sandbox.c 43 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860
  1. /* Copyright (c) 2001 Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2013, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file sandbox.c
  8. * \brief Code to enable sandboxing.
  9. **/
  10. #include "orconfig.h"
  11. #ifndef _LARGEFILE64_SOURCE
  12. /**
  13. * Temporarily required for O_LARGEFILE flag. Needs to be removed
  14. * with the libevent fix.
  15. */
  16. #define _LARGEFILE64_SOURCE
  17. #endif
  18. /** Malloc mprotect limit in bytes. */
  19. #define MALLOC_MP_LIM 1048576
  20. #include <stdio.h>
  21. #include <string.h>
  22. #include <stdlib.h>
  23. #include "sandbox.h"
  24. #include "container.h"
  25. #include "torlog.h"
  26. #include "torint.h"
  27. #include "util.h"
  28. #include "tor_queue.h"
  29. #include "ht.h"
  30. #define DEBUGGING_CLOSE
  31. #if defined(USE_LIBSECCOMP)
  32. #define _GNU_SOURCE
  33. #include <sys/mman.h>
  34. #include <sys/syscall.h>
  35. #include <sys/types.h>
  36. #include <sys/stat.h>
  37. #include <sys/epoll.h>
  38. #include <sys/prctl.h>
  39. #include <linux/futex.h>
  40. #include <bits/signum.h>
  41. #include <stdarg.h>
  42. #include <seccomp.h>
  43. #include <signal.h>
  44. #include <unistd.h>
  45. #include <fcntl.h>
  46. #include <time.h>
  47. #include <poll.h>
  48. #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
  49. defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
  50. #define USE_BACKTRACE
  51. #define EXPOSE_CLEAN_BACKTRACE
  52. #include "backtrace.h"
  53. #endif
  54. #ifdef USE_BACKTRACE
  55. #include <execinfo.h>
  56. #endif
  57. /**
  58. * Linux 32 bit definitions
  59. */
  60. #if defined(__i386__)
  61. #define REG_SYSCALL REG_EAX
  62. #define M_SYSCALL gregs[REG_SYSCALL]
  63. /**
  64. * Linux 64 bit definitions
  65. */
  66. #elif defined(__x86_64__)
  67. #define REG_SYSCALL REG_RAX
  68. #define M_SYSCALL gregs[REG_SYSCALL]
  69. #elif defined(__arm__)
  70. #define M_SYSCALL arm_r7
  71. #endif
  72. /**Determines if at least one sandbox is active.*/
  73. static int sandbox_active = 0;
  74. /** Holds the parameter list configuration for the sandbox.*/
  75. static sandbox_cfg_t *filter_dynamic = NULL;
  76. #undef SCMP_CMP
  77. #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
  78. #define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
  79. /* We use a wrapper here because these masked comparisons seem to be pretty
  80. * verbose. Also, it's important to cast to scmp_datum_t before negating the
  81. * mask, since otherwise the negation might get applied to a 32 bit value, and
  82. * the high bits of the value might get masked out improperly. */
  83. #define SCMP_CMP_MASKED(a,b,c) \
  84. SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
  85. /** Variable used for storing all syscall numbers that will be allowed with the
  86. * stage 1 general Tor sandbox.
  87. */
  88. static int filter_nopar_gen[] = {
  89. SCMP_SYS(access),
  90. SCMP_SYS(brk),
  91. SCMP_SYS(clock_gettime),
  92. SCMP_SYS(close),
  93. SCMP_SYS(clone),
  94. SCMP_SYS(epoll_create),
  95. SCMP_SYS(epoll_wait),
  96. SCMP_SYS(fcntl),
  97. SCMP_SYS(fstat),
  98. #ifdef __NR_fstat64
  99. SCMP_SYS(fstat64),
  100. #endif
  101. SCMP_SYS(getdents64),
  102. SCMP_SYS(getegid),
  103. #ifdef __NR_getegid32
  104. SCMP_SYS(getegid32),
  105. #endif
  106. SCMP_SYS(geteuid),
  107. #ifdef __NR_geteuid32
  108. SCMP_SYS(geteuid32),
  109. #endif
  110. SCMP_SYS(getgid),
  111. #ifdef __NR_getgid32
  112. SCMP_SYS(getgid32),
  113. #endif
  114. #ifdef __NR_getrlimit
  115. SCMP_SYS(getrlimit),
  116. #endif
  117. SCMP_SYS(gettimeofday),
  118. SCMP_SYS(gettid),
  119. SCMP_SYS(getuid),
  120. #ifdef __NR_getuid32
  121. SCMP_SYS(getuid32),
  122. #endif
  123. SCMP_SYS(lseek),
  124. #ifdef __NR__llseek
  125. SCMP_SYS(_llseek),
  126. #endif
  127. SCMP_SYS(mkdir),
  128. SCMP_SYS(mlockall),
  129. #ifdef __NR_mmap
  130. /* XXXX restrict this in the same ways as mmap2 */
  131. SCMP_SYS(mmap),
  132. #endif
  133. SCMP_SYS(munmap),
  134. SCMP_SYS(read),
  135. SCMP_SYS(rt_sigreturn),
  136. SCMP_SYS(sched_getaffinity),
  137. SCMP_SYS(set_robust_list),
  138. #ifdef __NR_sigreturn
  139. SCMP_SYS(sigreturn),
  140. #endif
  141. SCMP_SYS(stat),
  142. SCMP_SYS(uname),
  143. SCMP_SYS(wait4),
  144. SCMP_SYS(write),
  145. SCMP_SYS(writev),
  146. SCMP_SYS(exit_group),
  147. SCMP_SYS(exit),
  148. SCMP_SYS(madvise),
  149. #ifdef __NR_stat64
  150. // getaddrinfo uses this..
