sandbox.c 45 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947
  1. /* Copyright (c) 2001 Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2017, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file sandbox.c
  8. * \brief Code to enable sandboxing.
  9. **/
  10. #include "orconfig.h"
  11. #ifndef _LARGEFILE64_SOURCE
  12. /**
  13. * Temporarily required for O_LARGEFILE flag. Needs to be removed
  14. * with the libevent fix.
  15. */
  16. #define _LARGEFILE64_SOURCE
  17. #endif
  18. /** Malloc mprotect limit in bytes. */
  19. #define MALLOC_MP_LIM (16*1024*1024)
  20. #include <stdio.h>
  21. #include <string.h>
  22. #include <stdlib.h>
  23. #include "sandbox.h"
  24. #include "container.h"
  25. #include "torlog.h"
  26. #include "torint.h"
  27. #include "util.h"
  28. #include "tor_queue.h"
  29. #include "ht.h"
  30. #define DEBUGGING_CLOSE
  31. #if defined(USE_LIBSECCOMP)
  32. #include <sys/mman.h>
  33. #include <sys/syscall.h>
  34. #include <sys/types.h>
  35. #include <sys/stat.h>
  36. #include <sys/epoll.h>
  37. #include <sys/prctl.h>
  38. #include <linux/futex.h>
  39. #include <sys/file.h>
  40. #include <stdarg.h>
  41. #include <seccomp.h>
  42. #include <signal.h>
  43. #include <unistd.h>
  44. #include <fcntl.h>
  45. #include <time.h>
  46. #include <poll.h>
  47. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  48. #include <linux/netfilter_ipv4.h>
  49. #endif
  50. #ifdef HAVE_LINUX_IF_H
  51. #include <linux/if.h>
  52. #endif
  53. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  54. #include <linux/netfilter_ipv6/ip6_tables.h>
  55. #endif
  56. #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
  57. defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
  58. #define USE_BACKTRACE
  59. #define EXPOSE_CLEAN_BACKTRACE
  60. #include "backtrace.h"
  61. #endif
  62. #ifdef USE_BACKTRACE
  63. #include <execinfo.h>
  64. #endif
  65. /**
  66. * Linux 32 bit definitions
  67. */
  68. #if defined(__i386__)
  69. #define REG_SYSCALL REG_EAX
  70. #define M_SYSCALL gregs[REG_SYSCALL]
  71. /**
  72. * Linux 64 bit definitions
  73. */
  74. #elif defined(__x86_64__)
  75. #define REG_SYSCALL REG_RAX
  76. #define M_SYSCALL gregs[REG_SYSCALL]
  77. #elif defined(__arm__)
  78. #define M_SYSCALL arm_r7
  79. #endif
  80. /**Determines if at least one sandbox is active.*/
  81. static int sandbox_active = 0;
  82. /** Holds the parameter list configuration for the sandbox.*/
  83. static sandbox_cfg_t *filter_dynamic = NULL;
  84. #undef SCMP_CMP
  85. #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
  86. #define SCMP_CMP_STR(a,b,c) \
  87. ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
  88. #define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
  89. /* We use a wrapper here because these masked comparisons seem to be pretty
  90. * verbose. Also, it's important to cast to scmp_datum_t before negating the
  91. * mask, since otherwise the negation might get applied to a 32 bit value, and
  92. * the high bits of the value might get masked out improperly. */
  93. #define SCMP_CMP_MASKED(a,b,c) \
  94. SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
  95. /** Variable used for storing all syscall numbers that will be allowed with the
  96. * stage 1 general Tor sandbox.
  97. */
  98. static int filter_nopar_gen[] = {
  99. SCMP_SYS(access),
  100. SCMP_SYS(brk),
  101. SCMP_SYS(clock_gettime),
  102. SCMP_SYS(close),
  103. SCMP_SYS(clone),
  104. SCMP_SYS(epoll_create),
  105. SCMP_SYS(epoll_wait),
  106. #ifdef HAVE_EVENTFD
  107. SCMP_SYS(eventfd2),
  108. #endif
  109. #ifdef HAVE_PIPE2
  110. SCMP_SYS(pipe2),
  111. #endif
  112. #ifdef HAVE_PIPE
  113. SCMP_SYS(pipe),
  114. #endif
  115. #ifdef __NR_fchmod
  116. SCMP_SYS(fchmod),
  117. #endif
  118. SCMP_SYS(fcntl),
  119. SCMP_SYS(fstat),
  120. #ifdef __NR_fstat64
  121. SCMP_SYS(fstat64),
  122. #endif
  123. SCMP_SYS(futex),
  124. SCMP_SYS(getdents64),
  125. SCMP_SYS(getegid),
  126. #ifdef __NR_getegid32
  127. SCMP_SYS(getegid32),
  128. #endif
  129. SCMP_SYS(geteuid),
  130. #ifdef __NR_geteuid32
  131. SCMP_SYS(geteuid32),
  132. #endif
  133. SCMP_SYS(getgid),
  134. #ifdef __NR_getgid32
  135. SCMP_SYS(getgid32),
  136. #endif
  137. SCMP_SYS(getpid),
  138. #ifdef __NR_getrlimit
  139. SCMP_SYS(getrlimit),
  140. #endif
  141. SCMP_SYS(gettimeofday),
  142. SCMP_SYS(gettid),
  143. SCMP_SYS(getuid),
  144. #ifdef __NR_getuid32
  145. SCMP_SYS(getuid32),
  146. #endif
  147. SCMP_SYS(lseek),
  148. #ifdef __NR__llseek
  149. SCMP_SYS(_llseek),
  150. #endif
  151. SCMP_SYS(mkdir),
  152. SCMP_SYS(mlockall),
  153. #ifdef __NR_mmap
  154. /* XXXX restrict this in the same ways as mmap2 */
  155. SCMP_SYS(mmap),
  156. #endif
  157. SCMP_SYS(munmap),
  158. #ifdef __NR_prlimit
  159. SCMP_SYS(prlimit),
  160. #endif
  161. #ifdef __NR_prlimit64
  162. SCMP_SYS(prlimit64),
  163. #endif
  164. SCMP_SYS(read),
  165. SCMP_SYS(rt_sigreturn),
  166. SCMP_SYS(sched_getaffinity),
  167. #ifdef __NR_sched_yield
  168. SCMP_SYS(sched_yield),
  169. #endif
  170. SCMP_SYS(sendmsg),
  171. SCMP_SYS(set_robust_list),
  172. #ifdef __NR_setrlimit
  173. SCMP_SYS(setrlimit),
  174. #endif
  175. #ifdef __NR_sigaltstack
  176. SCMP_SYS(sigaltstack),
  177. #endif
  178. #ifdef __NR_sigreturn
  179. SCMP_SYS(sigreturn),
  180. #endif
  181. SCMP_SYS(stat),
  182. SCMP_SYS(uname),
  183. SCMP_SYS(wait4),
  184. SCMP_SYS(write),
  185. SCMP_SYS(writev),
  186. SCMP_SYS(exit_group),
  187. SCMP_SYS(exit),
  188. SCMP_SYS(madvise),
  189. #ifdef __NR_stat64
  190. // getaddrinfo uses this..
