sandbox.c 45 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943
  1. /* Copyright (c) 2001 Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2017, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file sandbox.c
  8. * \brief Code to enable sandboxing.
  9. **/
  10. #include "orconfig.h"
  11. #ifndef _LARGEFILE64_SOURCE
  12. /**
  13. * Temporarily required for O_LARGEFILE flag. Needs to be removed
  14. * with the libevent fix.
  15. */
  16. #define _LARGEFILE64_SOURCE
  17. #endif
  18. /** Malloc mprotect limit in bytes. */
  19. #define MALLOC_MP_LIM (16*1024*1024)
  20. #include <stdio.h>
  21. #include <string.h>
  22. #include <stdlib.h>
  23. #include "sandbox.h"
  24. #include "container.h"
  25. #include "torlog.h"
  26. #include "torint.h"
  27. #include "util.h"
  28. #include "tor_queue.h"
  29. #include "ht.h"
  30. #define DEBUGGING_CLOSE
  31. #if defined(USE_LIBSECCOMP)
  32. #include <sys/mman.h>
  33. #include <sys/syscall.h>
  34. #include <sys/types.h>
  35. #include <sys/stat.h>
  36. #include <sys/epoll.h>
  37. #include <sys/prctl.h>
  38. #include <linux/futex.h>
  39. #include <sys/file.h>
  40. #include <stdarg.h>
  41. #include <seccomp.h>
  42. #include <signal.h>
  43. #include <unistd.h>
  44. #include <fcntl.h>
  45. #include <time.h>
  46. #include <poll.h>
  47. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  48. #include <linux/netfilter_ipv4.h>
  49. #endif
  50. #ifdef HAVE_LINUX_IF_H
  51. #include <linux/if.h>
  52. #endif
  53. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  54. #include <linux/netfilter_ipv6/ip6_tables.h>
  55. #endif
  56. #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
  57. defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
  58. #define USE_BACKTRACE
  59. #define EXPOSE_CLEAN_BACKTRACE
  60. #include "backtrace.h"
  61. #endif
  62. #ifdef USE_BACKTRACE
  63. #include <execinfo.h>
  64. #endif
  65. /**
  66. * Linux 32 bit definitions
  67. */
  68. #if defined(__i386__)
  69. #define REG_SYSCALL REG_EAX
  70. #define M_SYSCALL gregs[REG_SYSCALL]
  71. /**
  72. * Linux 64 bit definitions
  73. */
  74. #elif defined(__x86_64__)
  75. #define REG_SYSCALL REG_RAX
  76. #define M_SYSCALL gregs[REG_SYSCALL]
  77. #elif defined(__arm__)
  78. #define M_SYSCALL arm_r7
  79. #endif
  80. /**Determines if at least one sandbox is active.*/
  81. static int sandbox_active = 0;
  82. /** Holds the parameter list configuration for the sandbox.*/
  83. static sandbox_cfg_t *filter_dynamic = NULL;
  84. #undef SCMP_CMP
  85. #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
  86. #define SCMP_CMP_STR(a,b,c) \
  87. ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
  88. #define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
  89. /* We use a wrapper here because these masked comparisons seem to be pretty
  90. * verbose. Also, it's important to cast to scmp_datum_t before negating the
  91. * mask, since otherwise the negation might get applied to a 32 bit value, and
  92. * the high bits of the value might get masked out improperly. */
  93. #define SCMP_CMP_MASKED(a,b,c) \
  94. SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
  95. /** Variable used for storing all syscall numbers that will be allowed with the
  96. * stage 1 general Tor sandbox.
  97. */
  98. static int filter_nopar_gen[] = {
  99. SCMP_SYS(access),
  100. SCMP_SYS(brk),
  101. SCMP_SYS(clock_gettime),
  102. SCMP_SYS(close),
  103. SCMP_SYS(clone),
  104. SCMP_SYS(epoll_create),
  105. SCMP_SYS(epoll_wait),
  106. #ifdef HAVE_EVENTFD
  107. SCMP_SYS(eventfd2),
  108. #endif
  109. #ifdef HAVE_PIPE2
  110. SCMP_SYS(pipe2),
  111. #endif
  112. #ifdef HAVE_PIPE
  113. SCMP_SYS(pipe),
  114. #endif
  115. SCMP_SYS(fcntl),
  116. SCMP_SYS(fstat),
  117. #ifdef __NR_fstat64
  118. SCMP_SYS(fstat64),
  119. #endif
  120. SCMP_SYS(futex),
  121. SCMP_SYS(getdents64),
  122. SCMP_SYS(getegid),
  123. #ifdef __NR_getegid32
  124. SCMP_SYS(getegid32),
  125. #endif
  126. SCMP_SYS(geteuid),
  127. #ifdef __NR_geteuid32
  128. SCMP_SYS(geteuid32),
  129. #endif
  130. SCMP_SYS(getgid),
  131. #ifdef __NR_getgid32
  132. SCMP_SYS(getgid32),
  133. #endif
  134. #ifdef __NR_getrlimit
  135. SCMP_SYS(getrlimit),
  136. #endif
  137. SCMP_SYS(gettimeofday),
  138. SCMP_SYS(gettid),
  139. SCMP_SYS(getuid),
  140. #ifdef __NR_getuid32
  141. SCMP_SYS(getuid32),
  142. #endif
  143. SCMP_SYS(lseek),
  144. #ifdef __NR__llseek
  145. SCMP_SYS(_llseek),
  146. #endif
  147. SCMP_SYS(mkdir),
  148. SCMP_SYS(mlockall),
  149. #ifdef __NR_mmap
  150. /* XXXX restrict this in the same ways as mmap2 */
  151. SCMP_SYS(mmap),
  152. #endif
  153. SCMP_SYS(munmap),
  154. #ifdef __NR_prlimit
  155. SCMP_SYS(prlimit),
  156. #endif
  157. #ifdef __NR_prlimit64
  158. SCMP_SYS(prlimit64),
  159. #endif
  160. SCMP_SYS(read),
  161. SCMP_SYS(rt_sigreturn),
  162. SCMP_SYS(sched_getaffinity),
  163. #ifdef __NR_sched_yield
  164. SCMP_SYS(sched_yield),
  165. #endif
  166. SCMP_SYS(sendmsg),
  167. SCMP_SYS(set_robust_list),
  168. #ifdef __NR_setrlimit
  169. SCMP_SYS(setrlimit),
  170. #endif
  171. #ifdef __NR_sigaltstack
  172. SCMP_SYS(sigaltstack),
  173. #endif
  174. #ifdef __NR_sigreturn
  175. SCMP_SYS(sigreturn),
  176. #endif
  177. SCMP_SYS(stat),
  178. SCMP_SYS(uname),
  179. SCMP_SYS(wait4),
  180. SCMP_SYS(write),
  181. SCMP_SYS(writev),
  182. SCMP_SYS(exit_group),
  183. SCMP_SYS(exit),
  184. SCMP_SYS(madvise),
  185. #ifdef __NR_stat64
  186. // getaddrinfo uses this..
