sandbox.c 42 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797
  1. /* Copyright (c) 2001 Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2015, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file sandbox.c
  8. * \brief Code to enable sandboxing.
  9. **/
  10. #include "orconfig.h"
  11. #ifndef _LARGEFILE64_SOURCE
  12. /**
  13. * Temporarily required for O_LARGEFILE flag. Needs to be removed
  14. * with the libevent fix.
  15. */
  16. #define _LARGEFILE64_SOURCE
  17. #endif
  18. /** Malloc mprotect limit in bytes. */
  19. #define MALLOC_MP_LIM 1048576
  20. #include <stdio.h>
  21. #include <string.h>
  22. #include <stdlib.h>
  23. #include "sandbox.h"
  24. #include "container.h"
  25. #include "torlog.h"
  26. #include "torint.h"
  27. #include "util.h"
  28. #include "tor_queue.h"
  29. #include "ht.h"
  30. #define DEBUGGING_CLOSE
  31. #if defined(USE_LIBSECCOMP)
  32. #define _GNU_SOURCE
  33. #include <sys/mman.h>
  34. #include <sys/syscall.h>
  35. #include <sys/types.h>
  36. #include <sys/stat.h>
  37. #include <sys/epoll.h>
  38. #include <sys/prctl.h>
  39. #include <linux/futex.h>
  40. #include <bits/signum.h>
  41. #include <stdarg.h>
  42. #include <seccomp.h>
  43. #include <signal.h>
  44. #include <unistd.h>
  45. #include <fcntl.h>
  46. #include <time.h>
  47. #include <poll.h>
  48. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  49. #include <linux/netfilter_ipv4.h>
  50. #endif
  51. #ifdef HAVE_LINUX_IF_H
  52. #include <linux/if.h>
  53. #endif
  54. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  55. #include <linux/netfilter_ipv6/ip6_tables.h>
  56. #endif
  57. #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
  58. defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
  59. #define USE_BACKTRACE
  60. #define EXPOSE_CLEAN_BACKTRACE
  61. #include "backtrace.h"
  62. #endif
  63. #ifdef USE_BACKTRACE
  64. #include <execinfo.h>
  65. #endif
  66. /**
  67. * Linux 32 bit definitions
  68. */
  69. #if defined(__i386__)
  70. #define REG_SYSCALL REG_EAX
  71. #define M_SYSCALL gregs[REG_SYSCALL]
  72. /**
  73. * Linux 64 bit definitions
  74. */
  75. #elif defined(__x86_64__)
  76. #define REG_SYSCALL REG_RAX
  77. #define M_SYSCALL gregs[REG_SYSCALL]
  78. #elif defined(__arm__)
  79. #define M_SYSCALL arm_r7
  80. #endif
  81. /**Determines if at least one sandbox is active.*/
  82. static int sandbox_active = 0;
  83. /** Holds the parameter list configuration for the sandbox.*/
  84. static sandbox_cfg_t *filter_dynamic = NULL;
  85. #undef SCMP_CMP
  86. #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
  87. #define SCMP_CMP_STR(a,b,c) \
  88. ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
  89. #define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
  90. /* We use a wrapper here because these masked comparisons seem to be pretty
  91. * verbose. Also, it's important to cast to scmp_datum_t before negating the
  92. * mask, since otherwise the negation might get applied to a 32 bit value, and
  93. * the high bits of the value might get masked out improperly. */
  94. #define SCMP_CMP_MASKED(a,b,c) \
  95. SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
  96. /** Variable used for storing all syscall numbers that will be allowed with the
  97. * stage 1 general Tor sandbox.
  98. */
  99. static int filter_nopar_gen[] = {
  100. SCMP_SYS(access),
  101. SCMP_SYS(brk),
  102. SCMP_SYS(clock_gettime),
  103. SCMP_SYS(close),
  104. SCMP_SYS(clone),
  105. SCMP_SYS(epoll_create),
  106. SCMP_SYS(epoll_wait),
  107. SCMP_SYS(eventfd2),
  108. SCMP_SYS(fcntl),
  109. SCMP_SYS(fstat),
  110. #ifdef __NR_fstat64
  111. SCMP_SYS(fstat64),
  112. #endif
  113. SCMP_SYS(futex),
  114. SCMP_SYS(getdents64),
  115. SCMP_SYS(getegid),
  116. #ifdef __NR_getegid32
  117. SCMP_SYS(getegid32),
  118. #endif
  119. SCMP_SYS(geteuid),
  120. #ifdef __NR_geteuid32
  121. SCMP_SYS(geteuid32),
  122. #endif
  123. SCMP_SYS(getgid),
  124. #ifdef __NR_getgid32
  125. SCMP_SYS(getgid32),
  126. #endif
  127. #ifdef __NR_getrlimit
  128. SCMP_SYS(getrlimit),
  129. #endif
  130. SCMP_SYS(gettimeofday),
  131. SCMP_SYS(gettid),
  132. SCMP_SYS(getuid),
  133. #ifdef __NR_getuid32
  134. SCMP_SYS(getuid32),
  135. #endif
  136. SCMP_SYS(lseek),
  137. #ifdef __NR__llseek
  138. SCMP_SYS(_llseek),
  139. #endif
  140. SCMP_SYS(mkdir),
  141. SCMP_SYS(mlockall),
  142. #ifdef __NR_mmap
  143. /* XXXX restrict this in the same ways as mmap2 */
  144. SCMP_SYS(mmap),
  145. #endif
  146. SCMP_SYS(munmap),
  147. SCMP_SYS(read),
  148. SCMP_SYS(rt_sigreturn),
  149. SCMP_SYS(sched_getaffinity),
  150. SCMP_SYS(sendmsg),
  151. SCMP_SYS(set_robust_list),
  152. #ifdef __NR_sigreturn
  153. SCMP_SYS(sigreturn),
  154. #endif
  155. SCMP_SYS(stat),
  156. SCMP_SYS(uname),
  157. SCMP_SYS(wait4),
  158. SCMP_SYS(write),
  159. SCMP_SYS(writev),
  160. SCMP_SYS(exit_group),
  161. SCMP_SYS(exit),
  162. SCMP_SYS(madvise),
  163. #ifdef __NR_stat64
  164. // getaddrinfo uses this..
