 /* Copyright (c) 2001 Matej Pfajfar.
 * Copyright (c) 2001-2004, Roger Dingledine.
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
 * Copyright (c) 2007-2016, The Tor Project, Inc. */
/* See LICENSE for licensing information */

/**
 * \file sandbox.c
 * \brief Code to enable sandboxing.
 **/

#include "orconfig.h"

#ifndef _LARGEFILE64_SOURCE
/**
 * Temporarily required for O_LARGEFILE flag. Needs to be removed
 * with the libevent fix.
 */
#define _LARGEFILE64_SOURCE
#endif

/** Malloc mprotect limit in bytes. */
#define MALLOC_MP_LIM 1048576

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#include "sandbox.h"
#include "container.h"
#include "torlog.h"
#include "torint.h"
#include "util.h"
#include "tor_queue.h"

#include "ht.h"

#define DEBUGGING_CLOSE

#if defined(USE_LIBSECCOMP)

#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/epoll.h>
#include <sys/prctl.h>
#include <linux/futex.h>
#include <sys/file.h>

#include <stdarg.h>
#include <seccomp.h>
#include <signal.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <poll.h>

#ifdef HAVE_GNU_LIBC_VERSION_H
#include <gnu/libc-version.h>
#endif
#ifdef HAVE_LINUX_NETFILTER_IPV4_H
#include <linux/netfilter_ipv4.h>
#endif
#ifdef HAVE_LINUX_IF_H
#include <linux/if.h>
#endif
#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
#include <linux/netfilter_ipv6/ip6_tables.h>
#endif

#if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
  defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
#define USE_BACKTRACE
#define EXPOSE_CLEAN_BACKTRACE
#include "backtrace.h"
#endif

#ifdef USE_BACKTRACE
#include <execinfo.h>
#endif

/**
 * Linux 32 bit definitions
 */
#if defined(__i386__)

#define REG_SYSCALL REG_EAX
#define M_SYSCALL gregs[REG_SYSCALL]

/**
 * Linux 64 bit definitions
 */
#elif defined(__x86_64__)

#define REG_SYSCALL REG_RAX
#define M_SYSCALL gregs[REG_SYSCALL]

#elif defined(__arm__)

#define M_SYSCALL arm_r7

#endif

/** Determines if at least one sandbox is active. */
static int sandbox_active = 0;
/** Holds the parameter list configuration for the sandbox.*/
static sandbox_cfg_t *filter_dynamic = NULL;

#undef SCMP_CMP
#define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
#define SCMP_CMP_STR(a,b,c) \
  ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
#define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
/* We use a wrapper here because these masked comparisons seem to be pretty
 * verbose. Also, it's important to cast to scmp_datum_t before negating the
 * mask, since otherwise the negation might get applied to a 32 bit value, and
 * the high bits of the value might get masked out improperly. */
#define SCMP_CMP_MASKED(a,b,c) \
  SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))

/** Variable used for storing all syscall numbers that will be allowed with the
 * stage 1 general Tor sandbox.
 *
 * "nopar" = no parameter filtering: every syscall listed here is allowed
 * regardless of its arguments (presumably via seccomp_rule_add_0() in the
 * install loop, which is outside this part of the file -- confirm there).
 * Anything that needs argument checks has its own sb_*() function below.
 */
static int filter_nopar_gen[] = {
    SCMP_SYS(access),
    SCMP_SYS(brk),
    SCMP_SYS(clock_gettime),
    SCMP_SYS(close),
    /* NOTE(review): clone is allowed with no flag restriction here. */
    SCMP_SYS(clone),
    SCMP_SYS(epoll_create),
    SCMP_SYS(epoll_wait),
#ifdef __NR_epoll_pwait
    SCMP_SYS(epoll_pwait),
#endif
#ifdef HAVE_EVENTFD
    SCMP_SYS(eventfd2),
#endif
#ifdef HAVE_PIPE2
    SCMP_SYS(pipe2),
#endif
#ifdef HAVE_PIPE
    SCMP_SYS(pipe),
#endif
#ifdef __NR_fchmod
    SCMP_SYS(fchmod),
#endif
    SCMP_SYS(fcntl),
    SCMP_SYS(fstat),
#ifdef __NR_fstat64
    SCMP_SYS(fstat64),
#endif
    SCMP_SYS(futex),
    SCMP_SYS(getdents64),
    SCMP_SYS(getegid),
#ifdef __NR_getegid32
    SCMP_SYS(getegid32),
#endif
    SCMP_SYS(geteuid),
#ifdef __NR_geteuid32
    SCMP_SYS(geteuid32),
#endif
    SCMP_SYS(getgid),
#ifdef __NR_getgid32
    SCMP_SYS(getgid32),
#endif
    SCMP_SYS(getpid),
#ifdef __NR_getrlimit
    SCMP_SYS(getrlimit),
#endif
    SCMP_SYS(gettimeofday),
    SCMP_SYS(gettid),
    SCMP_SYS(getuid),
#ifdef __NR_getuid32
    SCMP_SYS(getuid32),
#endif
    SCMP_SYS(lseek),
#ifdef __NR__llseek
    SCMP_SYS(_llseek),
#endif
    /* mkdir and unlink (at the end of this list) get no per-path rule in
     * this file, unlike open/rename/chmod/chown which are filtered on the
     * path pointer in their sb_*() functions. */
    SCMP_SYS(mkdir),
    SCMP_SYS(mlockall),
#ifdef __NR_mmap
    /* XXXX restrict this in the same ways as mmap2 */
    SCMP_SYS(mmap),
#endif
    SCMP_SYS(munmap),
#ifdef __NR_prlimit
    SCMP_SYS(prlimit),
#endif
#ifdef __NR_prlimit64
    SCMP_SYS(prlimit64),
#endif
    SCMP_SYS(read),
    SCMP_SYS(rt_sigreturn),
    SCMP_SYS(sched_getaffinity),
#ifdef __NR_sched_yield
    SCMP_SYS(sched_yield),
#endif
    SCMP_SYS(sendmsg),
    SCMP_SYS(set_robust_list),
#ifdef __NR_setrlimit
    SCMP_SYS(setrlimit),
#endif
#ifdef __NR_sigaltstack
    SCMP_SYS(sigaltstack),
#endif
#ifdef __NR_sigreturn
    SCMP_SYS(sigreturn),
#endif
    SCMP_SYS(stat),
    SCMP_SYS(uname),
    SCMP_SYS(wait4),
    SCMP_SYS(write),
    SCMP_SYS(writev),
    SCMP_SYS(exit_group),
    SCMP_SYS(exit),

    SCMP_SYS(madvise),
#ifdef __NR_stat64
    // getaddrinfo uses this..
    SCMP_SYS(stat64),
#endif

#ifdef __NR_getrandom
    SCMP_SYS(getrandom),
#endif

#ifdef __NR_sysinfo
    // qsort uses this..
    SCMP_SYS(sysinfo),
#endif
    /*
     * These socket syscalls are not required on x86_64 and not supported with
     * some libseccomp versions (eg: 1.0.1)
     */
#if defined(__i386)
    SCMP_SYS(recv),
    SCMP_SYS(send),
#endif

    // socket syscalls
    SCMP_SYS(bind),
    SCMP_SYS(listen),
    SCMP_SYS(connect),
    SCMP_SYS(getsockname),
    SCMP_SYS(recvmsg),
    SCMP_SYS(recvfrom),
    SCMP_SYS(sendto),
    SCMP_SYS(unlink)
};

/* These macros help avoid the error where the number of filters we add on a
 * single rule don't match the arg_cnt param. */
#define seccomp_rule_add_0(ctx,act,call) \
  seccomp_rule_add((ctx),(act),(call),0)
#define seccomp_rule_add_1(ctx,act,call,f1) \
  seccomp_rule_add((ctx),(act),(call),1,(f1))
#define seccomp_rule_add_2(ctx,act,call,f1,f2)  \
  seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
#define seccomp_rule_add_3(ctx,act,call,f1,f2,f3)       \
  seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
#define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4)      \
  seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))

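/**
 * Function responsible for setting up the rt_sigaction syscall for
 * the seccomp filter sandbox.
 *
 * Adds one allow rule per signal in the local <b>param</b> list, matching
 * rt_sigaction's first argument (the signal number) for equality. Signals
 * not listed get no allow rule from this function.
 *
 * <b>filter</b> is unused: these rules do not depend on the dynamic
 * parameter list.
 *
 * Returns 0 on success, or the libseccomp error code of the first rule that
 * could not be added.
 */
static int
sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  unsigned i;
  /* Initialised so the return value is defined even if the loop body never
   * runs (the list is never empty today, but an uninitialised read would be
   * UB if that changed). */
  int rc = 0;
  int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
#ifdef SIGXFSZ
      SIGXFSZ
#endif
      };
  (void) filter;

  for (i = 0; i < ARRAY_LENGTH(param); i++) {
    rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
        SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
    if (rc)
      break;
  }

  return rc;
}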

#if 0
/**
 * Function responsible for setting up the execve syscall for
 * the seccomp filter sandbox.
 *
 * Currently compiled out: this definition sits inside an "#if 0" block, so
 * no execve allow rule is installed by this file as it stands.
 *
 * If re-enabled it would add one allow rule per protected (prot == 1)
 * execve entry in <b>filter</b>. SCMP_CMP_STR compares the address of
 * param->value (see the macro definition above), not the string contents.
 *
 * Returns 0 on success, or the libseccomp error code of the first failed
 * rule.
 */
static int
sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  int rc;
  sandbox_cfg_t *elem = NULL;

  // for each dynamic parameter filters
  for (elem = filter; elem != NULL; elem = elem->next) {
    smp_param_t *param = elem->param;

    if (param != NULL && param->prot == 1 && param->syscall
        == SCMP_SYS(execve)) {
      rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve),
               SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
      if (rc != 0) {
        log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received "
            "libseccomp error %d", rc);
        return rc;
      }
    }
  }

  return 0;
}
#endif

/**
 * Function responsible for setting up the time syscall for
 * the seccomp filter sandbox.
 *
 * Only the time(NULL) form is allowed: the first argument must compare
 * equal to 0. On platforms without __NR_time nothing is added and 0 is
 * returned.
 *
 * <b>filter</b> is unused. Returns the libseccomp result (0 on success).
 */
static int
sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  int rc = 0;
  (void) filter;

#ifdef __NR_time
  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
       SCMP_CMP(0, SCMP_CMP_EQ, 0));
#else
  (void) ctx;
#endif

  return rc;
}

/**
 * Function responsible for setting up the accept4 syscall for
 * the seccomp filter sandbox.
 *
 * accept4 is allowed only when its flags argument (arg 3) is 0 once
 * SOCK_CLOEXEC and SOCK_NONBLOCK have been masked off, i.e. no other flag
 * bits may be set. On i386 the socketcall() multiplexer entry for accept4
 * (call number 18, SYS_ACCEPT4) is allowed as well.
 *
 * <b>filter</b> is unused. Returns 0 on success or the first libseccomp
 * error code.
 */
static int
sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  (void)filter;

#ifdef __i386__
  {
    int rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
        SCMP_CMP(0, SCMP_CMP_EQ, 18));
    if (rc) {
      return rc;
    }
  }
#endif

  return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
                   SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
}

#ifdef __NR_mmap2
/**
 * Function responsible for setting up the mmap2 syscall for
 * the seccomp filter sandbox.
 *
 * mmap2 is allowed only for the exact (prot, flags) pairs in the table
 * below; arguments 2 and 3 must both match for a rule to apply. Note that
 * no pair grants PROT_WRITE together with PROT_EXEC.
 *
 * <b>filter</b> is unused. Returns 0 on success or the libseccomp error
 * code of the first rule that failed.
 */
static int
sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const struct {
    int prot;
    int flags;
  } allowed[] = {
    { PROT_READ,            MAP_PRIVATE },
    { PROT_NONE,            MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE },
    { PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS },
    { PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK },
    { PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE },
    { PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS },
    { PROT_READ|PROT_EXEC,  MAP_PRIVATE|MAP_DENYWRITE },
  };
  size_t idx;
  (void)filter;

  for (idx = 0; idx < sizeof(allowed) / sizeof(allowed[0]); ++idx) {
    int rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
         SCMP_CMP(2, SCMP_CMP_EQ, allowed[idx].prot),
         SCMP_CMP(3, SCMP_CMP_EQ, allowed[idx].flags));
    if (rc) {
      return rc;
    }
  }

  return 0;
}
#endif

#ifdef HAVE_GNU_LIBC_VERSION_H
#ifdef HAVE_GNU_GET_LIBC_VERSION
#define CHECK_LIBC_VERSION
#endif
#endif

/* Return true if we think we're running with a libc that always uses
 * openat on linux.
 *
 * The decision is made from gnu_get_libc_version(): glibc 2.26 or any
 * 3.x is treated as "openat everywhere". When the version string is
 * missing or does not parse as "major.minor", or when the version check
 * was not compiled in, the answer is 0. */
static int
libc_uses_openat_for_everything(void)
{
#ifdef CHECK_LIBC_VERSION
  int major = -1;
  int minor = -1;
  const char *version = gnu_get_libc_version();

  if (!version)
    return 0;

  /* Fields keep their -1 sentinel if the string does not parse, which
   * makes both comparisons below false. */
  tor_sscanf(version, "%d.%d", &major, &minor);

  return (major >= 3) || (major == 2 && minor >= 26);
#else
  return 0;
#endif
}

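/** Allow a single file to be opened.  If <b>use_openat</b> is true,
 * we're using a libc that remaps all the opens into openats.
 *
 * SCMP_CMP_STR compares the *address* of <b>file</b> (see its definition
 * above), not the string contents: the rule only matches a call that passes
 * this exact pointer. The open flags are not restricted by this rule.
 *
 * Returns the result of seccomp_rule_add(): 0 on success, non-zero on
 * failure.
 */
static int
allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file)
{
  if (use_openat) {
    /* AT_FDCWD is an integer, not a pointer: compare it with SCMP_CMP, as
     * sb_openat() does, instead of routing it through the pointer cast in
     * SCMP_CMP_STR. The resulting datum is the same; this only avoids the
     * int-to-pointer conversion. */
    return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
                              SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
                              SCMP_CMP_STR(1, SCMP_CMP_EQ, file));
  } else {
    return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
                              SCMP_CMP_STR(0, SCMP_CMP_EQ, file));
  }
}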

/**
 * Function responsible for setting up the open syscall for
 * the seccomp filter sandbox.
 *
 * First, every protected (prot == 1) open entry in <b>filter</b> gets an
 * allow rule via allow_file_open(), using openat when the running libc is
 * believed to route open() through openat(). Then two catch-all rules make
 * any other read-only open()/openat() -- with O_CLOEXEC, O_NONBLOCK,
 * O_NOCTTY and O_NOFOLLOW masked off before the O_RDONLY comparison --
 * fail with EACCES, so unexpected read-only opens surface as an ordinary
 * error to the caller.
 *
 * Returns 0 on success or the libseccomp error code of the first rule that
 * failed; each failure is logged.
 */
static int
sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  int rc;
  sandbox_cfg_t *elem;
  const int use_openat = libc_uses_openat_for_everything();

  for (elem = filter; elem; elem = elem->next) {
    smp_param_t *param = elem->param;

    if (!param || param->prot != 1 || param->syscall != SCMP_SYS(open))
      continue;

    rc = allow_file_open(ctx, use_openat, param->value);
    if (rc != 0) {
      log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
          "libseccomp error %d", rc);
      return rc;
    }
  }

  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
                SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
                                O_RDONLY));
  if (rc != 0) {
    log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
        "error %d", rc);
    return rc;
  }

  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat),
                SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
                                O_RDONLY));
  if (rc != 0) {
    log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
            "libseccomp error %d", rc);
    return rc;
  }

  return 0;
}

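/**
 * Function responsible for setting up the chmod syscall for
 * the seccomp filter sandbox.
 *
 * Adds one allow rule per protected (prot == 1) chmod entry in the dynamic
 * parameter list <b>filter</b>. SCMP_CMP_STR compares the address of
 * param->value, not the string contents, so only a call passing that exact
 * pointer matches. The mode argument is not restricted.
 *
 * Returns 0 on success, or the libseccomp error code of the first rule that
 * could not be added.
 */
static int
sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  int rc;
  sandbox_cfg_t *elem = NULL;

  // for each dynamic parameter filters
  for (elem = filter; elem != NULL; elem = elem->next) {
    smp_param_t *param = elem->param;

    if (param != NULL && param->prot == 1 && param->syscall
        == SCMP_SYS(chmod)) {
      rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chmod),
            SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
      if (rc != 0) {
        /* Name the syscall that actually failed (the message used to say
         * "open", copied from sb_open). */
        log_err(LD_BUG,"(Sandbox) failed to add chmod syscall, received "
            "libseccomp error %d", rc);
        return rc;
      }
    }
  }

  return 0;
}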

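/**
 * Function responsible for setting up the chown syscall for
 * the seccomp filter sandbox.
 *
 * Adds one allow rule per protected (prot == 1) chown entry in the dynamic
 * parameter list <b>filter</b>. SCMP_CMP_STR compares the address of
 * param->value, not the string contents, so only a call passing that exact
 * pointer matches. The owner/group arguments are not restricted.
 *
 * Returns 0 on success, or the libseccomp error code of the first rule that
 * could not be added.
 */
static int
sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  int rc;
  sandbox_cfg_t *elem = NULL;

  // for each dynamic parameter filters
  for (elem = filter; elem != NULL; elem = elem->next) {
    smp_param_t *param = elem->param;

    if (param != NULL && param->prot == 1 && param->syscall
        == SCMP_SYS(chown)) {
      rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown),
            SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
      if (rc != 0) {
        /* Name the syscall that actually failed (the message used to say
         * "open", copied from sb_open). */
        log_err(LD_BUG,"(Sandbox) failed to add chown syscall, received "
            "libseccomp error %d", rc);
        return rc;
      }
    }
  }

  return 0;
}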

/**
 * Function responsible for setting up the _sysctl syscall for
 * the seccomp filter sandbox.
 *
 * Rather than allowing it, this installs an unconditional rule that makes
 * _sysctl fail with EPERM, so a stray call gets an error return instead of
 * hitting the filter's fallback.
 *
 * <b>filter</b> is unused. Returns 0 on success or the libseccomp error
 * code (which is also logged).
 */
static int
sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  const int rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM),
                                    SCMP_SYS(_sysctl));
  (void) filter;

  if (rc != 0) {
    log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
        "received libseccomp error %d", rc);
    return rc;
  }

  return 0;
}

/**
 * Function responsible for setting up the rename syscall for
 * the seccomp filter sandbox.
 *
 * For every protected (prot == 1) rename entry in <b>filter</b>, allows
 * rename() only when both the old path (arg 0) and the new path (arg 1)
 * are the pointers stored in param->value and param->value2; SCMP_CMP_STR
 * compares addresses, not string contents.
 *
 * Returns 0 on success or the libseccomp error code of the first rule that
 * failed (logged).
 */
static int
sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  sandbox_cfg_t *elem;

  for (elem = filter; elem; elem = elem->next) {
    smp_param_t *param = elem->param;
    int rc;

    if (!param || param->prot != 1 || param->syscall != SCMP_SYS(rename))
      continue;

    rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
          SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
          SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
    if (rc != 0) {
      log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
          "libseccomp error %d", rc);
      return rc;
    }
  }

  return 0;
}

/**
 * Function responsible for setting up the openat syscall for
 * the seccomp filter sandbox.
 *
 * For every protected (prot == 1) openat entry in <b>filter</b>, allows
 * openat() only with dirfd == AT_FDCWD, the path pointer stored in
 * param->value (SCMP_CMP_STR compares the address, not the contents), and
 * exactly the flag set O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC
 * -- presumably what the directory-listing code path passes; confirm
 * against the caller if the flags are ever changed.
 *
 * Returns 0 on success or the libseccomp error code of the first rule that
 * failed (logged).
 */
static int
sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  sandbox_cfg_t *elem;

  for (elem = filter; elem; elem = elem->next) {
    smp_param_t *param = elem->param;
    int rc;

    if (!param || param->prot != 1 || param->syscall != SCMP_SYS(openat))
      continue;

    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
        SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
        SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
        SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
            O_CLOEXEC));
    if (rc != 0) {
      log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
          "libseccomp error %d", rc);
      return rc;
    }
  }

  return 0;
}

/**
 * Function responsible for setting up the socket syscall for
 * the seccomp filter sandbox.
 *
 * socket() is allowed for PF_FILE stream sockets with any protocol, and
 * for the (domain, type, protocol) triples in the table below. The type
 * argument is compared after clearing the bits in type_mask, so callers
 * may additionally pass those flags (SOCK_CLOEXEC/SOCK_NONBLOCK, or only
 * SOCK_CLOEXEC for the netlink entry). On i386 the syscall is allowed
 * unconditionally first.
 *
 * <b>filter</b> is unused. Returns 0 on success or the first libseccomp
 * error code.
 */
static int
sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const struct {
    int domain;
    int type_mask;
    int type;
    int protocol;
  } allowed[] = {
    { PF_INET6,   SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM, IPPROTO_TCP },
    { PF_INET6,   SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM,  IPPROTO_IP },
    { PF_INET6,   SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM,  IPPROTO_UDP },
    { PF_INET,    SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM, IPPROTO_TCP },
    { PF_INET,    SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM,  IPPROTO_IP },
    { PF_INET,    SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM,  IPPROTO_UDP },
    { PF_UNIX,    SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM, 0 },
    { PF_UNIX,    SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM,  0 },
    { PF_NETLINK, SOCK_CLOEXEC,               SOCK_RAW,    0 },
  };
  size_t idx;
  int rc;
  (void) filter;

#ifdef __i386__
  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
  if (rc)
    return rc;
#endif

  /* Two-argument rule: PF_FILE stream sockets, protocol unchecked. */
  rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
      SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
  if (rc)
    return rc;

  for (idx = 0; idx < sizeof(allowed) / sizeof(allowed[0]); ++idx) {
    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
      SCMP_CMP(0, SCMP_CMP_EQ, allowed[idx].domain),
      SCMP_CMP_MASKED(1, allowed[idx].type_mask, allowed[idx].type),
      SCMP_CMP(2, SCMP_CMP_EQ, allowed[idx].protocol));
    if (rc)
      return rc;
  }

  return 0;
}

/**
 * Function responsible for setting up the socketpair syscall for
 * the seccomp filter sandbox.
 *
 * socketpair() is allowed for domain PF_FILE with the type argument equal
 * to exactly SOCK_STREAM|SOCK_CLOEXEC (an exact compare, unlike sb_socket,
 * so SOCK_NONBLOCK is not accepted here). On i386 the syscall is allowed
 * unconditionally first.
 *
 * <b>filter</b> is unused. Returns 0 on success or the first libseccomp
 * error code.
 */
static int
sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  (void) filter;

#ifdef __i386__
  {
    int rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
    if (rc)
      return rc;
  }
#endif

  return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
      SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
      SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
}

/**
 * Function responsible for setting up the setsockopt syscall for
 * the seccomp filter sandbox.
 *
 * setsockopt() is allowed only for the (level, optname) pairs in the table
 * below; the socket fd and the option value are not checked. Entries that
 * depend on build configuration or on the headers defining the option are
 * compiled in conditionally. On i386 the syscall is allowed unconditionally
 * first.
 *
 * <b>filter</b> is unused. Returns 0 on success or the first libseccomp
 * error code.
 */
static int
sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const struct {
    int level;
    int optname;
  } allowed[] = {
    { SOL_SOCKET, SO_REUSEADDR },
    { SOL_SOCKET, SO_SNDBUF },
    { SOL_SOCKET, SO_RCVBUF },
#ifdef HAVE_SYSTEMD
    { SOL_SOCKET, SO_SNDBUFFORCE },
#endif
#ifdef IP_TRANSPARENT
    { SOL_IP, IP_TRANSPARENT },
#endif
#ifdef IPV6_V6ONLY
    { IPPROTO_IPV6, IPV6_V6ONLY },
#endif
  };
  size_t idx;
  int rc;
  (void) filter;

#ifdef __i386__
  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
  if (rc)
    return rc;
#endif

  for (idx = 0; idx < sizeof(allowed) / sizeof(allowed[0]); ++idx) {
    rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
        SCMP_CMP(1, SCMP_CMP_EQ, allowed[idx].level),
        SCMP_CMP(2, SCMP_CMP_EQ, allowed[idx].optname));
    if (rc)
      return rc;
  }

  return 0;
}

/**
 * Function responsible for setting up the getsockopt syscall for
 * the seccomp filter sandbox.
 *
 * getsockopt() is allowed only for the (level, optname) pairs in the table
 * below; the socket fd and the result buffer are not checked. The
 * SO_ORIGINAL_DST / IP6T_SO_ORIGINAL_DST entries are only present when the
 * netfilter headers were found at configure time. On i386 the syscall is
 * allowed unconditionally first.
 *
 * <b>filter</b> is unused. Returns 0 on success or the first libseccomp
 * error code.
 */
static int
sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const struct {
    int level;
    int optname;
  } allowed[] = {
    { SOL_SOCKET, SO_ERROR },
#ifdef HAVE_SYSTEMD
    { SOL_SOCKET, SO_SNDBUF },
#endif
#ifdef HAVE_LINUX_NETFILTER_IPV4_H
    { SOL_IP, SO_ORIGINAL_DST },
#endif
#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
    { SOL_IPV6, IP6T_SO_ORIGINAL_DST },
#endif
  };
  size_t idx;
  int rc;
  (void) filter;

#ifdef __i386__
  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
  if (rc)
    return rc;
#endif

  for (idx = 0; idx < sizeof(allowed) / sizeof(allowed[0]); ++idx) {
    rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
        SCMP_CMP(1, SCMP_CMP_EQ, allowed[idx].level),
        SCMP_CMP(2, SCMP_CMP_EQ, allowed[idx].optname));
    if (rc)
      return rc;
  }

  return 0;
}

#ifdef __NR_fcntl64
/**
 * Function responsible for setting up the fcntl64 syscall for
 * the seccomp filter sandbox.
 *
 * Allows the two "get" commands (F_GETFL, F_GETFD) with no further checks,
 * and the two "set" commands only with a fixed value: F_SETFL with exactly
 * O_RDWR|O_NONBLOCK and F_SETFD with exactly FD_CLOEXEC. The fd argument is
 * never checked.
 *
 * <b>filter</b> is unused. Returns 0 on success or the first libseccomp
 * error code.
 */
static int
sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const struct {
    int cmd;
    int check_arg;   /* nonzero: also require arg 2 == arg */
    int arg;
  } allowed[] = {
    { F_GETFL, 0, 0 },
    { F_SETFL, 1, O_RDWR|O_NONBLOCK },
    { F_GETFD, 0, 0 },
    { F_SETFD, 1, FD_CLOEXEC },
  };
  size_t idx;
  (void) filter;

  for (idx = 0; idx < sizeof(allowed) / sizeof(allowed[0]); ++idx) {
    int rc;

    if (allowed[idx].check_arg) {
      rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
          SCMP_CMP(1, SCMP_CMP_EQ, allowed[idx].cmd),
          SCMP_CMP(2, SCMP_CMP_EQ, allowed[idx].arg));
    } else {
      rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
          SCMP_CMP(1, SCMP_CMP_EQ, allowed[idx].cmd));
    }
    if (rc)
      return rc;
  }

  return 0;
}
#endif

/**
 * Function responsible for setting up the epoll_ctl syscall for
 * the seccomp filter sandbox.
 *
 * Allows epoll_ctl for EPOLL_CTL_ADD, EPOLL_CTL_MOD and EPOLL_CTL_DEL (the
 * op argument, arg 1). Those are all the operations epoll_ctl has, so this
 * is in effect an unconditional allow; the per-op rules were kept by the
 * original author anyway.
 *
 * <b>filter</b> is unused. Returns 0 on success or the first libseccomp
 * error code.
 */
static int
sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const int ops[] = { EPOLL_CTL_ADD, EPOLL_CTL_MOD, EPOLL_CTL_DEL };
  size_t idx;
  (void) filter;

  for (idx = 0; idx < sizeof(ops) / sizeof(ops[0]); ++idx) {
    int rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
        SCMP_CMP(1, SCMP_CMP_EQ, ops[idx]));
    if (rc)
      return rc;
  }

  return 0;
}

/**
 * Function responsible for setting up the prctl syscall for
 * the seccomp filter sandbox.
 *
 * Only prctl(PR_SET_DUMPABLE, ...) is allowed (arg 0 compared for
 * equality); no other prctl option gets an allow rule here.
 *
 * NOTE: if multiple filters ever need to be added after the first one is
 * installed, PR_SET_SECCOMP would have to be whitelisted in this function
 * as well.
 *
 * <b>filter</b> is unused. Returns the libseccomp result (0 on success).
 */
static int
sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  (void) filter;

  return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
      SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
}

/**
 * Function responsible for setting up the mprotect syscall for
 * the seccomp filter sandbox.
 *
 * Allows mprotect only when the prot argument (arg 2) is exactly PROT_READ
 * or exactly PROT_NONE; in particular no rule here grants PROT_WRITE or
 * PROT_EXEC.
 *
 * NOTE (from the original author): this does not strictly need to be here,
 * since the calls currently happen before the filter is installed; kept in
 * case that changes.
 *
 * <b>filter</b> is unused. Returns 0 on success or the first libseccomp
 * error code.
 */
static int
sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const int prots[] = { PROT_READ, PROT_NONE };
  size_t idx;
  (void) filter;

  for (idx = 0; idx < sizeof(prots) / sizeof(prots[0]); ++idx) {
    int rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
        SCMP_CMP(2, SCMP_CMP_EQ, prots[idx]));
    if (rc)
      return rc;
  }

  return 0;
}

/**
 * Function responsible for setting up the rt_sigprocmask syscall for
 * the seccomp filter sandbox.
 *
 * Allows rt_sigprocmask only when the "how" argument (arg 0) is SIG_UNBLOCK
 * or SIG_SETMASK; SIG_BLOCK gets no allow rule from this function. The
 * signal-set arguments are not inspected.
 *
 * <b>filter</b> is unused. Returns 0 on success or the first libseccomp
 * error code.
 */
static int
sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const int how[] = { SIG_UNBLOCK, SIG_SETMASK };
  size_t idx;
  (void) filter;

  for (idx = 0; idx < sizeof(how) / sizeof(how[0]); ++idx) {
    int rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
        SCMP_CMP(0, SCMP_CMP_EQ, how[idx]));
    if (rc)
      return rc;
  }

  return 0;
}

/**
 * Function responsible for setting up the flock syscall for
 * the seccomp filter sandbox.
 *
 *  NOTE: does not need to be here, occurs before filter is applied.
 */
static int
sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  int rc = 0;
  (void) filter;