  191. SCMP_SYS(stat64),
  192. #endif
  193. #ifdef __NR_getrandom
  194. SCMP_SYS(getrandom),
  195. #endif
  196. #ifdef __NR_sysinfo
  197. // qsort uses this..
  198. SCMP_SYS(sysinfo),
  199. #endif
  200. /*
  201. * These socket syscalls are not required on x86_64 and not supported with
  202. * some libseccomp versions (eg: 1.0.1)
  203. */
  204. #if defined(__i386)
  205. SCMP_SYS(recv),
  206. SCMP_SYS(send),
  207. #endif
  208. // socket syscalls
  209. SCMP_SYS(bind),
  210. SCMP_SYS(listen),
  211. SCMP_SYS(connect),
  212. SCMP_SYS(getsockname),
  213. SCMP_SYS(recvmsg),
  214. SCMP_SYS(recvfrom),
  215. SCMP_SYS(sendto),
  216. SCMP_SYS(unlink)
  217. };
  218. /* These macros help avoid the error where the number of filters we add on a
  219. * single rule don't match the arg_cnt param. */
  220. #define seccomp_rule_add_0(ctx,act,call) \
  221. seccomp_rule_add((ctx),(act),(call),0)
  222. #define seccomp_rule_add_1(ctx,act,call,f1) \
  223. seccomp_rule_add((ctx),(act),(call),1,(f1))
  224. #define seccomp_rule_add_2(ctx,act,call,f1,f2) \
  225. seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
  226. #define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
  227. seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
  228. #define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
  229. seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
  230. /**
  231. * Function responsible for setting up the rt_sigaction syscall for
  232. * the seccomp filter sandbox.
  233. */
  234. static int
  235. sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  236. {
  237. unsigned i;
  238. int rc;
  239. int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
  240. #ifdef SIGXFSZ
  241. SIGXFSZ
  242. #endif
  243. };
  244. (void) filter;
  245. for (i = 0; i < ARRAY_LENGTH(param); i++) {
  246. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
  247. SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
  248. if (rc)
  249. break;
  250. }
  251. return rc;
  252. }
  253. #if 0
  254. /**
  255. * Function responsible for setting up the execve syscall for
  256. * the seccomp filter sandbox.
  257. */
  258. static int
  259. sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  260. {
  261. int rc;
  262. sandbox_cfg_t *elem = NULL;
  263. // for each dynamic parameter filters
  264. for (elem = filter; elem != NULL; elem = elem->next) {
  265. smp_param_t *param = elem->param;
  266. if (param != NULL && param->prot == 1 && param->syscall
  267. == SCMP_SYS(execve)) {
  268. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve),
  269. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  270. if (rc != 0) {
  271. log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received "
  272. "libseccomp error %d", rc);
  273. return rc;
  274. }
  275. }
  276. }
  277. return 0;
  278. }
  279. #endif
  280. /**
  281. * Function responsible for setting up the time syscall for
  282. * the seccomp filter sandbox.
  283. */
  284. static int
  285. sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  286. {
  287. (void) filter;
  288. #ifdef __NR_time
  289. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
  290. SCMP_CMP(0, SCMP_CMP_EQ, 0));
  291. #else
  292. return 0;
  293. #endif
  294. }
  295. /**
  296. * Function responsible for setting up the accept4 syscall for
  297. * the seccomp filter sandbox.
  298. */
  299. static int
  300. sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  301. {
  302. int rc = 0;
  303. (void)filter;
  304. #ifdef __i386__
  305. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
  306. SCMP_CMP(0, SCMP_CMP_EQ, 18));
  307. if (rc) {
  308. return rc;
  309. }
  310. #endif
  311. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
  312. SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
  313. if (rc) {
  314. return rc;
  315. }
  316. return 0;
  317. }
  318. #ifdef __NR_mmap2
  319. /**
  320. * Function responsible for setting up the mmap2 syscall for
  321. * the seccomp filter sandbox.
  322. */
  323. static int
  324. sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  325. {
  326. int rc = 0;
  327. (void)filter;
  328. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  329. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
  330. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
  331. if (rc) {
  332. return rc;
  333. }
  334. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  335. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
  336. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
  337. if (rc) {
  338. return rc;
  339. }
  340. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  341. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  342. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
  343. if (rc) {
  344. return rc;
  345. }
  346. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  347. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  348. SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
  349. if (rc) {
  350. return rc;
  351. }
  352. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  353. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  354. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
  355. if (rc) {
  356. return rc;
  357. }
  358. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  359. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  360. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
  361. if (rc) {
  362. return rc;
  363. }
  364. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  365. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
  366. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
  367. if (rc) {
  368. return rc;
  369. }
  370. return 0;
  371. }
  372. #endif
  373. /**
  374. * Function responsible for setting up the open syscall for
  375. * the seccomp filter sandbox.
