sandbox.c 47 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979
  1. /* Copyright (c) 2001 Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2018, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file sandbox.c
  8. * \brief Code to enable sandboxing.
  9. **/
  10. #include "orconfig.h"
  11. #ifndef _LARGEFILE64_SOURCE
  12. /**
  13. * Temporarily required for O_LARGEFILE flag. Needs to be removed
  14. * with the libevent fix.
  15. */
  16. #define _LARGEFILE64_SOURCE
  17. #endif /* !defined(_LARGEFILE64_SOURCE) */
  18. /** Malloc mprotect limit in bytes.
  19. *
  20. * 28/06/2017: This value was increased from 16 MB to 20 MB after we introduced
  21. * LZMA support in Tor (0.3.1.1-alpha). We limit our LZMA coder to 16 MB, but
  22. * liblzma have a small overhead that we need to compensate for to avoid being
  23. * killed by the sandbox.
  24. */
  25. #define MALLOC_MP_LIM (20*1024*1024)
  26. #include <stdio.h>
  27. #include <string.h>
  28. #include <stdlib.h>
  29. #include "common/sandbox.h"
  30. #include "lib/container/map.h"
  31. #include "lib/err/torerr.h"
  32. #include "lib/log/torlog.h"
  33. #include "lib/cc/torint.h"
  34. #include "common/util.h"
  35. #include "tor_queue.h"
  36. #include "ht.h"
  37. #include "siphash.h"
  38. #define DEBUGGING_CLOSE
  39. #if defined(USE_LIBSECCOMP)
  40. #include <sys/mman.h>
  41. #include <sys/syscall.h>
  42. #include <sys/types.h>
  43. #include <sys/stat.h>
  44. #include <sys/epoll.h>
  45. #include <sys/prctl.h>
  46. #include <linux/futex.h>
  47. #include <sys/file.h>
  48. #include <stdarg.h>
  49. #include <seccomp.h>
  50. #include <signal.h>
  51. #include <unistd.h>
  52. #include <fcntl.h>
  53. #include <time.h>
  54. #include <poll.h>
  55. #ifdef HAVE_GNU_LIBC_VERSION_H
  56. #include <gnu/libc-version.h>
  57. #endif
  58. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  59. #include <linux/netfilter_ipv4.h>
  60. #endif
  61. #ifdef HAVE_LINUX_IF_H
  62. #include <linux/if.h>
  63. #endif
  64. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  65. #include <linux/netfilter_ipv6/ip6_tables.h>
  66. #endif
  67. #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
  68. defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
  69. #define USE_BACKTRACE
  70. #define EXPOSE_CLEAN_BACKTRACE
  71. #include "lib/err/backtrace.h"
  72. #endif /* defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && ... */
  73. #ifdef USE_BACKTRACE
  74. #include <execinfo.h>
  75. #endif
  76. /**
  77. * Linux 32 bit definitions
  78. */
  79. #if defined(__i386__)
  80. #define REG_SYSCALL REG_EAX
  81. #define M_SYSCALL gregs[REG_SYSCALL]
  82. /**
  83. * Linux 64 bit definitions
  84. */
  85. #elif defined(__x86_64__)
  86. #define REG_SYSCALL REG_RAX
  87. #define M_SYSCALL gregs[REG_SYSCALL]
  88. #elif defined(__arm__)
  89. #define M_SYSCALL arm_r7
  90. #elif defined(__aarch64__) && defined(__LP64__)
  91. #define REG_SYSCALL 8
  92. #define M_SYSCALL regs[REG_SYSCALL]
  93. #endif /* defined(__i386__) || ... */
  94. /**Determines if at least one sandbox is active.*/
  95. static int sandbox_active = 0;
  96. /** Holds the parameter list configuration for the sandbox.*/
  97. static sandbox_cfg_t *filter_dynamic = NULL;
  98. #undef SCMP_CMP
  99. #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
  100. #define SCMP_CMP_STR(a,b,c) \
  101. ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
  102. #define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
  103. /* We use a wrapper here because these masked comparisons seem to be pretty
  104. * verbose. Also, it's important to cast to scmp_datum_t before negating the
  105. * mask, since otherwise the negation might get applied to a 32 bit value, and
  106. * the high bits of the value might get masked out improperly. */
  107. #define SCMP_CMP_MASKED(a,b,c) \
  108. SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
  109. /** Variable used for storing all syscall numbers that will be allowed with the
  110. * stage 1 general Tor sandbox.
  111. */
  112. static int filter_nopar_gen[] = {
  113. SCMP_SYS(access),
  114. SCMP_SYS(brk),
  115. SCMP_SYS(clock_gettime),
  116. SCMP_SYS(close),
  117. SCMP_SYS(clone),
  118. SCMP_SYS(epoll_create),
  119. SCMP_SYS(epoll_wait),
  120. #ifdef __NR_epoll_pwait
  121. SCMP_SYS(epoll_pwait),
  122. #endif
  123. #ifdef HAVE_EVENTFD
  124. SCMP_SYS(eventfd2),
  125. #endif
  126. #ifdef HAVE_PIPE2
  127. SCMP_SYS(pipe2),
  128. #endif
  129. #ifdef HAVE_PIPE
  130. SCMP_SYS(pipe),
  131. #endif
  132. #ifdef __NR_fchmod
  133. SCMP_SYS(fchmod),
  134. #endif
  135. SCMP_SYS(fcntl),
  136. SCMP_SYS(fstat),
  137. #ifdef __NR_fstat64
  138. SCMP_SYS(fstat64),
  139. #endif
  140. SCMP_SYS(futex),
  141. SCMP_SYS(getdents),
  142. SCMP_SYS(getdents64),
  143. SCMP_SYS(getegid),
  144. #ifdef __NR_getegid32
  145. SCMP_SYS(getegid32),
  146. #endif
  147. SCMP_SYS(geteuid),
  148. #ifdef __NR_geteuid32
  149. SCMP_SYS(geteuid32),
  150. #endif
  151. SCMP_SYS(getgid),
  152. #ifdef __NR_getgid32
  153. SCMP_SYS(getgid32),
  154. #endif
  155. SCMP_SYS(getpid),
  156. #ifdef __NR_getrlimit
  157. SCMP_SYS(getrlimit),
  158. #endif
  159. SCMP_SYS(gettimeofday),
  160. SCMP_SYS(gettid),
  161. SCMP_SYS(getuid),
  162. #ifdef __NR_getuid32
  163. SCMP_SYS(getuid32),
  164. #endif
  165. SCMP_SYS(lseek),
  166. #ifdef __NR__llseek
  167. SCMP_SYS(_llseek),
  168. #endif
  169. SCMP_SYS(mkdir),
  170. SCMP_SYS(mlockall),
  171. #ifdef __NR_mmap
  172. /* XXXX restrict this in the same ways as mmap2 */
  173. SCMP_SYS(mmap),
  174. #endif
  175. SCMP_SYS(munmap),
  176. #ifdef __NR_nanosleep
  177. SCMP_SYS(nanosleep),
  178. #endif
  179. #ifdef __NR_prlimit
  180. SCMP_SYS(prlimit),
  181. #endif
  182. #ifdef __NR_prlimit64
  183. SCMP_SYS(prlimit64),
  184. #endif
  185. SCMP_SYS(read),
  186. SCMP_SYS(rt_sigreturn),
  187. SCMP_SYS(sched_getaffinity),
  188. #ifdef __NR_sched_yield
  189. SCMP_SYS(sched_yield),
  190. #endif
  191. SCMP_SYS(sendmsg),
  192. SCMP_SYS(set_robust_list),
  193. #ifdef __NR_setrlimit
  194. SCMP_SYS(setrlimit),
  195. #endif
  196. #ifdef __NR_sigaltstack
  197. SCMP_SYS(sigaltstack),
  198. #endif
  199. #ifdef __NR_sigreturn
  200. SCMP_SYS(sigreturn),
  201. #endif
  202. SCMP_SYS(stat),
  203. SCMP_SYS(uname),
  204. SCMP_SYS(wait4),
  205. SCMP_SYS(write),
  206. SCMP_SYS(writev),
  207. SCMP_SYS(exit_group),
  208. SCMP_SYS(exit),
  209. SCMP_SYS(madvise),
  210. #ifdef __NR_stat64
  211. // getaddrinfo uses this..
