sandbox.c 41 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776
  1. /* Copyright (c) 2001 Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2015, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file sandbox.c
  8. * \brief Code to enable sandboxing.
  9. **/
  10. #include "orconfig.h"
  11. #ifndef _LARGEFILE64_SOURCE
  12. /**
  13. * Temporarily required for O_LARGEFILE flag. Needs to be removed
  14. * with the libevent fix.
  15. */
  16. #define _LARGEFILE64_SOURCE
  17. #endif
  18. /** Malloc mprotect limit in bytes. */
  19. #define MALLOC_MP_LIM 1048576
  20. #include <stdio.h>
  21. #include <string.h>
  22. #include <stdlib.h>
  23. #include "sandbox.h"
  24. #include "container.h"
  25. #include "torlog.h"
  26. #include "torint.h"
  27. #include "util.h"
  28. #include "tor_queue.h"
  29. #include "ht.h"
  30. #define DEBUGGING_CLOSE
  31. #if defined(USE_LIBSECCOMP)
  32. #define _GNU_SOURCE
  33. #include <sys/mman.h>
  34. #include <sys/syscall.h>
  35. #include <sys/types.h>
  36. #include <sys/stat.h>
  37. #include <sys/epoll.h>
  38. #include <sys/prctl.h>
  39. #include <linux/futex.h>
  40. #include <bits/signum.h>
  41. #include <stdarg.h>
  42. #include <seccomp.h>
  43. #include <signal.h>
  44. #include <unistd.h>
  45. #include <fcntl.h>
  46. #include <time.h>
  47. #include <poll.h>
  48. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  49. #include <linux/netfilter_ipv4.h>
  50. #endif
  51. #ifdef HAVE_LINUX_IF_H
  52. #include <linux/if.h>
  53. #endif
  54. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  55. #include <linux/netfilter_ipv6/ip6_tables.h>
  56. #endif
  57. #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
  58. defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
  59. #define USE_BACKTRACE
  60. #define EXPOSE_CLEAN_BACKTRACE
  61. #include "backtrace.h"
  62. #endif
  63. #ifdef USE_BACKTRACE
  64. #include <execinfo.h>
  65. #endif
  66. /**
  67. * Linux 32 bit definitions
  68. */
  69. #if defined(__i386__)
  70. #define REG_SYSCALL REG_EAX
  71. #define M_SYSCALL gregs[REG_SYSCALL]
  72. /**
  73. * Linux 64 bit definitions
  74. */
  75. #elif defined(__x86_64__)
  76. #define REG_SYSCALL REG_RAX
  77. #define M_SYSCALL gregs[REG_SYSCALL]
  78. #elif defined(__arm__)
  79. #define M_SYSCALL arm_r7
  80. #endif
  81. /**Determines if at least one sandbox is active.*/
  82. static int sandbox_active = 0;
  83. /** Holds the parameter list configuration for the sandbox.*/
  84. static sandbox_cfg_t *filter_dynamic = NULL;
  85. #undef SCMP_CMP
  86. #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
  87. #define SCMP_CMP_STR(a,b,c) \
  88. ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
  89. #define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
  90. /* We use a wrapper here because these masked comparisons seem to be pretty
  91. * verbose. Also, it's important to cast to scmp_datum_t before negating the
  92. * mask, since otherwise the negation might get applied to a 32 bit value, and
  93. * the high bits of the value might get masked out improperly. */
  94. #define SCMP_CMP_MASKED(a,b,c) \
  95. SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
  96. /** Variable used for storing all syscall numbers that will be allowed with the
  97. * stage 1 general Tor sandbox.
  98. */
  99. static int filter_nopar_gen[] = {
  100. SCMP_SYS(access),
  101. SCMP_SYS(brk),
  102. SCMP_SYS(clock_gettime),
  103. SCMP_SYS(close),
  104. SCMP_SYS(clone),
  105. SCMP_SYS(epoll_create),
  106. SCMP_SYS(epoll_wait),
  107. SCMP_SYS(fcntl),
  108. SCMP_SYS(fstat),
  109. #ifdef __NR_fstat64
  110. SCMP_SYS(fstat64),
  111. #endif
  112. SCMP_SYS(getdents64),
  113. SCMP_SYS(getegid),
  114. #ifdef __NR_getegid32
  115. SCMP_SYS(getegid32),
  116. #endif
  117. SCMP_SYS(geteuid),
  118. #ifdef __NR_geteuid32
  119. SCMP_SYS(geteuid32),
  120. #endif
  121. SCMP_SYS(getgid),
  122. #ifdef __NR_getgid32
  123. SCMP_SYS(getgid32),
  124. #endif
  125. #ifdef __NR_getrlimit
  126. SCMP_SYS(getrlimit),
  127. #endif
  128. SCMP_SYS(gettimeofday),
  129. SCMP_SYS(gettid),
  130. SCMP_SYS(getuid),
  131. #ifdef __NR_getuid32
  132. SCMP_SYS(getuid32),
  133. #endif
  134. SCMP_SYS(lseek),
  135. #ifdef __NR__llseek
  136. SCMP_SYS(_llseek),
  137. #endif
  138. SCMP_SYS(mkdir),
  139. SCMP_SYS(mlockall),
  140. #ifdef __NR_mmap
  141. /* XXXX restrict this in the same ways as mmap2 */
  142. SCMP_SYS(mmap),
  143. #endif
  144. SCMP_SYS(munmap),
  145. SCMP_SYS(read),
  146. SCMP_SYS(rt_sigreturn),
  147. SCMP_SYS(sched_getaffinity),
  148. SCMP_SYS(set_robust_list),
  149. #ifdef __NR_sigreturn
  150. SCMP_SYS(sigreturn),
  151. #endif
  152. SCMP_SYS(stat),
  153. SCMP_SYS(uname),
  154. SCMP_SYS(write),
  155. SCMP_SYS(writev),
  156. SCMP_SYS(exit_group),
  157. SCMP_SYS(exit),
  158. SCMP_SYS(madvise),
  159. #ifdef __NR_stat64
  160. // getaddrinfo uses this..