  376. */
  377. static int
  378. sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  379. {
  380. int rc;
  381. sandbox_cfg_t *elem = NULL;
  382. // for each dynamic parameter filters
  383. for (elem = filter; elem != NULL; elem = elem->next) {
  384. smp_param_t *param = elem->param;
  385. if (param != NULL && param->prot == 1 && param->syscall
  386. == SCMP_SYS(open)) {
  387. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
  388. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  389. if (rc != 0) {
  390. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  391. "libseccomp error %d", rc);
  392. return rc;
  393. }
  394. }
  395. }
  396. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
  397. SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
  398. O_RDONLY));
  399. if (rc != 0) {
  400. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
  401. "error %d", rc);
  402. return rc;
  403. }
  404. return 0;
  405. }
  406. static int
  407. sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  408. {
  409. int rc;
  410. sandbox_cfg_t *elem = NULL;
  411. // for each dynamic parameter filters
  412. for (elem = filter; elem != NULL; elem = elem->next) {
  413. smp_param_t *param = elem->param;
  414. if (param != NULL && param->prot == 1 && param->syscall
  415. == SCMP_SYS(chmod)) {
  416. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chmod),
  417. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  418. if (rc != 0) {
  419. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  420. "libseccomp error %d", rc);
  421. return rc;
  422. }
  423. }
  424. }
  425. return 0;
  426. }
  427. static int
  428. sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  429. {
  430. int rc;
  431. sandbox_cfg_t *elem = NULL;
  432. // for each dynamic parameter filters
  433. for (elem = filter; elem != NULL; elem = elem->next) {
  434. smp_param_t *param = elem->param;
  435. if (param != NULL && param->prot == 1 && param->syscall
  436. == SCMP_SYS(chown)) {
  437. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown),
  438. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  439. if (rc != 0) {
  440. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  441. "libseccomp error %d", rc);
  442. return rc;
  443. }
  444. }
  445. }
  446. return 0;
  447. }
  448. static int
  449. sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  450. {
  451. int rc;
  452. (void) filter;
  453. (void) ctx;
  454. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
  455. if (rc != 0) {
  456. log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
  457. "received libseccomp error %d", rc);
  458. return rc;
  459. }
  460. return 0;
  461. }
  462. /**
  463. * Function responsible for setting up the rename syscall for
  464. * the seccomp filter sandbox.
  465. */
  466. static int
  467. sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  468. {
  469. int rc;
  470. sandbox_cfg_t *elem = NULL;
  471. // for each dynamic parameter filters
  472. for (elem = filter; elem != NULL; elem = elem->next) {
  473. smp_param_t *param = elem->param;
  474. if (param != NULL && param->prot == 1 &&
  475. param->syscall == SCMP_SYS(rename)) {
  476. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
  477. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
  478. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
  479. if (rc != 0) {
  480. log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
  481. "libseccomp error %d", rc);
  482. return rc;
  483. }
  484. }
  485. }
  486. return 0;
  487. }
  488. /**
  489. * Function responsible for setting up the openat syscall for
  490. * the seccomp filter sandbox.
  491. */
  492. static int
  493. sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  494. {
  495. int rc;
  496. sandbox_cfg_t *elem = NULL;
  497. // for each dynamic parameter filters
  498. for (elem = filter; elem != NULL; elem = elem->next) {
  499. smp_param_t *param = elem->param;
  500. if (param != NULL && param->prot == 1 && param->syscall
  501. == SCMP_SYS(openat)) {
  502. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
  503. SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
  504. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
  505. SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
  506. O_CLOEXEC));
  507. if (rc != 0) {
  508. log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
  509. "libseccomp error %d", rc);
  510. return rc;
  511. }
  512. }
  513. }
  514. return 0;
  515. }
  516. /**
  517. * Function responsible for setting up the socket syscall for
  518. * the seccomp filter sandbox.
  519. */
  520. static int
  521. sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  522. {
  523. int rc = 0;
  524. int i, j;
  525. (void) filter;
  526. #ifdef __i386__
  527. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
  528. if (rc)
  529. return rc;
  530. #endif
  531. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  532. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  533. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
  534. if (rc)
  535. return rc;
  536. for (i = 0; i < 2; ++i) {
  537. const int pf = i ? PF_INET : PF_INET6;
  538. for (j=0; j < 3; ++j) {
  539. const int type = (j == 0) ? SOCK_STREAM :
  540. SOCK_DGRAM;
  541. const int protocol = (j == 0) ? IPPROTO_TCP :
  542. (j == 1) ? IPPROTO_IP :
  543. IPPROTO_UDP;
  544. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  545. SCMP_CMP(0, SCMP_CMP_EQ, pf),
  546. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
  547. SCMP_CMP(2, SCMP_CMP_EQ, protocol));
  548. if (rc)
  549. return rc;
  550. }
  551. }
  552. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  553. SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
  554. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
  555. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  556. if (rc)
  557. return rc;
  558. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  559. SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
  560. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
  561. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  562. if (rc)
  563. return rc;
  564. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  565. SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
  566. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
  567. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  568. if (rc)
  569. return rc;
  570. return 0;
  571. }
  572. /**
  573. * Function responsible for setting up the socketpair syscall for
  574. * the seccomp filter sandbox.
  575. */
  576. static int
  577. sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  578. {
  579. int rc = 0;
  580. (void) filter;
  581. #ifdef __i386__
  582. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
  583. if (rc)
  584. return rc;
  585. #endif
  586. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
  587. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  588. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
  589. if (rc)
  590. return rc;
  591. return 0;
  592. }
  593. /**
  594. * Function responsible for setting up the setsockopt syscall for
  595. * the seccomp filter sandbox.
  596. */
  597. static int
  598. sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  599. {
  600. int rc = 0;
  601. (void) filter;
  602. #ifdef __i386__
  603. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
  604. if (rc)
  605. return rc;
  606. #endif
  607. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  608. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  609. SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
  610. if (rc)
  611. return rc;
  612. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  613. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  614. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  615. if (rc)
  616. return rc;
  617. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  618. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  619. SCMP_CMP(2, SCMP_CMP_EQ, SO_RCVBUF));
  620. if (rc)
  621. return rc;
  622. #ifdef HAVE_SYSTEMD
  623. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  624. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  625. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUFFORCE));
  626. if (rc)
  627. return rc;
  628. #endif
  629. #ifdef IP_TRANSPARENT
  630. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  631. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  632. SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
  633. if (rc)
  634. return rc;
  635. #endif
  636. return 0;
  637. }
  638. /**
  639. * Function responsible for setting up the getsockopt syscall for
  640. * the seccomp filter sandbox.
  641. */
  642. static int
  643. sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  644. {
  645. int rc = 0;
  646. (void) filter;
  647. #ifdef __i386__
  648. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
  649. if (rc)
  650. return rc;
  651. #endif
  652. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  653. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  654. SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
  655. if (rc)
  656. return rc;
  657. #ifdef HAVE_SYSTEMD
  658. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  659. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  660. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  661. if (rc)
  662. return rc;
  663. #endif
  664. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  665. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  666. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  667. SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
  668. if (rc)
  669. return rc;
  670. #endif
  671. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  672. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  673. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
  674. SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
  675. if (rc)
  676. return rc;
  677. #endif
  678. return 0;
  679. }
  680. #ifdef __NR_fcntl64
  681. /**
  682. * Function responsible for setting up the fcntl64 syscall for
  683. * the seccomp filter sandbox.