  212. SCMP_SYS(stat64),
  213. #endif
  214. #ifdef __NR_getrandom
  215. SCMP_SYS(getrandom),
  216. #endif
  217. #ifdef __NR_sysinfo
  218. // qsort uses this..
  219. SCMP_SYS(sysinfo),
  220. #endif
  221. /*
  222. * These socket syscalls are not required on x86_64 and not supported with
  223. * some libseccomp versions (eg: 1.0.1)
  224. */
  225. #if defined(__i386)
  226. SCMP_SYS(recv),
  227. SCMP_SYS(send),
  228. #endif
  229. // socket syscalls
  230. SCMP_SYS(bind),
  231. SCMP_SYS(listen),
  232. SCMP_SYS(connect),
  233. SCMP_SYS(getsockname),
  234. SCMP_SYS(recvmsg),
  235. SCMP_SYS(recvfrom),
  236. SCMP_SYS(sendto),
  237. SCMP_SYS(unlink),
  238. SCMP_SYS(poll)
  239. };
  240. /* These macros help avoid the error where the number of filters we add on a
  241. * single rule don't match the arg_cnt param. */
  242. #define seccomp_rule_add_0(ctx,act,call) \
  243. seccomp_rule_add((ctx),(act),(call),0)
  244. #define seccomp_rule_add_1(ctx,act,call,f1) \
  245. seccomp_rule_add((ctx),(act),(call),1,(f1))
  246. #define seccomp_rule_add_2(ctx,act,call,f1,f2) \
  247. seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
  248. #define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
  249. seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
  250. #define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
  251. seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
  252. /**
  253. * Function responsible for setting up the rt_sigaction syscall for
  254. * the seccomp filter sandbox.
  255. */
  256. static int
  257. sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  258. {
  259. unsigned i;
  260. int rc;
  261. int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
  262. #ifdef SIGXFSZ
  263. SIGXFSZ
  264. #endif
  265. };
  266. (void) filter;
  267. for (i = 0; i < ARRAY_LENGTH(param); i++) {
  268. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
  269. SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
  270. if (rc)
  271. break;
  272. }
  273. return rc;
  274. }
  275. /**
  276. * Function responsible for setting up the time syscall for
  277. * the seccomp filter sandbox.
  278. */
  279. static int
  280. sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  281. {
  282. (void) filter;
  283. #ifdef __NR_time
  284. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
  285. SCMP_CMP(0, SCMP_CMP_EQ, 0));
  286. #else
  287. return 0;
  288. #endif /* defined(__NR_time) */
  289. }
  290. /**
  291. * Function responsible for setting up the accept4 syscall for
  292. * the seccomp filter sandbox.
  293. */
  294. static int
  295. sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  296. {
  297. int rc = 0;
  298. (void)filter;
  299. #ifdef __i386__
  300. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
  301. SCMP_CMP(0, SCMP_CMP_EQ, 18));
  302. if (rc) {
  303. return rc;
  304. }
  305. #endif /* defined(__i386__) */
  306. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
  307. SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
  308. if (rc) {
  309. return rc;
  310. }
  311. return 0;
  312. }
  313. #ifdef __NR_mmap2
  314. /**
  315. * Function responsible for setting up the mmap2 syscall for
  316. * the seccomp filter sandbox.
  317. */
  318. static int
  319. sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  320. {
  321. int rc = 0;
  322. (void)filter;
  323. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  324. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
  325. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
  326. if (rc) {
  327. return rc;
  328. }
  329. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  330. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
  331. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
  332. if (rc) {
  333. return rc;
  334. }
  335. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  336. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  337. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
  338. if (rc) {
  339. return rc;
  340. }
  341. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  342. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  343. SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
  344. if (rc) {
  345. return rc;
  346. }
  347. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  348. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  349. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
  350. if (rc) {
  351. return rc;
  352. }
  353. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  354. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  355. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
  356. if (rc) {
  357. return rc;
  358. }
  359. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  360. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
  361. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
  362. if (rc) {
  363. return rc;
  364. }
  365. return 0;
  366. }
  367. #endif /* defined(__NR_mmap2) */
  368. #ifdef HAVE_GNU_LIBC_VERSION_H
  369. #ifdef HAVE_GNU_GET_LIBC_VERSION
  370. #define CHECK_LIBC_VERSION
  371. #endif
  372. #endif
  373. /* Return true if we think we're running with a libc that always uses
  374. * openat on linux. */
  375. static int
  376. libc_uses_openat_for_everything(void)
  377. {
  378. #ifdef CHECK_LIBC_VERSION
  379. const char *version = gnu_get_libc_version();
  380. if (version == NULL)
  381. return 0;
  382. int major = -1;
  383. int minor = -1;
  384. tor_sscanf(version, "%d.%d", &major, &minor);
  385. if (major >= 3)
  386. return 1;
  387. else if (major == 2 && minor >= 26)
  388. return 1;
  389. else
  390. return 0;
  391. #else /* !(defined(CHECK_LIBC_VERSION)) */
  392. return 0;
  393. #endif /* defined(CHECK_LIBC_VERSION) */
  394. }
  395. /** Allow a single file to be opened. If <b>use_openat</b> is true,
  396. * we're using a libc that remaps all the opens into openats. */
  397. static int
  398. allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file)
  399. {
  400. if (use_openat) {
  401. return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
  402. SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD),
  403. SCMP_CMP_STR(1, SCMP_CMP_EQ, file));
  404. } else {
  405. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
  406. SCMP_CMP_STR(0, SCMP_CMP_EQ, file));
  407. }
  408. }
  409. /**
  410. * Function responsible for setting up the open syscall for
  411. * the seccomp filter sandbox.