  187. SCMP_SYS(stat64),
  188. #endif
  189. #ifdef __NR_getrandom
  190. SCMP_SYS(getrandom),
  191. #endif
  192. #ifdef __NR_sysinfo
  193. // qsort uses this..
  194. SCMP_SYS(sysinfo),
  195. #endif
  196. /*
  197. * These socket syscalls are not required on x86_64 and not supported with
  198. * some libseccomp versions (eg: 1.0.1)
  199. */
  200. #if defined(__i386)
  201. SCMP_SYS(recv),
  202. SCMP_SYS(send),
  203. #endif
  204. // socket syscalls
  205. SCMP_SYS(bind),
  206. SCMP_SYS(listen),
  207. SCMP_SYS(connect),
  208. SCMP_SYS(getsockname),
  209. SCMP_SYS(recvmsg),
  210. SCMP_SYS(recvfrom),
  211. SCMP_SYS(sendto),
  212. SCMP_SYS(unlink)
  213. };
  214. /* These macros help avoid the error where the number of filters we add on a
  215. * single rule don't match the arg_cnt param. */
  216. #define seccomp_rule_add_0(ctx,act,call) \
  217. seccomp_rule_add((ctx),(act),(call),0)
  218. #define seccomp_rule_add_1(ctx,act,call,f1) \
  219. seccomp_rule_add((ctx),(act),(call),1,(f1))
  220. #define seccomp_rule_add_2(ctx,act,call,f1,f2) \
  221. seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
  222. #define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
  223. seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
  224. #define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
  225. seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
  226. /**
  227. * Function responsible for setting up the rt_sigaction syscall for
  228. * the seccomp filter sandbox.
  229. */
  230. static int
  231. sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  232. {
  233. unsigned i;
  234. int rc;
  235. int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
  236. #ifdef SIGXFSZ
  237. SIGXFSZ
  238. #endif
  239. };
  240. (void) filter;
  241. for (i = 0; i < ARRAY_LENGTH(param); i++) {
  242. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
  243. SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
  244. if (rc)
  245. break;
  246. }
  247. return rc;
  248. }
  249. #if 0
  250. /**
  251. * Function responsible for setting up the execve syscall for
  252. * the seccomp filter sandbox.
  253. */
  254. static int
  255. sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  256. {
  257. int rc;
  258. sandbox_cfg_t *elem = NULL;
  259. // for each dynamic parameter filters
  260. for (elem = filter; elem != NULL; elem = elem->next) {
  261. smp_param_t *param = elem->param;
  262. if (param != NULL && param->prot == 1 && param->syscall
  263. == SCMP_SYS(execve)) {
  264. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve),
  265. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  266. if (rc != 0) {
  267. log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received "
  268. "libseccomp error %d", rc);
  269. return rc;
  270. }
  271. }
  272. }
  273. return 0;
  274. }
  275. #endif
  276. /**
  277. * Function responsible for setting up the time syscall for
  278. * the seccomp filter sandbox.
  279. */
  280. static int
  281. sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  282. {
  283. (void) filter;
  284. #ifdef __NR_time
  285. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
  286. SCMP_CMP(0, SCMP_CMP_EQ, 0));
  287. #else
  288. return 0;
  289. #endif
  290. }
  291. /**
  292. * Function responsible for setting up the accept4 syscall for
  293. * the seccomp filter sandbox.
  294. */
  295. static int
  296. sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  297. {
  298. int rc = 0;
  299. (void)filter;
  300. #ifdef __i386__
  301. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
  302. SCMP_CMP(0, SCMP_CMP_EQ, 18));
  303. if (rc) {
  304. return rc;
  305. }
  306. #endif
  307. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
  308. SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
  309. if (rc) {
  310. return rc;
  311. }
  312. return 0;
  313. }
  314. #ifdef __NR_mmap2
  315. /**
  316. * Function responsible for setting up the mmap2 syscall for
  317. * the seccomp filter sandbox.
  318. */
  319. static int
  320. sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  321. {
  322. int rc = 0;
  323. (void)filter;
  324. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  325. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
  326. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
  327. if (rc) {
  328. return rc;
  329. }
  330. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  331. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
  332. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
  333. if (rc) {
  334. return rc;
  335. }
  336. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  337. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  338. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
  339. if (rc) {
  340. return rc;
  341. }
  342. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  343. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  344. SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
  345. if (rc) {
  346. return rc;
  347. }
  348. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  349. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  350. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
  351. if (rc) {
  352. return rc;
  353. }
  354. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  355. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  356. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
  357. if (rc) {
  358. return rc;
  359. }
  360. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  361. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
  362. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
  363. if (rc) {
  364. return rc;
  365. }
  366. return 0;
  367. }
  368. #endif
  369. /**
  370. * Function responsible for setting up the open syscall for
  371. * the seccomp filter sandbox.