  684. */
  685. static int
  686. sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  687. {
  688. int rc = 0;
  689. (void) filter;
  690. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  691. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
  692. if (rc)
  693. return rc;
  694. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  695. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
  696. SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
  697. if (rc)
  698. return rc;
  699. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  700. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
  701. if (rc)
  702. return rc;
  703. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  704. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
  705. SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
  706. if (rc)
  707. return rc;
  708. return 0;
  709. }
  710. #endif
  711. /**
  712. * Function responsible for setting up the epoll_ctl syscall for
  713. * the seccomp filter sandbox.
  714. *
  715. * Note: basically allows everything but will keep for now..
  716. */
  717. static int
  718. sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  719. {
  720. int rc = 0;
  721. (void) filter;
  722. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  723. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
  724. if (rc)
  725. return rc;
  726. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  727. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
  728. if (rc)
  729. return rc;
  730. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  731. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
  732. if (rc)
  733. return rc;
  734. return 0;
  735. }
  736. /**
  737. * Function responsible for setting up the prctl syscall for
  738. * the seccomp filter sandbox.
  739. *
  740. * NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
  741. * to be whitelisted in this function.
  742. */
  743. static int
  744. sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  745. {
  746. int rc = 0;
  747. (void) filter;
  748. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
  749. SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
  750. if (rc)
  751. return rc;
  752. return 0;
  753. }
  754. /**
  755. * Function responsible for setting up the mprotect syscall for
  756. * the seccomp filter sandbox.
  757. *
  758. * NOTE: does not NEED to be here.. currently only occurs before filter; will
  759. * keep just in case for the future.
  760. */
  761. static int
  762. sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  763. {
  764. int rc = 0;
  765. (void) filter;
  766. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  767. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
  768. if (rc)
  769. return rc;
  770. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  771. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
  772. if (rc)
  773. return rc;
  774. return 0;
  775. }
  776. /**
  777. * Function responsible for setting up the rt_sigprocmask syscall for
  778. * the seccomp filter sandbox.
  779. */
  780. static int
  781. sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  782. {
  783. int rc = 0;
  784. (void) filter;
  785. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  786. SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
  787. if (rc)
  788. return rc;
  789. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  790. SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
  791. if (rc)
  792. return rc;
  793. return 0;
  794. }
  795. /**
  796. * Function responsible for setting up the flock syscall for
  797. * the seccomp filter sandbox.
  798. *
  799. * NOTE: does not need to be here, occurs before filter is applied.
  800. */
  801. static int
  802. sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  803. {
  804. int rc = 0;
  805. (void) filter;
  806. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  807. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
  808. if (rc)
  809. return rc;
  810. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  811. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
  812. if (rc)
  813. return rc;
  814. return 0;
  815. }
  816. /**
  817. * Function responsible for setting up the futex syscall for
  818. * the seccomp filter sandbox.
  819. */
  820. static int
  821. sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  822. {
  823. int rc = 0;
  824. (void) filter;
  825. // can remove
  826. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  827. SCMP_CMP(1, SCMP_CMP_EQ,
  828. FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
  829. if (rc)
  830. return rc;
  831. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  832. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
  833. if (rc)
  834. return rc;
  835. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  836. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
  837. if (rc)
  838. return rc;
  839. return 0;
  840. }
  841. /**
  842. * Function responsible for setting up the mremap syscall for
  843. * the seccomp filter sandbox.
  844. *
  845. * NOTE: so far only occurs before filter is applied.
  846. */
  847. static int
  848. sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  849. {
  850. int rc = 0;
  851. (void) filter;
  852. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
  853. SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
  854. if (rc)
  855. return rc;
  856. return 0;
  857. }
  858. /**
  859. * Function responsible for setting up the poll syscall for
  860. * the seccomp filter sandbox.
  861. */
  862. static int
  863. sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  864. {
  865. int rc = 0;
  866. (void) filter;
  867. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll),
  868. SCMP_CMP(1, SCMP_CMP_EQ, 1),
  869. SCMP_CMP(2, SCMP_CMP_EQ, 10));
  870. if (rc)
  871. return rc;
  872. return 0;
  873. }
  874. #ifdef __NR_stat64
  875. /**
  876. * Function responsible for setting up the stat64 syscall for
  877. * the seccomp filter sandbox.
  878. */
  879. static int
  880. sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  881. {
  882. int rc = 0;
  883. sandbox_cfg_t *elem = NULL;
  884. // for each dynamic parameter filters
  885. for (elem = filter; elem != NULL; elem = elem->next) {
  886. smp_param_t *param = elem->param;
  887. if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
  888. || param->syscall == SCMP_SYS(stat64))) {
  889. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
  890. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  891. if (rc != 0) {
  892. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  893. "libseccomp error %d", rc);
  894. return rc;
  895. }
  896. }
  897. }
  898. return 0;
  899. }
  900. #endif
  901. /**
  902. * Array of function pointers responsible for filtering different syscalls at
  903. * a parameter level.
