op public repos

Blob

Date:: Sat Jul 3 18:30:07 2021 UTC
Message:: typo
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #if DISABLE_SANDBOX
20 
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
22 
23 void
24 sandbox_server_process(void)
25 {
26 	return;
27 }
28 
29 void
30 sandbox_executor_process(void)
31 {
32         log_notice(NULL, "Sandbox disabled!  "
33 	    "Please report issues upstream instead of disabling the sandbox.");
34 }
35 
36 void
37 sandbox_logger_process(void)
38 {
39 	return;
40 }
41 
42 #elif defined(__FreeBSD__)
43 
44 #include <sys/capsicum.h>
45 
46 void
47 sandbox_server_process(void)
48 {
49 	if (cap_enter() == -1)
50 		fatal("cap_enter");
51 }
52 
53 void
54 sandbox_executor_process(void)
55 {
56 	/* We cannot capsicum the executor process because it needs
57 	 * to fork(2)+execve(2) cgi scripts */
58 	return;
59 }
60 
61 void
62 sandbox_logger_process(void)
63 {
64 	if (cap_enter() == -1)
65 		fatal("cap_enter");
66 }
67 
68 #elif defined(__linux__)
69 
70 #include <sys/prctl.h>
71 #include <sys/syscall.h>
72 #include <sys/syscall.h>
73 #include <sys/types.h>
74 
75 #include <linux/audit.h>
76 #include <linux/filter.h>
77 #include <linux/seccomp.h>
78 
79 #include <errno.h>
80 #include <fcntl.h>
81 #include <stddef.h>
82 #include <stdio.h>
83 #include <string.h>
84 
85 /* uncomment to enable debugging.  ONLY FOR DEVELOPMENT */
86 /* #define SC_DEBUG */
87 
88 #ifdef SC_DEBUG
89 # define SC_FAIL SECCOMP_RET_TRAP
90 #else
91 # define SC_FAIL SECCOMP_RET_KILL
92 #endif
93 
94 #if (BYTE_ORDER == LITTLE_ENDIAN)
95 # define SC_ARG_LO	0
96 # define SC_ARG_HI	sizeof(uint32_t)
97 #elif (BYTE_ORDER == BIG_ENDIAN)
98 # define SC_ARG_LO	sizeof(uint32_t)
99 # define SC_ARG_HI	0
100 #else
101 # error "Uknown endian"
102 #endif
103 
104 /* make the filter more readable */
105 #define SC_ALLOW(nr)						\
106 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1),	\
107 	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
108 
109 /*
110  * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
111  * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
112  */
113 #define SC_ALLOW_ARG(_nr, _arg, _val)						\
114 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6),			\
115 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
116 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO),		\
117 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
118 	    ((_val) & 0xffffffff), 0, 3),					\
119 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
120 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI),		\
121 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
122 	    (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1),		\
123 	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),				\
124 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
125 	    offsetof(struct seccomp_data, nr))
126 
127 /*
128  * I personally find this quite nutty.  Why can a system header not
129  * define a default for this?
130  */
131 #if defined(__i386__)
132 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
133 #elif defined(__x86_64__)
134 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
135 #elif defined(__arc__)
136 #  if defined(__A7__)
137 #    if (BYTE_ORDER == LITTLE_ENDIAN)
138 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
139 #    else
140 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
141 #    endif
142 #  elif defined(__HS__)
143 #    if (BYTE_ORDER == LITTLE_ENDIAN)
144 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
145 #    else
146 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
147 #    endif
148 #  else
149 #    error "Platform does not support seccomp filter yet"
150 #  endif
151 #elif defined(__arm__)
152 #  ifndef EM_ARM
153 #    define EM_ARM 40
154 #  endif
155 #  if (BYTE_ORDER == LITTLE_ENDIAN)
156 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
157 #  else
158 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
159 #  endif
160 #elif defined(__aarch64__)
161 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
162 #elif defined(__alpha__)
163 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
164 #elif defined(__hppa__)
165 #  if defined(__LP64__)
166 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
167 #  else
168 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
169 #  endif
170 #elif defined(__ia64__)
171 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
172 #elif defined(__microblaze__)
173 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
174 #elif defined(__m68k__)
175 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
176 #elif defined(__mips__)
177 #  if defined(__MIPSEL__)
