Blob


1 /*
2 * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
17 #include "gmid.h"
19 #if DISABLE_SANDBOX
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
23 void
24 sandbox_server_process(void)
25 {
26 return;
27 }
29 void
30 sandbox_executor_process(void)
31 {
32 log_notice(NULL, "Sandbox disabled! "
33 "Please report issues upstream instead of disabling the sandbox.");
34 }
36 void
37 sandbox_logger_process(void)
38 {
39 return;
40 }
42 #elif defined(__FreeBSD__)
44 #include <sys/capsicum.h>
46 void
47 sandbox_server_process(void)
48 {
49 if (cap_enter() == -1)
50 fatal("cap_enter");
51 }
53 void
54 sandbox_executor_process(void)
55 {
56 /*
57 * We cannot capsicum the executor process because it needs to
58 * fork(2)+execve(2) cgi scripts
59 */
60 return;
61 }
63 void
64 sandbox_logger_process(void)
65 {
66 if (cap_enter() == -1)
67 fatal("cap_enter");
68 }
70 #elif defined(__linux__)
72 #include <sys/ioctl.h>
73 #include <sys/prctl.h>
74 #include <sys/syscall.h>
75 #include <sys/syscall.h>
76 #include <sys/types.h>
78 #include <linux/audit.h>
79 #include <linux/filter.h>
80 #include <linux/seccomp.h>
82 #include <errno.h>
83 #include <fcntl.h>
84 #include <stddef.h>
85 #include <stdio.h>
86 #include <string.h>
88 #if HAVE_LANDLOCK
89 # include "landlock_shim.h"
90 #endif
92 /* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
93 /* #define SC_DEBUG */
95 #ifdef SC_DEBUG
96 # define SC_FAIL SECCOMP_RET_TRAP
97 #else
98 # define SC_FAIL SECCOMP_RET_KILL
99 #endif
101 #if (BYTE_ORDER == LITTLE_ENDIAN)
102 # define SC_ARG_LO 0
103 # define SC_ARG_HI sizeof(uint32_t)
104 #elif (BYTE_ORDER == BIG_ENDIAN)
105 # define SC_ARG_LO sizeof(uint32_t)
106 # define SC_ARG_HI 0
107 #else
108 # error "Uknown endian"
109 #endif
111 /* make the filter more readable */
112 #define SC_ALLOW(nr) \
113 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
114 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
116 /*
117 * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
118 * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
119 */
120 #define SC_ALLOW_ARG(_nr, _arg, _val) \
121 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6), \
122 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
123 offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO), \
124 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
125 ((_val) & 0xffffffff), 0, 3), \
126 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
127 offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI), \
128 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
129 (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1), \
130 BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), \
131 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
132 offsetof(struct seccomp_data, nr))
134 /*
135 * I personally find this quite nutty. Why can a system header not
136 * define a default for this?
137 */
138 #if defined(__i386__)
139 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
140 #elif defined(__x86_64__)
141 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
142 #elif defined(__arc__)
143 # if defined(__A7__)
144 # if (BYTE_ORDER == LITTLE_ENDIAN)
145 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
146 # else
147 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
148 # endif
149 # elif defined(__HS__)
150 # if (BYTE_ORDER == LITTLE_ENDIAN)
151 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
152 # else
153 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
154 # endif
155 # else
156 # error "Platform does not support seccomp filter yet"
157 # endif
158 #elif defined(__arm__)
159 # ifndef EM_ARM
160 # define EM_ARM 40
161 # endif
162 # if (BYTE_ORDER == LITTLE_ENDIAN)
163 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
164 # else
165 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
166 # endif
167 #elif defined(__aarch64__)
168 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
169 #elif defined(__alpha__)
170 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
171 #elif defined(__hppa__)
172 # if defined(__LP64__)
173 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
174 # else
175 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
176 # endif
177 #elif defined(__ia64__)
178 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
179 #elif defined(__microblaze__)
