op public repos

Blob

Date:: Fri Jul 23 06:55:32 2021 UTC
Message:: typo Since there was 0 reports in a month can I assume it's not actually used anywhere?
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #if DISABLE_SANDBOX
20 
21 #warning "Sandbox disabled! Please report issues upstream instead of disabling the sandbox."
22 
23 void
24 sandbox_server_process(void)
25 {
26 	return;
27 }
28 
29 void
30 sandbox_executor_process(void)
31 {
32         log_notice(NULL, "Sandbox disabled!  "
33 	    "Please report issues upstream instead of disabling the sandbox.");
34 }
35 
36 void
37 sandbox_logger_process(void)
38 {
39 	return;
40 }
41 
42 #elif defined(__FreeBSD__)
43 
44 #include <sys/capsicum.h>
45 
46 void
47 sandbox_server_process(void)
48 {
49 	if (cap_enter() == -1)
50 		fatal("cap_enter");
51 }
52 
53 void
54 sandbox_executor_process(void)
55 {
56 	/*
57 	 * We cannot capsicum the executor process because it needs to
58 	 * fork(2)+execve(2) cgi scripts
59 	 */
60 	return;
61 }
62 
63 void
64 sandbox_logger_process(void)
65 {
66 	if (cap_enter() == -1)
67 		fatal("cap_enter");
68 }
69 
70 #elif defined(__linux__)
71 
72 #include <sys/prctl.h>
73 #include <sys/syscall.h>
74 #include <sys/syscall.h>
75 #include <sys/types.h>
76 
77 #include <linux/audit.h>
78 #include <linux/filter.h>
79 #include <linux/seccomp.h>
80 
81 #include <errno.h>
82 #include <fcntl.h>
83 #include <stddef.h>
84 #include <stdio.h>
85 #include <string.h>
86 
87 /* uncomment to enable debugging.  ONLY FOR DEVELOPMENT */
88 /* #define SC_DEBUG */
89 
90 #ifdef SC_DEBUG
91 # define SC_FAIL SECCOMP_RET_TRAP
92 #else
93 # define SC_FAIL SECCOMP_RET_KILL
94 #endif
95 
96 #if (BYTE_ORDER == LITTLE_ENDIAN)
97 # define SC_ARG_LO	0
98 # define SC_ARG_HI	sizeof(uint32_t)
99 #elif (BYTE_ORDER == BIG_ENDIAN)
100 # define SC_ARG_LO	sizeof(uint32_t)
101 # define SC_ARG_HI	0
102 #else
103 # error "Uknown endian"
104 #endif
105 
106 /* make the filter more readable */
107 #define SC_ALLOW(nr)						\
108 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1),	\
109 	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
110 
111 /*
112  * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
113  * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
114  */
115 #define SC_ALLOW_ARG(_nr, _arg, _val)						\
116 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6),			\
117 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
118 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO),		\
119 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
120 	    ((_val) & 0xffffffff), 0, 3),					\
121 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
122 	    offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI),		\
123 	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,					\
124 	    (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1),		\
125 	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),				\
126 	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,					\
127 	    offsetof(struct seccomp_data, nr))
128 
129 /*
130  * I personally find this quite nutty.  Why can a system header not
131  * define a default for this?
132  */
133 #if defined(__i386__)
134 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
135 #elif defined(__x86_64__)
136 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
137 #elif defined(__arc__)
138 #  if defined(__A7__)
139 #    if (BYTE_ORDER == LITTLE_ENDIAN)
140 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
141 #    else
142 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
143 #    endif
144 #  elif defined(__HS__)
145 #    if (BYTE_ORDER == LITTLE_ENDIAN)
146 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
147 #    else
148 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
149 #    endif
150 #  else
151 #    error "Platform does not support seccomp filter yet"
152 #  endif
153 #elif defined(__arm__)
154 #  ifndef EM_ARM
155 #    define EM_ARM 40
156 #  endif
157 #  if (BYTE_ORDER == LITTLE_ENDIAN)
158 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
159 #  else
160 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
161 #  endif
162 #elif defined(__aarch64__)
163 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
164 #elif defined(__alpha__)
165 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
166 #elif defined(__hppa__)
167 #  if defined(__LP64__)
168 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
169 #  else
170 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
171 #  endif
172 #elif defined(__ia64__)
173 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
174 #elif defined(__microblaze__)
175 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
176 #elif defined(__m68k__)
177 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
