sandbox.c 47 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977
  1. /* Copyright (c) 2001 Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2017, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file sandbox.c
  8. * \brief Code to enable sandboxing.
  9. **/
  10. #include "orconfig.h"
  11. #ifndef _LARGEFILE64_SOURCE
  12. /**
  13. * Temporarily required for O_LARGEFILE flag. Needs to be removed
  14. * with the libevent fix.
  15. */
  16. #define _LARGEFILE64_SOURCE
  17. #endif /* !defined(_LARGEFILE64_SOURCE) */
  18. /** Malloc mprotect limit in bytes.
  19. *
  20. * 28/06/2017: This value was increased from 16 MB to 20 MB after we introduced
  21. * LZMA support in Tor (0.3.1.1-alpha). We limit our LZMA coder to 16 MB, but
  22. * liblzma have a small overhead that we need to compensate for to avoid being
  23. * killed by the sandbox.
  24. */
  25. #define MALLOC_MP_LIM (20*1024*1024)
  26. #include <stdio.h>
  27. #include <string.h>
  28. #include <stdlib.h>
  29. #include "sandbox.h"
  30. #include "container.h"
  31. #include "torlog.h"
  32. #include "torint.h"
  33. #include "util.h"
  34. #include "tor_queue.h"
  35. #include "ht.h"
  36. #define DEBUGGING_CLOSE
  37. #if defined(USE_LIBSECCOMP)
  38. #include <sys/mman.h>
  39. #include <sys/syscall.h>
  40. #include <sys/types.h>
  41. #include <sys/stat.h>
  42. #include <sys/epoll.h>
  43. #include <sys/prctl.h>
  44. #include <linux/futex.h>
  45. #include <sys/file.h>
  46. #include <stdarg.h>
  47. #include <seccomp.h>
  48. #include <signal.h>
  49. #include <unistd.h>
  50. #include <fcntl.h>
  51. #include <time.h>
  52. #include <poll.h>
  53. #ifdef HAVE_GNU_LIBC_VERSION_H
  54. #include <gnu/libc-version.h>
  55. #endif
  56. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  57. #include <linux/netfilter_ipv4.h>
  58. #endif
  59. #ifdef HAVE_LINUX_IF_H
  60. #include <linux/if.h>
  61. #endif
  62. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  63. #include <linux/netfilter_ipv6/ip6_tables.h>
  64. #endif
  65. #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
  66. defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
  67. #define USE_BACKTRACE
  68. #define EXPOSE_CLEAN_BACKTRACE
  69. #include "backtrace.h"
  70. #endif /* defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && ... */
  71. #ifdef USE_BACKTRACE
  72. #include <execinfo.h>
  73. #endif
  74. /**
  75. * Linux 32 bit definitions
  76. */
  77. #if defined(__i386__)
  78. #define REG_SYSCALL REG_EAX
  79. #define M_SYSCALL gregs[REG_SYSCALL]
  80. /**
  81. * Linux 64 bit definitions
  82. */
  83. #elif defined(__x86_64__)
  84. #define REG_SYSCALL REG_RAX
  85. #define M_SYSCALL gregs[REG_SYSCALL]
  86. #elif defined(__arm__)
  87. #define M_SYSCALL arm_r7
  88. #elif defined(__aarch64__) && defined(__LP64__)
  89. #define REG_SYSCALL 8
  90. #define M_SYSCALL regs[REG_SYSCALL]
  91. #endif /* defined(__i386__) || ... */
  92. /**Determines if at least one sandbox is active.*/
  93. static int sandbox_active = 0;
  94. /** Holds the parameter list configuration for the sandbox.*/
  95. static sandbox_cfg_t *filter_dynamic = NULL;
  96. #undef SCMP_CMP
  97. #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
  98. #define SCMP_CMP_STR(a,b,c) \
  99. ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
  100. #define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
  101. /* We use a wrapper here because these masked comparisons seem to be pretty
  102. * verbose. Also, it's important to cast to scmp_datum_t before negating the
  103. * mask, since otherwise the negation might get applied to a 32 bit value, and
  104. * the high bits of the value might get masked out improperly. */
  105. #define SCMP_CMP_MASKED(a,b,c) \
  106. SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
  107. /** Variable used for storing all syscall numbers that will be allowed with the
  108. * stage 1 general Tor sandbox.
  109. */
  110. static int filter_nopar_gen[] = {
  111. SCMP_SYS(access),
  112. SCMP_SYS(brk),
  113. SCMP_SYS(clock_gettime),
  114. SCMP_SYS(close),
  115. SCMP_SYS(clone),
  116. SCMP_SYS(epoll_create),
  117. SCMP_SYS(epoll_wait),
  118. #ifdef __NR_epoll_pwait
  119. SCMP_SYS(epoll_pwait),
  120. #endif
  121. #ifdef HAVE_EVENTFD
  122. SCMP_SYS(eventfd2),
  123. #endif
  124. #ifdef HAVE_PIPE2
  125. SCMP_SYS(pipe2),
  126. #endif
  127. #ifdef HAVE_PIPE
  128. SCMP_SYS(pipe),
  129. #endif
  130. #ifdef __NR_fchmod
  131. SCMP_SYS(fchmod),
  132. #endif
  133. SCMP_SYS(fcntl),
  134. SCMP_SYS(fstat),
  135. #ifdef __NR_fstat64
  136. SCMP_SYS(fstat64),
  137. #endif
  138. SCMP_SYS(futex),
  139. SCMP_SYS(getdents),
  140. SCMP_SYS(getdents64),
  141. SCMP_SYS(getegid),
  142. #ifdef __NR_getegid32
  143. SCMP_SYS(getegid32),
  144. #endif
  145. SCMP_SYS(geteuid),
  146. #ifdef __NR_geteuid32
  147. SCMP_SYS(geteuid32),
  148. #endif
  149. SCMP_SYS(getgid),
  150. #ifdef __NR_getgid32
  151. SCMP_SYS(getgid32),
  152. #endif
  153. SCMP_SYS(getpid),
  154. #ifdef __NR_getrlimit
  155. SCMP_SYS(getrlimit),
  156. #endif
  157. SCMP_SYS(gettimeofday),
  158. SCMP_SYS(gettid),
  159. SCMP_SYS(getuid),
  160. #ifdef __NR_getuid32
  161. SCMP_SYS(getuid32),
  162. #endif
  163. SCMP_SYS(lseek),
  164. #ifdef __NR__llseek
  165. SCMP_SYS(_llseek),
  166. #endif
  167. SCMP_SYS(mkdir),
  168. SCMP_SYS(mlockall),
  169. #ifdef __NR_mmap
  170. /* XXXX restrict this in the same ways as mmap2 */
  171. SCMP_SYS(mmap),
  172. #endif
  173. SCMP_SYS(munmap),
  174. #ifdef __NR_nanosleep
  175. SCMP_SYS(nanosleep),
  176. #endif
  177. #ifdef __NR_prlimit
  178. SCMP_SYS(prlimit),
  179. #endif
  180. #ifdef __NR_prlimit64
  181. SCMP_SYS(prlimit64),
  182. #endif
  183. SCMP_SYS(read),
  184. SCMP_SYS(rt_sigreturn),
  185. SCMP_SYS(sched_getaffinity),
  186. #ifdef __NR_sched_yield
  187. SCMP_SYS(sched_yield),
  188. #endif
  189. SCMP_SYS(sendmsg),
  190. SCMP_SYS(set_robust_list),
  191. #ifdef __NR_setrlimit
  192. SCMP_SYS(setrlimit),
  193. #endif
  194. #ifdef __NR_sigaltstack
  195. SCMP_SYS(sigaltstack),
  196. #endif
  197. #ifdef __NR_sigreturn
  198. SCMP_SYS(sigreturn),
  199. #endif
  200. SCMP_SYS(stat),
  201. SCMP_SYS(uname),
  202. SCMP_SYS(wait4),
  203. SCMP_SYS(write),
  204. SCMP_SYS(writev),
  205. SCMP_SYS(exit_group),
  206. SCMP_SYS(exit),
  207. SCMP_SYS(madvise),
  208. #ifdef __NR_stat64
  209. // getaddrinfo uses this..