  372. */
  373. static int
  374. sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  375. {
  376. int rc;
  377. sandbox_cfg_t *elem = NULL;
  378. // for each dynamic parameter filters
  379. for (elem = filter; elem != NULL; elem = elem->next) {
  380. smp_param_t *param = elem->param;
  381. if (param != NULL && param->prot == 1 && param->syscall
  382. == SCMP_SYS(open)) {
  383. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
  384. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  385. if (rc != 0) {
  386. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  387. "libseccomp error %d", rc);
  388. return rc;
  389. }
  390. }
  391. }
  392. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
  393. SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
  394. O_RDONLY));
  395. if (rc != 0) {
  396. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
  397. "error %d", rc);
  398. return rc;
  399. }
  400. return 0;
  401. }
  402. static int
  403. sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  404. {
  405. int rc;
  406. sandbox_cfg_t *elem = NULL;
  407. // for each dynamic parameter filters
  408. for (elem = filter; elem != NULL; elem = elem->next) {
  409. smp_param_t *param = elem->param;
  410. if (param != NULL && param->prot == 1 && param->syscall
  411. == SCMP_SYS(chmod)) {
  412. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chmod),
  413. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  414. if (rc != 0) {
  415. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  416. "libseccomp error %d", rc);
  417. return rc;
  418. }
  419. }
  420. }
  421. return 0;
  422. }
  423. static int
  424. sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  425. {
  426. int rc;
  427. sandbox_cfg_t *elem = NULL;
  428. // for each dynamic parameter filters
  429. for (elem = filter; elem != NULL; elem = elem->next) {
  430. smp_param_t *param = elem->param;
  431. if (param != NULL && param->prot == 1 && param->syscall
  432. == SCMP_SYS(chown)) {
  433. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown),
  434. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  435. if (rc != 0) {
  436. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  437. "libseccomp error %d", rc);
  438. return rc;
  439. }
  440. }
  441. }
  442. return 0;
  443. }
  444. static int
  445. sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  446. {
  447. int rc;
  448. (void) filter;
  449. (void) ctx;
  450. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
  451. if (rc != 0) {
  452. log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
  453. "received libseccomp error %d", rc);
  454. return rc;
  455. }
  456. return 0;
  457. }
  458. /**
  459. * Function responsible for setting up the rename syscall for
  460. * the seccomp filter sandbox.
  461. */
  462. static int
  463. sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  464. {
  465. int rc;
  466. sandbox_cfg_t *elem = NULL;
  467. // for each dynamic parameter filters
  468. for (elem = filter; elem != NULL; elem = elem->next) {
  469. smp_param_t *param = elem->param;
  470. if (param != NULL && param->prot == 1 &&
  471. param->syscall == SCMP_SYS(rename)) {
  472. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
  473. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
  474. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
  475. if (rc != 0) {
  476. log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
  477. "libseccomp error %d", rc);
  478. return rc;
  479. }
  480. }
  481. }
  482. return 0;
  483. }
  484. /**
  485. * Function responsible for setting up the openat syscall for
  486. * the seccomp filter sandbox.
  487. */
  488. static int
  489. sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  490. {
  491. int rc;
  492. sandbox_cfg_t *elem = NULL;
  493. // for each dynamic parameter filters
  494. for (elem = filter; elem != NULL; elem = elem->next) {
  495. smp_param_t *param = elem->param;
  496. if (param != NULL && param->prot == 1 && param->syscall
  497. == SCMP_SYS(openat)) {
  498. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
  499. SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
  500. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
  501. SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
  502. O_CLOEXEC));
  503. if (rc != 0) {
  504. log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
  505. "libseccomp error %d", rc);
  506. return rc;
  507. }
  508. }
  509. }
  510. return 0;
  511. }
  512. /**
  513. * Function responsible for setting up the socket syscall for
  514. * the seccomp filter sandbox.
  515. */
  516. static int
  517. sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  518. {
  519. int rc = 0;
  520. int i, j;
  521. (void) filter;
  522. #ifdef __i386__
  523. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
  524. if (rc)
  525. return rc;
  526. #endif
  527. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  528. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  529. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
  530. if (rc)
  531. return rc;
  532. for (i = 0; i < 2; ++i) {
  533. const int pf = i ? PF_INET : PF_INET6;
  534. for (j=0; j < 3; ++j) {
  535. const int type = (j == 0) ? SOCK_STREAM :
  536. SOCK_DGRAM;
  537. const int protocol = (j == 0) ? IPPROTO_TCP :
  538. (j == 1) ? IPPROTO_IP :
  539. IPPROTO_UDP;
  540. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  541. SCMP_CMP(0, SCMP_CMP_EQ, pf),
  542. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
  543. SCMP_CMP(2, SCMP_CMP_EQ, protocol));
  544. if (rc)
  545. return rc;
  546. }
  547. }
  548. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  549. SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
  550. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
  551. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  552. if (rc)
  553. return rc;
  554. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  555. SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
  556. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
  557. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  558. if (rc)
  559. return rc;
  560. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  561. SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
  562. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
  563. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  564. if (rc)
  565. return rc;
  566. return 0;
  567. }
  568. /**
  569. * Function responsible for setting up the socketpair syscall for
  570. * the seccomp filter sandbox.
  571. */
  572. static int
  573. sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  574. {
  575. int rc = 0;
  576. (void) filter;
  577. #ifdef __i386__
  578. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
  579. if (rc)
  580. return rc;
  581. #endif
  582. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
  583. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  584. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
  585. if (rc)
  586. return rc;
  587. return 0;
  588. }
  589. /**
  590. * Function responsible for setting up the setsockopt syscall for
  591. * the seccomp filter sandbox.
  592. */
  593. static int
  594. sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  595. {
  596. int rc = 0;
  597. (void) filter;
  598. #ifdef __i386__
  599. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
  600. if (rc)
  601. return rc;
  602. #endif
  603. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  604. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  605. SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
  606. if (rc)
  607. return rc;
  608. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  609. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  610. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  611. if (rc)
  612. return rc;
  613. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  614. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  615. SCMP_CMP(2, SCMP_CMP_EQ, SO_RCVBUF));
  616. if (rc)
  617. return rc;
  618. #ifdef HAVE_SYSTEMD
  619. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  620. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  621. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUFFORCE));
  622. if (rc)
  623. return rc;
  624. #endif
  625. #ifdef IP_TRANSPARENT
  626. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  627. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  628. SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
  629. if (rc)
  630. return rc;
  631. #endif
  632. return 0;
  633. }
  634. /**
  635. * Function responsible for setting up the getsockopt syscall for
  636. * the seccomp filter sandbox.
  637. */
  638. static int
  639. sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  640. {
  641. int rc = 0;
  642. (void) filter;
  643. #ifdef __i386__
  644. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
  645. if (rc)
  646. return rc;
  647. #endif
  648. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  649. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  650. SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
  651. if (rc)
  652. return rc;
  653. #ifdef HAVE_SYSTEMD
  654. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  655. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  656. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  657. if (rc)
  658. return rc;
  659. #endif
  660. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  661. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  662. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  663. SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
  664. if (rc)
  665. return rc;
  666. #endif
  667. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  668. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  669. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
  670. SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
  671. if (rc)
  672. return rc;
  673. #endif
  674. return 0;
  675. }
  676. #ifdef __NR_fcntl64
  677. /**
  678. * Function responsible for setting up the fcntl64 syscall for
  679. * the seccomp filter sandbox.