  165. SCMP_SYS(stat64),
  166. #endif
  167. /*
  168. * These socket syscalls are not required on x86_64 and not supported with
  169. * some libseccomp versions (eg: 1.0.1)
  170. */
  171. #if defined(__i386)
  172. SCMP_SYS(recv),
  173. SCMP_SYS(send),
  174. #endif
  175. // socket syscalls
  176. SCMP_SYS(bind),
  177. SCMP_SYS(listen),
  178. SCMP_SYS(connect),
  179. SCMP_SYS(getsockname),
  180. SCMP_SYS(recvmsg),
  181. SCMP_SYS(recvfrom),
  182. SCMP_SYS(sendto),
  183. SCMP_SYS(unlink)
  184. };
  185. /* These macros help avoid the error where the number of filters we add on a
  186. * single rule don't match the arg_cnt param. */
  187. #define seccomp_rule_add_0(ctx,act,call) \
  188. seccomp_rule_add((ctx),(act),(call),0)
  189. #define seccomp_rule_add_1(ctx,act,call,f1) \
  190. seccomp_rule_add((ctx),(act),(call),1,(f1))
  191. #define seccomp_rule_add_2(ctx,act,call,f1,f2) \
  192. seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
  193. #define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
  194. seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
  195. #define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
  196. seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
  197. /**
  198. * Function responsible for setting up the rt_sigaction syscall for
  199. * the seccomp filter sandbox.
  200. */
  201. static int
  202. sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  203. {
  204. unsigned i;
  205. int rc;
  206. int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
  207. #ifdef SIGXFSZ
  208. SIGXFSZ
  209. #endif
  210. };
  211. (void) filter;
  212. for (i = 0; i < ARRAY_LENGTH(param); i++) {
  213. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
  214. SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
  215. if (rc)
  216. break;
  217. }
  218. return rc;
  219. }
  220. #if 0
  221. /**
  222. * Function responsible for setting up the execve syscall for
  223. * the seccomp filter sandbox.
  224. */
  225. static int
  226. sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  227. {
  228. int rc;
  229. sandbox_cfg_t *elem = NULL;
  230. // for each dynamic parameter filters
  231. for (elem = filter; elem != NULL; elem = elem->next) {
  232. smp_param_t *param = elem->param;
  233. if (param != NULL && param->prot == 1 && param->syscall
  234. == SCMP_SYS(execve)) {
  235. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve),
  236. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  237. if (rc != 0) {
  238. log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received "
  239. "libseccomp error %d", rc);
  240. return rc;
  241. }
  242. }
  243. }
  244. return 0;
  245. }
  246. #endif
  247. /**
  248. * Function responsible for setting up the time syscall for
  249. * the seccomp filter sandbox.
  250. */
  251. static int
  252. sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  253. {
  254. (void) filter;
  255. #ifdef __NR_time
  256. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
  257. SCMP_CMP(0, SCMP_CMP_EQ, 0));
  258. #else
  259. return 0;
  260. #endif
  261. }
  262. /**
  263. * Function responsible for setting up the accept4 syscall for
  264. * the seccomp filter sandbox.
  265. */
  266. static int
  267. sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  268. {
  269. int rc = 0;
  270. (void)filter;
  271. #ifdef __i386__
  272. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
  273. SCMP_CMP(0, SCMP_CMP_EQ, 18));
  274. if (rc) {
  275. return rc;
  276. }
  277. #endif
  278. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
  279. SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
  280. if (rc) {
  281. return rc;
  282. }
  283. return 0;
  284. }
  285. #ifdef __NR_mmap2
  286. /**
  287. * Function responsible for setting up the mmap2 syscall for
  288. * the seccomp filter sandbox.
  289. */
  290. static int
  291. sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  292. {
  293. int rc = 0;
  294. (void)filter;
  295. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  296. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
  297. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
  298. if (rc) {
  299. return rc;
  300. }
  301. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  302. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
  303. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
  304. if (rc) {
  305. return rc;
  306. }
  307. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  308. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  309. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
  310. if (rc) {
  311. return rc;
  312. }
  313. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  314. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  315. SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
  316. if (rc) {
  317. return rc;
  318. }
  319. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  320. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  321. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
  322. if (rc) {
  323. return rc;
  324. }
  325. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  326. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  327. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
  328. if (rc) {
  329. return rc;
  330. }
  331. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  332. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
  333. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
  334. if (rc) {
  335. return rc;
  336. }
  337. return 0;
  338. }
  339. #endif
  340. /**
  341. * Function responsible for setting up the open syscall for
  342. * the seccomp filter sandbox.
  343. */
  344. static int
  345. sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  346. {
  347. int rc;
  348. sandbox_cfg_t *elem = NULL;
  349. // for each dynamic parameter filters
  350. for (elem = filter; elem != NULL; elem = elem->next) {
  351. smp_param_t *param = elem->param;
  352. if (param != NULL && param->prot == 1 && param->syscall
  353. == SCMP_SYS(open)) {
  354. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
  355. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  356. if (rc != 0) {
  357. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  358. "libseccomp error %d", rc);
  359. return rc;
  360. }
  361. }
  362. }
  363. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
  364. SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY, O_RDONLY));
  365. if (rc != 0) {
  366. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
  367. "error %d", rc);
  368. return rc;
  369. }
  370. return 0;
  371. }
  372. static int
  373. sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  374. {
  375. int rc;
  376. (void) filter;
  377. (void) ctx;
  378. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
  379. if (rc != 0) {
  380. log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
  381. "received libseccomp error %d", rc);
  382. return rc;
  383. }
  384. return 0;
  385. }
  386. /**
  387. * Function responsible for setting up the rename syscall for
  388. * the seccomp filter sandbox.