  412. */
  413. static int
  414. sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  415. {
  416. int rc;
  417. sandbox_cfg_t *elem = NULL;
  418. int use_openat = libc_uses_openat_for_everything();
  419. // for each dynamic parameter filters
  420. for (elem = filter; elem != NULL; elem = elem->next) {
  421. smp_param_t *param = elem->param;
  422. if (param != NULL && param->prot == 1 && param->syscall
  423. == SCMP_SYS(open)) {
  424. rc = allow_file_open(ctx, use_openat, param->value);
  425. if (rc != 0) {
  426. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  427. "libseccomp error %d", rc);
  428. return rc;
  429. }
  430. }
  431. }
  432. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
  433. SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
  434. O_RDONLY));
  435. if (rc != 0) {
  436. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
  437. "error %d", rc);
  438. return rc;
  439. }
  440. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat),
  441. SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
  442. O_RDONLY));
  443. if (rc != 0) {
  444. log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
  445. "libseccomp error %d", rc);
  446. return rc;
  447. }
  448. return 0;
  449. }
  450. static int
  451. sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  452. {
  453. int rc;
  454. sandbox_cfg_t *elem = NULL;
  455. // for each dynamic parameter filters
  456. for (elem = filter; elem != NULL; elem = elem->next) {
  457. smp_param_t *param = elem->param;
  458. if (param != NULL && param->prot == 1 && param->syscall
  459. == SCMP_SYS(chmod)) {
  460. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chmod),
  461. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  462. if (rc != 0) {
  463. log_err(LD_BUG,"(Sandbox) failed to add chmod syscall, received "
  464. "libseccomp error %d", rc);
  465. return rc;
  466. }
  467. }
  468. }
  469. return 0;
  470. }
  471. static int
  472. sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  473. {
  474. int rc;
  475. sandbox_cfg_t *elem = NULL;
  476. // for each dynamic parameter filters
  477. for (elem = filter; elem != NULL; elem = elem->next) {
  478. smp_param_t *param = elem->param;
  479. if (param != NULL && param->prot == 1 && param->syscall
  480. == SCMP_SYS(chown)) {
  481. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown),
  482. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  483. if (rc != 0) {
  484. log_err(LD_BUG,"(Sandbox) failed to add chown syscall, received "
  485. "libseccomp error %d", rc);
  486. return rc;
  487. }
  488. }
  489. }
  490. return 0;
  491. }
  492. static int
  493. sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  494. {
  495. int rc;
  496. (void) filter;
  497. (void) ctx;
  498. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
  499. if (rc != 0) {
  500. log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
  501. "received libseccomp error %d", rc);
  502. return rc;
  503. }
  504. return 0;
  505. }
  506. /**
  507. * Function responsible for setting up the rename syscall for
  508. * the seccomp filter sandbox.
  509. */
  510. static int
  511. sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  512. {
  513. int rc;
  514. sandbox_cfg_t *elem = NULL;
  515. // for each dynamic parameter filters
  516. for (elem = filter; elem != NULL; elem = elem->next) {
  517. smp_param_t *param = elem->param;
  518. if (param != NULL && param->prot == 1 &&
  519. param->syscall == SCMP_SYS(rename)) {
  520. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
  521. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
  522. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
  523. if (rc != 0) {
  524. log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
  525. "libseccomp error %d", rc);
  526. return rc;
  527. }
  528. }
  529. }
  530. return 0;
  531. }
  532. /**
  533. * Function responsible for setting up the openat syscall for
  534. * the seccomp filter sandbox.
  535. */
  536. static int
  537. sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  538. {
  539. int rc;
  540. sandbox_cfg_t *elem = NULL;
  541. // for each dynamic parameter filters
  542. for (elem = filter; elem != NULL; elem = elem->next) {
  543. smp_param_t *param = elem->param;
  544. if (param != NULL && param->prot == 1 && param->syscall
  545. == SCMP_SYS(openat)) {
  546. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
  547. SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
  548. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
  549. SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
  550. O_CLOEXEC));
  551. if (rc != 0) {
  552. log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
  553. "libseccomp error %d", rc);
  554. return rc;
  555. }
  556. }
  557. }
  558. return 0;
  559. }
  560. /**
  561. * Function responsible for setting up the socket syscall for
  562. * the seccomp filter sandbox.
  563. */
  564. static int
  565. sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  566. {
  567. int rc = 0;
  568. int i, j;
  569. (void) filter;
  570. #ifdef __i386__
  571. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
  572. if (rc)
  573. return rc;
  574. #endif
  575. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  576. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  577. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
  578. if (rc)
  579. return rc;
  580. for (i = 0; i < 2; ++i) {
  581. const int pf = i ? PF_INET : PF_INET6;
  582. for (j=0; j < 3; ++j) {
  583. const int type = (j == 0) ? SOCK_STREAM :
  584. SOCK_DGRAM;
  585. const int protocol = (j == 0) ? IPPROTO_TCP :
  586. (j == 1) ? IPPROTO_IP :
  587. IPPROTO_UDP;
  588. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  589. SCMP_CMP(0, SCMP_CMP_EQ, pf),
  590. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
  591. SCMP_CMP(2, SCMP_CMP_EQ, protocol));
  592. if (rc)
  593. return rc;
  594. }
  595. }
  596. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  597. SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
  598. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
  599. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  600. if (rc)
  601. return rc;
  602. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  603. SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
  604. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
  605. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  606. if (rc)
  607. return rc;
  608. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  609. SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
  610. SCMP_CMP_MASKED(1, SOCK_CLOEXEC, SOCK_RAW),
  611. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  612. if (rc)
  613. return rc;
  614. return 0;
  615. }
  616. /**
  617. * Function responsible for setting up the socketpair syscall for
  618. * the seccomp filter sandbox.
  619. */
  620. static int
  621. sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  622. {
  623. int rc = 0;
  624. (void) filter;
  625. #ifdef __i386__
  626. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
  627. if (rc)
  628. return rc;
  629. #endif
  630. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
  631. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  632. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
  633. if (rc)
  634. return rc;
  635. return 0;
  636. }
  637. #ifdef HAVE_KIST_SUPPORT
  638. #include <linux/sockios.h>
  639. static int
  640. sb_ioctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  641. {
  642. int rc;
  643. (void) filter;
  644. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl),
  645. SCMP_CMP(1, SCMP_CMP_EQ, SIOCOUTQNSD));
  646. if (rc)
  647. return rc;
  648. return 0;
  649. }
  650. #endif /* defined(HAVE_KIST_SUPPORT) */
  651. /**
  652. * Function responsible for setting up the setsockopt syscall for
  653. * the seccomp filter sandbox.
