2 * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
24 sandbox_server_process(int can_open_sockets)
30 sandbox_logger_process(void)
35 #elif defined(__FreeBSD__)
37 #include <sys/capsicum.h>
40 sandbox_server_process(int can_open_sockets)
42 /* can't capsicum if fastcgi or proxying are used. */
46 if (cap_enter() == -1)
51 sandbox_logger_process(void)
53 if (cap_enter() == -1)
57 #elif defined(__linux__)
59 #include <sys/ioctl.h>
60 #include <sys/prctl.h>
61 #include <sys/syscall.h>
62 #include <sys/syscall.h>
63 #include <sys/types.h>
65 #include <linux/audit.h>
66 #include <linux/filter.h>
67 #include <linux/seccomp.h>
76 # include "landlock_shim.h"
79 /* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
80 /* #define SC_DEBUG */
83 # define SC_FAIL SECCOMP_RET_TRAP
85 # define SC_FAIL SECCOMP_RET_KILL
88 #if (BYTE_ORDER == LITTLE_ENDIAN)
90 # define SC_ARG_HI sizeof(uint32_t)
91 #elif (BYTE_ORDER == BIG_ENDIAN)
92 # define SC_ARG_LO sizeof(uint32_t)
95 # error "Uknown endian"
98 /* make the filter more readable */
99 #define SC_ALLOW(nr) \
100 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
101 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
104 * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
105 * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
107 #define SC_ALLOW_ARG(_nr, _arg, _val) \
108 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6), \
109 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
110 offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO), \
111 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
112 ((_val) & 0xffffffff), 0, 3), \
113 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
114 offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI), \
115 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
116 (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1), \
117 BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), \
118 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
119 offsetof(struct seccomp_data, nr))
122 * I personally find this quite nutty. Why can a system header not
123 * define a default for this?
125 #if defined(__i386__)
126 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
127 #elif defined(__x86_64__)
128 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
129 #elif defined(__arc__)
131 # if (BYTE_ORDER == LITTLE_ENDIAN)
132 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
134 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
136 # elif defined(__HS__)
137 # if (BYTE_ORDER == LITTLE_ENDIAN)
138 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
140 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
143 # error "Platform does not support seccomp filter yet"
145 #elif defined(__arm__)
149 # if (BYTE_ORDER == LITTLE_ENDIAN)
150 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
152 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
154 #elif defined(__aarch64__)
155 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
156 #elif defined(__alpha__)
157 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
158 #elif defined(__hppa__)
159 # if defined(__LP64__)
160 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
162 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
164 #elif defined(__ia64__)
165 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
166 #elif defined(__microblaze__)
167 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
168 #elif defined(__m68k__)
169 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
170 #elif defined(__mips__)
171 # if defined(__MIPSEL__)
172 # if defined(__LP64__)
173 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
175 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
177 # elif defined(__LP64__)
178 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
180 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
182 #elif defined(__nds32__)
183 # if (BYTE_ORDER == LITTLE_ENDIAN)
184 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
186 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
188 #elif defined(__nios2__)
189 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
190 #elif defined(__or1k__)
191 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
192 #elif defined(__powerpc64__)
193 # if (BYTE_ORDER == LITTLE_ENDIAN)
194 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
196 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
198 #elif defined(__powerpc__)
199 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
200 #elif defined(__riscv)
201 # if defined(__LP64__)
202 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
204 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
206 #elif defined(__s390x__)
207 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
208 #elif defined(__s390__)
209 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
210 #elif defined(__sh__)
211 # if defined(__LP64__)
212 # if (BYTE_ORDER == LITTLE_ENDIAN)
213 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
215 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
218 # if (BYTE_ORDER == LITTLE_ENDIAN)
219 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
221 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
224 #elif defined(__sparc__)
225 # if defined(__arch64__)
226 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
228 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
230 #elif defined(__xtensa__)
231 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
233 # error "Platform does not support seccomp filter yet"
236 static const struct sock_filter filter[] = {
237 /* load the *current* architecture */
238 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
239 (offsetof(struct seccomp_data, arch))),
240 /* ensure it's the same that we've been compiled on */