  151. SCMP_SYS(stat64),
  152. #endif
  153. /*
  154. * These socket syscalls are not required on x86_64 and not supported with
  155. * some libseccomp versions (eg: 1.0.1)
  156. */
  157. #if defined(__i386)
  158. SCMP_SYS(recv),
  159. SCMP_SYS(send),
  160. #endif
  161. // socket syscalls
  162. SCMP_SYS(bind),
  163. SCMP_SYS(listen),
  164. SCMP_SYS(connect),
  165. SCMP_SYS(getsockname),
  166. SCMP_SYS(recvmsg),
  167. SCMP_SYS(recvfrom),
  168. SCMP_SYS(sendto),
  169. SCMP_SYS(unlink)
  170. };
  171. /* These macros help avoid the error where the number of filters we add on a
  172. * single rule don't match the arg_cnt param. */
  173. #define seccomp_rule_add_0(ctx,act,call) \
  174. seccomp_rule_add((ctx),(act),(call),0)
  175. #define seccomp_rule_add_1(ctx,act,call,f1) \
  176. seccomp_rule_add((ctx),(act),(call),1,(f1))
  177. #define seccomp_rule_add_2(ctx,act,call,f1,f2) \
  178. seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
  179. #define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
  180. seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
  181. #define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
  182. seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
  183. /**
  184. * Function responsible for setting up the rt_sigaction syscall for
  185. * the seccomp filter sandbox.
  186. */
  187. static int
  188. sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  189. {
  190. unsigned i;
  191. int rc;
  192. int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
  193. #ifdef SIGXFSZ
  194. SIGXFSZ
  195. #endif
  196. };
  197. (void) filter;
  198. for (i = 0; i < ARRAY_LENGTH(param); i++) {
  199. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
  200. SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
  201. if (rc)
  202. break;
  203. }
  204. return rc;
  205. }
  206. #if 0
  207. /**
  208. * Function responsible for setting up the execve syscall for
  209. * the seccomp filter sandbox.
  210. */
  211. static int
  212. sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  213. {
  214. int rc;
  215. sandbox_cfg_t *elem = NULL;
  216. // for each dynamic parameter filters
  217. for (elem = filter; elem != NULL; elem = elem->next) {
  218. smp_param_t *param = elem->param;
  219. if (param != NULL && param->prot == 1 && param->syscall
  220. == SCMP_SYS(execve)) {
  221. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve),
  222. SCMP_CMP(0, SCMP_CMP_EQ, param->value));
  223. if (rc != 0) {
  224. log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received "
  225. "libseccomp error %d", rc);
  226. return rc;
  227. }
  228. }
  229. }
  230. return 0;
  231. }
  232. #endif
  233. /**
  234. * Function responsible for setting up the time syscall for
  235. * the seccomp filter sandbox.
  236. */
  237. static int
  238. sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  239. {
  240. (void) filter;
  241. #ifdef __NR_time
  242. return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
  243. SCMP_CMP(0, SCMP_CMP_EQ, 0));
  244. #else
  245. return 0;
  246. #endif
  247. }
  248. /**
  249. * Function responsible for setting up the accept4 syscall for
  250. * the seccomp filter sandbox.
  251. */
  252. static int
  253. sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  254. {
  255. int rc = 0;
  256. (void)filter;
  257. #ifdef __i386__
  258. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
  259. SCMP_CMP(0, SCMP_CMP_EQ, 18));
  260. if (rc) {
  261. return rc;
  262. }
  263. #endif
  264. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
  265. SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
  266. if (rc) {
  267. return rc;
  268. }
  269. return 0;
  270. }
  271. #ifdef __NR_mmap2
  272. /**
  273. * Function responsible for setting up the mmap2 syscall for
  274. * the seccomp filter sandbox.
  275. */
  276. static int
  277. sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  278. {
  279. int rc = 0;
  280. (void)filter;
  281. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  282. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
  283. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
  284. if (rc) {
  285. return rc;
  286. }
  287. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  288. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
  289. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
  290. if (rc) {
  291. return rc;
  292. }
  293. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  294. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  295. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
  296. if (rc) {
  297. return rc;
  298. }
  299. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  300. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  301. SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
  302. if (rc) {
  303. return rc;
  304. }
  305. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  306. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  307. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
  308. if (rc) {
  309. return rc;
  310. }
  311. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  312. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
  313. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
  314. if (rc) {
  315. return rc;
  316. }
  317. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
  318. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
  319. SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
  320. if (rc) {
  321. return rc;
  322. }
  323. return 0;
  324. }
  325. #endif
  326. /**
  327. * Function responsible for setting up the open syscall for
  328. * the seccomp filter sandbox.
  329. */
  330. static int
  331. sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  332. {
  333. int rc;
  334. sandbox_cfg_t *elem = NULL;
  335. // for each dynamic parameter filters
  336. for (elem = filter; elem != NULL; elem = elem->next) {
  337. smp_param_t *param = elem->param;
  338. if (param != NULL && param->prot == 1 && param->syscall
  339. == SCMP_SYS(open)) {
  340. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
  341. SCMP_CMP(0, SCMP_CMP_EQ, param->value));
  342. if (rc != 0) {
  343. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  344. "libseccomp error %d", rc);
  345. return rc;
  346. }
  347. }
  348. }
  349. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
  350. SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY, O_RDONLY));
  351. if (rc != 0) {
  352. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
  353. "error %d", rc);
  354. return rc;
  355. }
  356. return 0;
  357. }
  358. static int
  359. sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  360. {
  361. int rc;
  362. (void) filter;
  363. (void) ctx;
  364. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
  365. if (rc != 0) {
  366. log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
  367. "received libseccomp error %d", rc);
  368. return rc;
  369. }
  370. return 0;
  371. }
  372. /**
  373. * Function responsible for setting up the rename syscall for
  374. * the seccomp filter sandbox.
  375. */
  376. static int
  377. sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  378. {
  379. int rc;
  380. sandbox_cfg_t *elem = NULL;
  381. // for each dynamic parameter filters
  382. for (elem = filter; elem != NULL; elem = elem->next) {
  383. smp_param_t *param = elem->param;
  384. if (param != NULL && param->prot == 1 &&
  385. param->syscall == SCMP_SYS(rename)) {
  386. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
  387. SCMP_CMP(0, SCMP_CMP_EQ, param->value),
  388. SCMP_CMP(1, SCMP_CMP_EQ, param->value2));
  389. if (rc != 0) {
  390. log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
  391. "libseccomp error %d", rc);
  392. return rc;
  393. }
  394. }
  395. }
  396. return 0;
  397. }
  398. /**
  399. * Function responsible for setting up the openat syscall for
  400. * the seccomp filter sandbox.