180 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
181 #elif defined(__m68k__)
182 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
183 #elif defined(__mips__)
184 # if defined(__MIPSEL__)
185 # if defined(__LP64__)
186 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
187 # else
188 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
189 # endif
190 # elif defined(__LP64__)
191 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
192 # else
193 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
194 # endif
195 #elif defined(__nds32__)
196 # if (BYTE_ORDER == LITTLE_ENDIAN)
197 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
198 #else
199 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
200 #endif
201 #elif defined(__nios2__)
202 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
203 #elif defined(__or1k__)
204 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
205 #elif defined(__powerpc64__)
206 # if (BYTE_ORDER == LITTLE_ENDIAN)
207 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
208 # else
209 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
210 # endif
211 #elif defined(__powerpc__)
212 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
213 #elif defined(__riscv)
214 # if defined(__LP64__)
215 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
216 # else
217 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
218 # endif
219 #elif defined(__s390x__)
220 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
221 #elif defined(__s390__)
222 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
223 #elif defined(__sh__)
224 # if defined(__LP64__)
225 # if (BYTE_ORDER == LITTLE_ENDIAN)
226 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
227 # else
228 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
229 # endif
230 # else
231 # if (BYTE_ORDER == LITTLE_ENDIAN)
232 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
233 # else
234 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
235 # endif
236 # endif
237 #elif defined(__sparc__)
238 # if defined(__arch64__)
239 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
240 # else
241 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
242 # endif
243 #elif defined(__xtensa__)
244 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
245 #else
246 # error "Platform does not support seccomp filter yet"
247 #endif
249 static const struct sock_filter filter[] = {
250 /* load the *current* architecture */
251 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
252 (offsetof(struct seccomp_data, arch))),
253 /* ensure it's the same that we've been compiled on */
254 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
255 SECCOMP_AUDIT_ARCH, 1, 0),
256 /* if not, kill the program */
257 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
259 /* load the syscall number */
260 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
261 (offsetof(struct seccomp_data, nr))),
263 #ifdef __NR_accept
264 SC_ALLOW(accept),
265 #endif
266 #ifdef __NR_accept4
267 SC_ALLOW(accept4),
268 #endif
269 #ifdef __NR_brk
270 SC_ALLOW(brk),
271 #endif
272 #ifdef __NR_clock_gettime
273 SC_ALLOW(clock_gettime),
274 #endif
275 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
276 SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
277 #endif
278 #ifdef __NR_clock_gettime64
279 SC_ALLOW(clock_gettime64),
280 #endif
281 #ifdef __NR_close
282 SC_ALLOW(close),
283 #endif
284 #ifdef __NR_epoll_ctl
285 SC_ALLOW(epoll_ctl),
286 #endif
287 #ifdef __NR_epoll_pwait
288 SC_ALLOW(epoll_pwait),
289 #endif
290 #ifdef __NR_epoll_wait
291 SC_ALLOW(epoll_wait),
292 #endif
293 #ifdef __NR_exit
294 SC_ALLOW(exit),
295 #endif
296 #ifdef __NR_exit_group
297 SC_ALLOW(exit_group),
298 #endif
299 #ifdef __NR_fcntl
300 SC_ALLOW(fcntl),
301 #endif
302 #ifdef __NR_fcntl64
303 SC_ALLOW(fcntl64),
304 #endif
305 #ifdef __NR_fstat
306 SC_ALLOW(fstat),
307 #endif
308 #ifdef __NR_fstat64
309 SC_ALLOW(fstat64),
310 #endif
311 #ifdef __NR_fstatat64
312 SC_ALLOW(fstatat64),
313 #endif
314 #ifdef __NR_getdents64
315 SC_ALLOW(getdents64),
316 #endif
317 #ifdef __NR_getpid
318 SC_ALLOW(getpid),
319 #endif
320 #ifdef __NR_getrandom
321 SC_ALLOW(getrandom),
322 #endif
323 #ifdef __NR_gettimeofday
324 SC_ALLOW(gettimeofday),
325 #endif
326 #ifdef __NR_ioctl
327 /* allow ioctl on fd 1, glibc doing stuff? */