  680. */
  681. static int
  682. sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  683. {
  684. int rc = 0;
  685. (void) filter;
  686. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  687. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
  688. if (rc)
  689. return rc;
  690. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  691. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
  692. SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
  693. if (rc)
  694. return rc;
  695. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  696. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
  697. if (rc)
  698. return rc;
  699. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  700. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
  701. SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
  702. if (rc)
  703. return rc;
  704. return 0;
  705. }
  706. #endif
  707. /**
  708. * Function responsible for setting up the epoll_ctl syscall for
  709. * the seccomp filter sandbox.
  710. *
  711. * Note: basically allows everything but will keep for now..
  712. */
  713. static int
  714. sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  715. {
  716. int rc = 0;
  717. (void) filter;
  718. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  719. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
  720. if (rc)
  721. return rc;
  722. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  723. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
  724. if (rc)
  725. return rc;
  726. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  727. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
  728. if (rc)
  729. return rc;
  730. return 0;
  731. }
  732. /**
  733. * Function responsible for setting up the prctl syscall for
  734. * the seccomp filter sandbox.
  735. *
  736. * NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
  737. * to be whitelisted in this function.
  738. */
  739. static int
  740. sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  741. {
  742. int rc = 0;
  743. (void) filter;
  744. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
  745. SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
  746. if (rc)
  747. return rc;
  748. return 0;
  749. }
  750. /**
  751. * Function responsible for setting up the mprotect syscall for
  752. * the seccomp filter sandbox.
  753. *
  754. * NOTE: does not NEED to be here.. currently only occurs before filter; will
  755. * keep just in case for the future.
  756. */
  757. static int
  758. sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  759. {
  760. int rc = 0;
  761. (void) filter;
  762. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  763. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
  764. if (rc)
  765. return rc;
  766. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  767. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
  768. if (rc)
  769. return rc;
  770. return 0;
  771. }
  772. /**
  773. * Function responsible for setting up the rt_sigprocmask syscall for
  774. * the seccomp filter sandbox.
  775. */
  776. static int
  777. sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  778. {
  779. int rc = 0;
  780. (void) filter;
  781. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  782. SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
  783. if (rc)
  784. return rc;
  785. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  786. SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
  787. if (rc)
  788. return rc;
  789. return 0;
  790. }
  791. /**
  792. * Function responsible for setting up the flock syscall for
  793. * the seccomp filter sandbox.
  794. *
  795. * NOTE: does not need to be here, occurs before filter is applied.
  796. */
  797. static int
  798. sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  799. {
  800. int rc = 0;
  801. (void) filter;
  802. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  803. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
  804. if (rc)
  805. return rc;
  806. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  807. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
  808. if (rc)
  809. return rc;
  810. return 0;
  811. }
  812. /**
  813. * Function responsible for setting up the futex syscall for
  814. * the seccomp filter sandbox.
  815. */
  816. static int
  817. sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  818. {
  819. int rc = 0;
  820. (void) filter;
  821. // can remove
  822. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  823. SCMP_CMP(1, SCMP_CMP_EQ,
  824. FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
  825. if (rc)
  826. return rc;
  827. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  828. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
  829. if (rc)
  830. return rc;
  831. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  832. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
  833. if (rc)
  834. return rc;
  835. return 0;
  836. }
  837. /**
  838. * Function responsible for setting up the mremap syscall for
  839. * the seccomp filter sandbox.
  840. *
  841. * NOTE: so far only occurs before filter is applied.
  842. */
  843. static int
  844. sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  845. {
  846. int rc = 0;
  847. (void) filter;
  848. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
  849. SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
  850. if (rc)
  851. return rc;
  852. return 0;
  853. }
  854. /**
  855. * Function responsible for setting up the poll syscall for
  856. * the seccomp filter sandbox.
  857. */
  858. static int
  859. sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  860. {
  861. int rc = 0;
  862. (void) filter;
  863. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll),
  864. SCMP_CMP(1, SCMP_CMP_EQ, 1),
  865. SCMP_CMP(2, SCMP_CMP_EQ, 10));
  866. if (rc)
  867. return rc;
  868. return 0;
  869. }
  870. #ifdef __NR_stat64
  871. /**
  872. * Function responsible for setting up the stat64 syscall for
  873. * the seccomp filter sandbox.
  874. */
  875. static int
  876. sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  877. {
  878. int rc = 0;
  879. sandbox_cfg_t *elem = NULL;
  880. // for each dynamic parameter filters
  881. for (elem = filter; elem != NULL; elem = elem->next) {
  882. smp_param_t *param = elem->param;
  883. if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
  884. || param->syscall == SCMP_SYS(stat64))) {
  885. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
  886. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  887. if (rc != 0) {
  888. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  889. "libseccomp error %d", rc);
  890. return rc;
  891. }
  892. }
  893. }
  894. return 0;
  895. }
  896. #endif
  897. /**
  898. * Array of function pointers responsible for filtering different syscalls at
  899. * a parameter level.