  161. SCMP_SYS(stat64),
  162. #endif
  163. /*
  164. * These socket syscalls are not required on x86_64 and not supported with
  165. * some libseccomp versions (eg: 1.0.1)
  166. */
  167. #if defined(__i386)
  168. SCMP_SYS(recv),
  169. SCMP_SYS(send),
  170. #endif
  171. // socket syscalls
  172. SCMP_SYS(bind),
  173. SCMP_SYS(listen),
  174. SCMP_SYS(connect),
  175. SCMP_SYS(getsockname),
  176. SCMP_SYS(recvmsg),
  177. SCMP_SYS(recvfrom),
  178. SCMP_SYS(sendto),
  179. SCMP_SYS(unlink)
  180. };
  181. /* These macros help avoid the error where the number of filters we add on a
  182. * single rule don't match the arg_cnt param. */
  183. #define seccomp_rule_add_0(ctx,act,call) \
  184. seccomp_rule_add((ctx),(act),(call),0)
  185. #define seccomp_rule_add_1(ctx,act,call,f1) \
  186. seccomp_rule_add((ctx),(act),(call),1,(f1))
  187. #define seccomp_rule_add_2(ctx,act,call,f1,f2) \
  188. seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
  189. #define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
  190. seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
  191. #define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
  192. seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
  193. /**
  194. * Function responsible for setting up the rt_sigaction syscall for
  195. * the seccomp filter sandbox.
  196. */
  197. static int
  198. sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  199. {
  200. unsigned i;
  201. int rc;
  202. int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
  203. #ifdef SIGXFSZ
  204. SIGXFSZ
  205. #endif
  206. };
  207. (void) filter;
  208. for (i = 0; i < ARRAY_LENGTH(param); i++) {
  209. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
  210. SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
  211. if (rc)
  212. break;
  213. }
  214. return rc;
  215. }
  216. #if 0
  217. /**
  218. * Function responsible for setting up the execve syscall for
  219. * the seccomp filter sandbox.
  220. */
  221. static int
  222. sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  223. {
  224. int rc;
  225. sandbox_cfg_t *elem = NULL;
  226. // for each dynamic parameter filters
  227. for (elem = filter; elem != NULL; elem = elem->next) {
  228. smp_param_t *param = elem->param;
  229. if (param != NULL && param->prot == 1 && param->syscall
  230. == SCMP_SYS(execve)) {
  231. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve),
  232. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  233. if (rc != 0) {
  234. log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received "
  235. "libseccomp error %d", rc);
  236. return rc;
  237. }
  238. }
  239. }
  240. return 0;
  241. }
  242. #endif
  243. /**
  244. * Function responsible for setting up the time syscall for
  245. * the seccomp filter sandbox.
  246. */
  247. static int
  248. sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  249. {
  250. (void) filter;
  251. #ifdef __NR_time
  252. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
  253. SCMP_CMP(0, SCMP_CMP_EQ, 0));
  254. #else
  255. return 0;
  256. #endif
  257. }
  258. /**
  259. * Function responsible for setting up the accept4 syscall for
  260. * the seccomp filter sandbox.
  261. */
  262. static int
  263. sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  264. {
  265. int rc = 0;
  266. (void)filter;
  267. #ifdef __i386__
  268. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
  269. SCMP_CMP(0, SCMP_CMP_EQ, 18));
  270. if (rc) {
  271. return rc;
  272. }
  273. #endif
  274. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
  275. SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
  276. if (rc) {
  277. return rc;
  278. }
  279. return 0;
  280. }
  281. #ifdef __NR_mmap2
  282. /**
  283. * Function responsible for setting up the mmap2 syscall for
  284. * the seccomp filter sandbox.
  285. */
  286. static int
  287. sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  288. {
  289. int rc = 0;
  290. (void)filter;
  291. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  292. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
  293. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
  294. if (rc) {
  295. return rc;
  296. }
  297. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  298. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
  299. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
  300. if (rc) {
  301. return rc;
  302. }
  303. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  304. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  305. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
  306. if (rc) {
  307. return rc;
  308. }
  309. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  310. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  311. SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
  312. if (rc) {
  313. return rc;
  314. }
  315. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  316. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  317. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
  318. if (rc) {
  319. return rc;
  320. }
  321. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  322. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  323. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
  324. if (rc) {
  325. return rc;
  326. }
  327. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  328. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
  329. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
  330. if (rc) {
  331. return rc;
  332. }
  333. return 0;
  334. }
  335. #endif
  336. /**
  337. * Function responsible for setting up the open syscall for
  338. * the seccomp filter sandbox.
  339. */
  340. static int
  341. sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  342. {
  343. int rc;
  344. sandbox_cfg_t *elem = NULL;
  345. // for each dynamic parameter filters
  346. for (elem = filter; elem != NULL; elem = elem->next) {
  347. smp_param_t *param = elem->param;
  348. if (param != NULL && param->prot == 1 && param->syscall
  349. == SCMP_SYS(open)) {
  350. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
  351. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  352. if (rc != 0) {
  353. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  354. "libseccomp error %d", rc);
  355. return rc;
  356. }
  357. }
  358. }
  359. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
  360. SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY, O_RDONLY));
  361. if (rc != 0) {
  362. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
  363. "error %d", rc);
  364. return rc;
  365. }
  366. return 0;
  367. }
  368. static int
  369. sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  370. {
  371. int rc;
  372. (void) filter;
  373. (void) ctx;
  374. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
  375. if (rc != 0) {
  376. log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
  377. "received libseccomp error %d", rc);
  378. return rc;
  379. }
  380. return 0;
  381. }
  382. /**
  383. * Function responsible for setting up the rename syscall for
  384. * the seccomp filter sandbox.