  389. */
  390. static int
  391. sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  392. {
  393. int rc;
  394. sandbox_cfg_t *elem = NULL;
  395. // for each dynamic parameter filters
  396. for (elem = filter; elem != NULL; elem = elem->next) {
  397. smp_param_t *param = elem->param;
  398. if (param != NULL && param->prot == 1 &&
  399. param->syscall == SCMP_SYS(rename)) {
  400. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
  401. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
  402. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
  403. if (rc != 0) {
  404. log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
  405. "libseccomp error %d", rc);
  406. return rc;
  407. }
  408. }
  409. }
  410. return 0;
  411. }
  412. /**
  413. * Function responsible for setting up the openat syscall for
  414. * the seccomp filter sandbox.
  415. */
  416. static int
  417. sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  418. {
  419. int rc;
  420. sandbox_cfg_t *elem = NULL;
  421. // for each dynamic parameter filters
  422. for (elem = filter; elem != NULL; elem = elem->next) {
  423. smp_param_t *param = elem->param;
  424. if (param != NULL && param->prot == 1 && param->syscall
  425. == SCMP_SYS(openat)) {
  426. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
  427. SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
  428. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
  429. SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
  430. O_CLOEXEC));
  431. if (rc != 0) {
  432. log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
  433. "libseccomp error %d", rc);
  434. return rc;
  435. }
  436. }
  437. }
  438. return 0;
  439. }
  440. /**
  441. * Function responsible for setting up the socket syscall for
  442. * the seccomp filter sandbox.
  443. */
  444. static int
  445. sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  446. {
  447. int rc = 0;
  448. int i;
  449. (void) filter;
  450. #ifdef __i386__
  451. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
  452. if (rc)
  453. return rc;
  454. #endif
  455. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  456. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  457. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
  458. if (rc)
  459. return rc;
  460. for (i = 0; i < 2; ++i) {
  461. const int pf = i ? PF_INET : PF_INET6;
  462. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  463. SCMP_CMP(0, SCMP_CMP_EQ, pf),
  464. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
  465. SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
  466. if (rc)
  467. return rc;
  468. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  469. SCMP_CMP(0, SCMP_CMP_EQ, pf),
  470. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
  471. SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
  472. if (rc)
  473. return rc;
  474. }
  475. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  476. SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
  477. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
  478. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  479. if (rc)
  480. return rc;
  481. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  482. SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
  483. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
  484. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  485. if (rc)
  486. return rc;
  487. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  488. SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
  489. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
  490. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  491. if (rc)
  492. return rc;
  493. return 0;
  494. }
  495. /**
  496. * Function responsible for setting up the socketpair syscall for
  497. * the seccomp filter sandbox.
  498. */
  499. static int
  500. sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  501. {
  502. int rc = 0;
  503. (void) filter;
  504. #ifdef __i386__
  505. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
  506. if (rc)
  507. return rc;
  508. #endif
  509. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
  510. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  511. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
  512. if (rc)
  513. return rc;
  514. return 0;
  515. }
  516. /**
  517. * Function responsible for setting up the setsockopt syscall for
  518. * the seccomp filter sandbox.
  519. */
  520. static int
  521. sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  522. {
  523. int rc = 0;
  524. (void) filter;
  525. #ifdef __i386__
  526. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
  527. if (rc)
  528. return rc;
  529. #endif
  530. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  531. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  532. SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
  533. if (rc)
  534. return rc;
  535. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  536. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  537. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  538. if (rc)
  539. return rc;
  540. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  541. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  542. SCMP_CMP(2, SCMP_CMP_EQ, SO_RCVBUF));
  543. if (rc)
  544. return rc;
  545. #ifdef IP_TRANSPARENT
  546. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  547. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  548. SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
  549. if (rc)
  550. return rc;
  551. #endif
  552. return 0;
  553. }
  554. /**
  555. * Function responsible for setting up the getsockopt syscall for
  556. * the seccomp filter sandbox.
  557. */
  558. static int
  559. sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  560. {
  561. int rc = 0;
  562. (void) filter;
  563. #ifdef __i386__
  564. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
  565. if (rc)
  566. return rc;
  567. #endif
  568. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  569. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  570. SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
  571. if (rc)
  572. return rc;
  573. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  574. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  575. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  576. SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
  577. if (rc)
  578. return rc;
  579. #endif
  580. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  581. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  582. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
  583. SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
  584. if (rc)
  585. return rc;
  586. #endif
  587. return 0;
  588. }
  589. #ifdef __NR_fcntl64
  590. /**
  591. * Function responsible for setting up the fcntl64 syscall for
  592. * the seccomp filter sandbox.
  593. */
  594. static int
  595. sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  596. {
  597. int rc = 0;
  598. (void) filter;
  599. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  600. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
  601. if (rc)
  602. return rc;
  603. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  604. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
  605. SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
  606. if (rc)
  607. return rc;
  608. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  609. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
  610. if (rc)
  611. return rc;
  612. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  613. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
  614. SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
  615. if (rc)
  616. return rc;
  617. return 0;
  618. }
  619. #endif
  620. /**
  621. * Function responsible for setting up the epoll_ctl syscall for
  622. * the seccomp filter sandbox.
  623. *
  624. * Note: basically allows everything but will keep for now..
  625. */
  626. static int
  627. sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  628. {
  629. int rc = 0;
  630. (void) filter;
  631. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  632. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
  633. if (rc)
  634. return rc;
  635. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  636. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
  637. if (rc)
  638. return rc;
  639. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  640. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
  641. if (rc)
  642. return rc;
  643. return 0;
  644. }
  645. /**
  646. * Function responsible for setting up the fcntl64 syscall for
  647. * the seccomp filter sandbox.