178 #elif defined(__mips__)
179 #  if defined(__MIPSEL__)
180 #    if defined(__LP64__)
181 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
182 #    else
183 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
184 #    endif
185 #  elif defined(__LP64__)
186 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
187 #  else
188 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
189 #  endif
190 #elif defined(__nds32__)
191 #  if (BYTE_ORDER == LITTLE_ENDIAN)
192 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
193 #else
194 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
195 #endif
196 #elif defined(__nios2__)
197 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
198 #elif defined(__or1k__)
199 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
200 #elif defined(__powerpc64__)
201 #  if (BYTE_ORDER == LITTLE_ENDIAN)
202 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
203 #  else
204 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
205 #  endif
206 #elif defined(__powerpc__)
207 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
208 #elif defined(__riscv)
209 #  if defined(__LP64__)
210 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
211 #  else
212 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
213 #  endif
214 #elif defined(__s390x__)
215 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
216 #elif defined(__s390__)
217 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
218 #elif defined(__sh__)
219 #  if defined(__LP64__)
220 #    if (BYTE_ORDER == LITTLE_ENDIAN)
221 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
222 #    else
223 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
224 #    endif
225 #  else
226 #    if (BYTE_ORDER == LITTLE_ENDIAN)
227 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
228 #    else
229 #      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
230 #    endif
231 #  endif
232 #elif defined(__sparc__)
233 #  if defined(__arch64__)
234 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
235 #  else
236 #    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
237 #  endif
238 #elif defined(__xtensa__)
239 #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
240 #else
241 #  error "Platform does not support seccomp filter yet"
242 #endif
243 
244 static struct sock_filter filter[] = {
245 	/* load the *current* architecture */
246 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
247 	    (offsetof(struct seccomp_data, arch))),
248 	/* ensure it's the same that we've been compiled on */
249 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
250 	    SECCOMP_AUDIT_ARCH, 1, 0),
251 	/* if not, kill the program */
252 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
253 
254 	/* load the syscall number */
255 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
256 	    (offsetof(struct seccomp_data, nr))),
257 
258 #ifdef __NR_accept
259 	SC_ALLOW(accept),
260 #endif
261 #ifdef __NR_accept4
262 	SC_ALLOW(accept4),
263 #endif
264 #ifdef __NR_brk
265 	SC_ALLOW(brk),
266 #endif
267 #ifdef __NR_clock_gettime
268 	SC_ALLOW(clock_gettime),
269 #endif
270 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
271 	SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
272 #endif
273 #ifdef __NR_clock_gettime64
274 	SC_ALLOW(clock_gettime64),
275 #endif
276 #ifdef __NR_close
277 	SC_ALLOW(close),
278 #endif
279 #ifdef __NR_epoll_ctl
280 	SC_ALLOW(epoll_ctl),
281 #endif
282 #ifdef __NR_epoll_pwait
283 	SC_ALLOW(epoll_pwait),
284 #endif
285 #ifdef __NR_epoll_wait
286 	SC_ALLOW(epoll_wait),
287 #endif
288 #ifdef __NR_exit
289 	SC_ALLOW(exit),
290 #endif
291 #ifdef __NR_exit_group
292 	SC_ALLOW(exit_group),
293 #endif
294 #ifdef __NR_fcntl
295 	SC_ALLOW(fcntl),
296 #endif
297 #ifdef __NR_fcntl64
298 	SC_ALLOW(fcntl64),
299 #endif
300 #ifdef __NR_fstat
301 	SC_ALLOW(fstat),
302 #endif
303 #ifdef __NR_fstat64
304 	SC_ALLOW(fstat64),
305 #endif
306 #ifdef __NR_getdents64
307 	SC_ALLOW(getdents64),
308 #endif
309 #ifdef __NR_getpid
310 	SC_ALLOW(getpid),
311 #endif
312 #ifdef __NR_getrandom
313 	SC_ALLOW(getrandom),
314 #endif
315 #ifdef __NR_gettimeofday
316 	SC_ALLOW(gettimeofday),
317 #endif
318 #ifdef __NR_ioctl
319 	/* allow ioctl only on fd 1, glibc doing stuff? */
320         SC_ALLOW_ARG(__NR_ioctl, 0, 1),
321 #endif
322 #ifdef __NR_lseek
323 	SC_ALLOW(lseek),
324 #endif
325 #ifdef __NR_madvise
326 	SC_ALLOW(madvise),
327 #endif
328 #ifdef __NR_mmap
329 	SC_ALLOW(mmap),
330 #endif
331 #ifdef __NR_mmap2
332 	SC_ALLOW(mmap2),
333 #endif
334 #ifdef __NR_munmap
335 	SC_ALLOW(munmap),
336 #endif
337 #ifdef __NR_newfstatat
338 	SC_ALLOW(newfstatat),
339 #endif
340 #ifdef __NR_oldfstat
341 	SC_ALLOW(oldfstat),
342 #endif
343 #ifdef __NR_openat
344 	SC_ALLOW(openat),