  654. */
  655. static int
  656. sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  657. {
  658. int rc = 0;
  659. (void) filter;
  660. #ifdef __i386__
  661. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
  662. if (rc)
  663. return rc;
  664. #endif
  665. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  666. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  667. SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
  668. if (rc)
  669. return rc;
  670. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  671. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  672. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  673. if (rc)
  674. return rc;
  675. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  676. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  677. SCMP_CMP(2, SCMP_CMP_EQ, SO_RCVBUF));
  678. if (rc)
  679. return rc;
  680. #ifdef HAVE_SYSTEMD
  681. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  682. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  683. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUFFORCE));
  684. if (rc)
  685. return rc;
  686. #endif /* defined(HAVE_SYSTEMD) */
  687. #ifdef IP_TRANSPARENT
  688. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  689. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  690. SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
  691. if (rc)
  692. return rc;
  693. #endif /* defined(IP_TRANSPARENT) */
  694. #ifdef IPV6_V6ONLY
  695. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  696. SCMP_CMP(1, SCMP_CMP_EQ, IPPROTO_IPV6),
  697. SCMP_CMP(2, SCMP_CMP_EQ, IPV6_V6ONLY));
  698. if (rc)
  699. return rc;
  700. #endif /* defined(IPV6_V6ONLY) */
  701. return 0;
  702. }
  703. /**
  704. * Function responsible for setting up the getsockopt syscall for
  705. * the seccomp filter sandbox.
  706. */
  707. static int
  708. sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  709. {
  710. int rc = 0;
  711. (void) filter;
  712. #ifdef __i386__
  713. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
  714. if (rc)
  715. return rc;
  716. #endif
  717. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  718. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  719. SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
  720. if (rc)
  721. return rc;
  722. #ifdef HAVE_SYSTEMD
  723. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  724. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  725. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  726. if (rc)
  727. return rc;
  728. #endif /* defined(HAVE_SYSTEMD) */
  729. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  730. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  731. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  732. SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
  733. if (rc)
  734. return rc;
  735. #endif /* defined(HAVE_LINUX_NETFILTER_IPV4_H) */
  736. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  737. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  738. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
  739. SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
  740. if (rc)
  741. return rc;
  742. #endif /* defined(HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H) */
  743. #ifdef HAVE_KIST_SUPPORT
  744. #include <netinet/tcp.h>
  745. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  746. SCMP_CMP(1, SCMP_CMP_EQ, SOL_TCP),
  747. SCMP_CMP(2, SCMP_CMP_EQ, TCP_INFO));
  748. if (rc)
  749. return rc;
  750. #endif /* defined(HAVE_KIST_SUPPORT) */
  751. return 0;
  752. }
  753. #ifdef __NR_fcntl64
  754. /**
  755. * Function responsible for setting up the fcntl64 syscall for
  756. * the seccomp filter sandbox.
  757. */
  758. static int
  759. sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  760. {
  761. int rc = 0;
  762. (void) filter;
  763. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  764. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
  765. if (rc)
  766. return rc;
  767. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  768. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
  769. SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
  770. if (rc)
  771. return rc;
  772. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  773. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
  774. if (rc)
  775. return rc;
  776. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  777. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
  778. SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
  779. if (rc)
  780. return rc;
  781. return 0;
  782. }
  783. #endif /* defined(__NR_fcntl64) */
  784. /**
  785. * Function responsible for setting up the epoll_ctl syscall for
  786. * the seccomp filter sandbox.
  787. *
  788. * Note: basically allows everything but will keep for now..
  789. */
  790. static int
  791. sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  792. {
  793. int rc = 0;
  794. (void) filter;
  795. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  796. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
  797. if (rc)
  798. return rc;
  799. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  800. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
  801. if (rc)
  802. return rc;
  803. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  804. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
  805. if (rc)
  806. return rc;
  807. return 0;
  808. }
  809. /**
  810. * Function responsible for setting up the prctl syscall for
  811. * the seccomp filter sandbox.
  812. *
  813. * NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
  814. * to be whitelisted in this function.
  815. */
  816. static int
  817. sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  818. {
  819. int rc = 0;
  820. (void) filter;
  821. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
  822. SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
  823. if (rc)
  824. return rc;
  825. return 0;
  826. }
  827. /**
  828. * Function responsible for setting up the mprotect syscall for
  829. * the seccomp filter sandbox.
  830. *
  831. * NOTE: does not NEED to be here.. currently only occurs before filter; will
  832. * keep just in case for the future.
  833. */
  834. static int
  835. sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  836. {
  837. int rc = 0;
  838. (void) filter;
  839. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  840. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
  841. if (rc)
  842. return rc;
  843. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  844. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
  845. if (rc)
  846. return rc;
  847. return 0;
  848. }
  849. /**
  850. * Function responsible for setting up the rt_sigprocmask syscall for
  851. * the seccomp filter sandbox.
  852. */
  853. static int
  854. sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  855. {
  856. int rc = 0;
  857. (void) filter;
  858. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  859. SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
  860. if (rc)
  861. return rc;
  862. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  863. SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
  864. if (rc)
  865. return rc;
  866. return 0;
  867. }
  868. /**
  869. * Function responsible for setting up the flock syscall for
  870. * the seccomp filter sandbox.
  871. *
  872. * NOTE: does not need to be here, occurs before filter is applied.
  873. */
  874. static int
  875. sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  876. {
  877. int rc = 0;
  878. (void) filter;
  879. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  880. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
  881. if (rc)
  882. return rc;
  883. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  884. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
  885. if (rc)
  886. return rc;
  887. return 0;
  888. }
  889. /**
  890. * Function responsible for setting up the futex syscall for
  891. * the seccomp filter sandbox.
  892. */
  893. static int
  894. sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  895. {
  896. int rc = 0;
  897. (void) filter;
  898. // can remove
  899. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  900. SCMP_CMP(1, SCMP_CMP_EQ,
  901. FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
  902. if (rc)
  903. return rc;
  904. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  905. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
  906. if (rc)
  907. return rc;
  908. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  909. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
  910. if (rc)
  911. return rc;
  912. return 0;
  913. }
  914. /**
  915. * Function responsible for setting up the mremap syscall for
  916. * the seccomp filter sandbox.
  917. *
  918. * NOTE: so far only occurs before filter is applied.
  919. */
  920. static int
  921. sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  922. {
  923. int rc = 0;
  924. (void) filter;
  925. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
  926. SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
  927. if (rc)
  928. return rc;
  929. return 0;
  930. }
  931. #ifdef __NR_stat64
  932. /**
  933. * Function responsible for setting up the stat64 syscall for
  934. * the seccomp filter sandbox.