  385. */
  386. static int
  387. sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  388. {
  389. int rc;
  390. sandbox_cfg_t *elem = NULL;
  391. // for each dynamic parameter filters
  392. for (elem = filter; elem != NULL; elem = elem->next) {
  393. smp_param_t *param = elem->param;
  394. if (param != NULL && param->prot == 1 &&
  395. param->syscall == SCMP_SYS(rename)) {
  396. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
  397. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
  398. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
  399. if (rc != 0) {
  400. log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
  401. "libseccomp error %d", rc);
  402. return rc;
  403. }
  404. }
  405. }
  406. return 0;
  407. }
  408. /**
  409. * Function responsible for setting up the openat syscall for
  410. * the seccomp filter sandbox.
  411. */
  412. static int
  413. sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  414. {
  415. int rc;
  416. sandbox_cfg_t *elem = NULL;
  417. // for each dynamic parameter filters
  418. for (elem = filter; elem != NULL; elem = elem->next) {
  419. smp_param_t *param = elem->param;
  420. if (param != NULL && param->prot == 1 && param->syscall
  421. == SCMP_SYS(openat)) {
  422. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
  423. SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
  424. SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
  425. SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
  426. O_CLOEXEC));
  427. if (rc != 0) {
  428. log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
  429. "libseccomp error %d", rc);
  430. return rc;
  431. }
  432. }
  433. }
  434. return 0;
  435. }
  436. /**
  437. * Function responsible for setting up the socket syscall for
  438. * the seccomp filter sandbox.
  439. */
  440. static int
  441. sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  442. {
  443. int rc = 0;
  444. int i;
  445. (void) filter;
  446. #ifdef __i386__
  447. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
  448. if (rc)
  449. return rc;
  450. #endif
  451. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  452. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  453. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
  454. if (rc)
  455. return rc;
  456. for (i = 0; i < 2; ++i) {
  457. const int pf = i ? PF_INET : PF_INET6;
  458. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  459. SCMP_CMP(0, SCMP_CMP_EQ, pf),
  460. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
  461. SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
  462. if (rc)
  463. return rc;
  464. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  465. SCMP_CMP(0, SCMP_CMP_EQ, pf),
  466. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
  467. SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
  468. if (rc)
  469. return rc;
  470. }
  471. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  472. SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
  473. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
  474. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  475. if (rc)
  476. return rc;
  477. return 0;
  478. }
  479. /**
  480. * Function responsible for setting up the socketpair syscall for
  481. * the seccomp filter sandbox.
  482. */
  483. static int
  484. sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  485. {
  486. int rc = 0;
  487. (void) filter;
  488. #ifdef __i386__
  489. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
  490. if (rc)
  491. return rc;
  492. #endif
  493. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
  494. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  495. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
  496. if (rc)
  497. return rc;
  498. return 0;
  499. }
  500. /**
  501. * Function responsible for setting up the setsockopt syscall for
  502. * the seccomp filter sandbox.
  503. */
  504. static int
  505. sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  506. {
  507. int rc = 0;
  508. (void) filter;
  509. #ifdef __i386__
  510. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
  511. if (rc)
  512. return rc;
  513. #endif
  514. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  515. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  516. SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
  517. if (rc)
  518. return rc;
  519. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  520. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  521. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  522. if (rc)
  523. return rc;
  524. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  525. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  526. SCMP_CMP(2, SCMP_CMP_EQ, SO_RCVBUF));
  527. if (rc)
  528. return rc;
  529. #ifdef IP_TRANSPARENT
  530. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  531. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  532. SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
  533. if (rc)
  534. return rc;
  535. #endif
  536. return 0;
  537. }
  538. /**
  539. * Function responsible for setting up the getsockopt syscall for
  540. * the seccomp filter sandbox.
  541. */
  542. static int
  543. sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  544. {
  545. int rc = 0;
  546. (void) filter;
  547. #ifdef __i386__
  548. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
  549. if (rc)
  550. return rc;
  551. #endif
  552. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  553. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  554. SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
  555. if (rc)
  556. return rc;
  557. #ifdef HAVE_LINUX_NETFILTER_IPV4_H
  558. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  559. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  560. SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
  561. if (rc)
  562. return rc;
  563. #endif
  564. #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
  565. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  566. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
  567. SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
  568. if (rc)
  569. return rc;
  570. #endif
  571. return 0;
  572. }
  573. #ifdef __NR_fcntl64
  574. /**
  575. * Function responsible for setting up the fcntl64 syscall for
  576. * the seccomp filter sandbox.
  577. */
  578. static int
  579. sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  580. {
  581. int rc = 0;
  582. (void) filter;
  583. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  584. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
  585. if (rc)
  586. return rc;
  587. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  588. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
  589. SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
  590. if (rc)
  591. return rc;
  592. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  593. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
  594. if (rc)
  595. return rc;
  596. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  597. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
  598. SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
  599. if (rc)
  600. return rc;
  601. return 0;
  602. }
  603. #endif
  604. /**
  605. * Function responsible for setting up the epoll_ctl syscall for
  606. * the seccomp filter sandbox.
  607. *
  608. * Note: basically allows everything but will keep for now..
  609. */
  610. static int
  611. sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  612. {
  613. int rc = 0;
  614. (void) filter;
  615. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  616. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
  617. if (rc)
  618. return rc;
  619. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  620. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
  621. if (rc)
  622. return rc;
  623. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  624. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
  625. if (rc)
  626. return rc;
  627. return 0;
  628. }
  629. /**
  630. * Function responsible for setting up the fcntl64 syscall for
  631. * the seccomp filter sandbox.