  401. */
  402. static int
  403. sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  404. {
  405. int rc;
  406. sandbox_cfg_t *elem = NULL;
  407. // for each dynamic parameter filters
  408. for (elem = filter; elem != NULL; elem = elem->next) {
  409. smp_param_t *param = elem->param;
  410. if (param != NULL && param->prot == 1 && param->syscall
  411. == SCMP_SYS(openat)) {
  412. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
  413. SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
  414. SCMP_CMP(1, SCMP_CMP_EQ, param->value),
  415. SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
  416. O_CLOEXEC));
  417. if (rc != 0) {
  418. log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
  419. "libseccomp error %d", rc);
  420. return rc;
  421. }
  422. }
  423. }
  424. return 0;
  425. }
  426. /**
  427. * Function responsible for setting up the socket syscall for
  428. * the seccomp filter sandbox.
  429. */
  430. static int
  431. sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  432. {
  433. int rc = 0;
  434. int i;
  435. (void) filter;
  436. #ifdef __i386__
  437. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
  438. if (rc)
  439. return rc;
  440. #endif
  441. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  442. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  443. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
  444. if (rc)
  445. return rc;
  446. for (i = 0; i < 2; ++i) {
  447. const int pf = i ? PF_INET : PF_INET6;
  448. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  449. SCMP_CMP(0, SCMP_CMP_EQ, pf),
  450. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
  451. SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
  452. if (rc)
  453. return rc;
  454. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  455. SCMP_CMP(0, SCMP_CMP_EQ, pf),
  456. SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
  457. SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
  458. if (rc)
  459. return rc;
  460. }
  461. rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
  462. SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
  463. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
  464. SCMP_CMP(2, SCMP_CMP_EQ, 0));
  465. if (rc)
  466. return rc;
  467. return 0;
  468. }
  469. /**
  470. * Function responsible for setting up the socketpair syscall for
  471. * the seccomp filter sandbox.
  472. */
  473. static int
  474. sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  475. {
  476. int rc = 0;
  477. (void) filter;
  478. #ifdef __i386__
  479. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
  480. if (rc)
  481. return rc;
  482. #endif
  483. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
  484. SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
  485. SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
  486. if (rc)
  487. return rc;
  488. return 0;
  489. }
  490. /**
  491. * Function responsible for setting up the setsockopt syscall for
  492. * the seccomp filter sandbox.
  493. */
  494. static int
  495. sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  496. {
  497. int rc = 0;
  498. (void) filter;
  499. #ifdef __i386__
  500. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
  501. if (rc)
  502. return rc;
  503. #endif
  504. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  505. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  506. SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
  507. if (rc)
  508. return rc;
  509. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  510. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  511. SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
  512. if (rc)
  513. return rc;
  514. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  515. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  516. SCMP_CMP(2, SCMP_CMP_EQ, SO_RCVBUF));
  517. if (rc)
  518. return rc;
  519. #ifdef IP_TRANSPARENT
  520. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
  521. SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
  522. SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
  523. if (rc)
  524. return rc;
  525. #endif
  526. return 0;
  527. }
  528. /**
  529. * Function responsible for setting up the getsockopt syscall for
  530. * the seccomp filter sandbox.
  531. */
  532. static int
  533. sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  534. {
  535. int rc = 0;
  536. (void) filter;
  537. #ifdef __i386__
  538. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
  539. if (rc)
  540. return rc;
  541. #endif
  542. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
  543. SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
  544. SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
  545. if (rc)
  546. return rc;
  547. return 0;
  548. }
  549. #ifdef __NR_fcntl64
  550. /**
  551. * Function responsible for setting up the fcntl64 syscall for
  552. * the seccomp filter sandbox.
  553. */
  554. static int
  555. sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  556. {
  557. int rc = 0;
  558. (void) filter;
  559. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  560. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
  561. if (rc)
  562. return rc;
  563. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  564. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
  565. SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
  566. if (rc)
  567. return rc;
  568. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  569. SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
  570. if (rc)
  571. return rc;
  572. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
  573. SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
  574. SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
  575. if (rc)
  576. return rc;
  577. return 0;
  578. }
  579. #endif
  580. /**
  581. * Function responsible for setting up the epoll_ctl syscall for
  582. * the seccomp filter sandbox.
  583. *
  584. * Note: basically allows everything but will keep for now..
  585. */
  586. static int
  587. sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  588. {
  589. int rc = 0;
  590. (void) filter;
  591. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  592. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
  593. if (rc)
  594. return rc;
  595. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  596. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
  597. if (rc)
  598. return rc;
  599. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
  600. SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
  601. if (rc)
  602. return rc;
  603. return 0;
  604. }
  605. /**
  606. * Function responsible for setting up the fcntl64 syscall for
  607. * the seccomp filter sandbox.
  608. *
  609. * NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
  610. * to be whitelisted in this function.
  611. */
  612. static int
  613. sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  614. {
  615. int rc = 0;
  616. (void) filter;
  617. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
  618. SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
  619. if (rc)
  620. return rc;
  621. return 0;
  622. }
  623. /**
  624. * Function responsible for setting up the fcntl64 syscall for
  625. * the seccomp filter sandbox.
  626. *
  627. * NOTE: does not NEED to be here.. currently only occurs before filter; will
  628. * keep just in case for the future.
  629. */
  630. static int
  631. sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  632. {
  633. int rc = 0;
  634. (void) filter;
  635. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  636. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
  637. if (rc)
  638. return rc;
  639. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  640. SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
  641. if (rc)
  642. return rc;
  643. return 0;
  644. }
  645. /**
  646. * Function responsible for setting up the rt_sigprocmask syscall for
  647. * the seccomp filter sandbox.
  648. */
  649. static int
  650. sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  651. {
  652. int rc = 0;
  653. (void) filter;
  654. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  655. SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
  656. if (rc)
  657. return rc;
  658. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
  659. SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
  660. if (rc)
  661. return rc;
  662. return 0;
  663. }
  664. /**
  665. * Function responsible for setting up the flock syscall for
  666. * the seccomp filter sandbox.