  935. */
  936. static int
  937. sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  938. {
  939. int rc = 0;
  940. sandbox_cfg_t *elem = NULL;
  941. // for each dynamic parameter filters
  942. for (elem = filter; elem != NULL; elem = elem->next) {
  943. smp_param_t *param = elem->param;
  944. if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
  945. || param->syscall == SCMP_SYS(stat64))) {
  946. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
  947. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  948. if (rc != 0) {
  949. log_err(LD_BUG,"(Sandbox) failed to add stat64 syscall, received "
  950. "libseccomp error %d", rc);
  951. return rc;
  952. }
  953. }
  954. }
  955. return 0;
  956. }
  957. #endif /* defined(__NR_stat64) */
  958. static int
  959. sb_kill(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  960. {
  961. (void) filter;
  962. #ifdef __NR_kill
  963. /* Allow killing anything with signal 0 -- it isn't really a kill. */
  964. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(kill),
  965. SCMP_CMP(1, SCMP_CMP_EQ, 0));
  966. #else
  967. return 0;
  968. #endif /* defined(__NR_kill) */
  969. }
  970. /**
  971. * Array of function pointers responsible for filtering different syscalls at
  972. * a parameter level.
  973. */
  974. static sandbox_filter_func_t filter_func[] = {
  975. sb_rt_sigaction,
  976. sb_rt_sigprocmask,
  977. sb_time,
  978. sb_accept4,
  979. #ifdef __NR_mmap2
  980. sb_mmap2,
  981. #endif
  982. sb_chown,
  983. sb_chmod,
  984. sb_open,
  985. sb_openat,
  986. sb__sysctl,
  987. sb_rename,
  988. #ifdef __NR_fcntl64
  989. sb_fcntl64,
  990. #endif
  991. sb_epoll_ctl,
  992. sb_prctl,
  993. sb_mprotect,
  994. sb_flock,
  995. sb_futex,
  996. sb_mremap,
  997. #ifdef __NR_stat64
  998. sb_stat64,
  999. #endif
  1000. sb_socket,
  1001. sb_setsockopt,
  1002. sb_getsockopt,
  1003. sb_socketpair,
  1004. #ifdef HAVE_KIST_SUPPORT
  1005. sb_ioctl,
  1006. #endif
  1007. sb_kill
  1008. };
  1009. const char *
  1010. sandbox_intern_string(const char *str)
  1011. {
  1012. sandbox_cfg_t *elem;
  1013. if (str == NULL)
  1014. return NULL;
  1015. for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
  1016. smp_param_t *param = elem->param;
  1017. if (param->prot) {
  1018. if (!strcmp(str, (char*)(param->value))) {
  1019. return (char*)param->value;
  1020. }
  1021. if (param->value2 && !strcmp(str, (char*)param->value2)) {
  1022. return (char*)param->value2;
  1023. }
  1024. }
  1025. }
  1026. if (sandbox_active)
  1027. log_warn(LD_BUG, "No interned sandbox parameter found for %s", str);
  1028. return str;
  1029. }
  1030. /* DOCDOC */
  1031. static int
  1032. prot_strings_helper(strmap_t *locations,
  1033. char **pr_mem_next_p,
  1034. size_t *pr_mem_left_p,
  1035. char **value_p)
  1036. {
  1037. char *param_val;
  1038. size_t param_size;
  1039. void *location;
  1040. if (*value_p == 0)
  1041. return 0;
  1042. param_val = (char*) *value_p;
  1043. param_size = strlen(param_val) + 1;
  1044. location = strmap_get(locations, param_val);
  1045. if (location) {
  1046. // We already interned this string.
  1047. tor_free(param_val);
  1048. *value_p = location;
  1049. return 0;
  1050. } else if (*pr_mem_left_p >= param_size) {
  1051. // copy to protected
  1052. location = *pr_mem_next_p;
  1053. memcpy(location, param_val, param_size);
  1054. // re-point el parameter to protected
  1055. tor_free(param_val);
  1056. *value_p = location;
  1057. strmap_set(locations, location, location); /* good real estate advice */
  1058. // move next available protected memory
  1059. *pr_mem_next_p += param_size;
  1060. *pr_mem_left_p -= param_size;
  1061. return 0;
  1062. } else {
  1063. log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
  1064. return -1;
  1065. }
  1066. }
  1067. /**
  1068. * Protects all the strings in the sandbox's parameter list configuration. It
  1069. * works by calculating the total amount of memory required by the parameter
  1070. * list, allocating the memory using mmap, and protecting it from writes with
  1071. * mprotect().
  1072. */
  1073. static int
  1074. prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1075. {
  1076. int ret = 0;
  1077. size_t pr_mem_size = 0, pr_mem_left = 0;
  1078. char *pr_mem_next = NULL, *pr_mem_base;
  1079. sandbox_cfg_t *el = NULL;
  1080. strmap_t *locations = NULL;
  1081. // get total number of bytes required to mmap. (Overestimate.)
  1082. for (el = cfg; el != NULL; el = el->next) {
  1083. pr_mem_size += strlen((char*) el->param->value) + 1;
  1084. if (el->param->value2)
  1085. pr_mem_size += strlen((char*) el->param->value2) + 1;
  1086. }
  1087. // allocate protected memory with MALLOC_MP_LIM canary
  1088. pr_mem_base = (char*) mmap(NULL, MALLOC_MP_LIM + pr_mem_size,
  1089. PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
  1090. if (pr_mem_base == MAP_FAILED) {
  1091. log_err(LD_BUG,"(Sandbox) failed allocate protected memory! mmap: %s",
  1092. strerror(errno));
  1093. ret = -1;
  1094. goto out;
  1095. }
  1096. pr_mem_next = pr_mem_base + MALLOC_MP_LIM;
  1097. pr_mem_left = pr_mem_size;
  1098. locations = strmap_new();
  1099. // change el value pointer to protected
  1100. for (el = cfg; el != NULL; el = el->next) {
  1101. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  1102. &el->param->value) < 0) {
  1103. ret = -2;
  1104. goto out;
  1105. }
  1106. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  1107. &el->param->value2) < 0) {
  1108. ret = -2;
  1109. goto out;
  1110. }
  1111. el->param->prot = 1;
  1112. }
  1113. // protecting from writes
  1114. if (mprotect(pr_mem_base, MALLOC_MP_LIM + pr_mem_size, PROT_READ)) {
  1115. log_err(LD_BUG,"(Sandbox) failed to protect memory! mprotect: %s",
  1116. strerror(errno));
  1117. ret = -3;
  1118. goto out;
  1119. }
  1120. /*
  1121. * Setting sandbox restrictions so the string memory cannot be tampered with
  1122. */
  1123. // no mremap of the protected base address
  1124. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
  1125. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  1126. if (ret) {
  1127. log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!");
  1128. goto out;
  1129. }
  1130. // no munmap of the protected base address
  1131. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
  1132. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  1133. if (ret) {
  1134. log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!");
  1135. goto out;
  1136. }
  1137. /*
  1138. * Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
  1139. * never over the memory region used by the protected strings.