  900. */
  901. static sandbox_filter_func_t filter_func[] = {
  902. sb_rt_sigaction,
  903. sb_rt_sigprocmask,
  904. #if 0
  905. sb_execve,
  906. #endif
  907. sb_time,
  908. sb_accept4,
  909. #ifdef __NR_mmap2
  910. sb_mmap2,
  911. #endif
  912. sb_chown,
  913. sb_chmod,
  914. sb_open,
  915. sb_openat,
  916. sb__sysctl,
  917. sb_rename,
  918. #ifdef __NR_fcntl64
  919. sb_fcntl64,
  920. #endif
  921. sb_epoll_ctl,
  922. sb_prctl,
  923. sb_mprotect,
  924. sb_flock,
  925. sb_futex,
  926. sb_mremap,
  927. sb_poll,
  928. #ifdef __NR_stat64
  929. sb_stat64,
  930. #endif
  931. sb_socket,
  932. sb_setsockopt,
  933. sb_getsockopt,
  934. sb_socketpair
  935. };
  936. const char *
  937. sandbox_intern_string(const char *str)
  938. {
  939. sandbox_cfg_t *elem;
  940. if (str == NULL)
  941. return NULL;
  942. for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
  943. smp_param_t *param = elem->param;
  944. if (param->prot) {
  945. if (!strcmp(str, (char*)(param->value))) {
  946. return (char*)param->value;
  947. }
  948. if (param->value2 && !strcmp(str, (char*)param->value2)) {
  949. return (char*)param->value2;
  950. }
  951. }
  952. }
  953. if (sandbox_active)
  954. log_warn(LD_BUG, "No interned sandbox parameter found for %s", str);
  955. return str;
  956. }
  957. /* DOCDOC */
  958. static int
  959. prot_strings_helper(strmap_t *locations,
  960. char **pr_mem_next_p,
  961. size_t *pr_mem_left_p,
  962. char **value_p)
  963. {
  964. char *param_val;
  965. size_t param_size;
  966. void *location;
  967. if (*value_p == 0)
  968. return 0;
  969. param_val = (char*) *value_p;
  970. param_size = strlen(param_val) + 1;
  971. location = strmap_get(locations, param_val);
  972. if (location) {
  973. // We already interned this string.
  974. tor_free(param_val);
  975. *value_p = location;
  976. return 0;
  977. } else if (*pr_mem_left_p >= param_size) {
  978. // copy to protected
  979. location = *pr_mem_next_p;
  980. memcpy(location, param_val, param_size);
  981. // re-point el parameter to protected
  982. tor_free(param_val);
  983. *value_p = location;
  984. strmap_set(locations, location, location); /* good real estate advice */
  985. // move next available protected memory
  986. *pr_mem_next_p += param_size;
  987. *pr_mem_left_p -= param_size;
  988. return 0;
  989. } else {
  990. log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
  991. return -1;
  992. }
  993. }
  994. /**
  995. * Protects all the strings in the sandbox's parameter list configuration. It
  996. * works by calculating the total amount of memory required by the parameter
  997. * list, allocating the memory using mmap, and protecting it from writes with
  998. * mprotect().
  999. */
  1000. static int
  1001. prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1002. {
  1003. int ret = 0;
  1004. size_t pr_mem_size = 0, pr_mem_left = 0;
  1005. char *pr_mem_next = NULL, *pr_mem_base;
  1006. sandbox_cfg_t *el = NULL;
  1007. strmap_t *locations = NULL;
  1008. // get total number of bytes required to mmap. (Overestimate.)
  1009. for (el = cfg; el != NULL; el = el->next) {
  1010. pr_mem_size += strlen((char*) el->param->value) + 1;
  1011. if (el->param->value2)
  1012. pr_mem_size += strlen((char*) el->param->value2) + 1;
  1013. }
  1014. // allocate protected memory with MALLOC_MP_LIM canary
  1015. pr_mem_base = (char*) mmap(NULL, MALLOC_MP_LIM + pr_mem_size,
  1016. PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
  1017. if (pr_mem_base == MAP_FAILED) {
  1018. log_err(LD_BUG,"(Sandbox) failed allocate protected memory! mmap: %s",
  1019. strerror(errno));
  1020. ret = -1;
  1021. goto out;
  1022. }
  1023. pr_mem_next = pr_mem_base + MALLOC_MP_LIM;
  1024. pr_mem_left = pr_mem_size;
  1025. locations = strmap_new();
  1026. // change el value pointer to protected
  1027. for (el = cfg; el != NULL; el = el->next) {
  1028. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  1029. &el->param->value) < 0) {
  1030. ret = -2;
  1031. goto out;
  1032. }
  1033. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  1034. &el->param->value2) < 0) {
  1035. ret = -2;
  1036. goto out;
  1037. }
  1038. el->param->prot = 1;
  1039. }
  1040. // protecting from writes
  1041. if (mprotect(pr_mem_base, MALLOC_MP_LIM + pr_mem_size, PROT_READ)) {
  1042. log_err(LD_BUG,"(Sandbox) failed to protect memory! mprotect: %s",
  1043. strerror(errno));
  1044. ret = -3;
  1045. goto out;
  1046. }
  1047. /*
  1048. * Setting sandbox restrictions so the string memory cannot be tampered with
  1049. */
  1050. // no mremap of the protected base address
  1051. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
  1052. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  1053. if (ret) {
  1054. log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!");
  1055. goto out;
  1056. }
  1057. // no munmap of the protected base address
  1058. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
  1059. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  1060. if (ret) {
  1061. log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!");
  1062. goto out;
  1063. }
  1064. /*
  1065. * Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
  1066. * never over the memory region used by the protected strings.
  1067. *
  1068. * PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
  1069. * had to be removed due to limitation of libseccomp regarding intervals.
  1070. *
  1071. * There is a restriction on how much you can mprotect with R|W up to the
  1072. * size of the canary.
  1073. */
  1074. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  1075. SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
  1076. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  1077. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  1078. if (ret) {
  1079. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (LT)!");
  1080. goto out;
  1081. }
  1082. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  1083. SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
  1084. MALLOC_MP_LIM),
  1085. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  1086. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  1087. if (ret) {
  1088. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (GT)!");
  1089. goto out;
  1090. }
  1091. out:
  1092. strmap_free(locations, NULL);
  1093. return ret;
  1094. }
  1095. /**
  1096. * Auxiliary function used in order to allocate a sandbox_cfg_t element and set
  1097. * its values according the parameter list. All elements are initialised
  1098. * with the 'prot' field set to false, as the pointer is not protected at this
  1099. * point.
