1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #if defined(__FreeBSD__)
20 
21 #include <sys/capsicum.h>
22 #include <err.h>
23 
24 void
25 sandbox()
26 {
27 	if (cap_enter() == -1)
28 		err(1, "cap_enter");
29 }
30 
31 #elif defined(__linux__)
32 
33 #include <sys/prctl.h>
34 #include <sys/syscall.h>
35 #include <sys/syscall.h>
36 #include <sys/types.h>
37 
38 #include <linux/audit.h>
39 #include <linux/filter.h>
40 #include <linux/seccomp.h>
41 
42 #include <errno.h>
43 #include <fcntl.h>
44 #include <stddef.h>
45 #include <stdio.h>
46 #include <string.h>
47 
48 /* thanks chromium' src/seccomp.c */
49 #if defined(__i386__)
50 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
51 #elif defined(__x86_64__)
52 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
53 #elif defined(__arm__)
54 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
55 #elif defined(__aarch64__)
56 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
57 #elif defined(__mips__)
58 #  if defined(__mips64)
59 #    if defined(__MIPSEB__)
60 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
61 #    else
62 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
63 #    endif
64 #  else
65 #    if defined(__MIPSEB__)
66 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
67 #    else
68 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
69 #    endif
70 #  endif
71 #else
72 #  error "Platform does not support seccomp filter yet"
73 #endif
74 
75 /* uncomment to enable debugging.  ONLY FOR DEVELOPMENT */
76 /* #define SC_DEBUG */
77 
78 #ifdef SC_DEBUG
79 # define SC_FAIL SECCOMP_RET_TRAP
80 #else
81 # define SC_FAIL SECCOMP_RET_KILL
82 #endif
83 
84 /* make the filter more readable */
85 #define SC_ALLOW(nr)						\
86 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1),	\
87 	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
88 
89 #ifdef SC_DEBUG
90 
91 #include <signal.h>
92 #include <unistd.h>
93 
94 static void
95 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
96 {
97 	(void)signum;
98 	(void)ctx;
99 
100 	fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
101 	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
102 	_exit(1);
103 }
104 
105 static void
106 sandbox_seccomp_catch_sigsys(void)
107 {
108 	struct sigaction act;
109 	sigset_t mask;
110 
111 	memset(&act, 0, sizeof(act));
112 	sigemptyset(&mask);
113 	sigaddset(&mask, SIGSYS);
114 
115 	act.sa_sigaction = &sandbox_seccomp_violation;
116 	act.sa_flags = SA_SIGINFO;
117 	if (sigaction(SIGSYS, &act, NULL) == -1) {
118 		fprintf(stderr, "%s: sigaction(SIGSYS): %s\n",
119 		    __func__, strerror(errno));
120 		exit(1);
121 	}
122 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) {
123 		fprintf(stderr, "%s: sigprocmask(SIGSYS): %s\n",
124 		    __func__, strerror(errno));
125 		exit(1);
126 	}
127 }
128 #endif	/* SC_DEBUG */
129 
130 void
131 sandbox()
132 {
133 	struct sock_filter filter[] = {
134 		/* load the *current* architecture */
135 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
136 		    (offsetof(struct seccomp_data, arch))),
137 		/* ensure it's the same that we've been compiled on */
138 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
139 		    SECCOMP_AUDIT_ARCH, 1, 0),
140 		/* if not, kill the program */
141 		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
142 
143 		/* load the syscall number */
144 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
145 		    (offsetof(struct seccomp_data, nr))),
146 
147 		/* allow logging on stdout */
148 		SC_ALLOW(write),
149 		SC_ALLOW(writev),
150 		SC_ALLOW(readv),
151 
152 		/* these are used to serve the files.  note how we
153 		 * allow openat but not open. */
154 
155 #ifdef __aarch64__
156 		/* it seems that on aarch64 there isn't a poll(2)
157 		 * syscall, but instead it's implemented on top of
158 		 * ppoll(2). */
159 		SC_ALLOW(ppoll),
160 #else
161 		SC_ALLOW(poll),
162 #endif
163 		SC_ALLOW(accept),
164 		SC_ALLOW(read),
165 		SC_ALLOW(openat),
166 		SC_ALLOW(fstat),
167 		SC_ALLOW(close),
168 		SC_ALLOW(lseek),
169 		SC_ALLOW(brk),
170 		SC_ALLOW(mmap),
171 		SC_ALLOW(munmap),
172 
173 		/* we need recvmsg to receive fd */
174 		SC_ALLOW(recvmsg),
175 
176 		/* XXX: ??? */
177 		SC_ALLOW(getpid),
178 
179 		/* alpine on amd64 does a clock_gettime(2) */
180 		SC_ALLOW(clock_gettime),
181 
182 		SC_ALLOW(exit),
183 		SC_ALLOW(exit_group),
184 
185 		/* allow only F_GETFL and F_SETFL fcntl */
186 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6),
187 		BPF_STMT(BPF_LD  | BPF_W | BPF_ABS,
188 		    (offsetof(struct seccomp_data, args[1]))),
189 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
190 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
191 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
192 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
193 		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
194 
195 		/* re-load the syscall number */
196 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
197 		    (offsetof(struct seccomp_data, nr))),
198 
199 		/* allow ioctl but only on fd 1, glibc doing stuff? */
200 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
201 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
202 		    (offsetof(struct seccomp_data, args[0]))),
203 		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1),
204 		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
205 
206 		/* disallow enything else */
207 		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
208 	};
209 
210 	struct sock_fprog prog = {
211 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
212 		.filter = filter,
213 	};
214 
215 #ifdef SC_DEBUG
216 	sandbox_seccomp_catch_sigsys();
217 #endif
218 
219 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
220 		fprintf(stderr, "%s: prctl(PR_SET_NO_NEW_PRIVS): %s\n",
221 		    __func__, strerror(errno));
222 		exit(1);
223 	}
224 
225 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
226 		fprintf(stderr, "%s: prctl(PR_SET_SECCOMP): %s\n",
227 		    __func__, strerror(errno));
228 		exit(1);
229 	}
230 }
231 
232 #elif defined(__OpenBSD__)
233 
234 #include <err.h>
235 #include <unistd.h>
236 
237 void
238 sandbox()
239 {
240 	struct vhost *h;
241 
242 	for (h = hosts; h->domain != NULL; ++h) {
243 		if (unveil(h->dir, "rx") == -1)
244 			err(1, "unveil %s for domain %s", h->dir, h->domain);
245 	}
246 
247 	if (pledge("stdio recvfd rpath inet", NULL) == -1)
248 		err(1, "pledge");
249 }
250 
251 #else
252 
253 void
254 sandbox()
255 {
256         LOGN(NULL, "%s", "no sandbox method known for this OS");
257 }
258 
259 #endif