  632. *
  633. * NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
  634. * to be whitelisted in this function.
  635. */
  636. static int
  637. sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  638. {
  639. int rc = 0;
  640. (void) filter;
  641. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
  642. SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
  643. if (rc)
  644. return rc;
  645. return 0;
  646. }
  647. /**
  648. * Function responsible for setting up the fcntl64 syscall for
  649. * the seccomp filter sandbox.
  650. *
  651. * NOTE: does not NEED to be here.. currently only occurs before filter; will
  652. * keep just in case for the future.
  653. */
  654. static int
  655. sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  656. {
  657. int rc = 0;
  658. (void) filter;
  659. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  660. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
  661. if (rc)
  662. return rc;
  663. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  664. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
  665. if (rc)
  666. return rc;
  667. return 0;
  668. }
  669. /**
  670. * Function responsible for setting up the rt_sigprocmask syscall for
  671. * the seccomp filter sandbox.
  672. */
  673. static int
  674. sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  675. {
  676. int rc = 0;
  677. (void) filter;
  678. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  679. SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
  680. if (rc)
  681. return rc;
  682. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  683. SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
  684. if (rc)
  685. return rc;
  686. return 0;
  687. }
  688. /**
  689. * Function responsible for setting up the flock syscall for
  690. * the seccomp filter sandbox.
  691. *
  692. * NOTE: does not need to be here, occurs before filter is applied.
  693. */
  694. static int
  695. sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  696. {
  697. int rc = 0;
  698. (void) filter;
  699. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  700. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
  701. if (rc)
  702. return rc;
  703. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  704. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
  705. if (rc)
  706. return rc;
  707. return 0;
  708. }
  709. /**
  710. * Function responsible for setting up the futex syscall for
  711. * the seccomp filter sandbox.
  712. */
  713. static int
  714. sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  715. {
  716. int rc = 0;
  717. (void) filter;
  718. // can remove
  719. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  720. SCMP_CMP(1, SCMP_CMP_EQ,
  721. FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
  722. if (rc)
  723. return rc;
  724. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  725. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
  726. if (rc)
  727. return rc;
  728. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  729. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
  730. if (rc)
  731. return rc;
  732. return 0;
  733. }
  734. /**
  735. * Function responsible for setting up the mremap syscall for
  736. * the seccomp filter sandbox.
  737. *
  738. * NOTE: so far only occurs before filter is applied.
  739. */
  740. static int
  741. sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  742. {
  743. int rc = 0;
  744. (void) filter;
  745. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
  746. SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
  747. if (rc)
  748. return rc;
  749. return 0;
  750. }
  751. /**
  752. * Function responsible for setting up the poll syscall for
  753. * the seccomp filter sandbox.
  754. */
  755. static int
  756. sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  757. {
  758. int rc = 0;
  759. (void) filter;
  760. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll),
  761. SCMP_CMP(1, SCMP_CMP_EQ, 1),
  762. SCMP_CMP(2, SCMP_CMP_EQ, 10));
  763. if (rc)
  764. return rc;
  765. return 0;
  766. }
  767. #ifdef __NR_stat64
  768. /**
  769. * Function responsible for setting up the stat64 syscall for
  770. * the seccomp filter sandbox.
  771. */
  772. static int
  773. sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  774. {
  775. int rc = 0;
  776. sandbox_cfg_t *elem = NULL;
  777. // for each dynamic parameter filters
  778. for (elem = filter; elem != NULL; elem = elem->next) {
  779. smp_param_t *param = elem->param;
  780. if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
  781. || param->syscall == SCMP_SYS(stat64))) {
  782. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
  783. SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
  784. if (rc != 0) {
  785. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  786. "libseccomp error %d", rc);
  787. return rc;
  788. }
  789. }
  790. }
  791. return 0;
  792. }
  793. #endif
  794. /**
  795. * Array of function pointers responsible for filtering different syscalls at
  796. * a parameter level.
  797. */
  798. static sandbox_filter_func_t filter_func[] = {
  799. sb_rt_sigaction,
  800. sb_rt_sigprocmask,
  801. #if 0
  802. sb_execve,
  803. #endif
  804. sb_time,
  805. sb_accept4,
  806. #ifdef __NR_mmap2
  807. sb_mmap2,
  808. #endif
  809. sb_open,
  810. sb_openat,
  811. sb__sysctl,
  812. sb_rename,
  813. #ifdef __NR_fcntl64
  814. sb_fcntl64,
  815. #endif
  816. sb_epoll_ctl,
  817. sb_prctl,
  818. sb_mprotect,
  819. sb_flock,
  820. sb_futex,
  821. sb_mremap,
  822. sb_poll,
  823. #ifdef __NR_stat64
  824. sb_stat64,
  825. #endif
  826. sb_socket,
  827. sb_setsockopt,
  828. sb_getsockopt,
  829. sb_socketpair
  830. };
  831. const char *
  832. sandbox_intern_string(const char *str)
  833. {
  834. sandbox_cfg_t *elem;
  835. if (str == NULL)
  836. return NULL;
  837. for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
  838. smp_param_t *param = elem->param;
  839. if (param->prot) {
  840. if (!strcmp(str, (char*)(param->value))) {
  841. return (char*)param->value;
  842. }
  843. if (param->value2 && !strcmp(str, (char*)param->value2)) {
  844. return (char*)param->value2;
  845. }
  846. }
  847. }
  848. if (sandbox_active)
  849. log_warn(LD_BUG, "No interned sandbox parameter found for %s", str);
  850. return str;
  851. }
  852. /** DOCDOC */
  853. static int
  854. prot_strings_helper(strmap_t *locations,
  855. char **pr_mem_next_p,
  856. size_t *pr_mem_left_p,
  857. char **value_p)
  858. {
  859. char *param_val;
  860. size_t param_size;
  861. void *location;
  862. if (*value_p == 0)
  863. return 0;
  864. param_val = (char*) *value_p;
  865. param_size = strlen(param_val) + 1;
  866. location = strmap_get(locations, param_val);
  867. if (location) {
  868. // We already interned this string.
