restrict.c 9.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285
  1. /* Copyright (c) 2003-2004, Roger Dingledine
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2019, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. /**
  6. * \file restrict.c
  7. * \brief Drop privileges from the current process.
  8. **/
  9. #include "orconfig.h"
  10. #include "lib/process/restrict.h"
  11. #include "lib/intmath/cmp.h"
  12. #include "lib/log/log.h"
  13. #include "lib/log/util_bug.h"
  14. #include "lib/net/socket.h"
  15. #ifdef HAVE_SYS_MMAN_H
  16. #include <sys/mman.h>
  17. #endif
  18. #include <errno.h>
  19. #include <stdlib.h>
  20. #include <string.h>
  21. /* We only use the linux prctl for now. There is no Win32 support; this may
  22. * also work on various BSD systems and Mac OS X - send testing feedback!
  23. *
  24. * On recent Gnu/Linux kernels it is possible to create a system-wide policy
  25. * that will prevent non-root processes from attaching to other processes
  26. * unless they are the parent process; thus gdb can attach to programs that
  27. * they execute but they cannot attach to other processes running as the same
  28. * user. The system wide policy may be set with the sysctl
  29. * kernel.yama.ptrace_scope or by inspecting
  30. * /proc/sys/kernel/yama/ptrace_scope and it is 1 by default on Ubuntu 11.04.
  31. *
  32. * This ptrace scope will be ignored on Gnu/Linux for users with
  33. * CAP_SYS_PTRACE and so it is very likely that root will still be able to
  34. * attach to the Tor process.
  35. */
  36. /** Attempt to disable debugger attachment: return 1 on success, -1 on
  37. * failure, and 0 if we don't know how to try on this platform. */
  38. int
  39. tor_disable_debugger_attach(void)
  40. {
  41. int r = -1;
  42. log_debug(LD_CONFIG,
  43. "Attemping to disable debugger attachment to Tor for "
  44. "unprivileged users.");
  45. #if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) \
  46. && defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
  47. #define TRIED_TO_DISABLE
  48. r = prctl(PR_SET_DUMPABLE, 0);
  49. #elif defined(__APPLE__) && defined(PT_DENY_ATTACH)
  50. #define TRIED_TO_ATTACH
  51. r = ptrace(PT_DENY_ATTACH, 0, 0, 0);
  52. #endif /* defined(__linux__) && defined(HAVE_SYS_PRCTL_H) ... || ... */
  53. // XXX: TODO - Mac OS X has dtrace and this may be disabled.
  54. // XXX: TODO - Windows probably has something similar
  55. #ifdef TRIED_TO_DISABLE
  56. if (r == 0) {
  57. log_debug(LD_CONFIG,"Debugger attachment disabled for "
  58. "unprivileged users.");
  59. return 1;
  60. } else {
  61. log_warn(LD_CONFIG, "Unable to disable debugger attaching: %s",
  62. strerror(errno));
  63. }
  64. #endif /* defined(TRIED_TO_DISABLE) */
  65. #undef TRIED_TO_DISABLE
  66. return r;
  67. }
  68. #if defined(HAVE_MLOCKALL) && HAVE_DECL_MLOCKALL && defined(RLIMIT_MEMLOCK)
  69. #define HAVE_UNIX_MLOCKALL
  70. #endif
  71. #ifdef HAVE_UNIX_MLOCKALL
  72. /** Attempt to raise the current and max rlimit to infinity for our process.
  73. * This only needs to be done once and can probably only be done when we have
  74. * not already dropped privileges.
  75. */
  76. static int
  77. tor_set_max_memlock(void)
  78. {
  79. /* Future consideration for Windows is probably SetProcessWorkingSetSize
  80. * This is similar to setting the memory rlimit of RLIMIT_MEMLOCK
  81. * http://msdn.microsoft.com/en-us/library/ms686234(VS.85).aspx
  82. */
  83. struct rlimit limit;
  84. /* RLIM_INFINITY is -1 on some platforms. */
  85. limit.rlim_cur = RLIM_INFINITY;
  86. limit.rlim_max = RLIM_INFINITY;
  87. if (setrlimit(RLIMIT_MEMLOCK, &limit) == -1) {
  88. if (errno == EPERM) {
  89. log_warn(LD_GENERAL, "You appear to lack permissions to change memory "
  90. "limits. Are you root?");
  91. }
  92. log_warn(LD_GENERAL, "Unable to raise RLIMIT_MEMLOCK: %s",
  93. strerror(errno));
  94. return -1;
  95. }
  96. return 0;
  97. }
  98. #endif /* defined(HAVE_UNIX_MLOCKALL) */
  99. /** Attempt to lock all current and all future memory pages.