  210. SCMP_SYS(stat64),
  211. #endif
  212. #ifdef __NR_getrandom
  213. SCMP_SYS(getrandom),
  214. #endif
  215. #ifdef __NR_sysinfo
  216. // qsort uses this..
  217. SCMP_SYS(sysinfo),
  218. #endif
  219. /*
  220. * These socket syscalls are not required on x86_64 and not supported with
  221. * some libseccomp versions (eg: 1.0.1)
  222. */
  223. #if defined(__i386)
  224. SCMP_SYS(recv),
  225. SCMP_SYS(send),
  226. #endif
  227. // socket syscalls
  228. SCMP_SYS(bind),
  229. SCMP_SYS(listen),
  230. SCMP_SYS(connect),
  231. SCMP_SYS(getsockname),
  232. SCMP_SYS(recvmsg),
  233. SCMP_SYS(recvfrom),
  234. SCMP_SYS(sendto),
  235. SCMP_SYS(unlink),
  236. SCMP_SYS(poll)
  237. };
  238. /* These macros help avoid the error where the number of filters we add on a
  239. * single rule don't match the arg_cnt param. */
  240. #define seccomp_rule_add_0(ctx,act,call) \
  241. seccomp_rule_add((ctx),(act),(call),0)
  242. #define seccomp_rule_add_1(ctx,act,call,f1) \
  243. seccomp_rule_add((ctx),(act),(call),1,(f1))
  244. #define seccomp_rule_add_2(ctx,act,call,f1,f2) \
  245. seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
  246. #define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
  247. seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
  248. #define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
  249. seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
  250. /**
  251. * Function responsible for setting up the rt_sigaction syscall for
  252. * the seccomp filter sandbox.
  253. */
  254. static int
  255. sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  256. {
  257. unsigned i;
  258. int rc;
  259. int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
  260. #ifdef SIGXFSZ
  261. SIGXFSZ
  262. #endif
  263. };
  264. (void) filter;
  265. for (i = 0; i < ARRAY_LENGTH(param); i++) {
  266. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
  267. SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
  268. if (rc)
  269. break;
  270. }
  271. return rc;
  272. }
  273. /**
  274. * Function responsible for setting up the time syscall for
  275. * the seccomp filter sandbox.
  276. */
  277. static int
  278. sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  279. {
  280. (void) filter;
  281. #ifdef __NR_time
  282. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
  283. SCMP_CMP(0, SCMP_CMP_EQ, 0));
  284. #else
  285. return 0;
  286. #endif /* defined(__NR_time) */
  287. }
  288. /**
  289. * Function responsible for setting up the accept4 syscall for
  290. * the seccomp filter sandbox.
  291. */
  292. static int
  293. sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  294. {
  295. int rc = 0;
  296. (void)filter;
  297. #ifdef __i386__
  298. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
  299. SCMP_CMP(0, SCMP_CMP_EQ, 18));
  300. if (rc) {
  301. return rc;
  302. }
  303. #endif /* defined(__i386__) */
  304. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
  305. SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
  306. if (rc) {
  307. return rc;
  308. }
  309. return 0;
  310. }
  311. #ifdef __NR_mmap2
  312. /**
  313. * Function responsible for setting up the mmap2 syscall for
  314. * the seccomp filter sandbox.
  315. */
  316. static int
  317. sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  318. {
  319. int rc = 0;
  320. (void)filter;
  321. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  322. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
  323. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
  324. if (rc) {
  325. return rc;
  326. }
  327. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  328. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
  329. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
  330. if (rc) {
  331. return rc;
  332. }
  333. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  334. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  335. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
  336. if (rc) {
  337. return rc;
  338. }
  339. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  340. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  341. SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
  342. if (rc) {
  343. return rc;
  344. }
  345. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  346. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  347. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
  348. if (rc) {
  349. return rc;
  350. }
  351. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  352. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  353. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
  354. if (rc) {
  355. return rc;
  356. }
  357. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  358. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
  359. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
  360. if (rc) {
  361. return rc;
  362. }
  363. return 0;
  364. }
  365. #endif /* defined(__NR_mmap2) */
  366. #ifdef HAVE_GNU_LIBC_VERSION_H
  367. #ifdef HAVE_GNU_GET_LIBC_VERSION
  368. #define CHECK_LIBC_VERSION
  369. #endif
  370. #endif
  371. /* Return true if we think we're running with a libc that always uses
  372. * openat on linux. */
  373. static int
  374. libc_uses_openat_for_everything(void)
  375. {
  376. #ifdef CHECK_LIBC_VERSION
  377. const char *version = gnu_get_libc_version();
  378. if (version == NULL)
  379. return 0;
  380. int major = -1;
  381. int minor = -1;
  382. tor_sscanf(version, "%d.%d", &major, &minor);
  383. if (major >= 3)
  384. return 1;
  385. else if (major == 2 && minor >= 26)
  386. return 1;
  387. else
  388. return 0;
  389. #else /* !(defined(CHECK_LIBC_VERSION)) */
  390. return 0;
  391. #endif /* defined(CHECK_LIBC_VERSION) */
  392. }
  393. /** Allow a single file to be opened. If <b>use_openat</b> is true,
  394. * we're using a libc that remaps all the opens into openats. */
  395. static int
  396. allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file)
  397. {
  398. if (use_openat) {
  399. return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
  400. SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD),
  401. SCMP_CMP_STR(1, SCMP_CMP_EQ, file));
  402. } else {
  403. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
  404. SCMP_CMP_STR(0, SCMP_CMP_EQ, file));
  405. }
  406. }
  407. /**
  408. * Function responsible for setting up the open syscall for
  409. * the seccomp filter sandbox.