328 SC_ALLOW_ARG(__NR_ioctl, 0, 1),
329 /* allow FIONREAD needed by libevent */
330 SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
331 #endif
332 #ifdef __NR__llseek
333 SC_ALLOW(_llseek),
334 #endif
335 #ifdef __NR_lseek
336 SC_ALLOW(lseek),
337 #endif
338 #ifdef __NR_madvise
339 SC_ALLOW(madvise),
340 #endif
341 #ifdef __NR_mmap
342 SC_ALLOW(mmap),
343 #endif
344 #ifdef __NR_mmap2
345 SC_ALLOW(mmap2),
346 #endif
347 #ifdef __NR_munmap
348 SC_ALLOW(munmap),
349 #endif
350 #ifdef __NR_newfstatat
351 SC_ALLOW(newfstatat),
352 #endif
353 #ifdef __NR_oldfstat
354 SC_ALLOW(oldfstat),
355 #endif
356 #ifdef __NR_openat
357 SC_ALLOW_ARG(__NR_openat, 3, O_RDONLY),
358 #endif
359 #ifdef __NR_prlimit64
360 SC_ALLOW(prlimit64),
361 #endif
362 #ifdef __NR_read
363 SC_ALLOW(read),
364 #endif
365 #ifdef __NR_recvmsg
366 SC_ALLOW(recvmsg),
367 #endif
368 #ifdef __NR_readv
369 SC_ALLOW(readv),
370 #endif
371 #ifdef __NR_rt_sigaction
372 SC_ALLOW(rt_sigaction),
373 #endif
374 #ifdef __NR_rt_sigreturn
375 SC_ALLOW(rt_sigreturn),
376 #endif
377 #ifdef __NR_sendmsg
378 SC_ALLOW(sendmsg),
379 #endif
380 #ifdef __NR_sigreturn
381 SC_ALLOW(sigreturn),
382 #endif
383 #ifdef __NR_statx
384 SC_ALLOW(statx),
385 #endif
386 #ifdef __NR_ugetrlimit
387 SC_ALLOW(ugetrlimit),
388 #endif
389 #ifdef __NR_write
390 SC_ALLOW(write),
391 #endif
392 #ifdef __NR_writev
393 SC_ALLOW(writev),
394 #endif
396 /* disallow everything else */
397 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
398 };
400 #ifdef SC_DEBUG
402 #include <signal.h>
403 #include <unistd.h>
405 static void
406 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
408 fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
409 __func__, info->si_arch, info->si_syscall, info->si_call_addr);
410 _exit(1);
413 static void
414 sandbox_seccomp_catch_sigsys(void)
416 struct sigaction act;
417 sigset_t mask;
419 memset(&act, 0, sizeof(act));
420 sigemptyset(&mask);
421 sigaddset(&mask, SIGSYS);
423 act.sa_sigaction = &sandbox_seccomp_violation;
424 act.sa_flags = SA_SIGINFO;
425 if (sigaction(SIGSYS, &act, NULL) == -1)
426 fatal("%s: sigaction(SIGSYS): %s",
427 __func__, strerror(errno));
429 if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
430 fatal("%s: sigprocmask(SIGSYS): %s\n",
431 __func__, strerror(errno));
433 #endif /* SC_DEBUG */
435 #if HAVE_LANDLOCK
436 static inline int
437 open_landlock(void)
439 int fd;
441 const struct landlock_ruleset_attr attr = {
442 .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE |
443 LANDLOCK_ACCESS_FS_READ_FILE |
444 LANDLOCK_ACCESS_FS_READ_DIR |
445 LANDLOCK_ACCESS_FS_WRITE_FILE |
446 LANDLOCK_ACCESS_FS_REMOVE_DIR |
447 LANDLOCK_ACCESS_FS_REMOVE_FILE |
448 LANDLOCK_ACCESS_FS_MAKE_CHAR |
449 LANDLOCK_ACCESS_FS_MAKE_DIR |
450 LANDLOCK_ACCESS_FS_MAKE_REG |
451 LANDLOCK_ACCESS_FS_MAKE_SOCK |
452 LANDLOCK_ACCESS_FS_MAKE_FIFO |
453 LANDLOCK_ACCESS_FS_MAKE_BLOCK |
454 LANDLOCK_ACCESS_FS_MAKE_SYM,
455 };
457 fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
458 if (fd == -1) {
459 switch (errno) {
460 case ENOSYS:
461 fatal("%s: failed to create ruleset. "
462 "Landlock doesn't seem to be supported by the "
463 "current kernel.", __func__);
464 case EOPNOTSUPP:
465 log_warn(NULL, "%s: failed to create ruleset. "
466 "Landlock seems to be currently disabled; "
467 "continuing without it.", __func__);
468 break;
469 default:
470 fatal("%s: failed to create ruleset: %s",
471 __func__, strerror(errno));
475 return fd;
478 static int
479 landlock_unveil_path(int landlock_fd, const char *path, int perms)
481 struct landlock_path_beneath_attr pb;
482 int err, saved_errno;
484 pb.allowed_access = perms;
486 if ((pb.parent_fd = open(path, O_PATH)) == -1)
487 return -1;
489 err = landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH,
490 &pb, 0);
491 saved_errno = errno;
492 close(pb.parent_fd);
493 errno = saved_errno;
494 return err ? -1 : 0;
497 static int
498 landlock_apply(int fd)
500 int r, saved_errno;
502 if (fd == -1)
503 return 0;
505 r = landlock_restrict_self(fd, 0);
506 saved_errno = errno;
507 close(fd);
508 errno = saved_errno;
509 return r ? -1 : 0;
512 static int
513 server_landlock(void)
515 int fd, perms;
516 struct vhost *h;
517 struct location *l;
519 /*
520 * These are all the actions allowed for the root directories
521 * of the vhosts.