  869. tor_free(param_val);
  870. *value_p = location;
  871. return 0;
  872. } else if (*pr_mem_left_p >= param_size) {
  873. // copy to protected
  874. location = *pr_mem_next_p;
  875. memcpy(location, param_val, param_size);
  876. // re-point el parameter to protected
  877. tor_free(param_val);
  878. *value_p = location;
  879. strmap_set(locations, location, location); /* good real estate advice */
  880. // move next available protected memory
  881. *pr_mem_next_p += param_size;
  882. *pr_mem_left_p -= param_size;
  883. return 0;
  884. } else {
  885. log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
  886. return -1;
  887. }
  888. }
  889. /**
  890. * Protects all the strings in the sandbox's parameter list configuration. It
  891. * works by calculating the total amount of memory required by the parameter
  892. * list, allocating the memory using mmap, and protecting it from writes with
  893. * mprotect().
  894. */
  895. static int
  896. prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  897. {
  898. int ret = 0;
  899. size_t pr_mem_size = 0, pr_mem_left = 0;
  900. char *pr_mem_next = NULL, *pr_mem_base;
  901. sandbox_cfg_t *el = NULL;
  902. strmap_t *locations = NULL;
  903. // get total number of bytes required to mmap. (Overestimate.)
  904. for (el = cfg; el != NULL; el = el->next) {
  905. pr_mem_size += strlen((char*) el->param->value) + 1;
  906. if (el->param->value2)
  907. pr_mem_size += strlen((char*) el->param->value2) + 1;
  908. }
  909. // allocate protected memory with MALLOC_MP_LIM canary
  910. pr_mem_base = (char*) mmap(NULL, MALLOC_MP_LIM + pr_mem_size,
  911. PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
  912. if (pr_mem_base == MAP_FAILED) {
  913. log_err(LD_BUG,"(Sandbox) failed allocate protected memory! mmap: %s",
  914. strerror(errno));
  915. ret = -1;
  916. goto out;
  917. }
  918. pr_mem_next = pr_mem_base + MALLOC_MP_LIM;
  919. pr_mem_left = pr_mem_size;
  920. locations = strmap_new();
  921. // change el value pointer to protected
  922. for (el = cfg; el != NULL; el = el->next) {
  923. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  924. &el->param->value) < 0) {
  925. ret = -2;
  926. goto out;
  927. }
  928. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  929. &el->param->value2) < 0) {
  930. ret = -2;
  931. goto out;
  932. }
  933. el->param->prot = 1;
  934. }
  935. // protecting from writes
  936. if (mprotect(pr_mem_base, MALLOC_MP_LIM + pr_mem_size, PROT_READ)) {
  937. log_err(LD_BUG,"(Sandbox) failed to protect memory! mprotect: %s",
  938. strerror(errno));
  939. ret = -3;
  940. goto out;
  941. }
  942. /*
  943. * Setting sandbox restrictions so the string memory cannot be tampered with
  944. */
  945. // no mremap of the protected base address
  946. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
  947. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  948. if (ret) {
  949. log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!");
  950. goto out;
  951. }
  952. // no munmap of the protected base address
  953. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
  954. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  955. if (ret) {
  956. log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!");
  957. goto out;
  958. }
  959. /*
  960. * Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
  961. * never over the memory region used by the protected strings.
  962. *
  963. * PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
  964. * had to be removed due to limitation of libseccomp regarding intervals.
  965. *
  966. * There is a restriction on how much you can mprotect with R|W up to the
  967. * size of the canary.
  968. */
  969. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  970. SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
  971. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  972. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  973. if (ret) {
  974. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (LT)!");
  975. goto out;
  976. }
  977. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  978. SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
  979. MALLOC_MP_LIM),
  980. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  981. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  982. if (ret) {
  983. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (GT)!");
  984. goto out;
  985. }
  986. out:
  987. strmap_free(locations, NULL);
  988. return ret;
  989. }
  990. /**
  991. * Auxiliary function used in order to allocate a sandbox_cfg_t element and set
  992. * it's values according the the parameter list. All elements are initialised
  993. * with the 'prot' field set to false, as the pointer is not protected at this
  994. * point.