  667. *
  668. * NOTE: does not need to be here, occurs before filter is applied.
  669. */
  670. static int
  671. sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  672. {
  673. int rc = 0;
  674. (void) filter;
  675. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  676. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
  677. if (rc)
  678. return rc;
  679. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
  680. SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
  681. if (rc)
  682. return rc;
  683. return 0;
  684. }
  685. /**
  686. * Function responsible for setting up the futex syscall for
  687. * the seccomp filter sandbox.
  688. */
  689. static int
  690. sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  691. {
  692. int rc = 0;
  693. (void) filter;
  694. // can remove
  695. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  696. SCMP_CMP(1, SCMP_CMP_EQ,
  697. FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
  698. if (rc)
  699. return rc;
  700. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  701. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
  702. if (rc)
  703. return rc;
  704. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
  705. SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
  706. if (rc)
  707. return rc;
  708. return 0;
  709. }
  710. /**
  711. * Function responsible for setting up the mremap syscall for
  712. * the seccomp filter sandbox.
  713. *
  714. * NOTE: so far only occurs before filter is applied.
  715. */
  716. static int
  717. sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  718. {
  719. int rc = 0;
  720. (void) filter;
  721. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
  722. SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
  723. if (rc)
  724. return rc;
  725. return 0;
  726. }
  727. /**
  728. * Function responsible for setting up the poll syscall for
  729. * the seccomp filter sandbox.
  730. */
  731. static int
  732. sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  733. {
  734. int rc = 0;
  735. (void) filter;
  736. rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll),
  737. SCMP_CMP(1, SCMP_CMP_EQ, 1),
  738. SCMP_CMP(2, SCMP_CMP_EQ, 10));
  739. if (rc)
  740. return rc;
  741. return 0;
  742. }
  743. #ifdef __NR_stat64
  744. /**
  745. * Function responsible for setting up the stat64 syscall for
  746. * the seccomp filter sandbox.
  747. */
  748. static int
  749. sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
  750. {
  751. int rc = 0;
  752. sandbox_cfg_t *elem = NULL;
  753. // for each dynamic parameter filters
  754. for (elem = filter; elem != NULL; elem = elem->next) {
  755. smp_param_t *param = elem->param;
  756. if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
  757. || param->syscall == SCMP_SYS(stat64))) {
  758. rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
  759. SCMP_CMP(0, SCMP_CMP_EQ, param->value));
  760. if (rc != 0) {
  761. log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
  762. "libseccomp error %d", rc);
  763. return rc;
  764. }
  765. }
  766. }
  767. return 0;
  768. }
  769. #endif
  770. /**
  771. * Array of function pointers responsible for filtering different syscalls at
  772. * a parameter level.
  773. */
  774. static sandbox_filter_func_t filter_func[] = {
  775. sb_rt_sigaction,
  776. sb_rt_sigprocmask,
  777. #if 0
  778. sb_execve,
  779. #endif
  780. sb_time,
  781. sb_accept4,
  782. #ifdef __NR_mmap2
  783. sb_mmap2,
  784. #endif
  785. sb_open,
  786. sb_openat,
  787. sb__sysctl,
  788. sb_rename,
  789. #ifdef __NR_fcntl64
  790. sb_fcntl64,
  791. #endif
  792. sb_epoll_ctl,
  793. sb_prctl,
  794. sb_mprotect,
  795. sb_flock,
  796. sb_futex,
  797. sb_mremap,
  798. sb_poll,
  799. #ifdef __NR_stat64
  800. sb_stat64,
  801. #endif
  802. sb_socket,
  803. sb_setsockopt,
  804. sb_getsockopt,
  805. sb_socketpair
  806. };
  807. const char *
  808. sandbox_intern_string(const char *str)
  809. {
  810. sandbox_cfg_t *elem;
  811. if (str == NULL)
  812. return NULL;
  813. for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
  814. smp_param_t *param = elem->param;
  815. if (param->prot) {
  816. if (!strcmp(str, (char*)(param->value))) {
  817. return (char*)param->value;
  818. }
  819. if (param->value2 && !strcmp(str, (char*)param->value2)) {
  820. return (char*)param->value2;
  821. }
  822. }
  823. }
  824. if (sandbox_active)
  825. log_warn(LD_BUG, "No interned sandbox parameter found for %s", str);
  826. return str;
  827. }
  828. /** DOCDOC */
  829. static int
  830. prot_strings_helper(strmap_t *locations,
  831. char **pr_mem_next_p,
  832. size_t *pr_mem_left_p,
  833. intptr_t *value_p)
  834. {
  835. char *param_val;
  836. size_t param_size;
  837. void *location;
  838. if (*value_p == 0)
  839. return 0;
  840. param_val = (char*) *value_p;
  841. param_size = strlen(param_val) + 1;
  842. location = strmap_get(locations, param_val);
  843. if (location) {
  844. // We already interned this string.
  845. tor_free(param_val);
  846. *value_p = (intptr_t) location;
  847. return 0;
  848. } else if (*pr_mem_left_p >= param_size) {
  849. // copy to protected
  850. location = *pr_mem_next_p;
  851. memcpy(location, param_val, param_size);
  852. // re-point el parameter to protected
  853. tor_free(param_val);
  854. *value_p = (intptr_t) location;
  855. strmap_set(locations, location, location); /* good real estate advice */
  856. // move next available protected memory
  857. *pr_mem_next_p += param_size;
  858. *pr_mem_left_p -= param_size;
  859. return 0;
  860. } else {
  861. log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
  862. return -1;
  863. }
  864. }
  865. /**
  866. * Protects all the strings in the sandbox's parameter list configuration. It
  867. * works by calculating the total amount of memory required by the parameter
  868. * list, allocating the memory using mmap, and protecting it from writes with
  869. * mprotect().
  870. */
  871. static int
  872. prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  873. {
  874. int ret = 0;
  875. size_t pr_mem_size = 0, pr_mem_left = 0;
  876. char *pr_mem_next = NULL, *pr_mem_base;
  877. sandbox_cfg_t *el = NULL;
  878. strmap_t *locations = NULL;
  879. // get total number of bytes required to mmap. (Overestimate.)