  410. */
  411. static int
  412. sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  413. {
  414. int rc;
  415. sandbox_cfg_t *elem = NULL;
  416. int use_openat = libc_uses_openat_for_everything();
  417. // for each dynamic parameter filters
  418. for (elem = filter; elem != NULL; elem = elem->next) {
  419. smp_param_t *param = elem->param;
  420. if (param != NULL && param->prot == 1 && param->syscall
  421. == SCMP_SYS(open)) {
  422. rc = allow_file_open(ctx, use_openat, param->value);
  423. if (rc != 0) {
  424. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  425. "libseccomp error %d", rc);
  426. return rc;
  427. }
  428. }
  429. }
  430. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
  431. SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
  432. O_RDONLY));
  433. if (rc != 0) {
  434. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
  435. "error %d", rc);
  436. return rc;
  437. }
  438. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat),
  439. SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
  440. O_RDONLY));
  441. if (rc != 0) {
  442. log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
  443. "libseccomp error %d", rc);
  444. return rc;
  445. }
  446. return 0;
  447. }
  448. static int
  449. sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  450. {
  451. int rc;
  452. sandbox_cfg_t *elem = NULL;
  453. // for each dynamic parameter filters
  454. for (elem = filter; elem != NULL; elem = elem->next) {
  455. smp_param_t *param = elem->param;
  456. if (param != NULL && param->prot == 1 && param->syscall
  457. == SCMP_SYS(chmod)) {
  458. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chmod),
  459. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  460. if (rc != 0) {
  461. log_err(LD_BUG,"(Sandbox) failed to add chmod syscall, received "
  462. "libseccomp error %d", rc);
  463. return rc;
  464. }
  465. }
  466. }
  467. return 0;
  468. }
  469. static int
  470. sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  471. {
  472. int rc;
  473. sandbox_cfg_t *elem = NULL;
  474. // for each dynamic parameter filters
  475. for (elem = filter; elem != NULL; elem = elem->next) {
  476. smp_param_t *param = elem->param;
  477. if (param != NULL && param->prot == 1 && param->syscall
  478. == SCMP_SYS(chown)) {
  479. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown),
  480. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  481. if (rc != 0) {
  482. log_err(LD_BUG,"(Sandbox) failed to add chown syscall, received "
  483. "libseccomp error %d", rc);
  484. return rc;
  485. }
  486. }
  487. }
  488. return 0;
  489. }
  490. static int
  491. sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  492. {
  493. int rc;
  494. (void) filter;
  495. (void) ctx;
  496. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
  497. if (rc != 0) {
  498. log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
  499. "received libseccomp error %d", rc);
  500. return rc;
  501. }
  502. return 0;
  503. }
  504. /**
  505. * Function responsible for setting up the rename syscall for
  506. * the seccomp filter sandbox.
  507. */
  508. static int
  509. sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  510. {
  511. int rc;
  512. sandbox_cfg_t *elem = NULL;
  513. // for each dynamic parameter filters
  514. for (elem = filter; elem != NULL; elem = elem->next) {
  515. smp_param_t *param = elem->param;
  516. if (param != NULL && param->prot == 1 &&
  517. param->syscall == SCMP_SYS(rename)) {
  518. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
  519. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
  520. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
  521. if (rc != 0) {
  522. log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
  523. "libseccomp error %d", rc);
  524. return rc;
  525. }
  526. }
  527. }
  528. return 0;
  529. }
  530. /**
  531. * Function responsible for setting up the openat syscall for
  532. * the seccomp filter sandbox.
  533. */
  534. static int
  535. sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  536. {
  537. int rc;
  538. sandbox_cfg_t *elem = NULL;
  539. // for each dynamic parameter filters
  540. for (elem = filter; elem != NULL; elem = elem->next) {
  541. smp_param_t *param = elem->param;
  542. if (param != NULL && param->prot == 1 && param->syscall
  543. == SCMP_SYS(openat)) {
  544. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
  545. SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
  546. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
  547. SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
  548. O_CLOEXEC));
  549. if (rc != 0) {
  550. log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
  551. "libseccomp error %d", rc);
  552. return rc;
  553. }
  554. }
  555. }
  556. return 0;
  557. }
  558. /**
  559. * Function responsible for setting up the socket syscall for
  560. * the seccomp filter sandbox.
  561. */
  562. static int
  563. sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  564. {
  565. int rc = 0;
  566. int i, j;
  567. (void) filter;
  568. #ifdef __i386__
  569. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
  570. if (rc)
  571. return rc;
  572. #endif
  573. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  574. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  575. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
  576. if (rc)
  577. return rc;
  578. for (i = 0; i < 2; ++i) {
  579. const int pf = i ? PF_INET : PF_INET6;
  580. for (j=0; j < 3; ++j) {
  581. const int type = (j == 0) ? SOCK_STREAM :
  582. SOCK_DGRAM;
  583. const int protocol = (j == 0) ? IPPROTO_TCP :
  584. (j == 1) ? IPPROTO_IP :
  585. IPPROTO_UDP;
  586. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  587. SCMP_CMP(0, SCMP_CMP_EQ, pf),
  588. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
  589. SCMP_CMP(2, SCMP_CMP_EQ, protocol));
  590. if (rc)
  591. return rc;
  592. }
  593. }
  594. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  595. SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
  596. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
  597. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  598. if (rc)
  599. return rc;
  600. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  601. SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
  602. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
  603. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  604. if (rc)
  605. return rc;
  606. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  607. SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
  608. SCMP_CMP_MASKED(1, SOCK_CLOEXEC, SOCK_RAW),
  609. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  610. if (rc)
  611. return rc;
  612. return 0;
  613. }
  614. /**
  615. * Function responsible for setting up the socketpair syscall for
  616. * the seccomp filter sandbox.
  617. */
  618. static int
  619. sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  620. {
  621. int rc = 0;
  622. (void) filter;
  623. #ifdef __i386__
  624. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
  625. if (rc)
  626. return rc;
  627. #endif
  628. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
  629. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  630. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
  631. if (rc)
  632. return rc;
  633. return 0;
  634. }
  635. #ifdef HAVE_KIST_SUPPORT
  636. #include <linux/sockios.h>
  637. static int
  638. sb_ioctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  639. {
  640. int rc;
  641. (void) filter;
  642. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl),
  643. SCMP_CMP(1, SCMP_CMP_EQ, SIOCOUTQNSD));
  644. if (rc)
  645. return rc;
  646. return 0;
  647. }
  648. #endif /* defined(HAVE_KIST_SUPPORT) */
  649. /**
  650. * Function responsible for setting up the setsockopt syscall for
  651. * the seccomp filter sandbox.
