifdef __NR_brk
259 	SC_ALLOW(brk),
260 #endif
261 #ifdef __NR_clock_gettime
262 	SC_ALLOW(clock_gettime),
263 #endif
264 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
265 	SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
266 #endif
267 #ifdef __NR_clock_gettime64
268 	SC_ALLOW(clock_gettime64),
269 #endif
270 #ifdef __NR_close
271 	SC_ALLOW(close),
272 #endif
273 #ifdef __NR_epoll_ctl
274 	SC_ALLOW(epoll_ctl),
275 #endif
276 #ifdef __NR_epoll_pwait
277 	SC_ALLOW(epoll_pwait),
278 #endif
279 #ifdef __NR_epoll_wait
280 	SC_ALLOW(epoll_wait),
281 #endif
282 #ifdef __NR_exit
283 	SC_ALLOW(exit),
284 #endif
285 #ifdef __NR_exit_group
286 	SC_ALLOW(exit_group),
287 #endif
288 #ifdef __NR_fcntl
289 	SC_ALLOW(fcntl),
290 #endif
291 #ifdef __NR_fcntl64
292 	SC_ALLOW(fcntl64),
293 #endif
294 #ifdef __NR_fstat
295 	SC_ALLOW(fstat),
296 #endif
297 #ifdef __NR_getdents64
298 	SC_ALLOW(getdents64),
299 #endif
300 #ifdef __NR_getpid
301 	SC_ALLOW(getpid),
302 #endif
303 #ifdef __NR_getrandom
304 	SC_ALLOW(getrandom),
305 #endif
306 #ifdef __NR_gettimeofday
307 	SC_ALLOW(gettimeofday),
308 #endif
309 #ifdef __NR_ioctl
310 	/* allow ioctl only on fd 1, glibc doing stuff? */
311         SC_ALLOW_ARG(__NR_ioctl, 0, 1),
312 #endif
313 #ifdef __NR_lseek
314 	SC_ALLOW(lseek),
315 #endif
316 #ifdef __NR_madvise
317 	SC_ALLOW(madvise),
318 #endif
319 #ifdef __NR_mmap
320 	SC_ALLOW(mmap),
321 #endif
322 #ifdef __NR_mmap2
323 	SC_ALLOW(mmap2),
324 #endif
325 #ifdef __NR_munmap
326 	SC_ALLOW(munmap),
327 #endif
328 #ifdef __NR_newfstatat
329 	SC_ALLOW(newfstatat),
330 #endif
331 #ifdef __NR_oldfstat
332 	SC_ALLOW(oldfstat),
333 #endif
334 #ifdef __NR_openat
335 	SC_ALLOW(openat),
336 #endif
337 #ifdef __NR_prlimit64
338 	SC_ALLOW(prlimit64),
339 #endif
340 #ifdef __NR_read
341 	SC_ALLOW(read),
342 #endif
343 #ifdef __NR_recvmsg
344 	SC_ALLOW(recvmsg),
345 #endif
346 #ifdef __NR_redav
347 	SC_ALLOW(redav),
348 #endif
349 #ifdef __NR_rt_sigaction
350 	SC_ALLOW(rt_sigaction),
351 #endif
352 #ifdef __NR_rt_sigreturn
353 	SC_ALLOW(rt_sigreturn),
354 #endif
355 #ifdef __NR_sendmsg
356 	SC_ALLOW(sendmsg),
357 #endif
358 #ifdef __NR_statx
359 	SC_ALLOW(statx),
360 #endif
361 #ifdef __NR_write
362 	SC_ALLOW(write),
363 #endif
364 #ifdef __NR_writev
365 	SC_ALLOW(writev),
366 #endif
367 
368 	/* disallow enything else */
369 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
370 };
371 
372 #ifdef SC_DEBUG
373 
374 #include <signal.h>
375 #include <unistd.h>
376 
377 static void
378 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
379 {
380 	(void)signum;
381 	(void)ctx;
382 
383 	fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
384 	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
385 	_exit(1);
386 }
387 
388 static void
389 sandbox_seccomp_catch_sigsys(void)
390 {
391 	struct sigaction act;
392 	sigset_t mask;
393 
394 	memset(&act, 0, sizeof(act));
395 	sigemptyset(&mask);
396 	sigaddset(&mask, SIGSYS);
397 
398 	act.sa_sigaction = &sandbox_seccomp_violation;
399 	act.sa_flags = SA_SIGINFO;
400 	if (sigaction(SIGSYS, &act, NULL) == -1)
401 		fatal("%s: sigaction(SIGSYS): %s",
402 		    __func__, strerror(errno));
403 
404 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
405 		fatal("%s: sigprocmask(SIGSYS): %s\n",
406 		    __func__, strerror(errno));
407 }
408 #endif	/* SC_DEBUG */
409 
410 void
411 sandbox_server_process(void)
412 {
413 	struct sock_fprog prog = {
414 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
415 		.filter = filter,
416 	};
417 
418 #ifdef SC_DEBUG
419 	sandbox_seccomp_catch_sigsys();
420 #endif
421 
422 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
423 		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
424 		    __func__, strerror(errno));
425 
426 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
427 		fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
428 		    __func__, strerror(errno));
429 }
430 
431 void
432 sandbox_executor_process(void)
433 {
434 	/* We cannot use seccomp for the executor process because we
435 	 * don't know what the child will do.  Also, our filter will
436 	 * be inherited so the child cannot set its own seccomp
437 	 * policy. */
438 	return;
439 }
440 
441 void
442 sandbox_logger_process(void)
443 {
444 	/* To be honest, here we could use a seccomp policy to only
445 	 * allow writev(2) and memory allocations. */
446 	return;
447 }
448 
449 #elif defined(__OpenBSD__)
450 
451 #include <unistd.h>
452 
453 void
454 sandbox_server_process(void)
455 {
456 	struct vhost *h;
457 
458 	for (h = hosts; h->domain != NULL; ++h) {
459 		if (unveil(h->dir, "r") == -1)
460 			fatal("unveil %s for domain %s", h->dir, h->domain);
461 	}
462 
463 	if (pledge("stdio recvfd rpath inet", NULL) == -1)
464 		fatal("pledge");
465 }
466 
467 void
468 sandbox_executor_process(void)
469 {
470 	struct vhost	*vhost;
471 
472 	for (vhost = hosts; vhost->domain != NULL; ++vhost) {
473 		/* r so we can chdir into the correct directory */
474 		if (unveil(vhost->dir, "rx") == -1)
475 			err(1, "unveil %s for domain %s",
476 			    vhost->dir, vhost->domain);
477 	}
478 
479 	/* rpath to chdir into the correct directory */
480 	if (pledge("stdio rpath sendfd proc exec", NULL))
481 		err(1, "pledge");
482 }
483 
484 void
485 sandbox_logger_process(void)
486 {
487 	if (pledge("stdio", NULL) == -1)
488 		err(1, "pledge");
489 }
490 
491 #else
492 
493 #warning "No sandbox method known for this OS"
494 
495 void
496 sandbox_server_process(void)
497 {
498 	return;
499 }
500 
501 void
502 sandbox_executor_process(void)
503 {
504 	log_notice(NULL, "no sandbox method known for this OS");
505 }
506 
507 void
508 sandbox_logger_process(void)
509 {
510 	return;
511 }
512 
513 #endif