  880. for (el = cfg; el != NULL; el = el->next) {
  881. pr_mem_size += strlen((char*) el->param->value) + 1;
  882. if (el->param->value2)
  883. pr_mem_size += strlen((char*) el->param->value2) + 1;
  884. }
  885. // allocate protected memory with MALLOC_MP_LIM canary
  886. pr_mem_base = (char*) mmap(NULL, MALLOC_MP_LIM + pr_mem_size,
  887. PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
  888. if (pr_mem_base == MAP_FAILED) {
  889. log_err(LD_BUG,"(Sandbox) failed allocate protected memory! mmap: %s",
  890. strerror(errno));
  891. ret = -1;
  892. goto out;
  893. }
  894. pr_mem_next = pr_mem_base + MALLOC_MP_LIM;
  895. pr_mem_left = pr_mem_size;
  896. locations = strmap_new();
  897. // change el value pointer to protected
  898. for (el = cfg; el != NULL; el = el->next) {
  899. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  900. &el->param->value) < 0) {
  901. ret = -2;
  902. goto out;
  903. }
  904. if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
  905. &el->param->value2) < 0) {
  906. ret = -2;
  907. goto out;
  908. }
  909. el->param->prot = 1;
  910. }
  911. // protecting from writes
  912. if (mprotect(pr_mem_base, MALLOC_MP_LIM + pr_mem_size, PROT_READ)) {
  913. log_err(LD_BUG,"(Sandbox) failed to protect memory! mprotect: %s",
  914. strerror(errno));
  915. ret = -3;
  916. goto out;
  917. }
  918. /*
  919. * Setting sandbox restrictions so the string memory cannot be tampered with
  920. */
  921. // no mremap of the protected base address
  922. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
  923. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  924. if (ret) {
  925. log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!");
  926. return ret;
  927. }
  928. // no munmap of the protected base address
  929. ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
  930. SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
  931. if (ret) {
  932. log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!");
  933. return ret;
  934. }
  935. /*
  936. * Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
  937. * never over the memory region used by the protected strings.
  938. *
  939. * PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
  940. * had to be removed due to limitation of libseccomp regarding intervals.
  941. *
  942. * There is a restriction on how much you can mprotect with R|W up to the
  943. * size of the canary.
  944. */
  945. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  946. SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
  947. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  948. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  949. if (ret) {
  950. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (LT)!");
  951. return ret;
  952. }
  953. ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
  954. SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
  955. MALLOC_MP_LIM),
  956. SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
  957. SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
  958. if (ret) {
  959. log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (GT)!");
  960. return ret;
  961. }
  962. out:
  963. strmap_free(locations, NULL);
  964. return ret;
  965. }
  966. /**
  967. * Auxiliary function used in order to allocate a sandbox_cfg_t element and set
  968. * it's values according the the parameter list. All elements are initialised
  969. * with the 'prot' field set to false, as the pointer is not protected at this
  970. * point.
  971. */
  972. static sandbox_cfg_t*
  973. new_element2(int syscall, intptr_t value, intptr_t value2)
  974. {
  975. smp_param_t *param = NULL;
  976. sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t));
  977. param = elem->param = tor_malloc_zero(sizeof(smp_param_t));
  978. param->syscall = syscall;
  979. param->value = value;
  980. param->value2 = value2;
  981. param->prot = 0;
  982. return elem;
  983. }
  984. static sandbox_cfg_t*
  985. new_element(int syscall, intptr_t value)
  986. {
  987. return new_element2(syscall, value, 0);
  988. }
  989. #ifdef __NR_stat64
  990. #define SCMP_stat SCMP_SYS(stat64)
  991. #else
  992. #define SCMP_stat SCMP_SYS(stat)
  993. #endif
  994. int
  995. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  996. {
  997. sandbox_cfg_t *elem = NULL;
  998. elem = new_element(SCMP_stat, (intptr_t)(void*) file);
  999. if (!elem) {
  1000. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1001. return -1;
  1002. }
  1003. elem->next = *cfg;
  1004. *cfg = elem;
  1005. return 0;
  1006. }
  1007. int
  1008. sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...)
  1009. {
  1010. int rc = 0;
  1011. char *fn = NULL;
  1012. va_list ap;
  1013. va_start(ap, cfg);
  1014. while ((fn = va_arg(ap, char*)) != NULL) {
  1015. rc = sandbox_cfg_allow_stat_filename(cfg, fn);
  1016. if (rc) {
  1017. log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_stat_filename_array fail");
  1018. goto end;
  1019. }
  1020. }
  1021. end:
  1022. va_end(ap);
  1023. return 0;
  1024. }
  1025. int
  1026. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1027. {
  1028. sandbox_cfg_t *elem = NULL;
  1029. elem = new_element(SCMP_SYS(open), (intptr_t)(void *) file);
  1030. if (!elem) {
  1031. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1032. return -1;
  1033. }
  1034. elem->next = *cfg;
  1035. *cfg = elem;
  1036. return 0;
  1037. }
  1038. int
  1039. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1040. {
  1041. sandbox_cfg_t *elem = NULL;
  1042. elem = new_element2(SCMP_SYS(rename),
  1043. (intptr_t)(void *) file1,
  1044. (intptr_t)(void *) file2);
  1045. if (!elem) {
  1046. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1047. return -1;
  1048. }
  1049. elem->next = *cfg;
  1050. *cfg = elem;
  1051. return 0;
  1052. }
  1053. int
  1054. sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...)
  1055. {
  1056. int rc = 0;
  1057. char *fn = NULL;
  1058. va_list ap;
  1059. va_start(ap, cfg);
  1060. while ((fn = va_arg(ap, char*)) != NULL) {
  1061. rc = sandbox_cfg_allow_open_filename(cfg, fn);
  1062. if (rc) {
  1063. log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_open_filename_array fail");
  1064. goto end;
  1065. }
  1066. }
  1067. end:
  1068. va_end(ap);
  1069. return 0;
  1070. }
  1071. int
  1072. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1073. {
  1074. sandbox_cfg_t *elem = NULL;
  1075. elem = new_element(SCMP_SYS(openat), (intptr_t)(void *) file);
  1076. if (!elem) {
  1077. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1078. return -1;
  1079. }
  1080. elem->next = *cfg;
  1081. *cfg = elem;
  1082. return 0;
  1083. }
  1084. int
  1085. sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...)