  648. *
  649. * NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
  650. * to be whitelisted in this function.
  651. */
  652. static int
  653. sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  654. {
  655. int rc = 0;
  656. (void) filter;
  657. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
  658. SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
  659. if (rc)
  660. return rc;
  661. return 0;
  662. }
  663. /**
  664. * Function responsible for setting up the fcntl64 syscall for
  665. * the seccomp filter sandbox.
  666. *
  667. * NOTE: does not NEED to be here.. currently only occurs before filter; will
  668. * keep just in case for the future.
  669. */
  670. static int
  671. sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  672. {
  673. int rc = 0;
  674. (void) filter;
  675. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  676. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
  677. if (rc)
  678. return rc;
  679. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  680. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
  681. if (rc)
  682. return rc;
  683. return 0;
  684. }
  685. /**
  686. * Function responsible for setting up the rt_sigprocmask syscall for
  687. * the seccomp filter sandbox.
  688. */
  689. static int
  690. sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  691. {
  692. int rc = 0;
  693. (void) filter;
  694. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  695. SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
  696. if (rc)
  697. return rc;
  698. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  699. SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
  700. if (rc)
  701. return rc;
  702. return 0;
  703. }
  704. /**
  705. * Function responsible for setting up the flock syscall for
  706. * the seccomp filter sandbox.
  707. *
  708. * NOTE: does not need to be here, occurs before filter is applied.
  709. */
  710. static int
  711. sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  712. {
  713. int rc = 0;
  714. (void) filter;
  715. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  716. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
  717. if (rc)
  718. return rc;
  719. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  720. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
  721. if (rc)
  722. return rc;
  723. return 0;
  724. }
  725. /**
  726. * Function responsible for setting up the futex syscall for
  727. * the seccomp filter sandbox.
  728. */
  729. static int
  730. sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  731. {
  732. int rc = 0;
  733. (void) filter;
  734. // can remove
  735. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  736. SCMP_CMP(1, SCMP_CMP_EQ,
  737. FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
  738. if (rc)
  739. return rc;
  740. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  741. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
  742. if (rc)
  743. return rc;
  744. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  745. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
  746. if (rc)
  747. return rc;
  748. return 0;
  749. }
  750. /**
  751. * Function responsible for setting up the mremap syscall for
  752. * the seccomp filter sandbox.
  753. *
  754. * NOTE: so far only occurs before filter is applied.
  755. */
  756. static int
  757. sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  758. {
  759. int rc = 0;
  760. (void) filter;
  761. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
  762. SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
  763. if (rc)
  764. return rc;
  765. return 0;
  766. }
  767. /**
  768. * Function responsible for setting up the poll syscall for
  769. * the seccomp filter sandbox.
  770. */
  771. static int
  772. sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  773. {
  774. int rc = 0;
  775. (void) filter;
  776. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll),
  777. SCMP_CMP(1, SCMP_CMP_EQ, 1),
  778. SCMP_CMP(2, SCMP_CMP_EQ, 10));
  779. if (rc)
  780. return rc;
  781. return 0;
  782. }
  783. #ifdef __NR_stat64
  784. /**
  785. * Function responsible for setting up the stat64 syscall for
  786. * the seccomp filter sandbox.
  787. */
  788. static int
  789. sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  790. {
  791. int rc = 0;
  792. sandbox_cfg_t *elem = NULL;
  793. // for each dynamic parameter filters
  794. for (elem = filter; elem != NULL; elem = elem->next) {
  795. smp_param_t *param = elem->param;
  796. if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
  797. || param->syscall == SCMP_SYS(stat64))) {
  798. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
  799. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  800. if (rc != 0) {
  801. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  802. "libseccomp error %d", rc);
  803. return rc;
  804. }
  805. }
  806. }
  807. return 0;
  808. }
  809. #endif
  810. /**
  811. * Array of function pointers responsible for filtering different syscalls at
  812. * a parameter level.
  813. */
  814. static sandbox_filter_func_t filter_func[] = {
  815. sb_rt_sigaction,
  816. sb_rt_sigprocmask,
  817. #if 0
  818. sb_execve,
  819. #endif
  820. sb_time,
  821. sb_accept4,
  822. #ifdef __NR_mmap2
  823. sb_mmap2,
  824. #endif
  825. sb_open,
  826. sb_openat,
  827. sb__sysctl,
  828. sb_rename,
  829. #ifdef __NR_fcntl64
  830. sb_fcntl64,
  831. #endif
  832. sb_epoll_ctl,
  833. sb_prctl,
  834. sb_mprotect,
  835. sb_flock,
  836. sb_futex,
  837. sb_mremap,
  838. sb_poll,
  839. #ifdef __NR_stat64
  840. sb_stat64,
  841. #endif
  842. sb_socket,
  843. sb_setsockopt,
  844. sb_getsockopt,
  845. sb_socketpair
  846. };
  847. const char *
  848. sandbox_intern_string(const char *str)
  849. {
  850. sandbox_cfg_t *elem;
  851. if (str == NULL)
  852. return NULL;
  853. for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
  854. smp_param_t *param = elem->param;
  855. if (param->prot) {
  856. if (!strcmp(str, (char*)(param->value))) {
  857. return (char*)param->value;
  858. }
  859. if (param->value2 && !strcmp(str, (char*)param->value2)) {
  860. return (char*)param->value2;
  861. }
  862. }
  863. }
  864. if (sandbox_active)
  865. log_warn(LD_BUG, "No interned sandbox parameter found for %s", str);
  866. return str;
  867. }
  868. /** DOCDOC */
  869. static int
  870. prot_strings_helper(strmap_t *locations,
  871. char **pr_mem_next_p,
  872. size_t *pr_mem_left_p,
  873. char **value_p)
  874. {
  875. char *param_val;
  876. size_t param_size;
  877. void *location;
  878. if (*value_p == 0)
  879. return 0;
  880. param_val = (char*) *value_p;
  881. param_size = strlen(param_val) + 1;
  882. location = strmap_get(locations, param_val);
  883. if (location) {
  884. // We already interned this string.