  995. */
  996. static sandbox_cfg_t*
  997. new_element2(int syscall, char *value, char *value2)
  998. {
  999. smp_param_t *param = NULL;
  1000. sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t));
  1001. param = elem->param = tor_malloc_zero(sizeof(smp_param_t));
  1002. param->syscall = syscall;
  1003. param->value = value;
  1004. param->value2 = value2;
  1005. param->prot = 0;
  1006. return elem;
  1007. }
  1008. static sandbox_cfg_t*
  1009. new_element(int syscall, char *value)
  1010. {
  1011. return new_element2(syscall, value, NULL);
  1012. }
  1013. #ifdef __NR_stat64
  1014. #define SCMP_stat SCMP_SYS(stat64)
  1015. #else
  1016. #define SCMP_stat SCMP_SYS(stat)
  1017. #endif
  1018. int
  1019. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1020. {
  1021. sandbox_cfg_t *elem = NULL;
  1022. elem = new_element(SCMP_stat, file);
  1023. if (!elem) {
  1024. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1025. return -1;
  1026. }
  1027. elem->next = *cfg;
  1028. *cfg = elem;
  1029. return 0;
  1030. }
  1031. int
  1032. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1033. {
  1034. sandbox_cfg_t *elem = NULL;
  1035. elem = new_element(SCMP_SYS(open), file);
  1036. if (!elem) {
  1037. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1038. return -1;
  1039. }
  1040. elem->next = *cfg;
  1041. *cfg = elem;
  1042. return 0;
  1043. }
  1044. int
  1045. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1046. {
  1047. sandbox_cfg_t *elem = NULL;
  1048. elem = new_element2(SCMP_SYS(rename), file1, file2);
  1049. if (!elem) {
  1050. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1051. return -1;
  1052. }
  1053. elem->next = *cfg;
  1054. *cfg = elem;
  1055. return 0;
  1056. }
  1057. int
  1058. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1059. {
  1060. sandbox_cfg_t *elem = NULL;
  1061. elem = new_element(SCMP_SYS(openat), file);
  1062. if (!elem) {
  1063. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1064. return -1;
  1065. }
  1066. elem->next = *cfg;
  1067. *cfg = elem;
  1068. return 0;
  1069. }
  1070. #if 0
  1071. int
  1072. sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  1073. {
  1074. sandbox_cfg_t *elem = NULL;
  1075. elem = new_element(SCMP_SYS(execve), com);
  1076. if (!elem) {
  1077. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1078. return -1;
  1079. }
  1080. elem->next = *cfg;
  1081. *cfg = elem;
  1082. return 0;
  1083. }
  1084. #endif
  1085. /** Cache entry for getaddrinfo results; used when sandboxing is implemented
  1086. * so that we can consult the cache when the sandbox prevents us from doing
  1087. * getaddrinfo.
  1088. *
  1089. * We support only a limited range of getaddrinfo calls, where servname is null
  1090. * and hints contains only socktype=SOCK_STREAM, family in INET,INET6,UNSPEC.
  1091. */
  1092. typedef struct cached_getaddrinfo_item_t {
  1093. HT_ENTRY(cached_getaddrinfo_item_t) node;
  1094. char *name;
  1095. int family;
  1096. /** set if no error; otherwise NULL */
  1097. struct addrinfo *res;
  1098. /** 0 for no error; otherwise an EAI_* value */
  1099. int err;
  1100. } cached_getaddrinfo_item_t;
  1101. static unsigned
  1102. cached_getaddrinfo_item_hash(const cached_getaddrinfo_item_t *item)
  1103. {
  1104. return (unsigned)siphash24g(item->name, strlen(item->name)) + item->family;
  1105. }
  1106. static unsigned
  1107. cached_getaddrinfo_items_eq(const cached_getaddrinfo_item_t *a,
  1108. const cached_getaddrinfo_item_t *b)
  1109. {
  1110. return (a->family == b->family) && 0 == strcmp(a->name, b->name);
  1111. }
  1112. static void
  1113. cached_getaddrinfo_item_free(cached_getaddrinfo_item_t *item)
  1114. {
  1115. if (item == NULL)
  1116. return;
  1117. tor_free(item->name);
  1118. if (item->res)
  1119. freeaddrinfo(item->res);
  1120. tor_free(item);
  1121. }
  1122. static HT_HEAD(getaddrinfo_cache, cached_getaddrinfo_item_t)
  1123. getaddrinfo_cache = HT_INITIALIZER();
  1124. HT_PROTOTYPE(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1125. cached_getaddrinfo_item_hash,
  1126. cached_getaddrinfo_items_eq);
  1127. HT_GENERATE2(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1128. cached_getaddrinfo_item_hash,
  1129. cached_getaddrinfo_items_eq,
  1130. 0.6, tor_reallocarray_, tor_free_)
  1131. /** If true, don't try to cache getaddrinfo results. */
  1132. static int sandbox_getaddrinfo_cache_disabled = 0;
  1133. /** Tell the sandbox layer not to try to cache getaddrinfo results. Used as in
  1134. * tor-resolve, when we have no intention of initializing crypto or of
  1135. * installing the sandbox.*/
  1136. void
  1137. sandbox_disable_getaddrinfo_cache(void)
  1138. {
  1139. sandbox_getaddrinfo_cache_disabled = 1;
  1140. }
  1141. void
  1142. sandbox_freeaddrinfo(struct addrinfo *ai)
  1143. {
  1144. if (sandbox_getaddrinfo_cache_disabled)
  1145. freeaddrinfo(ai);
  1146. }
  1147. int
  1148. sandbox_getaddrinfo(const char *name, const char *servname,
  1149. const struct addrinfo *hints,
  1150. struct addrinfo **res)
  1151. {
  1152. int err;
  1153. struct cached_getaddrinfo_item_t search, *item;
  1154. if (sandbox_getaddrinfo_cache_disabled) {
  1155. return getaddrinfo(name, NULL, hints, res);
  1156. }
  1157. if (servname != NULL) {
  1158. log_warn(LD_BUG, "called with non-NULL servname");
  1159. return EAI_NONAME;
  1160. }
  1161. if (name == NULL) {
  1162. log_warn(LD_BUG, "called with NULL name");
  1163. return EAI_NONAME;
  1164. }
  1165. *res = NULL;
  1166. memset(&search, 0, sizeof(search));
  1167. search.name = (char *) name;