  100. * This should only be called once and while we're privileged.
  101. * Like mlockall() we return 0 when we're successful and -1 when we're not.
  102. * Unlike mlockall() we return 1 if we've already attempted to lock memory.
  103. */
  104. int
  105. tor_mlockall(void)
  106. {
  107. static int memory_lock_attempted = 0;
  108. if (memory_lock_attempted) {
  109. return 1;
  110. }
  111. memory_lock_attempted = 1;
  112. /*
  113. * Future consideration for Windows may be VirtualLock
  114. * VirtualLock appears to implement mlock() but not mlockall()
  115. *
  116. * http://msdn.microsoft.com/en-us/library/aa366895(VS.85).aspx
  117. */
  118. #ifdef HAVE_UNIX_MLOCKALL
  119. if (tor_set_max_memlock() == 0) {
  120. log_debug(LD_GENERAL, "RLIMIT_MEMLOCK is now set to RLIM_INFINITY.");
  121. }
  122. if (mlockall(MCL_CURRENT|MCL_FUTURE) == 0) {
  123. log_info(LD_GENERAL, "Insecure OS paging is effectively disabled.");
  124. return 0;
  125. } else {
  126. if (errno == ENOSYS) {
  127. /* Apple - it's 2009! I'm looking at you. Grrr. */
  128. log_notice(LD_GENERAL, "It appears that mlockall() is not available on "
  129. "your platform.");
  130. } else if (errno == EPERM) {
  131. log_notice(LD_GENERAL, "It appears that you lack the permissions to "
  132. "lock memory. Are you root?");
  133. }
  134. log_notice(LD_GENERAL, "Unable to lock all current and future memory "
  135. "pages: %s", strerror(errno));
  136. return -1;
  137. }
  138. #else /* !(defined(HAVE_UNIX_MLOCKALL)) */
  139. log_warn(LD_GENERAL, "Unable to lock memory pages. mlockall() unsupported?");
  140. return -1;
  141. #endif /* defined(HAVE_UNIX_MLOCKALL) */
  142. }
  143. /** Number of extra file descriptors to keep in reserve beyond those that we
  144. * tell Tor it's allowed to use. */
  145. #define ULIMIT_BUFFER 32 /* keep 32 extra fd's beyond ConnLimit_ */
  146. /** Learn the maximum allowed number of file descriptors, and tell the
  147. * system we want to use up to that number. (Some systems have a low soft
  148. * limit, and let us set it higher.) We compute this by finding the largest
  149. * number that we can use.
  150. *
  151. * If the limit is below the reserved file descriptor value (ULIMIT_BUFFER),
  152. * return -1 and <b>max_out</b> is untouched.
  153. *
  154. * If we can't find a number greater than or equal to <b>limit</b>, then we
  155. * fail by returning -1 and <b>max_out</b> is untouched.
  156. *
  157. * If we are unable to set the limit value because of setrlimit() failing,
  158. * return 0 and <b>max_out</b> is set to the current maximum value returned
  159. * by getrlimit().