  904. */
  905. static sandbox_filter_func_t filter_func[] = {
  906. sb_rt_sigaction,
  907. sb_rt_sigprocmask,
  908. #if 0
  909. sb_execve,
  910. #endif
  911. sb_time,
  912. sb_accept4,
  913. #ifdef __NR_mmap2
  914. sb_mmap2,
  915. #endif
  916. sb_chown,
  917. sb_chmod,
  918. sb_open,
  919. sb_openat,
  920. sb__sysctl,
  921. sb_rename,
  922. #ifdef __NR_fcntl64
  923. sb_fcntl64,
  924. #endif
  925. sb_epoll_ctl,
  926. sb_prctl,
  927. sb_mprotect,
  928. sb_flock,
  929. sb_futex,
  930. sb_mremap,
  931. sb_poll,
  932. #ifdef __NR_stat64
  933. sb_stat64,
  934. #endif
  935. sb_socket,
  936. sb_setsockopt,
  937. sb_getsockopt,
  938. sb_socketpair
  939. };
  940. const char *
  941. sandbox_intern_string(const char *str)
  942. {
  943. sandbox_cfg_t *elem;
  944. if (str == NULL)
  945. return NULL;
  946. for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
  947. smp_param_t *param = elem->param;
  948. if (param->prot) {
  949. if (!strcmp(str, (char*)(param->value))) {
  950. return (char*)param->value;
  951. }
  952. if (param->value2 && !strcmp(str, (char*)param->value2)) {
  953. return (char*)param->value2;
  954. }
  955. }
  956. }
  957. if (sandbox_active)
  958. log_warn(LD_BUG, "No interned sandbox parameter found for %s", str);
  959. return str;
  960. }
  961. /* DOCDOC */
  962. static int
  963. prot_strings_helper(strmap_t *locations,
  964. char **pr_mem_next_p,
  965. size_t *pr_mem_left_p,
  966. char **value_p)
  967. {
  968. char *param_val;
  969. size_t param_size;
  970. void *location;
  971. if (*value_p == 0)
  972. return 0;
  973. param_val = (char*) *value_p;
  974. param_size = strlen(param_val) + 1;
  975. location = strmap_get(locations, param_val);
  976. if (location) {
  977. // We already interned this string.
  978. tor_free(param_val);
  979. *value_p = location;
  980. return 0;
  981. } else if (*pr_mem_left_p >= param_size) {
  982. // copy to protected
  983. location = *pr_mem_next_p;
  984. memcpy(location, param_val, param_size);
  985. // re-point el parameter to protected
  986. tor_free(param_val);
  987. *value_p = location;
  988. strmap_set(locations, location, location); /* good real estate advice */
  989. // move next available protected memory
  990. *pr_mem_next_p += param_size;
  991. *pr_mem_left_p -= param_size;
  992. return 0;
  993. } else {
  994. log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
  995. return -1;
  996. }
  997. }
  998. /**
  999. * Protects all the strings in the sandbox's parameter list configuration. It
  1000. * works by calculating the total amount of memory required by the parameter
  1001. * list, allocating the memory using mmap, and protecting it from writes with
  1002. * mprotect().
  1003. */
  1004. static int
  1005. prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1006. {
  1007. int ret = 0;
  1008. size_t pr_mem_size = 0, pr_mem_left = 0;
  1009. char *pr_mem_next = NULL, *pr_mem_base;
  1010. sandbox_cfg_t *el = NULL;
  1011. strmap_t *locations = NULL;
  1012. // get total number of bytes required to mmap. (Overestimate.)
  1013. for (el = cfg; el != NULL; el = el->next) {
  1014. pr_mem_size += strlen((char*) el->param->value) + 1;
  1015. if (el->param->value2)
  1016. pr_mem_size += strlen((char*) el->param->value2) + 1;
  1017. }
  1018. // allocate protected memory with MALLOC_MP_LIM canary
  1019. pr_mem_base = (char*) mmap(NULL, MALLOC_MP_LIM + pr_mem_size,
  1020. PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
  1021. if (pr_mem_base == MAP_FAILED) {
  1022. log_err(LD_BUG,"(Sandbox) failed allocate protected memory! mmap: %s",
  1023. strerror(errno));
  1024. ret = -1;
  1025. goto out;
  1026. }
  1027. pr_mem_next = pr_mem_base + MALLOC_MP_LIM;
  1028. pr_mem_left = pr_mem_size;
  1029. locations = strmap_new();
  1030. // change el value pointer to protected
  1031. for (el = cfg; el != NULL; el = el->next) {
  1032. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  1033. &el->param->value) < 0) {
  1034. ret = -2;
  1035. goto out;
  1036. }
  1037. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  1038. &el->param->value2) < 0) {
  1039. ret = -2;
  1040. goto out;
  1041. }
  1042. el->param->prot = 1;
  1043. }
  1044. // protecting from writes
  1045. if (mprotect(pr_mem_base, MALLOC_MP_LIM + pr_mem_size, PROT_READ)) {
  1046. log_err(LD_BUG,"(Sandbox) failed to protect memory! mprotect: %s",
  1047. strerror(errno));
  1048. ret = -3;
  1049. goto out;
  1050. }
  1051. /*
  1052. * Setting sandbox restrictions so the string memory cannot be tampered with
  1053. */
  1054. // no mremap of the protected base address
  1055. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
  1056. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  1057. if (ret) {
  1058. log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!");
  1059. goto out;
  1060. }
  1061. // no munmap of the protected base address
  1062. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
  1063. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  1064. if (ret) {
  1065. log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!");
  1066. goto out;
  1067. }
  1068. /*
  1069. * Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
  1070. * never over the memory region used by the protected strings.
  1071. *
  1072. * PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
  1073. * had to be removed due to limitation of libseccomp regarding intervals.
  1074. *
  1075. * There is a restriction on how much you can mprotect with R|W up to the
  1076. * size of the canary.
  1077. */
  1078. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  1079. SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
  1080. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  1081. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  1082. if (ret) {
  1083. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (LT)!");
  1084. goto out;
  1085. }
  1086. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  1087. SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
  1088. MALLOC_MP_LIM),
  1089. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  1090. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  1091. if (ret) {
  1092. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (GT)!");
  1093. goto out;
  1094. }
  1095. out:
  1096. strmap_free(locations, NULL);
  1097. return ret;
  1098. }
  1099. /**
  1100. * Auxiliary function used in order to allocate a sandbox_cfg_t element and set
  1101. * its values according the parameter list. All elements are initialised
  1102. * with the 'prot' field set to false, as the pointer is not protected at this
  1103. * point.