  1168. search.family = hints ? hints->ai_family : AF_UNSPEC;
  1169. item = HT_FIND(getaddrinfo_cache, &getaddrinfo_cache, &search);
  1170. if (! sandbox_is_active()) {
  1171. /* If the sandbox is not turned on yet, then getaddrinfo and store the
  1172. result. */
  1173. err = getaddrinfo(name, NULL, hints, res);
  1174. log_info(LD_NET,"(Sandbox) getaddrinfo %s.", err ? "failed" : "succeeded");
  1175. if (! item) {
  1176. item = tor_malloc_zero(sizeof(*item));
  1177. item->name = tor_strdup(name);
  1178. item->family = hints ? hints->ai_family : AF_UNSPEC;
  1179. HT_INSERT(getaddrinfo_cache, &getaddrinfo_cache, item);
  1180. }
  1181. if (item->res) {
  1182. freeaddrinfo(item->res);
  1183. item->res = NULL;
  1184. }
  1185. item->res = *res;
  1186. item->err = err;
  1187. return err;
  1188. }
  1189. /* Otherwise, the sanbox is on. If we have an item, yield its cached
  1190. result. */
  1191. if (item) {
  1192. *res = item->res;
  1193. return item->err;
  1194. }
  1195. /* getting here means something went wrong */
  1196. log_err(LD_BUG,"(Sandbox) failed to get address %s!", name);
  1197. return EAI_NONAME;
  1198. }
  1199. int
  1200. sandbox_add_addrinfo(const char *name)
  1201. {
  1202. struct addrinfo *res;
  1203. struct addrinfo hints;
  1204. int i;
  1205. static const int families[] = { AF_INET, AF_INET6, AF_UNSPEC };
  1206. memset(&hints, 0, sizeof(hints));
  1207. hints.ai_socktype = SOCK_STREAM;
  1208. for (i = 0; i < 3; ++i) {
  1209. hints.ai_family = families[i];
  1210. res = NULL;
  1211. (void) sandbox_getaddrinfo(name, NULL, &hints, &res);
  1212. if (res)
  1213. sandbox_freeaddrinfo(res);
  1214. }
  1215. return 0;
  1216. }
  1217. void
  1218. sandbox_free_getaddrinfo_cache(void)
  1219. {
  1220. cached_getaddrinfo_item_t **next, **item;
  1221. for (item = HT_START(getaddrinfo_cache, &getaddrinfo_cache);
  1222. item;
  1223. item = next) {
  1224. next = HT_NEXT_RMV(getaddrinfo_cache, &getaddrinfo_cache, item);
  1225. cached_getaddrinfo_item_free(*item);
  1226. }
  1227. HT_CLEAR(getaddrinfo_cache, &getaddrinfo_cache);
  1228. }
  1229. /**
  1230. * Function responsible for going through the parameter syscall filters and
  1231. * call each function pointer in the list.
  1232. */
  1233. static int
  1234. add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1235. {
  1236. unsigned i;
  1237. int rc = 0;
  1238. // function pointer
  1239. for (i = 0; i < ARRAY_LENGTH(filter_func); i++) {
  1240. if ((filter_func[i])(ctx, cfg)) {
  1241. log_err(LD_BUG,"(Sandbox) failed to add syscall %d, received libseccomp "
  1242. "error %d", i, rc);
  1243. return rc;
  1244. }
  1245. }
  1246. return 0;
  1247. }
  1248. /**
  1249. * Function responsible of loading the libseccomp syscall filters which do not
  1250. * have parameter filtering.
  1251. */
  1252. static int
  1253. add_noparam_filter(scmp_filter_ctx ctx)
  1254. {
  1255. unsigned i;
  1256. int rc = 0;
  1257. // add general filters
  1258. for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
  1259. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
  1260. if (rc != 0) {
  1261. log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), "
  1262. "received libseccomp error %d", i, filter_nopar_gen[i], rc);
  1263. return rc;
  1264. }
  1265. }
  1266. return 0;
  1267. }
  1268. /**
  1269. * Function responsible for setting up and enabling a global syscall filter.
  1270. * The function is a prototype developed for stage 1 of sandboxing Tor.
  1271. * Returns 0 on success.
  1272. */
  1273. static int
  1274. install_syscall_filter(sandbox_cfg_t* cfg)
  1275. {
  1276. int rc = 0;
  1277. scmp_filter_ctx ctx;
  1278. ctx = seccomp_init(SCMP_ACT_TRAP);
  1279. if (ctx == NULL) {
  1280. log_err(LD_BUG,"(Sandbox) failed to initialise libseccomp context");
  1281. rc = -1;
  1282. goto end;
  1283. }
  1284. // protectign sandbox parameter strings
  1285. if ((rc = prot_strings(ctx, cfg))) {
  1286. goto end;
  1287. }
  1288. // add parameter filters
  1289. if ((rc = add_param_filter(ctx, cfg))) {
  1290. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1291. goto end;
  1292. }
  1293. // adding filters with no parameters
  1294. if ((rc = add_noparam_filter(ctx))) {
  1295. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1296. goto end;
  1297. }
  1298. // loading the seccomp2 filter
  1299. if ((rc = seccomp_load(ctx))) {
  1300. log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)!", rc,
  1301. strerror(-rc));
  1302. goto end;
  1303. }
  1304. // marking the sandbox as active
  1305. sandbox_active = 1;
  1306. end:
  1307. seccomp_release(ctx);
  1308. return (rc < 0 ? -rc : rc);
  1309. }
  1310. #include "linux_syscalls.inc"
  1311. static const char *
  1312. get_syscall_name(int syscall_num)
  1313. {
  1314. int i;
  1315. for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
  1316. if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
  1317. return SYSCALLS_BY_NUMBER[i].syscall_name;
  1318. }
  1319. {
  1320. static char syscall_name_buf[64];
  1321. format_dec_number_sigsafe(syscall_num,
  1322. syscall_name_buf, sizeof(syscall_name_buf));
  1323. return syscall_name_buf;
  1324. }
  1325. }
  1326. #ifdef USE_BACKTRACE
  1327. #define MAX_DEPTH 256
  1328. static void *syscall_cb_buf[MAX_DEPTH];
  1329. #endif
  1330. /**
  1331. * Function called when a SIGSYS is caught by the application. It notifies the
  1332. * user that an error has occurred and either terminates or allows the
  1333. * application to continue execution, based on the DEBUGGING_CLOSE symbol.