178 #    if defined(__LP64__)
179 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
180 #    else
181 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
182 #    endif
183 #  elif defined(__LP64__)
184 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
185 #  else
186 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
187 #  endif
188 #elif defined(__nds32__)
189 #  if (BYTE_ORDER == LITTLE_ENDIAN)
190 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
191 #else
192 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
193 #endif
194 #elif defined(__nios2__)
195 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
196 #elif defined(__or1k__)
197 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
198 #elif defined(__powerpc64__)
199 #  if (BYTE_ORDER == LITTLE_ENDIAN)
200 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
201 #  else
202 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
203 #  endif
204 #elif defined(__powerpc__)
205 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
206 #elif defined(__riscv)
207 #  if defined(__LP64__)
208 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
209 #  else
210 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
211 #  endif
212 #elif defined(__s390x__)
213 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
214 #elif defined(__s390__)
215 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
216 #elif defined(__sh__)
217 #  if defined(__LP64__)
218 #    if (BYTE_ORDER == LITTLE_ENDIAN)
219 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
220 #    else
221 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
222 #    endif
223 #  else
224 #    if (BYTE_ORDER == LITTLE_ENDIAN)
225 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
226 #    else
227 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
228 #    endif
229 #  endif
230 #elif defined(__sparc__)
231 #  if defined(__arch64__)
232 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
233 #  else
234 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
235 #  endif
236 #elif defined(__xtensa__)
237 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
238 #else
239 #  error "Platform does not support seccomp filter yet"
240 #endif
241 
242 static struct sock_filter filter[] = {
243 	/* load the *current* architecture */
244 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
245 	    (offsetof(struct seccomp_data, arch))),
246 	/* ensure it's the same that we've been compiled on */
247 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
248 	    SECCOMP_AUDIT_ARCH, 1, 0),
249 	/* if not, kill the program */
250 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
251 
252 	/* load the syscall number */
253 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
254 	    (offsetof(struct seccomp_data, nr))),
255 
256 #ifdef __NR_accept
257 	SC_ALLOW(accept),
258 #endif
259 #ifdef __NR_accept4
260 	SC_ALLOW(accept4),
261 #endif
262 #ifdef __NR_brk
263 	SC_ALLOW(brk),
264 #endif
265 #ifdef __NR_clock_gettime
266 	SC_ALLOW(clock_gettime),
267 #endif
268 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
269 	SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
270 #endif
271 #ifdef __NR_clock_gettime64
272 	SC_ALLOW(clock_gettime64),
273 #endif
274 #ifdef __NR_close
275 	SC_ALLOW(close),
276 #endif
277 #ifdef __NR_epoll_ctl
278 	SC_ALLOW(epoll_ctl),
279 #endif
280 #ifdef __NR_epoll_pwait
281 	SC_ALLOW(epoll_pwait),
282 #endif
283 #ifdef __NR_epoll_wait
284 	SC_ALLOW(epoll_wait),
285 #endif
286 #ifdef __NR_exit
287 	SC_ALLOW(exit),
288 #endif
289 #ifdef __NR_exit_group
290 	SC_ALLOW(exit_group),
291 #endif
292 #ifdef __NR_fcntl
293 	SC_ALLOW(fcntl),
294 #endif
295 #ifdef __NR_fcntl64
296 	SC_ALLOW(fcntl64),
297 #endif
298 #ifdef __NR_fstat
299 	SC_ALLOW(fstat),
300 #endif
301 #ifdef __NR_getdents64
302 	SC_ALLOW(getdents64),
303 #endif
304 #ifdef __NR_getpid
305 	SC_ALLOW(getpid),
306 #endif
307 #ifdef __NR_getrandom
308 	SC_ALLOW(getrandom),
309 #endif
310 #ifdef __NR_gettimeofday
311 	SC_ALLOW(gettimeofday),
312 #endif
313 #ifdef __NR_ioctl
314 	/* allow ioctl only on fd 1, glibc doing stuff? */
315         SC_ALLOW_ARG(__NR_ioctl, 0, 1),
316 #endif
317 #ifdef __NR_lseek
318 	SC_ALLOW(lseek),
319 #endif
320 #ifdef __NR_madvise
321 	SC_ALLOW(madvise),
322 #endif
323 #ifdef __NR_mmap
324 	SC_ALLOW(mmap),
325 #endif
326 #ifdef __NR_mmap2
327 	SC_ALLOW(mmap2),
328 #endif
329 #ifdef __NR_munmap
330 	SC_ALLOW(munmap),
331 #endif
332 #ifdef __NR_newfstatat
333 	SC_ALLOW(newfstatat),
334 #endif
335 #ifdef __NR_oldfstat
336 	SC_ALLOW(oldfstat),
337 #endif
338 #ifdef __NR_openat
339 	SC_ALLOW(openat),
340 #endif
341 #ifdef __NR_prlimit64
342 	SC_ALLOW(prlimit64),