  1104. */
  1105. static sandbox_cfg_t*
  1106. new_element2(int syscall, char *value, char *value2)
  1107. {
  1108. smp_param_t *param = NULL;
  1109. sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t));
  1110. param = elem->param = tor_malloc_zero(sizeof(smp_param_t));
  1111. param->syscall = syscall;
  1112. param->value = value;
  1113. param->value2 = value2;
  1114. param->prot = 0;
  1115. return elem;
  1116. }
  1117. static sandbox_cfg_t*
  1118. new_element(int syscall, char *value)
  1119. {
  1120. return new_element2(syscall, value, NULL);
  1121. }
  1122. #ifdef __NR_stat64
  1123. #define SCMP_stat SCMP_SYS(stat64)
  1124. #else
  1125. #define SCMP_stat SCMP_SYS(stat)
  1126. #endif
  1127. int
  1128. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1129. {
  1130. sandbox_cfg_t *elem = NULL;
  1131. elem = new_element(SCMP_stat, file);
  1132. if (!elem) {
  1133. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1134. return -1;
  1135. }
  1136. elem->next = *cfg;
  1137. *cfg = elem;
  1138. return 0;
  1139. }
  1140. int
  1141. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1142. {
  1143. sandbox_cfg_t *elem = NULL;
  1144. elem = new_element(SCMP_SYS(open), file);
  1145. if (!elem) {
  1146. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1147. return -1;
  1148. }
  1149. elem->next = *cfg;
  1150. *cfg = elem;
  1151. return 0;
  1152. }
  1153. int
  1154. sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
  1155. {
  1156. sandbox_cfg_t *elem = NULL;
  1157. elem = new_element(SCMP_SYS(chmod), file);
  1158. if (!elem) {
  1159. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1160. return -1;
  1161. }
  1162. elem->next = *cfg;
  1163. *cfg = elem;
  1164. return 0;
  1165. }
  1166. int
  1167. sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
  1168. {
  1169. sandbox_cfg_t *elem = NULL;
  1170. elem = new_element(SCMP_SYS(chown), file);
  1171. if (!elem) {
  1172. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1173. return -1;
  1174. }
  1175. elem->next = *cfg;
  1176. *cfg = elem;
  1177. return 0;
  1178. }
  1179. int
  1180. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1181. {
  1182. sandbox_cfg_t *elem = NULL;
  1183. elem = new_element2(SCMP_SYS(rename), file1, file2);
  1184. if (!elem) {
  1185. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1186. return -1;
  1187. }
  1188. elem->next = *cfg;
  1189. *cfg = elem;
  1190. return 0;
  1191. }
  1192. int
  1193. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1194. {
  1195. sandbox_cfg_t *elem = NULL;
  1196. elem = new_element(SCMP_SYS(openat), file);
  1197. if (!elem) {
  1198. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1199. return -1;
  1200. }
  1201. elem->next = *cfg;
  1202. *cfg = elem;
  1203. return 0;
  1204. }
  1205. #if 0
  1206. int
  1207. sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  1208. {
  1209. sandbox_cfg_t *elem = NULL;
  1210. elem = new_element(SCMP_SYS(execve), com);
  1211. if (!elem) {
  1212. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1213. return -1;
  1214. }
  1215. elem->next = *cfg;
  1216. *cfg = elem;
  1217. return 0;
  1218. }
  1219. #endif
  1220. /** Cache entry for getaddrinfo results; used when sandboxing is implemented
  1221. * so that we can consult the cache when the sandbox prevents us from doing
  1222. * getaddrinfo.
  1223. *
  1224. * We support only a limited range of getaddrinfo calls, where servname is null
  1225. * and hints contains only socktype=SOCK_STREAM, family in INET,INET6,UNSPEC.
  1226. */
  1227. typedef struct cached_getaddrinfo_item_t {
  1228. HT_ENTRY(cached_getaddrinfo_item_t) node;
  1229. char *name;
  1230. int family;
  1231. /** set if no error; otherwise NULL */
  1232. struct addrinfo *res;
  1233. /** 0 for no error; otherwise an EAI_* value */
  1234. int err;
  1235. } cached_getaddrinfo_item_t;
  1236. static unsigned
  1237. cached_getaddrinfo_item_hash(const cached_getaddrinfo_item_t *item)
  1238. {
  1239. return (unsigned)siphash24g(item->name, strlen(item->name)) + item->family;
  1240. }
  1241. static unsigned
  1242. cached_getaddrinfo_items_eq(const cached_getaddrinfo_item_t *a,
  1243. const cached_getaddrinfo_item_t *b)
  1244. {
  1245. return (a->family == b->family) && 0 == strcmp(a->name, b->name);
  1246. }
  1247. static void
  1248. cached_getaddrinfo_item_free(cached_getaddrinfo_item_t *item)
  1249. {
  1250. if (item == NULL)
  1251. return;
  1252. tor_free(item->name);
  1253. if (item->res)
  1254. freeaddrinfo(item->res);
  1255. tor_free(item);
  1256. }
  1257. static HT_HEAD(getaddrinfo_cache, cached_getaddrinfo_item_t)
  1258. getaddrinfo_cache = HT_INITIALIZER();
  1259. HT_PROTOTYPE(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1260. cached_getaddrinfo_item_hash,
  1261. cached_getaddrinfo_items_eq)
  1262. HT_GENERATE2(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1263. cached_getaddrinfo_item_hash,
  1264. cached_getaddrinfo_items_eq,
  1265. 0.6, tor_reallocarray_, tor_free_)
  1266. /** If true, don't try to cache getaddrinfo results. */
  1267. static int sandbox_getaddrinfo_cache_disabled = 0;
  1268. /** Tell the sandbox layer not to try to cache getaddrinfo results. Used as in
  1269. * tor-resolve, when we have no intention of initializing crypto or of
  1270. * installing the sandbox.*/
  1271. void
  1272. sandbox_disable_getaddrinfo_cache(void)
  1273. {
  1274. sandbox_getaddrinfo_cache_disabled = 1;
  1275. }
  1276. void
  1277. sandbox_freeaddrinfo(struct addrinfo *ai)
  1278. {
  1279. if (sandbox_getaddrinfo_cache_disabled)
  1280. freeaddrinfo(ai);
  1281. }
  1282. int
  1283. sandbox_getaddrinfo(const char *name, const char *servname,
  1284. const struct addrinfo *hints,
  1285. struct addrinfo **res)
  1286. {
  1287. int err;
  1288. struct cached_getaddrinfo_item_t search, *item;
  1289. if (sandbox_getaddrinfo_cache_disabled) {
  1290. return getaddrinfo(name, NULL, hints, res);