  652. */
  653. static int
  654. sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  655. {
  656. int rc = 0;
  657. (void) filter;
  658. #ifdef __i386__
  659. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
  660. if (rc)
  661. return rc;
  662. #endif
  663. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  664. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  665. SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
  666. if (rc)
  667. return rc;
  668. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  669. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  670. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  671. if (rc)
  672. return rc;
  673. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  674. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  675. SCMP_CMP(2, SCMP_CMP_EQ, SO_RCVBUF));
  676. if (rc)
  677. return rc;
  678. #ifdef HAVE_SYSTEMD
  679. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  680. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  681. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUFFORCE));
  682. if (rc)
  683. return rc;
  684. #endif /* defined(HAVE_SYSTEMD) */
  685. #ifdef IP_TRANSPARENT
  686. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  687. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  688. SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
  689. if (rc)
  690. return rc;
  691. #endif /* defined(IP_TRANSPARENT) */
  692. #ifdef IPV6_V6ONLY
  693. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  694. SCMP_CMP(1, SCMP_CMP_EQ, IPPROTO_IPV6),
  695. SCMP_CMP(2, SCMP_CMP_EQ, IPV6_V6ONLY));
  696. if (rc)
  697. return rc;
  698. #endif /* defined(IPV6_V6ONLY) */
  699. return 0;
  700. }
  701. /**
  702. * Function responsible for setting up the getsockopt syscall for
  703. * the seccomp filter sandbox.
  704. */
  705. static int
  706. sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  707. {
  708. int rc = 0;
  709. (void) filter;
  710. #ifdef __i386__
  711. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
  712. if (rc)
  713. return rc;
  714. #endif
  715. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  716. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  717. SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
  718. if (rc)
  719. return rc;
  720. #ifdef HAVE_SYSTEMD
  721. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  722. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  723. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  724. if (rc)
  725. return rc;
  726. #endif /* defined(HAVE_SYSTEMD) */
  727. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  728. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  729. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  730. SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
  731. if (rc)
  732. return rc;
  733. #endif /* defined(HAVE_LINUX_NETFILTER_IPV4_H) */
  734. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  735. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  736. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
  737. SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
  738. if (rc)
  739. return rc;
  740. #endif /* defined(HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H) */
  741. #ifdef HAVE_KIST_SUPPORT
  742. #include <netinet/tcp.h>
  743. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  744. SCMP_CMP(1, SCMP_CMP_EQ, SOL_TCP),
  745. SCMP_CMP(2, SCMP_CMP_EQ, TCP_INFO));
  746. if (rc)
  747. return rc;
  748. #endif /* defined(HAVE_KIST_SUPPORT) */
  749. return 0;
  750. }
  751. #ifdef __NR_fcntl64
  752. /**
  753. * Function responsible for setting up the fcntl64 syscall for
  754. * the seccomp filter sandbox.
  755. */
  756. static int
  757. sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  758. {
  759. int rc = 0;
  760. (void) filter;
  761. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  762. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
  763. if (rc)
  764. return rc;
  765. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  766. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
  767. SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
  768. if (rc)
  769. return rc;
  770. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  771. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
  772. if (rc)
  773. return rc;
  774. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  775. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
  776. SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
  777. if (rc)
  778. return rc;
  779. return 0;
  780. }
  781. #endif /* defined(__NR_fcntl64) */
  782. /**
  783. * Function responsible for setting up the epoll_ctl syscall for
  784. * the seccomp filter sandbox.
  785. *
  786. * Note: basically allows everything but will keep for now..
  787. */
  788. static int
  789. sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  790. {
  791. int rc = 0;
  792. (void) filter;
  793. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  794. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
  795. if (rc)
  796. return rc;
  797. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  798. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
  799. if (rc)
  800. return rc;
  801. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  802. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
  803. if (rc)
  804. return rc;
  805. return 0;
  806. }
  807. /**
  808. * Function responsible for setting up the prctl syscall for
  809. * the seccomp filter sandbox.
  810. *
  811. * NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
  812. * to be whitelisted in this function.
  813. */
  814. static int
  815. sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  816. {
  817. int rc = 0;
  818. (void) filter;
  819. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
  820. SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
  821. if (rc)
  822. return rc;
  823. return 0;
  824. }
  825. /**
  826. * Function responsible for setting up the mprotect syscall for
  827. * the seccomp filter sandbox.
  828. *
  829. * NOTE: does not NEED to be here.. currently only occurs before filter; will
  830. * keep just in case for the future.
  831. */
  832. static int
  833. sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  834. {
  835. int rc = 0;
  836. (void) filter;
  837. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  838. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
  839. if (rc)
  840. return rc;
  841. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  842. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
  843. if (rc)
  844. return rc;
  845. return 0;
  846. }
  847. /**
  848. * Function responsible for setting up the rt_sigprocmask syscall for
  849. * the seccomp filter sandbox.
  850. */
  851. static int
  852. sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  853. {
  854. int rc = 0;
  855. (void) filter;
  856. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  857. SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
  858. if (rc)
  859. return rc;
  860. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  861. SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
  862. if (rc)
  863. return rc;
  864. return 0;
  865. }
  866. /**
  867. * Function responsible for setting up the flock syscall for
  868. * the seccomp filter sandbox.
  869. *
  870. * NOTE: does not need to be here, occurs before filter is applied.
  871. */
  872. static int
  873. sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  874. {
  875. int rc = 0;
  876. (void) filter;
  877. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  878. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
  879. if (rc)
  880. return rc;
  881. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  882. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
  883. if (rc)
  884. return rc;
  885. return 0;
  886. }
  887. /**
  888. * Function responsible for setting up the futex syscall for
  889. * the seccomp filter sandbox.
  890. */
  891. static int
  892. sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  893. {
  894. int rc = 0;
  895. (void) filter;
  896. // can remove
  897. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  898. SCMP_CMP(1, SCMP_CMP_EQ,
  899. FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
  900. if (rc)
  901. return rc;
  902. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  903. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
  904. if (rc)
  905. return rc;
  906. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  907. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
  908. if (rc)
  909. return rc;
  910. return 0;
  911. }
  912. /**
  913. * Function responsible for setting up the mremap syscall for
  914. * the seccomp filter sandbox.
  915. *
  916. * NOTE: so far only occurs before filter is applied.
  917. */
  918. static int
  919. sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  920. {
  921. int rc = 0;
  922. (void) filter;
  923. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
  924. SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
  925. if (rc)
  926. return rc;
  927. return 0;
  928. }
  929. #ifdef __NR_stat64
  930. /**
  931. * Function responsible for setting up the stat64 syscall for
  932. * the seccomp filter sandbox.