  885. tor_free(param_val);
  886. *value_p = location;
  887. return 0;
  888. } else if (*pr_mem_left_p >= param_size) {
  889. // copy to protected
  890. location = *pr_mem_next_p;
  891. memcpy(location, param_val, param_size);
  892. // re-point el parameter to protected
  893. tor_free(param_val);
  894. *value_p = location;
  895. strmap_set(locations, location, location); /* good real estate advice */
  896. // move next available protected memory
  897. *pr_mem_next_p += param_size;
  898. *pr_mem_left_p -= param_size;
  899. return 0;
  900. } else {
  901. log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
  902. return -1;
  903. }
  904. }
  905. /**
  906. * Protects all the strings in the sandbox's parameter list configuration. It
  907. * works by calculating the total amount of memory required by the parameter
  908. * list, allocating the memory using mmap, and protecting it from writes with
  909. * mprotect().
  910. */
  911. static int
  912. prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  913. {
  914. int ret = 0;
  915. size_t pr_mem_size = 0, pr_mem_left = 0;
  916. char *pr_mem_next = NULL, *pr_mem_base;
  917. sandbox_cfg_t *el = NULL;
  918. strmap_t *locations = NULL;
  919. // get total number of bytes required to mmap. (Overestimate.)
  920. for (el = cfg; el != NULL; el = el->next) {
  921. pr_mem_size += strlen((char*) el->param->value) + 1;
  922. if (el->param->value2)
  923. pr_mem_size += strlen((char*) el->param->value2) + 1;
  924. }
  925. // allocate protected memory with MALLOC_MP_LIM canary
  926. pr_mem_base = (char*) mmap(NULL, MALLOC_MP_LIM + pr_mem_size,
  927. PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
  928. if (pr_mem_base == MAP_FAILED) {
  929. log_err(LD_BUG,"(Sandbox) failed allocate protected memory! mmap: %s",
  930. strerror(errno));
  931. ret = -1;
  932. goto out;
  933. }
  934. pr_mem_next = pr_mem_base + MALLOC_MP_LIM;
  935. pr_mem_left = pr_mem_size;
  936. locations = strmap_new();
  937. // change el value pointer to protected
  938. for (el = cfg; el != NULL; el = el->next) {
  939. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  940. &el->param->value) < 0) {
  941. ret = -2;
  942. goto out;
  943. }
  944. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  945. &el->param->value2) < 0) {
  946. ret = -2;
  947. goto out;
  948. }
  949. el->param->prot = 1;
  950. }
  951. // protecting from writes
  952. if (mprotect(pr_mem_base, MALLOC_MP_LIM + pr_mem_size, PROT_READ)) {
  953. log_err(LD_BUG,"(Sandbox) failed to protect memory! mprotect: %s",
  954. strerror(errno));
  955. ret = -3;
  956. goto out;
  957. }
  958. /*
  959. * Setting sandbox restrictions so the string memory cannot be tampered with
  960. */
  961. // no mremap of the protected base address
  962. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
  963. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  964. if (ret) {
  965. log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!");
  966. goto out;
  967. }
  968. // no munmap of the protected base address
  969. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
  970. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  971. if (ret) {
  972. log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!");
  973. goto out;
  974. }
  975. /*
  976. * Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
  977. * never over the memory region used by the protected strings.
  978. *
  979. * PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
  980. * had to be removed due to limitation of libseccomp regarding intervals.
  981. *
  982. * There is a restriction on how much you can mprotect with R|W up to the
  983. * size of the canary.
  984. */
  985. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  986. SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
  987. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  988. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  989. if (ret) {
  990. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (LT)!");
  991. goto out;
  992. }
  993. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  994. SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
  995. MALLOC_MP_LIM),
  996. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  997. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  998. if (ret) {
  999. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (GT)!");
  1000. goto out;
  1001. }
  1002. out:
  1003. strmap_free(locations, NULL);
  1004. return ret;
  1005. }
  1006. /**
  1007. * Auxiliary function used in order to allocate a sandbox_cfg_t element and set
  1008. * it's values according the the parameter list. All elements are initialised
  1009. * with the 'prot' field set to false, as the pointer is not protected at this
  1010. * point.