  1291. }
  1292. if (servname != NULL) {
  1293. log_warn(LD_BUG, "called with non-NULL servname");
  1294. return EAI_NONAME;
  1295. }
  1296. if (name == NULL) {
  1297. log_warn(LD_BUG, "called with NULL name");
  1298. return EAI_NONAME;
  1299. }
  1300. *res = NULL;
  1301. memset(&search, 0, sizeof(search));
  1302. search.name = (char *) name;
  1303. search.family = hints ? hints->ai_family : AF_UNSPEC;
  1304. item = HT_FIND(getaddrinfo_cache, &getaddrinfo_cache, &search);
  1305. if (! sandbox_is_active()) {
  1306. /* If the sandbox is not turned on yet, then getaddrinfo and store the
  1307. result. */
  1308. err = getaddrinfo(name, NULL, hints, res);
  1309. log_info(LD_NET,"(Sandbox) getaddrinfo %s.", err ? "failed" : "succeeded");
  1310. if (! item) {
  1311. item = tor_malloc_zero(sizeof(*item));
  1312. item->name = tor_strdup(name);
  1313. item->family = hints ? hints->ai_family : AF_UNSPEC;
  1314. HT_INSERT(getaddrinfo_cache, &getaddrinfo_cache, item);
  1315. }
  1316. if (item->res) {
  1317. freeaddrinfo(item->res);
  1318. item->res = NULL;
  1319. }
  1320. item->res = *res;
  1321. item->err = err;
  1322. return err;
  1323. }
  1324. /* Otherwise, the sandbox is on. If we have an item, yield its cached
  1325. result. */
  1326. if (item) {
  1327. *res = item->res;
  1328. return item->err;
  1329. }
  1330. /* getting here means something went wrong */
  1331. log_err(LD_BUG,"(Sandbox) failed to get address %s!", name);
  1332. return EAI_NONAME;
  1333. }
  1334. int
  1335. sandbox_add_addrinfo(const char *name)
  1336. {
  1337. struct addrinfo *res;
  1338. struct addrinfo hints;
  1339. int i;
  1340. static const int families[] = { AF_INET, AF_INET6, AF_UNSPEC };
  1341. memset(&hints, 0, sizeof(hints));
  1342. hints.ai_socktype = SOCK_STREAM;
  1343. for (i = 0; i < 3; ++i) {
  1344. hints.ai_family = families[i];
  1345. res = NULL;
  1346. (void) sandbox_getaddrinfo(name, NULL, &hints, &res);
  1347. if (res)
  1348. sandbox_freeaddrinfo(res);
  1349. }
  1350. return 0;
  1351. }
  1352. void
  1353. sandbox_free_getaddrinfo_cache(void)
  1354. {
  1355. cached_getaddrinfo_item_t **next, **item, *this;
  1356. for (item = HT_START(getaddrinfo_cache, &getaddrinfo_cache);
  1357. item;
  1358. item = next) {
  1359. this = *item;
  1360. next = HT_NEXT_RMV(getaddrinfo_cache, &getaddrinfo_cache, item);
  1361. cached_getaddrinfo_item_free(this);
  1362. }
  1363. HT_CLEAR(getaddrinfo_cache, &getaddrinfo_cache);
  1364. }
  1365. /**
  1366. * Function responsible for going through the parameter syscall filters and
  1367. * call each function pointer in the list.
  1368. */
  1369. static int
  1370. add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1371. {
  1372. unsigned i;
  1373. int rc = 0;
  1374. // function pointer
  1375. for (i = 0; i < ARRAY_LENGTH(filter_func); i++) {
  1376. if ((filter_func[i])(ctx, cfg)) {
  1377. log_err(LD_BUG,"(Sandbox) failed to add syscall %d, received libseccomp "
  1378. "error %d", i, rc);
  1379. return rc;
  1380. }
  1381. }
  1382. return 0;
  1383. }
  1384. /**
  1385. * Function responsible of loading the libseccomp syscall filters which do not
  1386. * have parameter filtering.
  1387. */
  1388. static int
  1389. add_noparam_filter(scmp_filter_ctx ctx)
  1390. {
  1391. unsigned i;
  1392. int rc = 0;
  1393. // add general filters
  1394. for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
  1395. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
  1396. if (rc != 0) {
  1397. log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), "
  1398. "received libseccomp error %d", i, filter_nopar_gen[i], rc);
  1399. return rc;
  1400. }
  1401. }
  1402. return 0;
  1403. }
  1404. /**
  1405. * Function responsible for setting up and enabling a global syscall filter.
  1406. * The function is a prototype developed for stage 1 of sandboxing Tor.
  1407. * Returns 0 on success.
  1408. */
  1409. static int
  1410. install_syscall_filter(sandbox_cfg_t* cfg)
  1411. {
  1412. int rc = 0;
  1413. scmp_filter_ctx ctx;
  1414. ctx = seccomp_init(SCMP_ACT_TRAP);
  1415. if (ctx == NULL) {
  1416. log_err(LD_BUG,"(Sandbox) failed to initialise libseccomp context");
  1417. rc = -1;
  1418. goto end;
  1419. }
  1420. // protectign sandbox parameter strings
  1421. if ((rc = prot_strings(ctx, cfg))) {
  1422. goto end;
  1423. }
  1424. // add parameter filters
  1425. if ((rc = add_param_filter(ctx, cfg))) {
  1426. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1427. goto end;
  1428. }
  1429. // adding filters with no parameters
  1430. if ((rc = add_noparam_filter(ctx))) {
  1431. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1432. goto end;
  1433. }
  1434. // loading the seccomp2 filter
  1435. if ((rc = seccomp_load(ctx))) {
  1436. log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)!", rc,
  1437. strerror(-rc));
  1438. goto end;
  1439. }
  1440. // marking the sandbox as active
  1441. sandbox_active = 1;
  1442. end:
  1443. seccomp_release(ctx);
  1444. return (rc < 0 ? -rc : rc);
  1445. }
  1446. #include "linux_syscalls.inc"
  1447. static const char *
  1448. get_syscall_name(int syscall_num)
  1449. {
  1450. int i;
  1451. for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
  1452. if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
  1453. return SYSCALLS_BY_NUMBER[i].syscall_name;
  1454. }
  1455. {
  1456. static char syscall_name_buf[64];
  1457. format_dec_number_sigsafe(syscall_num,
  1458. syscall_name_buf, sizeof(syscall_name_buf));
  1459. return syscall_name_buf;
  1460. }
  1461. }
  1462. #ifdef USE_BACKTRACE
  1463. #define MAX_DEPTH 256
  1464. static void *syscall_cb_buf[MAX_DEPTH];
  1465. #endif
  1466. /**
  1467. * Function called when a SIGSYS is caught by the application. It notifies the
  1468. * user that an error has occurred and either terminates or allows the
  1469. * application to continue execution, based on the DEBUGGING_CLOSE symbol.