  1100. */
  1101. static sandbox_cfg_t*
  1102. new_element2(int syscall, char *value, char *value2)
  1103. {
  1104. smp_param_t *param = NULL;
  1105. sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t));
  1106. param = elem->param = tor_malloc_zero(sizeof(smp_param_t));
  1107. param->syscall = syscall;
  1108. param->value = value;
  1109. param->value2 = value2;
  1110. param->prot = 0;
  1111. return elem;
  1112. }
  1113. static sandbox_cfg_t*
  1114. new_element(int syscall, char *value)
  1115. {
  1116. return new_element2(syscall, value, NULL);
  1117. }
  1118. #ifdef __NR_stat64
  1119. #define SCMP_stat SCMP_SYS(stat64)
  1120. #else
  1121. #define SCMP_stat SCMP_SYS(stat)
  1122. #endif
  1123. int
  1124. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1125. {
  1126. sandbox_cfg_t *elem = NULL;
  1127. elem = new_element(SCMP_stat, file);
  1128. if (!elem) {
  1129. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1130. return -1;
  1131. }
  1132. elem->next = *cfg;
  1133. *cfg = elem;
  1134. return 0;
  1135. }
  1136. int
  1137. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1138. {
  1139. sandbox_cfg_t *elem = NULL;
  1140. elem = new_element(SCMP_SYS(open), file);
  1141. if (!elem) {
  1142. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1143. return -1;
  1144. }
  1145. elem->next = *cfg;
  1146. *cfg = elem;
  1147. return 0;
  1148. }
  1149. int
  1150. sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
  1151. {
  1152. sandbox_cfg_t *elem = NULL;
  1153. elem = new_element(SCMP_SYS(chmod), file);
  1154. if (!elem) {
  1155. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1156. return -1;
  1157. }
  1158. elem->next = *cfg;
  1159. *cfg = elem;
  1160. return 0;
  1161. }
  1162. int
  1163. sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
  1164. {
  1165. sandbox_cfg_t *elem = NULL;
  1166. elem = new_element(SCMP_SYS(chown), file);
  1167. if (!elem) {
  1168. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1169. return -1;
  1170. }
  1171. elem->next = *cfg;
  1172. *cfg = elem;
  1173. return 0;
  1174. }
  1175. int
  1176. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1177. {
  1178. sandbox_cfg_t *elem = NULL;
  1179. elem = new_element2(SCMP_SYS(rename), file1, file2);
  1180. if (!elem) {
  1181. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1182. return -1;
  1183. }
  1184. elem->next = *cfg;
  1185. *cfg = elem;
  1186. return 0;
  1187. }
  1188. int
  1189. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1190. {
  1191. sandbox_cfg_t *elem = NULL;
  1192. elem = new_element(SCMP_SYS(openat), file);
  1193. if (!elem) {
  1194. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1195. return -1;
  1196. }
  1197. elem->next = *cfg;
  1198. *cfg = elem;
  1199. return 0;
  1200. }
  1201. #if 0
  1202. int
  1203. sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  1204. {
  1205. sandbox_cfg_t *elem = NULL;
  1206. elem = new_element(SCMP_SYS(execve), com);
  1207. if (!elem) {
  1208. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1209. return -1;
  1210. }
  1211. elem->next = *cfg;
  1212. *cfg = elem;
  1213. return 0;
  1214. }
  1215. #endif
  1216. /** Cache entry for getaddrinfo results; used when sandboxing is implemented
  1217. * so that we can consult the cache when the sandbox prevents us from doing
  1218. * getaddrinfo.
  1219. *
  1220. * We support only a limited range of getaddrinfo calls, where servname is null
  1221. * and hints contains only socktype=SOCK_STREAM, family in INET,INET6,UNSPEC.
  1222. */
  1223. typedef struct cached_getaddrinfo_item_t {
  1224. HT_ENTRY(cached_getaddrinfo_item_t) node;
  1225. char *name;
  1226. int family;
  1227. /** set if no error; otherwise NULL */
  1228. struct addrinfo *res;
  1229. /** 0 for no error; otherwise an EAI_* value */
  1230. int err;
  1231. } cached_getaddrinfo_item_t;
  1232. static unsigned
  1233. cached_getaddrinfo_item_hash(const cached_getaddrinfo_item_t *item)
  1234. {
  1235. return (unsigned)siphash24g(item->name, strlen(item->name)) + item->family;
  1236. }
  1237. static unsigned
  1238. cached_getaddrinfo_items_eq(const cached_getaddrinfo_item_t *a,
  1239. const cached_getaddrinfo_item_t *b)
  1240. {
  1241. return (a->family == b->family) && 0 == strcmp(a->name, b->name);
  1242. }
  1243. static void
  1244. cached_getaddrinfo_item_free(cached_getaddrinfo_item_t *item)
  1245. {
  1246. if (item == NULL)
  1247. return;
  1248. tor_free(item->name);
  1249. if (item->res)
  1250. freeaddrinfo(item->res);
  1251. tor_free(item);
  1252. }
  1253. static HT_HEAD(getaddrinfo_cache, cached_getaddrinfo_item_t)
  1254. getaddrinfo_cache = HT_INITIALIZER();
  1255. HT_PROTOTYPE(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1256. cached_getaddrinfo_item_hash,
  1257. cached_getaddrinfo_items_eq)
  1258. HT_GENERATE2(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1259. cached_getaddrinfo_item_hash,
  1260. cached_getaddrinfo_items_eq,
  1261. 0.6, tor_reallocarray_, tor_free_)
  1262. /** If true, don't try to cache getaddrinfo results. */
  1263. static int sandbox_getaddrinfo_cache_disabled = 0;
  1264. /** Tell the sandbox layer not to try to cache getaddrinfo results. Used as in
  1265. * tor-resolve, when we have no intention of initializing crypto or of
  1266. * installing the sandbox.*/
  1267. void
  1268. sandbox_disable_getaddrinfo_cache(void)
  1269. {
  1270. sandbox_getaddrinfo_cache_disabled = 1;
  1271. }
  1272. void
  1273. sandbox_freeaddrinfo(struct addrinfo *ai)
  1274. {
  1275. if (sandbox_getaddrinfo_cache_disabled)
  1276. freeaddrinfo(ai);
  1277. }
  1278. int
  1279. sandbox_getaddrinfo(const char *name, const char *servname,
  1280. const struct addrinfo *hints,
  1281. struct addrinfo **res)
  1282. {
  1283. int err;
  1284. struct cached_getaddrinfo_item_t search, *item;
  1285. if (sandbox_getaddrinfo_cache_disabled) {
  1286. return getaddrinfo(name, NULL, hints, res);