  1086. {
  1087. int rc = 0;
  1088. char *fn = NULL;
  1089. va_list ap;
  1090. va_start(ap, cfg);
  1091. while ((fn = va_arg(ap, char*)) != NULL) {
  1092. rc = sandbox_cfg_allow_openat_filename(cfg, fn);
  1093. if (rc) {
  1094. log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_openat_filename_array fail");
  1095. goto end;
  1096. }
  1097. }
  1098. end:
  1099. va_end(ap);
  1100. return 0;
  1101. }
  1102. #if 0
  1103. int
  1104. sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  1105. {
  1106. sandbox_cfg_t *elem = NULL;
  1107. elem = new_element(SCMP_SYS(execve), (intptr_t)(void *) com);
  1108. if (!elem) {
  1109. log_err(LD_BUG,"(Sandbox) failed to register parameter!");
  1110. return -1;
  1111. }
  1112. elem->next = *cfg;
  1113. *cfg = elem;
  1114. return 0;
  1115. }
  1116. int
  1117. sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...)
  1118. {
  1119. int rc = 0;
  1120. char *fn = NULL;
  1121. va_list ap;
  1122. va_start(ap, cfg);
  1123. while ((fn = va_arg(ap, char*)) != NULL) {
  1124. rc = sandbox_cfg_allow_execve(cfg, fn);
  1125. if (rc) {
  1126. log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_execve_array failed");
  1127. goto end;
  1128. }
  1129. }
  1130. end:
  1131. va_end(ap);
  1132. return 0;
  1133. }
  1134. #endif
  1135. /** Cache entry for getaddrinfo results; used when sandboxing is implemented
  1136. * so that we can consult the cache when the sandbox prevents us from doing
  1137. * getaddrinfo.
  1138. *
  1139. * We support only a limited range of getaddrinfo calls, where servname is null
  1140. * and hints contains only socktype=SOCK_STREAM, family in INET,INET6,UNSPEC.
  1141. */
  1142. typedef struct cached_getaddrinfo_item_t {
  1143. HT_ENTRY(cached_getaddrinfo_item_t) node;
  1144. char *name;
  1145. int family;
  1146. /** set if no error; otherwise NULL */
  1147. struct addrinfo *res;
  1148. /** 0 for no error; otherwise an EAI_* value */
  1149. int err;
  1150. } cached_getaddrinfo_item_t;
  1151. static unsigned
  1152. cached_getaddrinfo_item_hash(const cached_getaddrinfo_item_t *item)
  1153. {
  1154. return (unsigned)siphash24g(item->name, strlen(item->name)) + item->family;
  1155. }
  1156. static unsigned
  1157. cached_getaddrinfo_items_eq(const cached_getaddrinfo_item_t *a,
  1158. const cached_getaddrinfo_item_t *b)
  1159. {
  1160. return (a->family == b->family) && 0 == strcmp(a->name, b->name);
  1161. }
  1162. static void
  1163. cached_getaddrinfo_item_free(cached_getaddrinfo_item_t *item)
  1164. {
  1165. if (item == NULL)
  1166. return;
  1167. tor_free(item->name);
  1168. if (item->res)
  1169. freeaddrinfo(item->res);
  1170. tor_free(item);
  1171. }
  1172. static HT_HEAD(getaddrinfo_cache, cached_getaddrinfo_item_t)
  1173. getaddrinfo_cache = HT_INITIALIZER();
  1174. HT_PROTOTYPE(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1175. cached_getaddrinfo_item_hash,
  1176. cached_getaddrinfo_items_eq);
  1177. HT_GENERATE(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
  1178. cached_getaddrinfo_item_hash,
  1179. cached_getaddrinfo_items_eq,
  1180. 0.6, tor_malloc_, tor_realloc_, tor_free_);
  1181. /** If true, don't try to cache getaddrinfo results. */
  1182. static int sandbox_getaddrinfo_cache_disabled = 0;
  1183. /** Tell the sandbox layer not to try to cache getaddrinfo results. Used as in
  1184. * tor-resolve, when we have no intention of initializing crypto or of
  1185. * installing the sandbox.*/
  1186. void
  1187. sandbox_disable_getaddrinfo_cache(void)
  1188. {
  1189. sandbox_getaddrinfo_cache_disabled = 1;
  1190. }
  1191. int
  1192. sandbox_getaddrinfo(const char *name, const char *servname,
  1193. const struct addrinfo *hints,
  1194. struct addrinfo **res)
  1195. {
  1196. int err;
  1197. struct cached_getaddrinfo_item_t search, *item;
  1198. if (sandbox_getaddrinfo_cache_disabled) {
  1199. return getaddrinfo(name, NULL, hints, res);
  1200. }
  1201. if (servname != NULL) {
  1202. log_warn(LD_BUG, "called with non-NULL servname");
  1203. return EAI_NONAME;
  1204. }
  1205. if (name == NULL) {
  1206. log_warn(LD_BUG, "called with NULL name");
  1207. return EAI_NONAME;
  1208. }
  1209. *res = NULL;
  1210. memset(&search, 0, sizeof(search));
  1211. search.name = (char *) name;
  1212. search.family = hints ? hints->ai_family : AF_UNSPEC;
  1213. item = HT_FIND(getaddrinfo_cache, &getaddrinfo_cache, &search);
  1214. if (! sandbox_is_active()) {
  1215. /* If the sandbox is not turned on yet, then getaddrinfo and store the
  1216. result. */
  1217. err = getaddrinfo(name, NULL, hints, res);
  1218. log_info(LD_NET,"(Sandbox) getaddrinfo %s.", err ? "failed" : "succeeded");
  1219. if (! item) {
  1220. item = tor_malloc_zero(sizeof(*item));
  1221. item->name = tor_strdup(name);
  1222. item->family = hints ? hints->ai_family : AF_UNSPEC;
  1223. HT_INSERT(getaddrinfo_cache, &getaddrinfo_cache, item);
  1224. }