  1470. */
  1471. static void
  1472. sigsys_debugging(int nr, siginfo_t *info, void *void_context)
  1473. {
  1474. ucontext_t *ctx = (ucontext_t *) (void_context);
  1475. const char *syscall_name;
  1476. int syscall;
  1477. #ifdef USE_BACKTRACE
  1478. size_t depth;
  1479. int n_fds, i;
  1480. const int *fds = NULL;
  1481. #endif
  1482. (void) nr;
  1483. if (info->si_code != SYS_SECCOMP)
  1484. return;
  1485. if (!ctx)
  1486. return;
  1487. syscall = (int) ctx->uc_mcontext.M_SYSCALL;
  1488. #ifdef USE_BACKTRACE
  1489. depth = backtrace(syscall_cb_buf, MAX_DEPTH);
  1490. /* Clean up the top stack frame so we get the real function
  1491. * name for the most recently failing function. */
  1492. clean_backtrace(syscall_cb_buf, depth, ctx);
  1493. #endif
  1494. syscall_name = get_syscall_name(syscall);
  1495. tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ",
  1496. syscall_name,
  1497. ")\n",
  1498. NULL);
  1499. #ifdef USE_BACKTRACE
  1500. n_fds = tor_log_get_sigsafe_err_fds(&fds);
  1501. for (i=0; i < n_fds; ++i)
  1502. backtrace_symbols_fd(syscall_cb_buf, (int)depth, fds[i]);
  1503. #endif
  1504. #if defined(DEBUGGING_CLOSE)
  1505. _exit(1);
  1506. #endif // DEBUGGING_CLOSE
  1507. }
  1508. /**
  1509. * Function that adds a handler for SIGSYS, which is the signal thrown
  1510. * when the application is issuing a syscall which is not allowed. The
  1511. * main purpose of this function is to help with debugging by identifying
  1512. * filtered syscalls.
  1513. */
  1514. static int
  1515. install_sigsys_debugging(void)
  1516. {
  1517. struct sigaction act;
  1518. sigset_t mask;
  1519. memset(&act, 0, sizeof(act));
  1520. sigemptyset(&mask);
  1521. sigaddset(&mask, SIGSYS);
  1522. act.sa_sigaction = &sigsys_debugging;
  1523. act.sa_flags = SA_SIGINFO;
  1524. if (sigaction(SIGSYS, &act, NULL) < 0) {
  1525. log_err(LD_BUG,"(Sandbox) Failed to register SIGSYS signal handler");
  1526. return -1;
  1527. }
  1528. if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
  1529. log_err(LD_BUG,"(Sandbox) Failed call to sigprocmask()");
  1530. return -2;
  1531. }
  1532. return 0;
  1533. }
  1534. /**
  1535. * Function responsible of registering the sandbox_cfg_t list of parameter
  1536. * syscall filters to the existing parameter list. This is used for incipient
  1537. * multiple-sandbox support.
  1538. */
  1539. static int
  1540. register_cfg(sandbox_cfg_t* cfg)
  1541. {
  1542. sandbox_cfg_t *elem = NULL;
  1543. if (filter_dynamic == NULL) {
  1544. filter_dynamic = cfg;
  1545. return 0;
  1546. }
  1547. for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
  1548. ;
  1549. elem->next = cfg;
  1550. return 0;
  1551. }
  1552. #endif // USE_LIBSECCOMP
  1553. #ifdef USE_LIBSECCOMP
  1554. /**
  1555. * Initialises the syscall sandbox filter for any linux architecture, taking
  1556. * into account various available features for different linux flavours.
  1557. */
  1558. static int
  1559. initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
  1560. {
  1561. /* Prevent glibc from trying to open /dev/tty on fatal error */
  1562. setenv("LIBC_FATAL_STDERR_", "1", 1);
  1563. if (install_sigsys_debugging())
  1564. return -1;
  1565. if (install_syscall_filter(cfg))
  1566. return -2;
  1567. if (register_cfg(cfg))
  1568. return -3;
  1569. return 0;
  1570. }
  1571. int
  1572. sandbox_is_active(void)
  1573. {
  1574. return sandbox_active != 0;
  1575. }
  1576. #endif // USE_LIBSECCOMP
  1577. sandbox_cfg_t*
  1578. sandbox_cfg_new(void)
  1579. {
  1580. return NULL;
  1581. }
  1582. int
  1583. sandbox_init(sandbox_cfg_t *cfg)
  1584. {
  1585. #if defined(USE_LIBSECCOMP)
  1586. return initialise_libseccomp_sandbox(cfg);
  1587. #elif defined(__linux__)
  1588. (void)cfg;
  1589. log_warn(LD_GENERAL,
  1590. "This version of Tor was built without support for sandboxing. To "
  1591. "build with support for sandboxing on Linux, you must have "
  1592. "libseccomp and its necessary header files (e.g. seccomp.h).");
  1593. return 0;
  1594. #else
  1595. (void)cfg;
  1596. log_warn(LD_GENERAL,
  1597. "Currently, sandboxing is only implemented on Linux. The feature "
  1598. "is disabled on your platform.");
  1599. return 0;
  1600. #endif
  1601. }
  1602. #ifndef USE_LIBSECCOMP
  1603. int
  1604. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1605. {
  1606. (void)cfg; (void)file;
  1607. return 0;
  1608. }
  1609. int
  1610. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1611. {
  1612. (void)cfg; (void)file;
  1613. return 0;
  1614. }
  1615. #if 0
  1616. int
  1617. sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  1618. {
  1619. (void)cfg; (void)com;
  1620. return 0;
  1621. }
  1622. #endif
  1623. int
  1624. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1625. {
  1626. (void)cfg; (void)file;
  1627. return 0;
  1628. }
  1629. int
  1630. sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
  1631. {
  1632. (void)cfg; (void)file;
  1633. return 0;
  1634. }
  1635. int
  1636. sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
  1637. {
  1638. (void)cfg; (void)file;
  1639. return 0;
  1640. }
  1641. int
  1642. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1643. {
  1644. (void)cfg; (void)file1; (void)file2;
  1645. return 0;
  1646. }
  1647. int
  1648. sandbox_is_active(void)
  1649. {
  1650. return 0;
  1651. }
  1652. void
  1653. sandbox_disable_getaddrinfo_cache(void)
  1654. {
  1655. }
  1656. #endif