  1011. */
  1012. static sandbox_cfg_t*
  1013. new_element2(int syscall, char *value, char *value2)
  1014. {
  1015. smp_param_t *param = NULL;
  1016. sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t));
  1017. param = elem->param = tor_malloc_zero(sizeof(smp_param_t));
  1018. param->syscall = syscall;
  1019. param->value = value;
  1020. param->value2 = value2;
  1021. param->prot = 0;
  1022. return elem;
  1023. }
  1024. static sandbox_cfg_t*
  1025. new_element(int syscall, char *value)
  1026. {
  1027. return new_element2(syscall, value, NULL);
  1028. }
  1029. #ifdef __NR_stat64
  1030. #define SCMP_stat SCMP_SYS(stat64)
  1031. #else
  1032. #define SCMP_stat SCMP_SYS(stat)
  1033. #endif
  1034. int
  1035. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1036. {
  1037. sandbox_cfg_t *elem = NULL;
  1038. elem = new_element(SCMP_stat, file);
  1039. if (!elem) {
  1040. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1041. return -1;
  1042. }
  1043. elem->next = *cfg;
  1044. *cfg = elem;
  1045. return 0;
  1046. }
  1047. int
  1048. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1049. {
  1050. sandbox_cfg_t *elem = NULL;
  1051. elem = new_element(SCMP_SYS(open), file);
  1052. if (!elem) {
  1053. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1054. return -1;
  1055. }
  1056. elem->next = *cfg;
  1057. *cfg = elem;
  1058. return 0;
  1059. }
  1060. int
  1061. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1062. {
  1063. sandbox_cfg_t *elem = NULL;
  1064. elem = new_element2(SCMP_SYS(rename), file1, file2);
  1065. if (!elem) {
  1066. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1067. return -1;
  1068. }
  1069. elem->next = *cfg;
  1070. *cfg = elem;
  1071. return 0;
  1072. }
  1073. int
  1074. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1075. {
  1076. sandbox_cfg_t *elem = NULL;
  1077. elem = new_element(SCMP_SYS(openat), file);
  1078. if (!elem) {
  1079. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1080. return -1;
  1081. }
  1082. elem->next = *cfg;
  1083. *cfg = elem;
  1084. return 0;
  1085. }
  1086. #if 0
  1087. int
  1088. sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  1089. {
  1090. sandbox_cfg_t *elem = NULL;
  1091. elem = new_element(SCMP_SYS(execve), com);
  1092. if (!elem) {
  1093. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1094. return -1;
  1095. }
  1096. elem->next = *cfg;
  1097. *cfg = elem;
  1098. return 0;
  1099. }
  1100. #endif
  1101. /** Cache entry for getaddrinfo results; used when sandboxing is implemented
  1102. * so that we can consult the cache when the sandbox prevents us from doing
  1103. * getaddrinfo.
  1104. *
  1105. * We support only a limited range of getaddrinfo calls, where servname is null
  1106. * and hints contains only socktype=SOCK_STREAM, family in INET,INET6,UNSPEC.
  1107. */
  1108. typedef struct cached_getaddrinfo_item_t {
  1109. HT_ENTRY(cached_getaddrinfo_item_t) node;
  1110. char *name;
  1111. int family;
  1112. /** set if no error; otherwise NULL */
  1113. struct addrinfo *res;
  1114. /** 0 for no error; otherwise an EAI_* value */
  1115. int err;
  1116. } cached_getaddrinfo_item_t;
  1117. static unsigned
  1118. cached_getaddrinfo_item_hash(const cached_getaddrinfo_item_t *item)
  1119. {
  1120. return (unsigned)siphash24g(item->name, strlen(item->name)) + item->family;
  1121. }
  1122. static unsigned
  1123. cached_getaddrinfo_items_eq(const cached_getaddrinfo_item_t *a,
  1124. const cached_getaddrinfo_item_t *b)
  1125. {
  1126. return (a->family == b->family) && 0 == strcmp(a->name, b->name);
  1127. }
  1128. static void
  1129. cached_getaddrinfo_item_free(cached_getaddrinfo_item_t *item)
  1130. {
  1131. if (item == NULL)
  1132. return;
  1133. tor_free(item->name);
  1134. if (item->res)
  1135. freeaddrinfo(item->res);
  1136. tor_free(item);
  1137. }
  1138. static HT_HEAD(getaddrinfo_cache, cached_getaddrinfo_item_t)
  1139. getaddrinfo_cache = HT_INITIALIZER();
  1140. HT_PROTOTYPE(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1141. cached_getaddrinfo_item_hash,
  1142. cached_getaddrinfo_items_eq);
  1143. HT_GENERATE2(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1144. cached_getaddrinfo_item_hash,
  1145. cached_getaddrinfo_items_eq,
  1146. 0.6, tor_reallocarray_, tor_free_)
  1147. /** If true, don't try to cache getaddrinfo results. */
  1148. static int sandbox_getaddrinfo_cache_disabled = 0;
  1149. /** Tell the sandbox layer not to try to cache getaddrinfo results. Used as in
  1150. * tor-resolve, when we have no intention of initializing crypto or of
  1151. * installing the sandbox.*/
  1152. void
  1153. sandbox_disable_getaddrinfo_cache(void)
  1154. {
  1155. sandbox_getaddrinfo_cache_disabled = 1;
  1156. }
  1157. void
  1158. sandbox_freeaddrinfo(struct addrinfo *ai)
  1159. {
  1160. if (sandbox_getaddrinfo_cache_disabled)
  1161. freeaddrinfo(ai);
  1162. }
  1163. int
  1164. sandbox_getaddrinfo(const char *name, const char *servname,
  1165. const struct addrinfo *hints,
  1166. struct addrinfo **res)
  1167. {
  1168. int err;
  1169. struct cached_getaddrinfo_item_t search, *item;
  1170. if (sandbox_getaddrinfo_cache_disabled) {
  1171. return getaddrinfo(name, NULL, hints, res);
  1172. }
  1173. if (servname != NULL) {
  1174. log_warn(LD_BUG, "called with non-NULL servname");
  1175. return EAI_NONAME;
  1176. }
  1177. if (name == NULL) {
  1178. log_warn(LD_BUG, "called with NULL name");
  1179. return EAI_NONAME;
  1180. }
  1181. *res = NULL;
  1182. memset(&search, 0, sizeof(search));