  1140. *
  1141. * PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
  1142. * had to be removed due to limitation of libseccomp regarding intervals.
  1143. *
  1144. * There is a restriction on how much you can mprotect with R|W up to the
  1145. * size of the canary.
  1146. */
  1147. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  1148. SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
  1149. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  1150. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  1151. if (ret) {
  1152. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (LT)!");
  1153. goto out;
  1154. }
  1155. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  1156. SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
  1157. MALLOC_MP_LIM),
  1158. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  1159. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  1160. if (ret) {
  1161. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (GT)!");
  1162. goto out;
  1163. }
  1164. out:
  1165. strmap_free(locations, NULL);
  1166. return ret;
  1167. }
  1168. /**
  1169. * Auxiliary function used in order to allocate a sandbox_cfg_t element and set
  1170. * its values according the parameter list. All elements are initialised
  1171. * with the 'prot' field set to false, as the pointer is not protected at this
  1172. * point.
  1173. */
  1174. static sandbox_cfg_t*
  1175. new_element2(int syscall, char *value, char *value2)
  1176. {
  1177. smp_param_t *param = NULL;
  1178. sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t));
  1179. param = elem->param = tor_malloc_zero(sizeof(smp_param_t));
  1180. param->syscall = syscall;
  1181. param->value = value;
  1182. param->value2 = value2;
  1183. param->prot = 0;
  1184. return elem;
  1185. }
  1186. static sandbox_cfg_t*
  1187. new_element(int syscall, char *value)
  1188. {
  1189. return new_element2(syscall, value, NULL);
  1190. }
  1191. #ifdef __NR_stat64
  1192. #define SCMP_stat SCMP_SYS(stat64)
  1193. #else
  1194. #define SCMP_stat SCMP_SYS(stat)
  1195. #endif
  1196. int
  1197. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1198. {
  1199. sandbox_cfg_t *elem = NULL;
  1200. elem = new_element(SCMP_stat, file);
  1201. elem->next = *cfg;
  1202. *cfg = elem;
  1203. return 0;
  1204. }
  1205. int
  1206. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1207. {
  1208. sandbox_cfg_t *elem = NULL;
  1209. elem = new_element(SCMP_SYS(open), file);
  1210. elem->next = *cfg;
  1211. *cfg = elem;
  1212. return 0;
  1213. }
  1214. int
  1215. sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
  1216. {
  1217. sandbox_cfg_t *elem = NULL;
  1218. elem = new_element(SCMP_SYS(chmod), file);
  1219. elem->next = *cfg;
  1220. *cfg = elem;
  1221. return 0;
  1222. }
  1223. int
  1224. sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
  1225. {
  1226. sandbox_cfg_t *elem = NULL;
  1227. elem = new_element(SCMP_SYS(chown), file);
  1228. elem->next = *cfg;
  1229. *cfg = elem;
  1230. return 0;
  1231. }
  1232. int
  1233. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1234. {
  1235. sandbox_cfg_t *elem = NULL;
  1236. elem = new_element2(SCMP_SYS(rename), file1, file2);
  1237. elem->next = *cfg;
  1238. *cfg = elem;
  1239. return 0;
  1240. }
  1241. int
  1242. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1243. {
  1244. sandbox_cfg_t *elem = NULL;
  1245. elem = new_element(SCMP_SYS(openat), file);
  1246. elem->next = *cfg;
  1247. *cfg = elem;
  1248. return 0;
  1249. }
  1250. /** Cache entry for getaddrinfo results; used when sandboxing is implemented
  1251. * so that we can consult the cache when the sandbox prevents us from doing
  1252. * getaddrinfo.
  1253. *
  1254. * We support only a limited range of getaddrinfo calls, where servname is null
  1255. * and hints contains only socktype=SOCK_STREAM, family in INET,INET6,UNSPEC.
  1256. */
  1257. typedef struct cached_getaddrinfo_item_t {
  1258. HT_ENTRY(cached_getaddrinfo_item_t) node;
  1259. char *name;
  1260. int family;
  1261. /** set if no error; otherwise NULL */
  1262. struct addrinfo *res;
  1263. /** 0 for no error; otherwise an EAI_* value */
  1264. int err;
  1265. } cached_getaddrinfo_item_t;
  1266. static unsigned
  1267. cached_getaddrinfo_item_hash(const cached_getaddrinfo_item_t *item)
  1268. {
  1269. return (unsigned)siphash24g(item->name, strlen(item->name)) + item->family;
  1270. }
  1271. static unsigned
  1272. cached_getaddrinfo_items_eq(const cached_getaddrinfo_item_t *a,
  1273. const cached_getaddrinfo_item_t *b)
  1274. {
  1275. return (a->family == b->family) && 0 == strcmp(a->name, b->name);
  1276. }
  1277. #define cached_getaddrinfo_item_free(item) \
  1278. FREE_AND_NULL(cached_getaddrinfo_item_t, \
  1279. cached_getaddrinfo_item_free_, (item))
  1280. static void
  1281. cached_getaddrinfo_item_free_(cached_getaddrinfo_item_t *item)
  1282. {
  1283. if (item == NULL)
  1284. return;
  1285. tor_free(item->name);
  1286. if (item->res)
  1287. freeaddrinfo(item->res);
  1288. tor_free(item);
  1289. }
  1290. static HT_HEAD(getaddrinfo_cache, cached_getaddrinfo_item_t)
  1291. getaddrinfo_cache = HT_INITIALIZER();
  1292. HT_PROTOTYPE(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1293. cached_getaddrinfo_item_hash,
  1294. cached_getaddrinfo_items_eq)
  1295. HT_GENERATE2(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1296. cached_getaddrinfo_item_hash,
  1297. cached_getaddrinfo_items_eq,
  1298. 0.6, tor_reallocarray_, tor_free_)
  1299. /** If true, don't try to cache getaddrinfo results. */
  1300. static int sandbox_getaddrinfo_cache_disabled = 0;
  1301. /** Tell the sandbox layer not to try to cache getaddrinfo results. Used as in
  1302. * tor-resolve, when we have no intention of initializing crypto or of
  1303. * installing the sandbox.*/
  1304. void
  1305. sandbox_disable_getaddrinfo_cache(void)
  1306. {
  1307. sandbox_getaddrinfo_cache_disabled = 1;
  1308. }
  1309. void
  1310. sandbox_freeaddrinfo(struct addrinfo *ai)
  1311. {
  1312. if (sandbox_getaddrinfo_cache_disabled)
  1313. freeaddrinfo(ai);
  1314. }
  1315. int
  1316. sandbox_getaddrinfo(const char *name, const char *servname,
  1317. const struct addrinfo *hints,
  1318. struct addrinfo **res)