  933. */
  934. static int
  935. sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  936. {
  937. int rc = 0;
  938. sandbox_cfg_t *elem = NULL;
  939. // for each dynamic parameter filters
  940. for (elem = filter; elem != NULL; elem = elem->next) {
  941. smp_param_t *param = elem->param;
  942. if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
  943. || param->syscall == SCMP_SYS(stat64))) {
  944. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
  945. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  946. if (rc != 0) {
  947. log_err(LD_BUG,"(Sandbox) failed to add stat64 syscall, received "
  948. "libseccomp error %d", rc);
  949. return rc;
  950. }
  951. }
  952. }
  953. return 0;
  954. }
  955. #endif /* defined(__NR_stat64) */
  956. static int
  957. sb_kill(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  958. {
  959. (void) filter;
  960. #ifdef __NR_kill
  961. /* Allow killing anything with signal 0 -- it isn't really a kill. */
  962. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(kill),
  963. SCMP_CMP(1, SCMP_CMP_EQ, 0));
  964. #else
  965. return 0;
  966. #endif /* defined(__NR_kill) */
  967. }
  968. /**
  969. * Array of function pointers responsible for filtering different syscalls at
  970. * a parameter level.
  971. */
  972. static sandbox_filter_func_t filter_func[] = {
  973. sb_rt_sigaction,
  974. sb_rt_sigprocmask,
  975. sb_time,
  976. sb_accept4,
  977. #ifdef __NR_mmap2
  978. sb_mmap2,
  979. #endif
  980. sb_chown,
  981. sb_chmod,
  982. sb_open,
  983. sb_openat,
  984. sb__sysctl,
  985. sb_rename,
  986. #ifdef __NR_fcntl64
  987. sb_fcntl64,
  988. #endif
  989. sb_epoll_ctl,
  990. sb_prctl,
  991. sb_mprotect,
  992. sb_flock,
  993. sb_futex,
  994. sb_mremap,
  995. #ifdef __NR_stat64
  996. sb_stat64,
  997. #endif
  998. sb_socket,
  999. sb_setsockopt,
  1000. sb_getsockopt,
  1001. sb_socketpair,
  1002. #ifdef HAVE_KIST_SUPPORT
  1003. sb_ioctl,
  1004. #endif
  1005. sb_kill
  1006. };
  1007. const char *
  1008. sandbox_intern_string(const char *str)
  1009. {
  1010. sandbox_cfg_t *elem;
  1011. if (str == NULL)
  1012. return NULL;
  1013. for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
  1014. smp_param_t *param = elem->param;
  1015. if (param->prot) {
  1016. if (!strcmp(str, (char*)(param->value))) {
  1017. return (char*)param->value;
  1018. }
  1019. if (param->value2 && !strcmp(str, (char*)param->value2)) {
  1020. return (char*)param->value2;
  1021. }
  1022. }
  1023. }
  1024. if (sandbox_active)
  1025. log_warn(LD_BUG, "No interned sandbox parameter found for %s", str);
  1026. return str;
  1027. }
  1028. /* DOCDOC */
  1029. static int
  1030. prot_strings_helper(strmap_t *locations,
  1031. char **pr_mem_next_p,
  1032. size_t *pr_mem_left_p,
  1033. char **value_p)
  1034. {
  1035. char *param_val;
  1036. size_t param_size;
  1037. void *location;
  1038. if (*value_p == 0)
  1039. return 0;
  1040. param_val = (char*) *value_p;
  1041. param_size = strlen(param_val) + 1;
  1042. location = strmap_get(locations, param_val);
  1043. if (location) {
  1044. // We already interned this string.
  1045. tor_free(param_val);
  1046. *value_p = location;
  1047. return 0;
  1048. } else if (*pr_mem_left_p >= param_size) {
  1049. // copy to protected
  1050. location = *pr_mem_next_p;
  1051. memcpy(location, param_val, param_size);
  1052. // re-point el parameter to protected
  1053. tor_free(param_val);
  1054. *value_p = location;
  1055. strmap_set(locations, location, location); /* good real estate advice */
  1056. // move next available protected memory
  1057. *pr_mem_next_p += param_size;
  1058. *pr_mem_left_p -= param_size;
  1059. return 0;
  1060. } else {
  1061. log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
  1062. return -1;
  1063. }
  1064. }
  1065. /**
  1066. * Protects all the strings in the sandbox's parameter list configuration. It
  1067. * works by calculating the total amount of memory required by the parameter
  1068. * list, allocating the memory using mmap, and protecting it from writes with
  1069. * mprotect().
  1070. */
  1071. static int
  1072. prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1073. {
  1074. int ret = 0;
  1075. size_t pr_mem_size = 0, pr_mem_left = 0;
  1076. char *pr_mem_next = NULL, *pr_mem_base;
  1077. sandbox_cfg_t *el = NULL;
  1078. strmap_t *locations = NULL;
  1079. // get total number of bytes required to mmap. (Overestimate.)
  1080. for (el = cfg; el != NULL; el = el->next) {
  1081. pr_mem_size += strlen((char*) el->param->value) + 1;
  1082. if (el->param->value2)
  1083. pr_mem_size += strlen((char*) el->param->value2) + 1;
  1084. }
  1085. // allocate protected memory with MALLOC_MP_LIM canary
  1086. pr_mem_base = (char*) mmap(NULL, MALLOC_MP_LIM + pr_mem_size,
  1087. PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
  1088. if (pr_mem_base == MAP_FAILED) {
  1089. log_err(LD_BUG,"(Sandbox) failed allocate protected memory! mmap: %s",
  1090. strerror(errno));
  1091. ret = -1;
  1092. goto out;
  1093. }
  1094. pr_mem_next = pr_mem_base + MALLOC_MP_LIM;
  1095. pr_mem_left = pr_mem_size;
  1096. locations = strmap_new();
  1097. // change el value pointer to protected
  1098. for (el = cfg; el != NULL; el = el->next) {
  1099. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  1100. &el->param->value) < 0) {
  1101. ret = -2;
  1102. goto out;
  1103. }
  1104. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  1105. &el->param->value2) < 0) {
  1106. ret = -2;
  1107. goto out;
  1108. }
  1109. el->param->prot = 1;
  1110. }
  1111. // protecting from writes
  1112. if (mprotect(pr_mem_base, MALLOC_MP_LIM + pr_mem_size, PROT_READ)) {
  1113. log_err(LD_BUG,"(Sandbox) failed to protect memory! mprotect: %s",
  1114. strerror(errno));
  1115. ret = -3;
  1116. goto out;
  1117. }
  1118. /*
  1119. * Setting sandbox restrictions so the string memory cannot be tampered with
  1120. */
  1121. // no mremap of the protected base address
  1122. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
  1123. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  1124. if (ret) {
  1125. log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!");
  1126. goto out;
  1127. }
  1128. // no munmap of the protected base address
  1129. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
  1130. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  1131. if (ret) {
  1132. log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!");
  1133. goto out;
  1134. }
  1135. /*
  1136. * Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
  1137. * never over the memory region used by the protected strings.