345 #endif
346 #ifdef __NR_prlimit64
347 	SC_ALLOW(prlimit64),
348 #endif
349 #ifdef __NR_read
350 	SC_ALLOW(read),
351 #endif
352 #ifdef __NR_recvmsg
353 	SC_ALLOW(recvmsg),
354 #endif
355 #ifdef __NR_readv
356 	SC_ALLOW(readv),
357 #endif
358 #ifdef __NR_rt_sigaction
359 	SC_ALLOW(rt_sigaction),
360 #endif
361 #ifdef __NR_rt_sigreturn
362 	SC_ALLOW(rt_sigreturn),
363 #endif
364 #ifdef __NR_sendmsg
365 	SC_ALLOW(sendmsg),
366 #endif
367 #ifdef __NR_statx
368 	SC_ALLOW(statx),
369 #endif
370 #ifdef __NR_write
371 	SC_ALLOW(write),
372 #endif
373 #ifdef __NR_writev
374 	SC_ALLOW(writev),
375 #endif
376 
377 	/* disallow everything else */
378 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
379 };
380 
381 #ifdef SC_DEBUG
382 
383 #include <signal.h>
384 #include <unistd.h>
385 
386 static void
387 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
388 {
389 	(void)signum;
390 	(void)ctx;
391 
392 	fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
393 	    __func__, info->si_arch, info->si_syscall, info->si_call_addr);
394 	_exit(1);
395 }
396 
397 static void
398 sandbox_seccomp_catch_sigsys(void)
399 {
400 	struct sigaction act;
401 	sigset_t mask;
402 
403 	memset(&act, 0, sizeof(act));
404 	sigemptyset(&mask);
405 	sigaddset(&mask, SIGSYS);
406 
407 	act.sa_sigaction = &sandbox_seccomp_violation;
408 	act.sa_flags = SA_SIGINFO;
409 	if (sigaction(SIGSYS, &act, NULL) == -1)
410 		fatal("%s: sigaction(SIGSYS): %s",
411 		    __func__, strerror(errno));
412 
413 	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
414 		fatal("%s: sigprocmask(SIGSYS): %s\n",
415 		    __func__, strerror(errno));
416 }
417 #endif	/* SC_DEBUG */
418 
419 void
420 sandbox_server_process(void)
421 {
422 	struct sock_fprog prog = {
423 		.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
424 		.filter = filter,
425 	};
426 
427 #ifdef SC_DEBUG
428 	sandbox_seccomp_catch_sigsys();
429 #endif
430 
431 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
432 		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
433 		    __func__, strerror(errno));
434 
435 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
436 		fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
437 		    __func__, strerror(errno));
438 }
439 
440 void
441 sandbox_executor_process(void)
442 {
443 	/*
444 	 * We cannot use seccomp for the executor process because we
445 	 * don't know what the child will do.  Also, our filter will
446 	 * be inherited so the child cannot set its own seccomp
447 	 * policy.
448 	 */
449 	return;
450 }
451 
452 void
453 sandbox_logger_process(void)
454 {
455 	/*
456 	 * To be honest, here we could use a seccomp policy to only
457 	 * allow writev(2) and memory allocations.
458 	 */
459 	return;
460 }
461 
462 #elif defined(__OpenBSD__)
463 
464 #include <unistd.h>
465 
466 void
467 sandbox_server_process(void)
468 {
469 	struct vhost	*h;
470 	struct location	*l;
471 
472 	TAILQ_FOREACH(h, &hosts, vhosts) {
473 		TAILQ_FOREACH(l, &h->locations, locations) {
474 			if (l->dir == NULL)
475 				continue;
476 
477 			if (unveil(l->dir, "r") == -1)
478 				fatal("unveil %s for domain %s",
479 				    l->dir,
480 				    h->domain);
481 		}
482 	}
483 
484 	if (pledge("stdio recvfd rpath inet", NULL) == -1)
485 		fatal("pledge");
486 }
487 
488 void
489 sandbox_executor_process(void)
490 {
491 	struct vhost	*h;
492 	struct location	*l;
493 	struct fcgi	*f;
494 	size_t		 i;
495 
496 	TAILQ_FOREACH(h, &hosts, vhosts) {
497 		TAILQ_FOREACH(l, &h->locations, locations) {
498 			if (l->dir == NULL)
499 				continue;
500 
501 			/* r so we can chdir into the directory */
502 			if (unveil(l->dir, "rx") == -1)
503 				fatal("unveil %s for domain %s",
504 				    l->dir, h->domain);
505 		}
506 	}
507 
508 	for (i = 0; i < FCGI_MAX; i++) {
509                 f = &fcgi[i];
510 		if (f->path != NULL) {
511 			if (unveil(f->path, "rw") == -1)
512 				fatal("unveil %s", f->path);
513 		}
514 
515 		if (f->prog != NULL) {
516 			if (unveil(f->prog, "rx") == -1)
517 				fatal("unveil %s", f->prog);
518 		}
519 	}
520 
521 	/*
522 	 * rpath: to chdir into the correct directory
523 	 * proc exec: CGI
524 	 * dns inet unix: FastCGI
525 	 */
526 	if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL))
527 		err(1, "pledge");
528 }
529 
530 void
531 sandbox_logger_process(void)
532 {
533 	if (pledge("stdio recvfd", NULL) == -1)
534 		err(1, "pledge");
535 }
536 
537 #else
538 
539 #warning "No sandbox method known for this OS"
540 
541 void
542 sandbox_server_process(void)
543 {
544 	return;
545 }
546 
547 void
548 sandbox_executor_process(void)
549 {
550 	log_notice(NULL, "no sandbox method known for this OS");
551 }
552 
553 void
554 sandbox_logger_process(void)
555 {
556 	return;
557 }
558 
559 #endif