  160. *
  161. * Otherwise, return 0 and store the maximum we found inside <b>max_out</b>
  162. * and set <b>max_sockets</b> with that value as well.*/
  163. int
  164. set_max_file_descriptors(rlim_t limit, int *max_out)
  165. {
  166. if (limit < ULIMIT_BUFFER) {
  167. log_warn(LD_CONFIG,
  168. "ConnLimit must be at least %d. Failing.", ULIMIT_BUFFER);
  169. return -1;
  170. }
  171. /* Define some maximum connections values for systems where we cannot
  172. * automatically determine a limit. Re Cygwin, see
  173. * http://archives.seul.org/or/talk/Aug-2006/msg00210.html
  174. * For an iPhone, 9999 should work. For Windows and all other unknown
  175. * systems we use 15000 as the default. */
  176. #ifndef HAVE_GETRLIMIT
  177. #if defined(CYGWIN) || defined(__CYGWIN__)
  178. const char *platform = "Cygwin";
  179. const unsigned long MAX_CONNECTIONS = 3200;
  180. #elif defined(_WIN32)
  181. const char *platform = "Windows";
  182. const unsigned long MAX_CONNECTIONS = 15000;
  183. #else
  184. const char *platform = "unknown platforms with no getrlimit()";
  185. const unsigned long MAX_CONNECTIONS = 15000;
  186. #endif /* defined(CYGWIN) || defined(__CYGWIN__) || ... */
  187. log_fn(LOG_INFO, LD_NET,
  188. "This platform is missing getrlimit(). Proceeding.");
  189. if (limit > MAX_CONNECTIONS) {
  190. log_warn(LD_CONFIG,
  191. "We do not support more than %lu file descriptors "
  192. "on %s. Tried to raise to %lu.",
  193. (unsigned long)MAX_CONNECTIONS, platform, (unsigned long)limit);
  194. return -1;
  195. }
  196. limit = MAX_CONNECTIONS;
  197. #else /* !(!defined(HAVE_GETRLIMIT)) */
  198. struct rlimit rlim;
  199. if (getrlimit(RLIMIT_NOFILE, &rlim) != 0) {
  200. log_warn(LD_NET, "Could not get maximum number of file descriptors: %s",
  201. strerror(errno));
  202. return -1;
  203. }
  204. if (rlim.rlim_max < limit) {
  205. log_warn(LD_CONFIG,"We need %lu file descriptors available, and we're "
  206. "limited to %lu. Please change your ulimit -n.",
  207. (unsigned long)limit, (unsigned long)rlim.rlim_max);
  208. return -1;
  209. }
  210. if (rlim.rlim_max > rlim.rlim_cur) {
  211. log_info(LD_NET,"Raising max file descriptors from %lu to %lu.",
  212. (unsigned long)rlim.rlim_cur, (unsigned long)rlim.rlim_max);
  213. }
  214. /* Set the current limit value so if the attempt to set the limit to the
  215. * max fails at least we'll have a valid value of maximum sockets. */
  216. *max_out = (int)rlim.rlim_cur - ULIMIT_BUFFER;
  217. set_max_sockets(*max_out);
  218. rlim.rlim_cur = rlim.rlim_max;
  219. if (setrlimit(RLIMIT_NOFILE, &rlim) != 0) {
  220. int couldnt_set = 1;
  221. const int setrlimit_errno = errno;
  222. #ifdef OPEN_MAX
  223. uint64_t try_limit = OPEN_MAX - ULIMIT_BUFFER;
  224. if (errno == EINVAL && try_limit < (uint64_t) rlim.rlim_cur) {
  225. /* On some platforms, OPEN_MAX is the real limit, and getrlimit() is
  226. * full of nasty lies. I'm looking at you, OSX 10.5.... */
  227. rlim.rlim_cur = MIN((rlim_t) try_limit, rlim.rlim_cur);
  228. if (setrlimit(RLIMIT_NOFILE, &rlim) == 0) {
  229. if (rlim.rlim_cur < (rlim_t)limit) {
  230. log_warn(LD_CONFIG, "We are limited to %lu file descriptors by "
  231. "OPEN_MAX (%lu), and ConnLimit is %lu. Changing "
  232. "ConnLimit; sorry.",
  233. (unsigned long)try_limit, (unsigned long)OPEN_MAX,
  234. (unsigned long)limit);
  235. } else {
  236. log_info(LD_CONFIG, "Dropped connection limit to %lu based on "
  237. "OPEN_MAX (%lu); Apparently, %lu was too high and rlimit "
  238. "lied to us.",
  239. (unsigned long)try_limit, (unsigned long)OPEN_MAX,
  240. (unsigned long)rlim.rlim_max);
  241. }
  242. couldnt_set = 0;
  243. }
  244. }
  245. #endif /* defined(OPEN_MAX) */
  246. if (couldnt_set) {
  247. log_warn(LD_CONFIG,"Couldn't set maximum number of file descriptors: %s",
  248. strerror(setrlimit_errno));
  249. }
  250. }
  251. /* leave some overhead for logs, etc, */
  252. limit = rlim.rlim_cur;
  253. #endif /* !defined(HAVE_GETRLIMIT) */
  254. if (limit > INT_MAX)
  255. limit = INT_MAX;
  256. tor_assert(max_out);
  257. *max_out = (int)limit - ULIMIT_BUFFER;
  258. set_max_sockets(*max_out);
  259. return 0;
  260. }