  1138. *
  1139. * PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
  1140. * had to be removed due to limitation of libseccomp regarding intervals.
  1141. *
  1142. * There is a restriction on how much you can mprotect with R|W up to the
  1143. * size of the canary.
  1144. */
  1145. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  1146. SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
  1147. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  1148. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  1149. if (ret) {
  1150. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (LT)!");
  1151. goto out;
  1152. }
  1153. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  1154. SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
  1155. MALLOC_MP_LIM),
  1156. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  1157. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  1158. if (ret) {
  1159. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (GT)!");
  1160. goto out;
  1161. }
  1162. out:
  1163. strmap_free(locations, NULL);
  1164. return ret;
  1165. }
  1166. /**
  1167. * Auxiliary function used in order to allocate a sandbox_cfg_t element and set
  1168. * its values according the parameter list. All elements are initialised
  1169. * with the 'prot' field set to false, as the pointer is not protected at this
  1170. * point.
  1171. */
  1172. static sandbox_cfg_t*
  1173. new_element2(int syscall, char *value, char *value2)
  1174. {
  1175. smp_param_t *param = NULL;
  1176. sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t));
  1177. param = elem->param = tor_malloc_zero(sizeof(smp_param_t));
  1178. param->syscall = syscall;
  1179. param->value = value;
  1180. param->value2 = value2;
  1181. param->prot = 0;
  1182. return elem;
  1183. }
  1184. static sandbox_cfg_t*
  1185. new_element(int syscall, char *value)
  1186. {
  1187. return new_element2(syscall, value, NULL);
  1188. }
  1189. #ifdef __NR_stat64
  1190. #define SCMP_stat SCMP_SYS(stat64)
  1191. #else
  1192. #define SCMP_stat SCMP_SYS(stat)
  1193. #endif
  1194. int
  1195. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1196. {
  1197. sandbox_cfg_t *elem = NULL;
  1198. elem = new_element(SCMP_stat, file);
  1199. elem->next = *cfg;
  1200. *cfg = elem;
  1201. return 0;
  1202. }
  1203. int
  1204. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1205. {
  1206. sandbox_cfg_t *elem = NULL;
  1207. elem = new_element(SCMP_SYS(open), file);
  1208. elem->next = *cfg;
  1209. *cfg = elem;
  1210. return 0;
  1211. }
  1212. int
  1213. sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
  1214. {
  1215. sandbox_cfg_t *elem = NULL;
  1216. elem = new_element(SCMP_SYS(chmod), file);
  1217. elem->next = *cfg;
  1218. *cfg = elem;
  1219. return 0;
  1220. }
  1221. int
  1222. sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
  1223. {
  1224. sandbox_cfg_t *elem = NULL;
  1225. elem = new_element(SCMP_SYS(chown), file);
  1226. elem->next = *cfg;
  1227. *cfg = elem;
  1228. return 0;
  1229. }
  1230. int
  1231. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1232. {
  1233. sandbox_cfg_t *elem = NULL;
  1234. elem = new_element2(SCMP_SYS(rename), file1, file2);
  1235. elem->next = *cfg;
  1236. *cfg = elem;
  1237. return 0;
  1238. }
  1239. int
  1240. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1241. {
  1242. sandbox_cfg_t *elem = NULL;
  1243. elem = new_element(SCMP_SYS(openat), file);
  1244. elem->next = *cfg;
  1245. *cfg = elem;
  1246. return 0;
  1247. }
  1248. /** Cache entry for getaddrinfo results; used when sandboxing is implemented
  1249. * so that we can consult the cache when the sandbox prevents us from doing
  1250. * getaddrinfo.
  1251. *
  1252. * We support only a limited range of getaddrinfo calls, where servname is null
  1253. * and hints contains only socktype=SOCK_STREAM, family in INET,INET6,UNSPEC.
  1254. */
  1255. typedef struct cached_getaddrinfo_item_t {
  1256. HT_ENTRY(cached_getaddrinfo_item_t) node;
  1257. char *name;
  1258. int family;
  1259. /** set if no error; otherwise NULL */
  1260. struct addrinfo *res;
  1261. /** 0 for no error; otherwise an EAI_* value */
  1262. int err;
  1263. } cached_getaddrinfo_item_t;
  1264. static unsigned
  1265. cached_getaddrinfo_item_hash(const cached_getaddrinfo_item_t *item)
  1266. {
  1267. return (unsigned)siphash24g(item->name, strlen(item->name)) + item->family;
  1268. }
  1269. static unsigned
  1270. cached_getaddrinfo_items_eq(const cached_getaddrinfo_item_t *a,
  1271. const cached_getaddrinfo_item_t *b)
  1272. {
  1273. return (a->family == b->family) && 0 == strcmp(a->name, b->name);
  1274. }
  1275. #define cached_getaddrinfo_item_free(item) \
  1276. FREE_AND_NULL(cached_getaddrinfo_item_t, \
  1277. cached_getaddrinfo_item_free_, (item))
  1278. static void
  1279. cached_getaddrinfo_item_free_(cached_getaddrinfo_item_t *item)
  1280. {
  1281. if (item == NULL)
  1282. return;
  1283. tor_free(item->name);
  1284. if (item->res)
  1285. freeaddrinfo(item->res);
  1286. tor_free(item);
  1287. }
  1288. static HT_HEAD(getaddrinfo_cache, cached_getaddrinfo_item_t)
  1289. getaddrinfo_cache = HT_INITIALIZER();
  1290. HT_PROTOTYPE(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1291. cached_getaddrinfo_item_hash,
  1292. cached_getaddrinfo_items_eq)
  1293. HT_GENERATE2(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1294. cached_getaddrinfo_item_hash,
  1295. cached_getaddrinfo_items_eq,
  1296. 0.6, tor_reallocarray_, tor_free_)
  1297. /** If true, don't try to cache getaddrinfo results. */
  1298. static int sandbox_getaddrinfo_cache_disabled = 0;
  1299. /** Tell the sandbox layer not to try to cache getaddrinfo results. Used as in
  1300. * tor-resolve, when we have no intention of initializing crypto or of
  1301. * installing the sandbox.*/
  1302. void
  1303. sandbox_disable_getaddrinfo_cache(void)
  1304. {
  1305. sandbox_getaddrinfo_cache_disabled = 1;
  1306. }
  1307. void
  1308. sandbox_freeaddrinfo(struct addrinfo *ai)
  1309. {
  1310. if (sandbox_getaddrinfo_cache_disabled)
  1311. freeaddrinfo(ai);
  1312. }
  1313. int
  1314. sandbox_getaddrinfo(const char *name, const char *servname,
  1315. const struct addrinfo *hints,
  1316. struct addrinfo **res)