  1287. }
  1288. if (servname != NULL) {
  1289. log_warn(LD_BUG, "called with non-NULL servname");
  1290. return EAI_NONAME;
  1291. }
  1292. if (name == NULL) {
  1293. log_warn(LD_BUG, "called with NULL name");
  1294. return EAI_NONAME;
  1295. }
  1296. *res = NULL;
  1297. memset(&search, 0, sizeof(search));
  1298. search.name = (char *) name;
  1299. search.family = hints ? hints->ai_family : AF_UNSPEC;
  1300. item = HT_FIND(getaddrinfo_cache, &getaddrinfo_cache, &search);
  1301. if (! sandbox_is_active()) {
  1302. /* If the sandbox is not turned on yet, then getaddrinfo and store the
  1303. result. */
  1304. err = getaddrinfo(name, NULL, hints, res);
  1305. log_info(LD_NET,"(Sandbox) getaddrinfo %s.", err ? "failed" : "succeeded");
  1306. if (! item) {
  1307. item = tor_malloc_zero(sizeof(*item));
  1308. item->name = tor_strdup(name);
  1309. item->family = hints ? hints->ai_family : AF_UNSPEC;
  1310. HT_INSERT(getaddrinfo_cache, &getaddrinfo_cache, item);
  1311. }
  1312. if (item->res) {
  1313. freeaddrinfo(item->res);
  1314. item->res = NULL;
  1315. }
  1316. item->res = *res;
  1317. item->err = err;
  1318. return err;
  1319. }
  1320. /* Otherwise, the sandbox is on. If we have an item, yield its cached
  1321. result. */
  1322. if (item) {
  1323. *res = item->res;
  1324. return item->err;
  1325. }
  1326. /* getting here means something went wrong */
  1327. log_err(LD_BUG,"(Sandbox) failed to get address %s!", name);
  1328. return EAI_NONAME;
  1329. }
  1330. int
  1331. sandbox_add_addrinfo(const char *name)
  1332. {
  1333. struct addrinfo *res;
  1334. struct addrinfo hints;
  1335. int i;
  1336. static const int families[] = { AF_INET, AF_INET6, AF_UNSPEC };
  1337. memset(&hints, 0, sizeof(hints));
  1338. hints.ai_socktype = SOCK_STREAM;
  1339. for (i = 0; i < 3; ++i) {
  1340. hints.ai_family = families[i];
  1341. res = NULL;
  1342. (void) sandbox_getaddrinfo(name, NULL, &hints, &res);
  1343. if (res)
  1344. sandbox_freeaddrinfo(res);
  1345. }
  1346. return 0;
  1347. }
  1348. void
  1349. sandbox_free_getaddrinfo_cache(void)
  1350. {
  1351. cached_getaddrinfo_item_t **next, **item, *this;
  1352. for (item = HT_START(getaddrinfo_cache, &getaddrinfo_cache);
  1353. item;
  1354. item = next) {
  1355. this = *item;
  1356. next = HT_NEXT_RMV(getaddrinfo_cache, &getaddrinfo_cache, item);
  1357. cached_getaddrinfo_item_free(this);
  1358. }
  1359. HT_CLEAR(getaddrinfo_cache, &getaddrinfo_cache);
  1360. }
  1361. /**
  1362. * Function responsible for going through the parameter syscall filters and
  1363. * call each function pointer in the list.
  1364. */
  1365. static int
  1366. add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1367. {
  1368. unsigned i;
  1369. int rc = 0;
  1370. // function pointer
  1371. for (i = 0; i < ARRAY_LENGTH(filter_func); i++) {
  1372. if ((filter_func[i])(ctx, cfg)) {
  1373. log_err(LD_BUG,"(Sandbox) failed to add syscall %d, received libseccomp "
  1374. "error %d", i, rc);
  1375. return rc;
  1376. }
  1377. }
  1378. return 0;
  1379. }
  1380. /**
  1381. * Function responsible of loading the libseccomp syscall filters which do not
  1382. * have parameter filtering.
  1383. */
  1384. static int
  1385. add_noparam_filter(scmp_filter_ctx ctx)
  1386. {
  1387. unsigned i;
  1388. int rc = 0;
  1389. // add general filters
  1390. for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
  1391. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
  1392. if (rc != 0) {
  1393. log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), "
  1394. "received libseccomp error %d", i, filter_nopar_gen[i], rc);
  1395. return rc;
  1396. }
  1397. }
  1398. return 0;
  1399. }
  1400. /**
  1401. * Function responsible for setting up and enabling a global syscall filter.
  1402. * The function is a prototype developed for stage 1 of sandboxing Tor.
  1403. * Returns 0 on success.
  1404. */
  1405. static int
  1406. install_syscall_filter(sandbox_cfg_t* cfg)
  1407. {
  1408. int rc = 0;
  1409. scmp_filter_ctx ctx;
  1410. ctx = seccomp_init(SCMP_ACT_TRAP);
  1411. if (ctx == NULL) {
  1412. log_err(LD_BUG,"(Sandbox) failed to initialise libseccomp context");
  1413. rc = -1;
  1414. goto end;
  1415. }
  1416. // protectign sandbox parameter strings
  1417. if ((rc = prot_strings(ctx, cfg))) {
  1418. goto end;
  1419. }
  1420. // add parameter filters
  1421. if ((rc = add_param_filter(ctx, cfg))) {
  1422. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1423. goto end;
  1424. }
  1425. // adding filters with no parameters
  1426. if ((rc = add_noparam_filter(ctx))) {
  1427. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1428. goto end;
  1429. }
  1430. // loading the seccomp2 filter
  1431. if ((rc = seccomp_load(ctx))) {
  1432. log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)!", rc,
  1433. strerror(-rc));
  1434. goto end;
  1435. }
  1436. // marking the sandbox as active
  1437. sandbox_active = 1;
  1438. end:
  1439. seccomp_release(ctx);
  1440. return (rc < 0 ? -rc : rc);
  1441. }
  1442. #include "linux_syscalls.inc"
  1443. static const char *
  1444. get_syscall_name(int syscall_num)
  1445. {
  1446. int i;
  1447. for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
  1448. if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
  1449. return SYSCALLS_BY_NUMBER[i].syscall_name;
  1450. }
  1451. {
  1452. static char syscall_name_buf[64];
  1453. format_dec_number_sigsafe(syscall_num,
  1454. syscall_name_buf, sizeof(syscall_name_buf));
  1455. return syscall_name_buf;
  1456. }
  1457. }
  1458. #ifdef USE_BACKTRACE
  1459. #define MAX_DEPTH 256
  1460. static void *syscall_cb_buf[MAX_DEPTH];
  1461. #endif
  1462. /**
  1463. * Function called when a SIGSYS is caught by the application. It notifies the
  1464. * user that an error has occurred and either terminates or allows the
  1465. * application to continue execution, based on the DEBUGGING_CLOSE symbol.