  1183. search.name = (char *) name;
  1184. search.family = hints ? hints->ai_family : AF_UNSPEC;
  1185. item = HT_FIND(getaddrinfo_cache, &getaddrinfo_cache, &search);
  1186. if (! sandbox_is_active()) {
  1187. /* If the sandbox is not turned on yet, then getaddrinfo and store the
  1188. result. */
  1189. err = getaddrinfo(name, NULL, hints, res);
  1190. log_info(LD_NET,"(Sandbox) getaddrinfo %s.", err ? "failed" : "succeeded");
  1191. if (! item) {
  1192. item = tor_malloc_zero(sizeof(*item));
  1193. item->name = tor_strdup(name);
  1194. item->family = hints ? hints->ai_family : AF_UNSPEC;
  1195. HT_INSERT(getaddrinfo_cache, &getaddrinfo_cache, item);
  1196. }
  1197. if (item->res) {
  1198. freeaddrinfo(item->res);
  1199. item->res = NULL;
  1200. }
  1201. item->res = *res;
  1202. item->err = err;
  1203. return err;
  1204. }
  1205. /* Otherwise, the sanbox is on. If we have an item, yield its cached
  1206. result. */
  1207. if (item) {
  1208. *res = item->res;
  1209. return item->err;
  1210. }
  1211. /* getting here means something went wrong */
  1212. log_err(LD_BUG,"(Sandbox) failed to get address %s!", name);
  1213. return EAI_NONAME;
  1214. }
  1215. int
  1216. sandbox_add_addrinfo(const char *name)
  1217. {
  1218. struct addrinfo *res;
  1219. struct addrinfo hints;
  1220. int i;
  1221. static const int families[] = { AF_INET, AF_INET6, AF_UNSPEC };
  1222. memset(&hints, 0, sizeof(hints));
  1223. hints.ai_socktype = SOCK_STREAM;
  1224. for (i = 0; i < 3; ++i) {
  1225. hints.ai_family = families[i];
  1226. res = NULL;
  1227. (void) sandbox_getaddrinfo(name, NULL, &hints, &res);
  1228. if (res)
  1229. sandbox_freeaddrinfo(res);
  1230. }
  1231. return 0;
  1232. }
  1233. void
  1234. sandbox_free_getaddrinfo_cache(void)
  1235. {
  1236. cached_getaddrinfo_item_t **next, **item;
  1237. for (item = HT_START(getaddrinfo_cache, &getaddrinfo_cache);
  1238. item;
  1239. item = next) {
  1240. next = HT_NEXT_RMV(getaddrinfo_cache, &getaddrinfo_cache, item);
  1241. cached_getaddrinfo_item_free(*item);
  1242. }
  1243. HT_CLEAR(getaddrinfo_cache, &getaddrinfo_cache);
  1244. }
  1245. /**
  1246. * Function responsible for going through the parameter syscall filters and
  1247. * call each function pointer in the list.
  1248. */
  1249. static int
  1250. add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1251. {
  1252. unsigned i;
  1253. int rc = 0;
  1254. // function pointer
  1255. for (i = 0; i < ARRAY_LENGTH(filter_func); i++) {
  1256. if ((filter_func[i])(ctx, cfg)) {
  1257. log_err(LD_BUG,"(Sandbox) failed to add syscall %d, received libseccomp "
  1258. "error %d", i, rc);
  1259. return rc;
  1260. }
  1261. }
  1262. return 0;
  1263. }
  1264. /**
  1265. * Function responsible of loading the libseccomp syscall filters which do not
  1266. * have parameter filtering.
  1267. */
  1268. static int
  1269. add_noparam_filter(scmp_filter_ctx ctx)
  1270. {
  1271. unsigned i;
  1272. int rc = 0;
  1273. // add general filters
  1274. for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
  1275. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
  1276. if (rc != 0) {
  1277. log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), "
  1278. "received libseccomp error %d", i, filter_nopar_gen[i], rc);
  1279. return rc;
  1280. }
  1281. }
  1282. return 0;
  1283. }
  1284. /**
  1285. * Function responsible for setting up and enabling a global syscall filter.
  1286. * The function is a prototype developed for stage 1 of sandboxing Tor.
  1287. * Returns 0 on success.
  1288. */
  1289. static int
  1290. install_syscall_filter(sandbox_cfg_t* cfg)
  1291. {
  1292. int rc = 0;
  1293. scmp_filter_ctx ctx;
  1294. ctx = seccomp_init(SCMP_ACT_TRAP);
  1295. if (ctx == NULL) {
  1296. log_err(LD_BUG,"(Sandbox) failed to initialise libseccomp context");
  1297. rc = -1;
  1298. goto end;
  1299. }
  1300. // protectign sandbox parameter strings
  1301. if ((rc = prot_strings(ctx, cfg))) {
  1302. goto end;
  1303. }
  1304. // add parameter filters
  1305. if ((rc = add_param_filter(ctx, cfg))) {
  1306. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1307. goto end;
  1308. }
  1309. // adding filters with no parameters
  1310. if ((rc = add_noparam_filter(ctx))) {
  1311. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1312. goto end;
  1313. }
  1314. // loading the seccomp2 filter
  1315. if ((rc = seccomp_load(ctx))) {
  1316. log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)!", rc,
  1317. strerror(-rc));
  1318. goto end;
  1319. }
  1320. // marking the sandbox as active
  1321. sandbox_active = 1;
  1322. end:
  1323. seccomp_release(ctx);
  1324. return (rc < 0 ? -rc : rc);
  1325. }
  1326. #include "linux_syscalls.inc"
  1327. static const char *
  1328. get_syscall_name(int syscall_num)
  1329. {
  1330. int i;
  1331. for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
  1332. if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
  1333. return SYSCALLS_BY_NUMBER[i].syscall_name;
  1334. }
  1335. {
  1336. static char syscall_name_buf[64];
  1337. format_dec_number_sigsafe(syscall_num,
  1338. syscall_name_buf, sizeof(syscall_name_buf));
  1339. return syscall_name_buf;
  1340. }
  1341. }
  1342. #ifdef USE_BACKTRACE
  1343. #define MAX_DEPTH 256
  1344. static void *syscall_cb_buf[MAX_DEPTH];
  1345. #endif
  1346. /**
  1347. * Function called when a SIGSYS is caught by the application. It notifies the
  1348. * user that an error has occurred and either terminates or allows the
  1349. * application to continue execution, based on the DEBUGGING_CLOSE symbol.