  1317. {
  1318. int err;
  1319. struct cached_getaddrinfo_item_t search, *item;
  1320. if (sandbox_getaddrinfo_cache_disabled) {
  1321. return getaddrinfo(name, NULL, hints, res);
  1322. }
  1323. if (servname != NULL) {
  1324. log_warn(LD_BUG, "called with non-NULL servname");
  1325. return EAI_NONAME;
  1326. }
  1327. if (name == NULL) {
  1328. log_warn(LD_BUG, "called with NULL name");
  1329. return EAI_NONAME;
  1330. }
  1331. *res = NULL;
  1332. memset(&search, 0, sizeof(search));
  1333. search.name = (char *) name;
  1334. search.family = hints ? hints->ai_family : AF_UNSPEC;
  1335. item = HT_FIND(getaddrinfo_cache, &getaddrinfo_cache, &search);
  1336. if (! sandbox_is_active()) {
  1337. /* If the sandbox is not turned on yet, then getaddrinfo and store the
  1338. result. */
  1339. err = getaddrinfo(name, NULL, hints, res);
  1340. log_info(LD_NET,"(Sandbox) getaddrinfo %s.", err ? "failed" : "succeeded");
  1341. if (! item) {
  1342. item = tor_malloc_zero(sizeof(*item));
  1343. item->name = tor_strdup(name);
  1344. item->family = hints ? hints->ai_family : AF_UNSPEC;
  1345. HT_INSERT(getaddrinfo_cache, &getaddrinfo_cache, item);
  1346. }
  1347. if (item->res) {
  1348. freeaddrinfo(item->res);
  1349. item->res = NULL;
  1350. }
  1351. item->res = *res;
  1352. item->err = err;
  1353. return err;
  1354. }
  1355. /* Otherwise, the sandbox is on. If we have an item, yield its cached
  1356. result. */
  1357. if (item) {
  1358. *res = item->res;
  1359. return item->err;
  1360. }
  1361. /* getting here means something went wrong */
  1362. log_err(LD_BUG,"(Sandbox) failed to get address %s!", name);
  1363. return EAI_NONAME;
  1364. }
  1365. int
  1366. sandbox_add_addrinfo(const char *name)
  1367. {
  1368. struct addrinfo *res;
  1369. struct addrinfo hints;
  1370. int i;
  1371. static const int families[] = { AF_INET, AF_INET6, AF_UNSPEC };
  1372. memset(&hints, 0, sizeof(hints));
  1373. hints.ai_socktype = SOCK_STREAM;
  1374. for (i = 0; i < 3; ++i) {
  1375. hints.ai_family = families[i];
  1376. res = NULL;
  1377. (void) sandbox_getaddrinfo(name, NULL, &hints, &res);
  1378. if (res)
  1379. sandbox_freeaddrinfo(res);
  1380. }
  1381. return 0;
  1382. }
  1383. void
  1384. sandbox_free_getaddrinfo_cache(void)
  1385. {
  1386. cached_getaddrinfo_item_t **next, **item, *this;
  1387. for (item = HT_START(getaddrinfo_cache, &getaddrinfo_cache);
  1388. item;
  1389. item = next) {
  1390. this = *item;
  1391. next = HT_NEXT_RMV(getaddrinfo_cache, &getaddrinfo_cache, item);
  1392. cached_getaddrinfo_item_free(this);
  1393. }
  1394. HT_CLEAR(getaddrinfo_cache, &getaddrinfo_cache);
  1395. }
  1396. /**
  1397. * Function responsible for going through the parameter syscall filters and
  1398. * call each function pointer in the list.
  1399. */
  1400. static int
  1401. add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1402. {
  1403. unsigned i;
  1404. int rc = 0;
  1405. // function pointer
  1406. for (i = 0; i < ARRAY_LENGTH(filter_func); i++) {
  1407. rc = filter_func[i](ctx, cfg);
  1408. if (rc) {
  1409. log_err(LD_BUG,"(Sandbox) failed to add syscall %d, received libseccomp "
  1410. "error %d", i, rc);
  1411. return rc;
  1412. }
  1413. }
  1414. return 0;
  1415. }
  1416. /**
  1417. * Function responsible of loading the libseccomp syscall filters which do not
  1418. * have parameter filtering.
  1419. */
  1420. static int
  1421. add_noparam_filter(scmp_filter_ctx ctx)
  1422. {
  1423. unsigned i;
  1424. int rc = 0;
  1425. // add general filters
  1426. for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
  1427. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
  1428. if (rc != 0) {
  1429. log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), "
  1430. "received libseccomp error %d", i, filter_nopar_gen[i], rc);
  1431. return rc;
  1432. }
  1433. }
  1434. return 0;
  1435. }
  1436. /**
  1437. * Function responsible for setting up and enabling a global syscall filter.
  1438. * The function is a prototype developed for stage 1 of sandboxing Tor.
  1439. * Returns 0 on success.
  1440. */
  1441. static int
  1442. install_syscall_filter(sandbox_cfg_t* cfg)
  1443. {
  1444. int rc = 0;
  1445. scmp_filter_ctx ctx;
  1446. ctx = seccomp_init(SCMP_ACT_TRAP);
  1447. if (ctx == NULL) {
  1448. log_err(LD_BUG,"(Sandbox) failed to initialise libseccomp context");
  1449. rc = -1;
  1450. goto end;
  1451. }
  1452. // protectign sandbox parameter strings
  1453. if ((rc = prot_strings(ctx, cfg))) {
  1454. goto end;
  1455. }
  1456. // add parameter filters
  1457. if ((rc = add_param_filter(ctx, cfg))) {
  1458. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1459. goto end;
  1460. }
  1461. // adding filters with no parameters
  1462. if ((rc = add_noparam_filter(ctx))) {
  1463. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1464. goto end;
  1465. }
  1466. // loading the seccomp2 filter
  1467. if ((rc = seccomp_load(ctx))) {
  1468. log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)! "
  1469. "Are you sure that your kernel has seccomp2 support? The "
  1470. "sandbox won't work without it.", rc,
  1471. strerror(-rc));
  1472. goto end;
  1473. }
  1474. // marking the sandbox as active
  1475. sandbox_active = 1;
  1476. end:
  1477. seccomp_release(ctx);
  1478. return (rc < 0 ? -rc : rc);
  1479. }
  1480. #include "linux_syscalls.inc"
  1481. static const char *
  1482. get_syscall_name(int syscall_num)
  1483. {
  1484. int i;
  1485. for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
  1486. if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
  1487. return SYSCALLS_BY_NUMBER[i].syscall_name;
  1488. }
  1489. {
  1490. static char syscall_name_buf[64];
  1491. format_dec_number_sigsafe(syscall_num,
  1492. syscall_name_buf, sizeof(syscall_name_buf));
  1493. return syscall_name_buf;
  1494. }
  1495. }
  1496. #ifdef USE_BACKTRACE
  1497. #define MAX_DEPTH 256
  1498. static void *syscall_cb_buf[MAX_DEPTH];
  1499. #endif
  1500. /**
  1501. * Function called when a SIGSYS is caught by the application. It notifies the
  1502. * user that an error has occurred and either terminates or allows the
  1503. * application to continue execution, based on the DEBUGGING_CLOSE symbol.