522 */
523 perms = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
525 if ((fd = open_landlock()) == -1)
526 return 0;
528 TAILQ_FOREACH(h, &hosts, vhosts) {
529 TAILQ_FOREACH(l, &h->locations, locations) {
530 if (l->dir == NULL)
531 continue;
533 if (landlock_unveil_path(fd, l->dir, perms) == -1)
534 fatal("%s: landlock_unveil_path(%s): %s",
535 __func__, l->dir, strerror(errno));
539 return landlock_apply(fd);
542 static int
543 logger_landlock(void)
545 int fd;
547 if ((fd = open_landlock()) == -1)
548 return 0;
550 /* no rules. the logger doesn't need fs access at all. */
552 return landlock_apply(fd);
554 #endif
556 void
557 sandbox_server_process(void)
559 const struct sock_fprog prog = {
560 .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
561 .filter = filter,
562 };
564 #ifdef SC_DEBUG
565 sandbox_seccomp_catch_sigsys();
566 #endif
568 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
569 fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
570 __func__, strerror(errno));
572 #if HAVE_LANDLOCK
573 if (server_landlock() == -1)
574 fatal("%s: server_landlock: %s",
575 __func__, strerror(errno));
576 #endif
578 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
579 fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
580 __func__, strerror(errno));
583 void
584 sandbox_executor_process(void)
586 /*
587 * We cannot use seccomp for the executor process because we
588 * don't know what the child will do. Also, our filter will
589 * be inherited so the child cannot set its own seccomp
590 * policy.
591 */
592 return;
595 void
596 sandbox_logger_process(void)
598 /*
599 * Here we could use a seccomp filter to allow only recvfd,
600 * write/writev and memory allocations, but syslog is a beast
601 * and I don't know what syscalls it could end up doing.
602 * Landlock is a simpler beast, use it to disallow any file
603 * sytsem access.
604 */
606 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
607 fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
608 __func__, strerror(errno));
610 #if HAVE_LANDLOCK
611 if (logger_landlock() == -1)
612 fatal("%s: logger_landlock: %s",
613 __func__, strerror(errno));
614 #endif
616 return;
619 #elif defined(__OpenBSD__)
621 #include <unistd.h>
623 void
624 sandbox_server_process(void)
626 struct vhost *h;
627 struct location *l;
629 TAILQ_FOREACH(h, &hosts, vhosts) {
630 TAILQ_FOREACH(l, &h->locations, locations) {
631 if (l->dir == NULL)
632 continue;
634 if (unveil(l->dir, "r") == -1)
635 fatal("unveil %s for domain %s",
636 l->dir,
637 h->domain);
641 if (pledge("stdio recvfd rpath inet dns", NULL) == -1)
642 fatal("pledge");
645 void
646 sandbox_executor_process(void)
648 struct vhost *h;
649 struct location *l;
650 struct fcgi *f;
651 size_t i;
653 TAILQ_FOREACH(h, &hosts, vhosts) {
654 TAILQ_FOREACH(l, &h->locations, locations) {
655 if (l->dir == NULL)
656 continue;
658 /* r so we can chdir into the directory */
659 if (unveil(l->dir, "rx") == -1)
660 fatal("unveil %s for domain %s",
661 l->dir, h->domain);
665 for (i = 0; i < FCGI_MAX; i++) {
666 f = &fcgi[i];
667 if (f->path != NULL) {
668 if (unveil(f->path, "rw") == -1)
669 fatal("unveil %s", f->path);
672 if (f->prog != NULL) {
673 if (unveil(f->prog, "rx") == -1)
674 fatal("unveil %s", f->prog);
678 /*
679 * rpath: to chdir into the correct directory
680 * proc exec: CGI
681 * dns inet unix: FastCGI
682 */
683 if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL))
684 err(1, "pledge");
687 void
688 sandbox_logger_process(void)
690 if (pledge("stdio recvfd", NULL) == -1)
691 err(1, "pledge");
694 #else
696 #warning "No sandbox method known for this OS"
698 void
699 sandbox_server_process(void)
701 return;
704 void
705 sandbox_executor_process(void)
707 log_notice(NULL, "no sandbox method known for this OS");
710 void
711 sandbox_logger_process(void)
713 return;
716 #endif