  1319. {
  1320. int err;
  1321. struct cached_getaddrinfo_item_t search, *item;
  1322. if (sandbox_getaddrinfo_cache_disabled) {
  1323. return getaddrinfo(name, NULL, hints, res);
  1324. }
  1325. if (servname != NULL) {
  1326. log_warn(LD_BUG, "called with non-NULL servname");
  1327. return EAI_NONAME;
  1328. }
  1329. if (name == NULL) {
  1330. log_warn(LD_BUG, "called with NULL name");
  1331. return EAI_NONAME;
  1332. }
  1333. *res = NULL;
  1334. memset(&search, 0, sizeof(search));
  1335. search.name = (char *) name;
  1336. search.family = hints ? hints->ai_family : AF_UNSPEC;
  1337. item = HT_FIND(getaddrinfo_cache, &getaddrinfo_cache, &search);
  1338. if (! sandbox_is_active()) {
  1339. /* If the sandbox is not turned on yet, then getaddrinfo and store the
  1340. result. */
  1341. err = getaddrinfo(name, NULL, hints, res);
  1342. log_info(LD_NET,"(Sandbox) getaddrinfo %s.", err ? "failed" : "succeeded");
  1343. if (! item) {
  1344. item = tor_malloc_zero(sizeof(*item));
  1345. item->name = tor_strdup(name);
  1346. item->family = hints ? hints->ai_family : AF_UNSPEC;
  1347. HT_INSERT(getaddrinfo_cache, &getaddrinfo_cache, item);
  1348. }
  1349. if (item->res) {
  1350. freeaddrinfo(item->res);
  1351. item->res = NULL;
  1352. }
  1353. item->res = *res;
  1354. item->err = err;
  1355. return err;
  1356. }
  1357. /* Otherwise, the sandbox is on. If we have an item, yield its cached
  1358. result. */
  1359. if (item) {
  1360. *res = item->res;
  1361. return item->err;
  1362. }
  1363. /* getting here means something went wrong */
  1364. log_err(LD_BUG,"(Sandbox) failed to get address %s!", name);
  1365. return EAI_NONAME;
  1366. }
  1367. int
  1368. sandbox_add_addrinfo(const char *name)
  1369. {
  1370. struct addrinfo *res;
  1371. struct addrinfo hints;
  1372. int i;
  1373. static const int families[] = { AF_INET, AF_INET6, AF_UNSPEC };
  1374. memset(&hints, 0, sizeof(hints));
  1375. hints.ai_socktype = SOCK_STREAM;
  1376. for (i = 0; i < 3; ++i) {
  1377. hints.ai_family = families[i];
  1378. res = NULL;
  1379. (void) sandbox_getaddrinfo(name, NULL, &hints, &res);
  1380. if (res)
  1381. sandbox_freeaddrinfo(res);
  1382. }
  1383. return 0;
  1384. }
  1385. void
  1386. sandbox_free_getaddrinfo_cache(void)
  1387. {
  1388. cached_getaddrinfo_item_t **next, **item, *this;
  1389. for (item = HT_START(getaddrinfo_cache, &getaddrinfo_cache);
  1390. item;
  1391. item = next) {
  1392. this = *item;
  1393. next = HT_NEXT_RMV(getaddrinfo_cache, &getaddrinfo_cache, item);
  1394. cached_getaddrinfo_item_free(this);
  1395. }
  1396. HT_CLEAR(getaddrinfo_cache, &getaddrinfo_cache);
  1397. }
  1398. /**
  1399. * Function responsible for going through the parameter syscall filters and
  1400. * call each function pointer in the list.
  1401. */
  1402. static int
  1403. add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1404. {
  1405. unsigned i;
  1406. int rc = 0;
  1407. // function pointer
  1408. for (i = 0; i < ARRAY_LENGTH(filter_func); i++) {
  1409. rc = filter_func[i](ctx, cfg);
  1410. if (rc) {
  1411. log_err(LD_BUG,"(Sandbox) failed to add syscall %d, received libseccomp "
  1412. "error %d", i, rc);
  1413. return rc;
  1414. }
  1415. }
  1416. return 0;
  1417. }
  1418. /**
  1419. * Function responsible of loading the libseccomp syscall filters which do not
  1420. * have parameter filtering.
  1421. */
  1422. static int
  1423. add_noparam_filter(scmp_filter_ctx ctx)
  1424. {
  1425. unsigned i;
  1426. int rc = 0;
  1427. // add general filters
  1428. for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
  1429. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
  1430. if (rc != 0) {
  1431. log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), "
  1432. "received libseccomp error %d", i, filter_nopar_gen[i], rc);
  1433. return rc;
  1434. }
  1435. }
  1436. return 0;
  1437. }
  1438. /**
  1439. * Function responsible for setting up and enabling a global syscall filter.
  1440. * The function is a prototype developed for stage 1 of sandboxing Tor.
  1441. * Returns 0 on success.
  1442. */
  1443. static int
  1444. install_syscall_filter(sandbox_cfg_t* cfg)
  1445. {
  1446. int rc = 0;
  1447. scmp_filter_ctx ctx;
  1448. ctx = seccomp_init(SCMP_ACT_TRAP);
  1449. if (ctx == NULL) {
  1450. log_err(LD_BUG,"(Sandbox) failed to initialise libseccomp context");
  1451. rc = -1;
  1452. goto end;
  1453. }
  1454. // protectign sandbox parameter strings
  1455. if ((rc = prot_strings(ctx, cfg))) {
  1456. goto end;
  1457. }
  1458. // add parameter filters
  1459. if ((rc = add_param_filter(ctx, cfg))) {
  1460. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1461. goto end;
  1462. }
  1463. // adding filters with no parameters
  1464. if ((rc = add_noparam_filter(ctx))) {
  1465. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1466. goto end;
  1467. }
  1468. // loading the seccomp2 filter
  1469. if ((rc = seccomp_load(ctx))) {
  1470. log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)! "
  1471. "Are you sure that your kernel has seccomp2 support? The "
  1472. "sandbox won't work without it.", rc,
  1473. strerror(-rc));
  1474. goto end;
  1475. }
  1476. // marking the sandbox as active
  1477. sandbox_active = 1;
  1478. end:
  1479. seccomp_release(ctx);
  1480. return (rc < 0 ? -rc : rc);
  1481. }
  1482. #include "linux_syscalls.inc"
  1483. static const char *
  1484. get_syscall_name(int syscall_num)
  1485. {
  1486. int i;
  1487. for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
  1488. if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
  1489. return SYSCALLS_BY_NUMBER[i].syscall_name;
  1490. }
  1491. {
  1492. static char syscall_name_buf[64];
  1493. format_dec_number_sigsafe(syscall_num,
  1494. syscall_name_buf, sizeof(syscall_name_buf));
  1495. return syscall_name_buf;
  1496. }
  1497. }
  1498. #ifdef USE_BACKTRACE
  1499. #define MAX_DEPTH 256
  1500. static void *syscall_cb_buf[MAX_DEPTH];
  1501. #endif
  1502. /**
  1503. * Function called when a SIGSYS is caught by the application. It notifies the
  1504. * user that an error has occurred and either terminates or allows the
  1505. * application to continue execution, based on the DEBUGGING_CLOSE symbol.