  1225. if (item->res) {
  1226. freeaddrinfo(item->res);
  1227. item->res = NULL;
  1228. }
  1229. item->res = *res;
  1230. item->err = err;
  1231. return err;
  1232. }
  1233. /* Otherwise, the sanbox is on. If we have an item, yield its cached
  1234. result. */
  1235. if (item) {
  1236. *res = item->res;
  1237. return item->err;
  1238. }
  1239. /* getting here means something went wrong */
  1240. log_err(LD_BUG,"(Sandbox) failed to get address %s!", name);
  1241. return EAI_NONAME;
  1242. }
  1243. int
  1244. sandbox_add_addrinfo(const char *name)
  1245. {
  1246. struct addrinfo *res;
  1247. struct addrinfo hints;
  1248. int i;
  1249. static const int families[] = { AF_INET, AF_INET6, AF_UNSPEC };
  1250. memset(&hints, 0, sizeof(hints));
  1251. hints.ai_socktype = SOCK_STREAM;
  1252. for (i = 0; i < 3; ++i) {
  1253. hints.ai_family = families[i];
  1254. res = NULL;
  1255. (void) sandbox_getaddrinfo(name, NULL, &hints, &res);
  1256. if (res)
  1257. sandbox_freeaddrinfo(res);
  1258. }
  1259. return 0;
  1260. }
  1261. void
  1262. sandbox_free_getaddrinfo_cache(void)
  1263. {
  1264. cached_getaddrinfo_item_t **next, **item;
  1265. for (item = HT_START(getaddrinfo_cache, &getaddrinfo_cache);
  1266. item;
  1267. item = next) {
  1268. next = HT_NEXT_RMV(getaddrinfo_cache, &getaddrinfo_cache, item);
  1269. cached_getaddrinfo_item_free(*item);
  1270. }
  1271. HT_CLEAR(getaddrinfo_cache, &getaddrinfo_cache);
  1272. }
  1273. /**
  1274. * Function responsible for going through the parameter syscall filters and
  1275. * call each function pointer in the list.
  1276. */
  1277. static int
  1278. add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
  1279. {
  1280. unsigned i;
  1281. int rc = 0;
  1282. // function pointer
  1283. for (i = 0; i < ARRAY_LENGTH(filter_func); i++) {
  1284. if ((filter_func[i])(ctx, cfg)) {
  1285. log_err(LD_BUG,"(Sandbox) failed to add syscall %d, received libseccomp "
  1286. "error %d", i, rc);
  1287. return rc;
  1288. }
  1289. }
  1290. return 0;
  1291. }
  1292. /**
  1293. * Function responsible of loading the libseccomp syscall filters which do not
  1294. * have parameter filtering.
  1295. */
  1296. static int
  1297. add_noparam_filter(scmp_filter_ctx ctx)
  1298. {
  1299. unsigned i;
  1300. int rc = 0;
  1301. // add general filters
  1302. for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
  1303. rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
  1304. if (rc != 0) {
  1305. log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), "
  1306. "received libseccomp error %d", i, filter_nopar_gen[i], rc);
  1307. return rc;
  1308. }
  1309. }
  1310. return 0;
  1311. }
  1312. /**
  1313. * Function responsible for setting up and enabling a global syscall filter.
  1314. * The function is a prototype developed for stage 1 of sandboxing Tor.
  1315. * Returns 0 on success.
  1316. */
  1317. static int
  1318. install_syscall_filter(sandbox_cfg_t* cfg)
  1319. {
  1320. int rc = 0;
  1321. scmp_filter_ctx ctx;
  1322. ctx = seccomp_init(SCMP_ACT_TRAP);
  1323. if (ctx == NULL) {
  1324. log_err(LD_BUG,"(Sandbox) failed to initialise libseccomp context");
  1325. rc = -1;
  1326. goto end;
  1327. }
  1328. // protectign sandbox parameter strings
  1329. if ((rc = prot_strings(ctx, cfg))) {
  1330. goto end;
  1331. }
  1332. // add parameter filters
  1333. if ((rc = add_param_filter(ctx, cfg))) {
  1334. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1335. goto end;
  1336. }
  1337. // adding filters with no parameters
  1338. if ((rc = add_noparam_filter(ctx))) {
  1339. log_err(LD_BUG, "(Sandbox) failed to add param filters!");
  1340. goto end;
  1341. }
  1342. // loading the seccomp2 filter
  1343. if ((rc = seccomp_load(ctx))) {
  1344. log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)!", rc,
  1345. strerror(-rc));
  1346. goto end;
  1347. }
  1348. // marking the sandbox as active
  1349. sandbox_active = 1;
  1350. end:
  1351. seccomp_release(ctx);
  1352. return (rc < 0 ? -rc : rc);
  1353. }
  1354. #include "linux_syscalls.inc"
  1355. static const char *
  1356. get_syscall_name(int syscall_num)
  1357. {
  1358. int i;
  1359. for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
  1360. if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
  1361. return SYSCALLS_BY_NUMBER[i].syscall_name;
  1362. }
  1363. {
  1364. static char syscall_name_buf[64];
  1365. format_dec_number_sigsafe(syscall_num,
  1366. syscall_name_buf, sizeof(syscall_name_buf));
  1367. return syscall_name_buf;
  1368. }
  1369. }
  1370. #ifdef USE_BACKTRACE
  1371. #define MAX_DEPTH 256
  1372. static void *syscall_cb_buf[MAX_DEPTH];
  1373. #endif
  1374. /**
  1375. * Function called when a SIGSYS is caught by the application. It notifies the
  1376. * user that an error has occurred and either terminates or allows the
  1377. * application to continue execution, based on the DEBUGGING_CLOSE symbol.