  1350. */
  1351. static void
  1352. sigsys_debugging(int nr, siginfo_t *info, void *void_context)
  1353. {
  1354. ucontext_t *ctx = (ucontext_t *) (void_context);
  1355. const char *syscall_name;
  1356. int syscall;
  1357. #ifdef USE_BACKTRACE
  1358. int depth;
  1359. int n_fds, i;
  1360. const int *fds = NULL;
  1361. #endif
  1362. (void) nr;
  1363. if (info->si_code != SYS_SECCOMP)
  1364. return;
  1365. if (!ctx)
  1366. return;
  1367. syscall = (int) ctx->uc_mcontext.M_SYSCALL;
  1368. #ifdef USE_BACKTRACE
  1369. depth = backtrace(syscall_cb_buf, MAX_DEPTH);
  1370. /* Clean up the top stack frame so we get the real function
  1371. * name for the most recently failing function. */
  1372. clean_backtrace(syscall_cb_buf, depth, ctx);
  1373. #endif
  1374. syscall_name = get_syscall_name(syscall);
  1375. tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ",
  1376. syscall_name,
  1377. ")\n",
  1378. NULL);
  1379. #ifdef USE_BACKTRACE
  1380. n_fds = tor_log_get_sigsafe_err_fds(&fds);
  1381. for (i=0; i < n_fds; ++i)
  1382. backtrace_symbols_fd(syscall_cb_buf, depth, fds[i]);
  1383. #endif
  1384. #if defined(DEBUGGING_CLOSE)
  1385. _exit(1);
  1386. #endif // DEBUGGING_CLOSE
  1387. }
  1388. /**
  1389. * Function that adds a handler for SIGSYS, which is the signal thrown
  1390. * when the application is issuing a syscall which is not allowed. The
  1391. * main purpose of this function is to help with debugging by identifying
  1392. * filtered syscalls.
  1393. */
  1394. static int
  1395. install_sigsys_debugging(void)
  1396. {
  1397. struct sigaction act;
  1398. sigset_t mask;
  1399. memset(&act, 0, sizeof(act));
  1400. sigemptyset(&mask);
  1401. sigaddset(&mask, SIGSYS);
  1402. act.sa_sigaction = &sigsys_debugging;
  1403. act.sa_flags = SA_SIGINFO;
  1404. if (sigaction(SIGSYS, &act, NULL) < 0) {
  1405. log_err(LD_BUG,"(Sandbox) Failed to register SIGSYS signal handler");
  1406. return -1;
  1407. }
  1408. if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
  1409. log_err(LD_BUG,"(Sandbox) Failed call to sigprocmask()");
  1410. return -2;
  1411. }
  1412. return 0;
  1413. }
  1414. /**
  1415. * Function responsible of registering the sandbox_cfg_t list of parameter
  1416. * syscall filters to the existing parameter list. This is used for incipient
  1417. * multiple-sandbox support.
  1418. */
  1419. static int
  1420. register_cfg(sandbox_cfg_t* cfg)
  1421. {
  1422. sandbox_cfg_t *elem = NULL;
  1423. if (filter_dynamic == NULL) {
  1424. filter_dynamic = cfg;
  1425. return 0;
  1426. }
  1427. for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
  1428. ;
  1429. elem->next = cfg;
  1430. return 0;
  1431. }
  1432. #endif // USE_LIBSECCOMP
  1433. #ifdef USE_LIBSECCOMP
  1434. /**
  1435. * Initialises the syscall sandbox filter for any linux architecture, taking
  1436. * into account various available features for different linux flavours.
  1437. */
  1438. static int
  1439. initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
  1440. {
  1441. /* Prevent glibc from trying to open /dev/tty on fatal error */
  1442. setenv("LIBC_FATAL_STDERR_", "1", 1);
  1443. if (install_sigsys_debugging())
  1444. return -1;
  1445. if (install_syscall_filter(cfg))
  1446. return -2;
  1447. if (register_cfg(cfg))
  1448. return -3;
  1449. return 0;
  1450. }
  1451. int
  1452. sandbox_is_active(void)
  1453. {
  1454. return sandbox_active != 0;
  1455. }
  1456. #endif // USE_LIBSECCOMP
  1457. sandbox_cfg_t*
  1458. sandbox_cfg_new(void)
  1459. {
  1460. return NULL;
  1461. }
  1462. int
  1463. sandbox_init(sandbox_cfg_t *cfg)
  1464. {
  1465. #if defined(USE_LIBSECCOMP)
  1466. return initialise_libseccomp_sandbox(cfg);
  1467. #elif defined(__linux__)
  1468. (void)cfg;
  1469. log_warn(LD_GENERAL,
  1470. "This version of Tor was built without support for sandboxing. To "
  1471. "build with support for sandboxing on Linux, you must have "
  1472. "libseccomp and its necessary header files (e.g. seccomp.h).");
  1473. return 0;
  1474. #else
  1475. (void)cfg;
  1476. log_warn(LD_GENERAL,
  1477. "Currently, sandboxing is only implemented on Linux. The feature "
  1478. "is disabled on your platform.");
  1479. return 0;
  1480. #endif
  1481. }
  1482. #ifndef USE_LIBSECCOMP
  1483. int
  1484. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1485. {
  1486. (void)cfg; (void)file;
  1487. return 0;
  1488. }
  1489. int
  1490. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1491. {
  1492. (void)cfg; (void)file;
  1493. return 0;
  1494. }
  1495. #if 0
  1496. int
  1497. sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  1498. {
  1499. (void)cfg; (void)com;
  1500. return 0;
  1501. }
  1502. #endif
  1503. int
  1504. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1505. {
  1506. (void)cfg; (void)file;
  1507. return 0;
  1508. }
  1509. int
  1510. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1511. {
  1512. (void)cfg; (void)file1; (void)file2;
  1513. return 0;
  1514. }
  1515. int
  1516. sandbox_is_active(void)
  1517. {
  1518. return 0;
  1519. }
  1520. void
  1521. sandbox_disable_getaddrinfo_cache(void)
  1522. {
  1523. }
  1524. #endif