  1504. */
  1505. static void
  1506. sigsys_debugging(int nr, siginfo_t *info, void *void_context)
  1507. {
  1508. ucontext_t *ctx = (ucontext_t *) (void_context);
  1509. const char *syscall_name;
  1510. int syscall;
  1511. #ifdef USE_BACKTRACE
  1512. size_t depth;
  1513. int n_fds, i;
  1514. const int *fds = NULL;
  1515. #endif
  1516. (void) nr;
  1517. if (info->si_code != SYS_SECCOMP)
  1518. return;
  1519. if (!ctx)
  1520. return;
  1521. syscall = (int) ctx->uc_mcontext.M_SYSCALL;
  1522. #ifdef USE_BACKTRACE
  1523. depth = backtrace(syscall_cb_buf, MAX_DEPTH);
  1524. /* Clean up the top stack frame so we get the real function
  1525. * name for the most recently failing function. */
  1526. clean_backtrace(syscall_cb_buf, depth, ctx);
  1527. #endif /* defined(USE_BACKTRACE) */
  1528. syscall_name = get_syscall_name(syscall);
  1529. tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ",
  1530. syscall_name,
  1531. ")\n",
  1532. NULL);
  1533. #ifdef USE_BACKTRACE
  1534. n_fds = tor_log_get_sigsafe_err_fds(&fds);
  1535. for (i=0; i < n_fds; ++i)
  1536. backtrace_symbols_fd(syscall_cb_buf, (int)depth, fds[i]);
  1537. #endif
  1538. #if defined(DEBUGGING_CLOSE)
  1539. _exit(1); // exit ok: programming error has led to sandbox failure.
  1540. #endif // DEBUGGING_CLOSE
  1541. }
  1542. /**
  1543. * Function that adds a handler for SIGSYS, which is the signal thrown
  1544. * when the application is issuing a syscall which is not allowed. The
  1545. * main purpose of this function is to help with debugging by identifying
  1546. * filtered syscalls.
  1547. */
  1548. static int
  1549. install_sigsys_debugging(void)
  1550. {
  1551. struct sigaction act;
  1552. sigset_t mask;
  1553. memset(&act, 0, sizeof(act));
  1554. sigemptyset(&mask);
  1555. sigaddset(&mask, SIGSYS);
  1556. act.sa_sigaction = &sigsys_debugging;
  1557. act.sa_flags = SA_SIGINFO;
  1558. if (sigaction(SIGSYS, &act, NULL) < 0) {
  1559. log_err(LD_BUG,"(Sandbox) Failed to register SIGSYS signal handler");
  1560. return -1;
  1561. }
  1562. if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
  1563. log_err(LD_BUG,"(Sandbox) Failed call to sigprocmask()");
  1564. return -2;
  1565. }
  1566. return 0;
  1567. }
  1568. /**
  1569. * Function responsible of registering the sandbox_cfg_t list of parameter
  1570. * syscall filters to the existing parameter list. This is used for incipient
  1571. * multiple-sandbox support.
  1572. */
  1573. static int
  1574. register_cfg(sandbox_cfg_t* cfg)
  1575. {
  1576. sandbox_cfg_t *elem = NULL;
  1577. if (filter_dynamic == NULL) {
  1578. filter_dynamic = cfg;
  1579. return 0;
  1580. }
  1581. for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
  1582. ;
  1583. elem->next = cfg;
  1584. return 0;
  1585. }
  1586. #endif /* defined(USE_LIBSECCOMP) */
  1587. #ifdef USE_LIBSECCOMP
  1588. /**
  1589. * Initialises the syscall sandbox filter for any linux architecture, taking
  1590. * into account various available features for different linux flavours.
  1591. */
  1592. static int
  1593. initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
  1594. {
  1595. /* Prevent glibc from trying to open /dev/tty on fatal error */
  1596. setenv("LIBC_FATAL_STDERR_", "1", 1);
  1597. if (install_sigsys_debugging())
  1598. return -1;
  1599. if (install_syscall_filter(cfg))
  1600. return -2;
  1601. if (register_cfg(cfg))
  1602. return -3;
  1603. return 0;
  1604. }
  1605. int
  1606. sandbox_is_active(void)
  1607. {
  1608. return sandbox_active != 0;
  1609. }
  1610. #endif /* defined(USE_LIBSECCOMP) */
  1611. sandbox_cfg_t*
  1612. sandbox_cfg_new(void)
  1613. {
  1614. return NULL;
  1615. }
  1616. int
  1617. sandbox_init(sandbox_cfg_t *cfg)
  1618. {
  1619. #if defined(USE_LIBSECCOMP)
  1620. return initialise_libseccomp_sandbox(cfg);
  1621. #elif defined(__linux__)
  1622. (void)cfg;
  1623. log_warn(LD_GENERAL,
  1624. "This version of Tor was built without support for sandboxing. To "
  1625. "build with support for sandboxing on Linux, you must have "
  1626. "libseccomp and its necessary header files (e.g. seccomp.h).");
  1627. return 0;
  1628. #else
  1629. (void)cfg;
  1630. log_warn(LD_GENERAL,
  1631. "Currently, sandboxing is only implemented on Linux. The feature "
  1632. "is disabled on your platform.");
  1633. return 0;
  1634. #endif /* defined(USE_LIBSECCOMP) || ... */
  1635. }
  1636. #ifndef USE_LIBSECCOMP
  1637. int
  1638. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1639. {
  1640. (void)cfg; (void)file;
  1641. return 0;
  1642. }
  1643. int
  1644. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1645. {
  1646. (void)cfg; (void)file;
  1647. return 0;
  1648. }
  1649. int
  1650. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1651. {
  1652. (void)cfg; (void)file;
  1653. return 0;
  1654. }
  1655. int
  1656. sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
  1657. {
  1658. (void)cfg; (void)file;
  1659. return 0;
  1660. }
  1661. int
  1662. sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
  1663. {
  1664. (void)cfg; (void)file;
  1665. return 0;
  1666. }
  1667. int
  1668. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1669. {
  1670. (void)cfg; (void)file1; (void)file2;
  1671. return 0;
  1672. }
  1673. int
  1674. sandbox_is_active(void)
  1675. {
  1676. return 0;
  1677. }
  1678. void
  1679. sandbox_disable_getaddrinfo_cache(void)
  1680. {
  1681. }
  1682. #endif /* !defined(USE_LIBSECCOMP) */