  1466. */
  1467. static void
  1468. sigsys_debugging(int nr, siginfo_t *info, void *void_context)
  1469. {
  1470. ucontext_t *ctx = (ucontext_t *) (void_context);
  1471. const char *syscall_name;
  1472. int syscall;
  1473. #ifdef USE_BACKTRACE
  1474. size_t depth;
  1475. int n_fds, i;
  1476. const int *fds = NULL;
  1477. #endif
  1478. (void) nr;
  1479. if (info->si_code != SYS_SECCOMP)
  1480. return;
  1481. if (!ctx)
  1482. return;
  1483. syscall = (int) ctx->uc_mcontext.M_SYSCALL;
  1484. #ifdef USE_BACKTRACE
  1485. depth = backtrace(syscall_cb_buf, MAX_DEPTH);
  1486. /* Clean up the top stack frame so we get the real function
  1487. * name for the most recently failing function. */
  1488. clean_backtrace(syscall_cb_buf, depth, ctx);
  1489. #endif
  1490. syscall_name = get_syscall_name(syscall);
  1491. tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ",
  1492. syscall_name,
  1493. ")\n",
  1494. NULL);
  1495. #ifdef USE_BACKTRACE
  1496. n_fds = tor_log_get_sigsafe_err_fds(&fds);
  1497. for (i=0; i < n_fds; ++i)
  1498. backtrace_symbols_fd(syscall_cb_buf, (int)depth, fds[i]);
  1499. #endif
  1500. #if defined(DEBUGGING_CLOSE)
  1501. _exit(1);
  1502. #endif // DEBUGGING_CLOSE
  1503. }
  1504. /**
  1505. * Function that adds a handler for SIGSYS, which is the signal thrown
  1506. * when the application is issuing a syscall which is not allowed. The
  1507. * main purpose of this function is to help with debugging by identifying
  1508. * filtered syscalls.
  1509. */
  1510. static int
  1511. install_sigsys_debugging(void)
  1512. {
  1513. struct sigaction act;
  1514. sigset_t mask;
  1515. memset(&act, 0, sizeof(act));
  1516. sigemptyset(&mask);
  1517. sigaddset(&mask, SIGSYS);
  1518. act.sa_sigaction = &sigsys_debugging;
  1519. act.sa_flags = SA_SIGINFO;
  1520. if (sigaction(SIGSYS, &act, NULL) < 0) {
  1521. log_err(LD_BUG,"(Sandbox) Failed to register SIGSYS signal handler");
  1522. return -1;
  1523. }
  1524. if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
  1525. log_err(LD_BUG,"(Sandbox) Failed call to sigprocmask()");
  1526. return -2;
  1527. }
  1528. return 0;
  1529. }
  1530. /**
  1531. * Function responsible of registering the sandbox_cfg_t list of parameter
  1532. * syscall filters to the existing parameter list. This is used for incipient
  1533. * multiple-sandbox support.
  1534. */
  1535. static int
  1536. register_cfg(sandbox_cfg_t* cfg)
  1537. {
  1538. sandbox_cfg_t *elem = NULL;
  1539. if (filter_dynamic == NULL) {
  1540. filter_dynamic = cfg;
  1541. return 0;
  1542. }
  1543. for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
  1544. ;
  1545. elem->next = cfg;
  1546. return 0;
  1547. }
  1548. #endif // USE_LIBSECCOMP
  1549. #ifdef USE_LIBSECCOMP
  1550. /**
  1551. * Initialises the syscall sandbox filter for any linux architecture, taking
  1552. * into account various available features for different linux flavours.
  1553. */
  1554. static int
  1555. initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
  1556. {
  1557. /* Prevent glibc from trying to open /dev/tty on fatal error */
  1558. setenv("LIBC_FATAL_STDERR_", "1", 1);
  1559. if (install_sigsys_debugging())
  1560. return -1;
  1561. if (install_syscall_filter(cfg))
  1562. return -2;
  1563. if (register_cfg(cfg))
  1564. return -3;
  1565. return 0;
  1566. }
  1567. int
  1568. sandbox_is_active(void)
  1569. {
  1570. return sandbox_active != 0;
  1571. }
  1572. #endif // USE_LIBSECCOMP
  1573. sandbox_cfg_t*
  1574. sandbox_cfg_new(void)
  1575. {
  1576. return NULL;
  1577. }
  1578. int
  1579. sandbox_init(sandbox_cfg_t *cfg)
  1580. {
  1581. #if defined(USE_LIBSECCOMP)
  1582. return initialise_libseccomp_sandbox(cfg);
  1583. #elif defined(__linux__)
  1584. (void)cfg;
  1585. log_warn(LD_GENERAL,
  1586. "This version of Tor was built without support for sandboxing. To "
  1587. "build with support for sandboxing on Linux, you must have "
  1588. "libseccomp and its necessary header files (e.g. seccomp.h).");
  1589. return 0;
  1590. #else
  1591. (void)cfg;
  1592. log_warn(LD_GENERAL,
  1593. "Currently, sandboxing is only implemented on Linux. The feature "
  1594. "is disabled on your platform.");
  1595. return 0;
  1596. #endif
  1597. }
  1598. #ifndef USE_LIBSECCOMP
  1599. int
  1600. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1601. {
  1602. (void)cfg; (void)file;
  1603. return 0;
  1604. }
  1605. int
  1606. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1607. {
  1608. (void)cfg; (void)file;
  1609. return 0;
  1610. }
  1611. #if 0
  1612. int
  1613. sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  1614. {
  1615. (void)cfg; (void)com;
  1616. return 0;
  1617. }
  1618. #endif
  1619. int
  1620. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1621. {
  1622. (void)cfg; (void)file;
  1623. return 0;
  1624. }
  1625. int
  1626. sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
  1627. {
  1628. (void)cfg; (void)file;
  1629. return 0;
  1630. }
  1631. int
  1632. sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
  1633. {
  1634. (void)cfg; (void)file;
  1635. return 0;
  1636. }
  1637. int
  1638. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1639. {
  1640. (void)cfg; (void)file1; (void)file2;
  1641. return 0;
  1642. }
  1643. int
  1644. sandbox_is_active(void)
  1645. {
  1646. return 0;
  1647. }
  1648. void
  1649. sandbox_disable_getaddrinfo_cache(void)
  1650. {
  1651. }
  1652. #endif