  1506. */
  1507. static void
  1508. sigsys_debugging(int nr, siginfo_t *info, void *void_context)
  1509. {
  1510. ucontext_t *ctx = (ucontext_t *) (void_context);
  1511. const char *syscall_name;
  1512. int syscall;
  1513. #ifdef USE_BACKTRACE
  1514. size_t depth;
  1515. int n_fds, i;
  1516. const int *fds = NULL;
  1517. #endif
  1518. (void) nr;
  1519. if (info->si_code != SYS_SECCOMP)
  1520. return;
  1521. if (!ctx)
  1522. return;
  1523. syscall = (int) ctx->uc_mcontext.M_SYSCALL;
  1524. #ifdef USE_BACKTRACE
  1525. depth = backtrace(syscall_cb_buf, MAX_DEPTH);
  1526. /* Clean up the top stack frame so we get the real function
  1527. * name for the most recently failing function. */
  1528. clean_backtrace(syscall_cb_buf, depth, ctx);
  1529. #endif /* defined(USE_BACKTRACE) */
  1530. syscall_name = get_syscall_name(syscall);
  1531. tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ",
  1532. syscall_name,
  1533. ")\n",
  1534. NULL);
  1535. #ifdef USE_BACKTRACE
  1536. n_fds = tor_log_get_sigsafe_err_fds(&fds);
  1537. for (i=0; i < n_fds; ++i)
  1538. backtrace_symbols_fd(syscall_cb_buf, (int)depth, fds[i]);
  1539. #endif
  1540. #if defined(DEBUGGING_CLOSE)
  1541. _exit(1); // exit ok: programming error has led to sandbox failure.
  1542. #endif // DEBUGGING_CLOSE
  1543. }
  1544. /**
  1545. * Function that adds a handler for SIGSYS, which is the signal thrown
  1546. * when the application is issuing a syscall which is not allowed. The
  1547. * main purpose of this function is to help with debugging by identifying
  1548. * filtered syscalls.
  1549. */
  1550. static int
  1551. install_sigsys_debugging(void)
  1552. {
  1553. struct sigaction act;
  1554. sigset_t mask;
  1555. memset(&act, 0, sizeof(act));
  1556. sigemptyset(&mask);
  1557. sigaddset(&mask, SIGSYS);
  1558. act.sa_sigaction = &sigsys_debugging;
  1559. act.sa_flags = SA_SIGINFO;
  1560. if (sigaction(SIGSYS, &act, NULL) < 0) {
  1561. log_err(LD_BUG,"(Sandbox) Failed to register SIGSYS signal handler");
  1562. return -1;
  1563. }
  1564. if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
  1565. log_err(LD_BUG,"(Sandbox) Failed call to sigprocmask()");
  1566. return -2;
  1567. }
  1568. return 0;
  1569. }
  1570. /**
  1571. * Function responsible of registering the sandbox_cfg_t list of parameter
  1572. * syscall filters to the existing parameter list. This is used for incipient
  1573. * multiple-sandbox support.
  1574. */
  1575. static int
  1576. register_cfg(sandbox_cfg_t* cfg)
  1577. {
  1578. sandbox_cfg_t *elem = NULL;
  1579. if (filter_dynamic == NULL) {
  1580. filter_dynamic = cfg;
  1581. return 0;
  1582. }
  1583. for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
  1584. ;
  1585. elem->next = cfg;
  1586. return 0;
  1587. }
  1588. #endif /* defined(USE_LIBSECCOMP) */
  1589. #ifdef USE_LIBSECCOMP
  1590. /**
  1591. * Initialises the syscall sandbox filter for any linux architecture, taking
  1592. * into account various available features for different linux flavours.
  1593. */
  1594. static int
  1595. initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
  1596. {
  1597. /* Prevent glibc from trying to open /dev/tty on fatal error */
  1598. setenv("LIBC_FATAL_STDERR_", "1", 1);
  1599. if (install_sigsys_debugging())
  1600. return -1;
  1601. if (install_syscall_filter(cfg))
  1602. return -2;
  1603. if (register_cfg(cfg))
  1604. return -3;
  1605. return 0;
  1606. }
  1607. int
  1608. sandbox_is_active(void)
  1609. {
  1610. return sandbox_active != 0;
  1611. }
  1612. #endif /* defined(USE_LIBSECCOMP) */
  1613. sandbox_cfg_t*
  1614. sandbox_cfg_new(void)
  1615. {
  1616. return NULL;
  1617. }
  1618. int
  1619. sandbox_init(sandbox_cfg_t *cfg)
  1620. {
  1621. #if defined(USE_LIBSECCOMP)
  1622. return initialise_libseccomp_sandbox(cfg);
  1623. #elif defined(__linux__)
  1624. (void)cfg;
  1625. log_warn(LD_GENERAL,
  1626. "This version of Tor was built without support for sandboxing. To "
  1627. "build with support for sandboxing on Linux, you must have "
  1628. "libseccomp and its necessary header files (e.g. seccomp.h).");
  1629. return 0;
  1630. #else
  1631. (void)cfg;
  1632. log_warn(LD_GENERAL,
  1633. "Currently, sandboxing is only implemented on Linux. The feature "
  1634. "is disabled on your platform.");
  1635. return 0;
  1636. #endif /* defined(USE_LIBSECCOMP) || ... */
  1637. }
  1638. #ifndef USE_LIBSECCOMP
  1639. int
  1640. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1641. {
  1642. (void)cfg; (void)file;
  1643. return 0;
  1644. }
  1645. int
  1646. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1647. {
  1648. (void)cfg; (void)file;
  1649. return 0;
  1650. }
  1651. int
  1652. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1653. {
  1654. (void)cfg; (void)file;
  1655. return 0;
  1656. }
  1657. int
  1658. sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
  1659. {
  1660. (void)cfg; (void)file;
  1661. return 0;
  1662. }
  1663. int
  1664. sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
  1665. {
  1666. (void)cfg; (void)file;
  1667. return 0;
  1668. }
  1669. int
  1670. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1671. {
  1672. (void)cfg; (void)file1; (void)file2;
  1673. return 0;
  1674. }
  1675. int
  1676. sandbox_is_active(void)
  1677. {
  1678. return 0;
  1679. }
  1680. void
  1681. sandbox_disable_getaddrinfo_cache(void)
  1682. {
  1683. }
  1684. #endif /* !defined(USE_LIBSECCOMP) */