343 #endif
344 #ifdef __NR_read
345 	SC_ALLOW(read),
346 #endif
347 #ifdef __NR_recvmsg
348 	SC_ALLOW(recvmsg),
349 #endif
350 #ifdef __NR_redav
351 	SC_ALLOW(redav),
352 #endif
353 #ifdef __NR_rt_sigaction
354 	SC_ALLOW(rt_sigaction),
355 #endif
356 #ifdef __NR_rt_sigreturn
357 	SC_ALLOW(rt_sigreturn),
358 #endif
359 #ifdef __NR_sendmsg
360 	SC_ALLOW(sendmsg),
361 #endif
362 #ifdef __NR_statx
363 	SC_ALLOW(statx),
364 #endif
365 #ifdef __NR_write
366 	SC_ALLOW(write),
367 #endif
368 #ifdef __NR_writev
369 	SC_ALLOW(writev),
370 #endif
371 
372 	/* disallow everything else */
373 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
374 };
375 
376 #ifdef SC_DEBUG
377 
378 #include <signal.h>
379 #include <unistd.h>
380 
381 static void
382 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
383 {
384 	(void)signum;
385 	(void)ctx;
386 
387 	fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
388 	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
389 	_exit(1);
390 }
391 
392 static void
393 sandbox_seccomp_catch_sigsys(void)
394 {
395 	struct sigaction act;
396 	sigset_t mask;
397 
398 	memset(&act, 0, sizeof(act));
399 	sigemptyset(&mask);
400 	sigaddset(&mask, SIGSYS);
401 
402 	act.sa_sigaction = &sandbox_seccomp_violation;
403 	act.sa_flags = SA_SIGINFO;
404 	if (sigaction(SIGSYS, &act, NULL) == -1)
405 		fatal("%s: sigaction(SIGSYS): %s",
406 		    __func__, strerror(errno));
407 
408 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
409 		fatal("%s: sigprocmask(SIGSYS): %s\n",
410 		    __func__, strerror(errno));
411 }
412 #endif	/* SC_DEBUG */
413 
414 void
415 sandbox_server_process(void)
416 {
417 	struct sock_fprog prog = {
418 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
419 		.filter = filter,
420 	};
421 
422 #ifdef SC_DEBUG
423 	sandbox_seccomp_catch_sigsys();
424 #endif
425 
426 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
427 		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
428 		    __func__, strerror(errno));
429 
430 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
431 		fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
432 		    __func__, strerror(errno));
433 }
434 
435 void
436 sandbox_executor_process(void)
437 {
438 	/* We cannot use seccomp for the executor process because we
439 	 * don't know what the child will do.  Also, our filter will
440 	 * be inherited so the child cannot set its own seccomp
441 	 * policy. */
442 	return;
443 }
444 
445 void
446 sandbox_logger_process(void)
447 {
448 	/* To be honest, here we could use a seccomp policy to only
449 	 * allow writev(2) and memory allocations. */
450 	return;
451 }
452 
453 #elif defined(__OpenBSD__)
454 
455 #include <unistd.h>
456 
457 void
458 sandbox_server_process(void)
459 {
460 	struct vhost	*h;
461 	struct location	*l;
462 
463 	TAILQ_FOREACH(h, &hosts, vhosts) {
464 		TAILQ_FOREACH(l, &h->locations, locations) {
465 			if (l->dir == NULL)
466 				continue;
467 
468 			if (unveil(l->dir, "r") == -1)
469 				fatal("unveil %s for domain %s",
470 				    l->dir,
471 				    h->domain);
472 		}
473 	}
474 
475 	if (pledge("stdio recvfd rpath inet", NULL) == -1)
476 		fatal("pledge");
477 }
478 
479 void
480 sandbox_executor_process(void)
481 {
482 	struct vhost	*h;
483 	struct location	*l;
484 	struct fcgi	*f;
485 	size_t		 i;
486 
487 	TAILQ_FOREACH(h, &hosts, vhosts) {
488 		TAILQ_FOREACH(l, &h->locations, locations) {
489 			if (l->dir == NULL)
490 				continue;
491 
492 			/* r so we can chdir into the correct directory */
493 			if (unveil(l->dir, "rx") == -1)
494 				fatal("unveil %s for domain %s",
495 				    l->dir, h->domain);
496 		}
497 	}
498 
499 	for (i = 0; i < FCGI_MAX; i++) {
500                 f = &fcgi[i];
501 		if (f->path != NULL) {
502 			if (unveil(f->path, "rw") == -1)
503 				fatal("unveil %s", f->path);
504 		}
505 
506 		if (f->prog != NULL) {
507 			if (unveil(f->prog, "rx") == -1)
508 				fatal("unveil %s", f->prog);
509 		}
510 	}
511 
512 	/*
513 	 * rpath: to chdir into the correct directory
514 	 * proc exec: CGI
515 	 * dns inet unix: FastCGI
516 	 */
517 	if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL))
518 		err(1, "pledge");
519 }
520 
521 void
522 sandbox_logger_process(void)
523 {
524 	if (pledge("stdio recvfd", NULL) == -1)
525 		err(1, "pledge");
526 }
527 
528 #else
529 
530 #warning "No sandbox method known for this OS"
531 
532 void
533 sandbox_server_process(void)
534 {
535 	return;
536 }
537 
538 void
539 sandbox_executor_process(void)
540 {
541 	log_notice(NULL, "no sandbox method known for this OS");
542 }
543 
544 void
545 sandbox_logger_process(void)
546 {
547 	return;
548 }
549 
550 #endif