  1334. */
  1335. static void
  1336. sigsys_debugging(int nr, siginfo_t *info, void *void_context)
  1337. {
  1338. ucontext_t *ctx = (ucontext_t *) (void_context);
  1339. const char *syscall_name;
  1340. int syscall;
  1341. #ifdef USE_BACKTRACE
  1342. int depth;
  1343. int n_fds, i;
  1344. const int *fds = NULL;
  1345. #endif
  1346. (void) nr;
  1347. if (info->si_code != SYS_SECCOMP)
  1348. return;
  1349. if (!ctx)
  1350. return;
  1351. syscall = (int) ctx->uc_mcontext.M_SYSCALL;
  1352. #ifdef USE_BACKTRACE
  1353. depth = backtrace(syscall_cb_buf, MAX_DEPTH);
  1354. /* Clean up the top stack frame so we get the real function
  1355. * name for the most recently failing function. */
  1356. clean_backtrace(syscall_cb_buf, depth, ctx);
  1357. #endif
  1358. syscall_name = get_syscall_name(syscall);
  1359. tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ",
  1360. syscall_name,
  1361. ")\n",
  1362. NULL);
  1363. #ifdef USE_BACKTRACE
  1364. n_fds = tor_log_get_sigsafe_err_fds(&fds);
  1365. for (i=0; i < n_fds; ++i)
  1366. backtrace_symbols_fd(syscall_cb_buf, depth, fds[i]);
  1367. #endif
  1368. #if defined(DEBUGGING_CLOSE)
  1369. _exit(1);
  1370. #endif // DEBUGGING_CLOSE
  1371. }
  1372. /**
  1373. * Function that adds a handler for SIGSYS, which is the signal thrown
  1374. * when the application is issuing a syscall which is not allowed. The
  1375. * main purpose of this function is to help with debugging by identifying
  1376. * filtered syscalls.
  1377. */
  1378. static int
  1379. install_sigsys_debugging(void)
  1380. {
  1381. struct sigaction act;
  1382. sigset_t mask;
  1383. memset(&act, 0, sizeof(act));
  1384. sigemptyset(&mask);
  1385. sigaddset(&mask, SIGSYS);
  1386. act.sa_sigaction = &sigsys_debugging;
  1387. act.sa_flags = SA_SIGINFO;
  1388. if (sigaction(SIGSYS, &act, NULL) < 0) {
  1389. log_err(LD_BUG,"(Sandbox) Failed to register SIGSYS signal handler");
  1390. return -1;
  1391. }
  1392. if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
  1393. log_err(LD_BUG,"(Sandbox) Failed call to sigprocmask()");
  1394. return -2;
  1395. }
  1396. return 0;
  1397. }
  1398. /**
  1399. * Function responsible of registering the sandbox_cfg_t list of parameter
  1400. * syscall filters to the existing parameter list. This is used for incipient
  1401. * multiple-sandbox support.
  1402. */
  1403. static int
  1404. register_cfg(sandbox_cfg_t* cfg)
  1405. {
  1406. sandbox_cfg_t *elem = NULL;
  1407. if (filter_dynamic == NULL) {
  1408. filter_dynamic = cfg;
  1409. return 0;
  1410. }
  1411. for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
  1412. ;
  1413. elem->next = cfg;
  1414. return 0;
  1415. }
  1416. #endif // USE_LIBSECCOMP
  1417. #ifdef USE_LIBSECCOMP
  1418. /**
  1419. * Initialises the syscall sandbox filter for any linux architecture, taking
  1420. * into account various available features for different linux flavours.
  1421. */
  1422. static int
  1423. initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
  1424. {
  1425. if (install_sigsys_debugging())
  1426. return -1;
  1427. if (install_syscall_filter(cfg))
  1428. return -2;
  1429. if (register_cfg(cfg))
  1430. return -3;
  1431. return 0;
  1432. }
  1433. int
  1434. sandbox_is_active(void)
  1435. {
  1436. return sandbox_active != 0;
  1437. }
  1438. #endif // USE_LIBSECCOMP
  1439. sandbox_cfg_t*
  1440. sandbox_cfg_new(void)
  1441. {
  1442. return NULL;
  1443. }
  1444. int
  1445. sandbox_init(sandbox_cfg_t *cfg)
  1446. {
  1447. #if defined(USE_LIBSECCOMP)
  1448. return initialise_libseccomp_sandbox(cfg);
  1449. #elif defined(__linux__)
  1450. (void)cfg;
  1451. log_warn(LD_GENERAL,
  1452. "This version of Tor was built without support for sandboxing. To "
  1453. "build with support for sandboxing on Linux, you must have "
  1454. "libseccomp and its necessary header files (e.g. seccomp.h).");
  1455. return 0;
  1456. #else
  1457. (void)cfg;
  1458. log_warn(LD_GENERAL,
  1459. "Currently, sandboxing is only implemented on Linux. The feature "
  1460. "is disabled on your platform.");
  1461. return 0;
  1462. #endif
  1463. }
  1464. #ifndef USE_LIBSECCOMP
  1465. int
  1466. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1467. {
  1468. (void)cfg; (void)file;
  1469. return 0;
  1470. }
  1471. int
  1472. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1473. {
  1474. (void)cfg; (void)file;
  1475. return 0;
  1476. }
  1477. #if 0
  1478. int
  1479. sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  1480. {
  1481. (void)cfg; (void)com;
  1482. return 0;
  1483. }
  1484. #endif
  1485. int
  1486. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1487. {
  1488. (void)cfg; (void)file;
  1489. return 0;
  1490. }
  1491. int
  1492. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1493. {
  1494. (void)cfg; (void)file1; (void)file2;
  1495. return 0;
  1496. }
  1497. int
  1498. sandbox_is_active(void)
  1499. {
  1500. return 0;
  1501. }
  1502. void
  1503. sandbox_disable_getaddrinfo_cache(void)
  1504. {
  1505. }
  1506. #endif