241 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
242 SECCOMP_AUDIT_ARCH, 1, 0),
243 /* if not, kill the program */
244 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
246 /* load the syscall number */
247 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
248 (offsetof(struct seccomp_data, nr))),
259 #ifdef __NR_clock_gettime
260 SC_ALLOW(clock_gettime),
262 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
263 SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
265 #ifdef __NR_clock_gettime64
266 SC_ALLOW(clock_gettime64),
271 #ifdef __NR_epoll_ctl
274 #ifdef __NR_epoll_pwait
275 SC_ALLOW(epoll_pwait),
277 #ifdef __NR_epoll_wait
278 SC_ALLOW(epoll_wait),
283 #ifdef __NR_exit_group
284 SC_ALLOW(exit_group),
298 #ifdef __NR_fstatat64
301 #ifdef __NR_getdents64
302 SC_ALLOW(getdents64),
307 #ifdef __NR_getrandom
310 #ifdef __NR_gettimeofday
311 SC_ALLOW(gettimeofday),
314 /* allow ioctl on fd 1, glibc doing stuff? */
315 SC_ALLOW_ARG(__NR_ioctl, 0, 1),
316 /* allow FIONREAD needed by libevent */
317 SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
337 #ifdef __NR_newfstatat
338 SC_ALLOW(newfstatat),
344 SC_ALLOW_ARG(__NR_openat, 3, O_RDONLY),
346 #ifdef __NR_prlimit64
358 #ifdef __NR_rt_sigaction
359 SC_ALLOW(rt_sigaction),
361 #ifdef __NR_rt_sigreturn
362 SC_ALLOW(rt_sigreturn),
367 #ifdef __NR_sigreturn
373 #ifdef __NR_ugetrlimit
374 SC_ALLOW(ugetrlimit),
383 /* disallow everything else */
384 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
393 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
395 fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
396 __func__, info->si_arch, info->si_syscall, info->si_call_addr);
401 sandbox_seccomp_catch_sigsys(void)
403 struct sigaction act;
406 memset(&act, 0, sizeof(act));
408 sigaddset(&mask, SIGSYS);
410 act.sa_sigaction = &sandbox_seccomp_violation;
411 act.sa_flags = SA_SIGINFO;
412 if (sigaction(SIGSYS, &act, NULL) == -1)
413 fatal("%s: sigaction(SIGSYS): %s",
414 __func__, strerror(errno));
416 if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
417 fatal("%s: sigprocmask(SIGSYS): %s\n",
418 __func__, strerror(errno));
420 #endif /* SC_DEBUG */
428 const struct landlock_ruleset_attr attr = {
429 .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE |
430 LANDLOCK_ACCESS_FS_READ_FILE |
431 LANDLOCK_ACCESS_FS_READ_DIR |
432 LANDLOCK_ACCESS_FS_WRITE_FILE |
433 LANDLOCK_ACCESS_FS_REMOVE_DIR |
434 LANDLOCK_ACCESS_FS_REMOVE_FILE |
435 LANDLOCK_ACCESS_FS_MAKE_CHAR |
436 LANDLOCK_ACCESS_FS_MAKE_DIR |
437 LANDLOCK_ACCESS_FS_MAKE_REG |
438 LANDLOCK_ACCESS_FS_MAKE_SOCK |
439 LANDLOCK_ACCESS_FS_MAKE_FIFO |
440 LANDLOCK_ACCESS_FS_MAKE_BLOCK |
441 LANDLOCK_ACCESS_FS_MAKE_SYM,
444 fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
448 fatal("%s: failed to create ruleset. "
449 "Landlock doesn't seem to be supported by the "
450 "current kernel.", __func__);
452 log_warn(NULL, "%s: failed to create ruleset. "
453 "Landlock seems to be currently disabled; "
454 "continuing without it.", __func__);
457 fatal("%s: failed to create ruleset: %s",
458 __func__, strerror(errno));
466 landlock_unveil_path(int landlock_fd, const char *path, int perms)
468 struct landlock_path_beneath_attr pb;
469 int err, saved_errno;
471 pb.allowed_access = perms;
473 if ((pb.parent_fd = open(path, O_PATH)) == -1)
476 err = landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH,
485 landlock_apply(int fd)
492 r = landlock_restrict_self(fd, 0);
500 server_landlock(void)
507 * These are all the actions allowed for the root directories
510 perms = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
512 if ((fd = open_landlock()) == -1)
515 TAILQ_FOREACH(h, &hosts, vhosts) {
516 TAILQ_FOREACH(l, &h->locations, locations) {
520 if (landlock_unveil_path(fd, l->dir, perms) == -1)
521 fatal("%s: landlock_unveil_path(%s): %s",
522 __func__, l->dir, strerror(errno));
526 return landlock_apply(fd);
530 logger_landlock(void)
534 if ((fd = open_landlock()) == -1)
537 /* no rules. the logger doesn't need fs access at all. */
539 return landlock_apply(fd);
544 sandbox_server_process(int can_open_sockets)
546 const struct sock_fprog prog = {
547 .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
551 /* can't seccomp/landlock if fastcgi or proxying are used. */
552 if (can_open_sockets)
557 sandbox_seccomp_catch_sigsys();
560 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
561 fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
562 __func__, strerror(errno));
565 if (server_landlock() == -1)
566 fatal("%s: server_landlock: %s",
567 __func__, strerror(errno));
570 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
571 fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
572 __func__, strerror(errno));
576 sandbox_logger_process(void)
579 * Here we could use a seccomp filter to allow only recvfd,
580 * write/writev and memory allocations, but syslog is a beast
581 * and I don't know what syscalls it could end up doing.
582 * Landlock is a simpler beast, use it to disallow any file
586 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
587 fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
588 __func__, strerror(errno));
591 if (logger_landlock() == -1)
592 fatal("%s: logger_landlock: %s",
593 __func__, strerror(errno));
599 #elif defined(__OpenBSD__)
604 sandbox_server_process(int can_open_sockets)
609 TAILQ_FOREACH(h, &hosts, vhosts) {
610 TAILQ_FOREACH(l, &h->locations, locations) {
614 if (unveil(l->dir, "r") == -1)
615 fatal("unveil %s for domain %s",
621 if (pledge("stdio recvfd rpath inet dns", NULL) == -1)
626 sandbox_logger_process(void)
628 if (pledge("stdio recvfd", NULL) == -1)
634 #warning "No sandbox method known for this OS"
637 sandbox_server_process(int can_open_sockets)
643 sandbox_logger_process(void)