  1378. */
  1379. static void
  1380. sigsys_debugging(int nr, siginfo_t *info, void *void_context)
  1381. {
  1382. ucontext_t *ctx = (ucontext_t *) (void_context);
  1383. const char *syscall_name;
  1384. int syscall;
  1385. #ifdef USE_BACKTRACE
  1386. int depth;
  1387. int n_fds, i;
  1388. const int *fds = NULL;
  1389. #endif
  1390. (void) nr;
  1391. if (info->si_code != SYS_SECCOMP)
  1392. return;
  1393. if (!ctx)
  1394. return;
  1395. syscall = (int) ctx->uc_mcontext.M_SYSCALL;
  1396. #ifdef USE_BACKTRACE
  1397. depth = backtrace(syscall_cb_buf, MAX_DEPTH);
  1398. /* Clean up the top stack frame so we get the real function
  1399. * name for the most recently failing function. */
  1400. clean_backtrace(syscall_cb_buf, depth, ctx);
  1401. #endif
  1402. syscall_name = get_syscall_name(syscall);
  1403. tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ",
  1404. syscall_name,
  1405. ")\n",
  1406. NULL);
  1407. #ifdef USE_BACKTRACE
  1408. n_fds = tor_log_get_sigsafe_err_fds(&fds);
  1409. for (i=0; i < n_fds; ++i)
  1410. backtrace_symbols_fd(syscall_cb_buf, depth, fds[i]);
  1411. #endif
  1412. #if defined(DEBUGGING_CLOSE)
  1413. _exit(1);
  1414. #endif // DEBUGGING_CLOSE
  1415. }
  1416. /**
  1417. * Function that adds a handler for SIGSYS, which is the signal thrown
  1418. * when the application is issuing a syscall which is not allowed. The
  1419. * main purpose of this function is to help with debugging by identifying
  1420. * filtered syscalls.
  1421. */
  1422. static int
  1423. install_sigsys_debugging(void)
  1424. {
  1425. struct sigaction act;
  1426. sigset_t mask;
  1427. memset(&act, 0, sizeof(act));
  1428. sigemptyset(&mask);
  1429. sigaddset(&mask, SIGSYS);
  1430. act.sa_sigaction = &sigsys_debugging;
  1431. act.sa_flags = SA_SIGINFO;
  1432. if (sigaction(SIGSYS, &act, NULL) < 0) {
  1433. log_err(LD_BUG,"(Sandbox) Failed to register SIGSYS signal handler");
  1434. return -1;
  1435. }
  1436. if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
  1437. log_err(LD_BUG,"(Sandbox) Failed call to sigprocmask()");
  1438. return -2;
  1439. }
  1440. return 0;
  1441. }
  1442. /**
  1443. * Function responsible of registering the sandbox_cfg_t list of parameter
  1444. * syscall filters to the existing parameter list. This is used for incipient
  1445. * multiple-sandbox support.
  1446. */
  1447. static int
  1448. register_cfg(sandbox_cfg_t* cfg)
  1449. {
  1450. sandbox_cfg_t *elem = NULL;
  1451. if (filter_dynamic == NULL) {
  1452. filter_dynamic = cfg;
  1453. return 0;
  1454. }
  1455. for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
  1456. ;
  1457. elem->next = cfg;
  1458. return 0;
  1459. }
  1460. #endif // USE_LIBSECCOMP
  1461. #ifdef USE_LIBSECCOMP
  1462. /**
  1463. * Initialises the syscall sandbox filter for any linux architecture, taking
  1464. * into account various available features for different linux flavours.
  1465. */
  1466. static int
  1467. initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
  1468. {
  1469. if (install_sigsys_debugging())
  1470. return -1;
  1471. if (install_syscall_filter(cfg))
  1472. return -2;
  1473. if (register_cfg(cfg))
  1474. return -3;
  1475. return 0;
  1476. }
  1477. int
  1478. sandbox_is_active(void)
  1479. {
  1480. return sandbox_active != 0;
  1481. }
  1482. #endif // USE_LIBSECCOMP
  1483. sandbox_cfg_t*
  1484. sandbox_cfg_new(void)
  1485. {
  1486. return NULL;
  1487. }
  1488. int
  1489. sandbox_init(sandbox_cfg_t *cfg)
  1490. {
  1491. #if defined(USE_LIBSECCOMP)
  1492. return initialise_libseccomp_sandbox(cfg);
  1493. #elif defined(__linux__)
  1494. (void)cfg;
  1495. log_warn(LD_GENERAL,
  1496. "This version of Tor was built without support for sandboxing. To "
  1497. "build with support for sandboxing on Linux, you must have "
  1498. "libseccomp and its necessary header files (e.g. seccomp.h).");
  1499. return 0;
  1500. #else
  1501. (void)cfg;
  1502. log_warn(LD_GENERAL,
  1503. "Currently, sandboxing is only implemented on Linux. The feature "
  1504. "is disabled on your platform.");
  1505. return 0;
  1506. #endif
  1507. }
  1508. #ifndef USE_LIBSECCOMP
  1509. int
  1510. sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  1511. {
  1512. (void)cfg; (void)file;
  1513. return 0;
  1514. }
  1515. int
  1516. sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...)
  1517. {
  1518. (void)cfg;
  1519. return 0;
  1520. }
  1521. int
  1522. sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  1523. {
  1524. (void)cfg; (void)file;
  1525. return 0;
  1526. }
  1527. int
  1528. sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...)
  1529. {
  1530. (void)cfg;
  1531. return 0;
  1532. }
  1533. #if 0
  1534. int
  1535. sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  1536. {
  1537. (void)cfg; (void)com;
  1538. return 0;
  1539. }
  1540. int
  1541. sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...)
  1542. {
  1543. (void)cfg;
  1544. return 0;
  1545. }
  1546. #endif
  1547. int
  1548. sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  1549. {
  1550. (void)cfg; (void)file;
  1551. return 0;
  1552. }
  1553. int
  1554. sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...)
  1555. {
  1556. (void)cfg;
  1557. return 0;
  1558. }
  1559. int
  1560. sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  1561. {
  1562. (void)cfg; (void)file1; (void)file2;
  1563. return 0;
  1564. }
  1565. int
  1566. sandbox_is_active(void)
  1567. {
  1568. return 0;
  1569. }
  1570. void
  1571. sandbox_disable_getaddrinfo_cache(void)
  1572. {
  1573. }
  1574. #endif