2013-06-17 12:07:14 +02:00
|
|
|
/* Copyright (c) 2001 Matej Pfajfar.
|
|
|
|
* Copyright (c) 2001-2004, Roger Dingledine.
|
|
|
|
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
|
2015-01-02 20:27:39 +01:00
|
|
|
* Copyright (c) 2007-2015, The Tor Project, Inc. */
|
2013-06-17 12:07:14 +02:00
|
|
|
/* See LICENSE for licensing information */
|
|
|
|
|
|
|
|
/**
|
|
|
|
* \file sandbox.c
|
|
|
|
* \brief Code to enable sandboxing.
|
|
|
|
**/
|
|
|
|
|
2013-09-13 18:31:41 +02:00
|
|
|
#include "orconfig.h"
|
|
|
|
|
|
|
|
#ifndef _LARGEFILE64_SOURCE
|
2013-08-14 23:09:07 +02:00
|
|
|
/**
|
|
|
|
* Temporarily required for O_LARGEFILE flag. Needs to be removed
|
|
|
|
* with the libevent fix.
|
|
|
|
*/
|
2013-08-14 22:03:38 +02:00
|
|
|
#define _LARGEFILE64_SOURCE
|
2013-09-13 18:31:41 +02:00
|
|
|
#endif
|
2013-08-14 22:03:38 +02:00
|
|
|
|
2013-09-12 12:43:06 +02:00
|
|
|
/** Malloc mprotect limit in bytes. */
|
|
|
|
#define MALLOC_MP_LIM 1048576
|
|
|
|
|
2013-06-17 12:07:14 +02:00
|
|
|
#include <stdio.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
|
|
|
#include "sandbox.h"
|
2014-03-28 07:10:19 +01:00
|
|
|
#include "container.h"
|
2013-06-17 12:07:14 +02:00
|
|
|
#include "torlog.h"
|
2013-07-18 17:11:47 +02:00
|
|
|
#include "torint.h"
|
2013-08-05 13:17:46 +02:00
|
|
|
#include "util.h"
|
2013-09-02 12:54:43 +02:00
|
|
|
#include "tor_queue.h"
|
2013-07-30 20:23:30 +02:00
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
#include "ht.h"
|
|
|
|
|
2013-06-17 12:07:14 +02:00
|
|
|
#define DEBUGGING_CLOSE
|
|
|
|
|
|
|
|
#if defined(USE_LIBSECCOMP)
|
|
|
|
|
2013-07-30 18:09:28 +02:00
|
|
|
#define _GNU_SOURCE
|
|
|
|
|
2013-07-18 17:03:10 +02:00
|
|
|
#include <sys/mman.h>
|
2013-06-17 12:07:14 +02:00
|
|
|
#include <sys/syscall.h>
|
2013-07-30 18:09:28 +02:00
|
|
|
#include <sys/types.h>
|
2013-08-14 22:03:38 +02:00
|
|
|
#include <sys/stat.h>
|
2013-07-30 23:27:14 +02:00
|
|
|
#include <sys/epoll.h>
|
2013-07-31 10:35:25 +02:00
|
|
|
#include <sys/prctl.h>
|
|
|
|
#include <linux/futex.h>
|
2015-10-15 16:35:45 +02:00
|
|
|
#include <sys/file.h>
|
2013-07-30 18:09:28 +02:00
|
|
|
|
2013-08-10 17:04:48 +02:00
|
|
|
#include <stdarg.h>
|
2013-06-17 12:07:14 +02:00
|
|
|
#include <seccomp.h>
|
|
|
|
#include <signal.h>
|
|
|
|
#include <unistd.h>
|
2013-07-30 18:09:28 +02:00
|
|
|
#include <fcntl.h>
|
2013-07-30 22:20:08 +02:00
|
|
|
#include <time.h>
|
2013-07-31 11:05:10 +02:00
|
|
|
#include <poll.h>
|
2013-06-17 12:07:14 +02:00
|
|
|
|
2014-12-23 16:51:36 +01:00
|
|
|
#ifdef HAVE_LINUX_NETFILTER_IPV4_H
|
|
|
|
#include <linux/netfilter_ipv4.h>
|
|
|
|
#endif
|
|
|
|
#ifdef HAVE_LINUX_IF_H
|
|
|
|
#include <linux/if.h>
|
|
|
|
#endif
|
|
|
|
#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
|
|
|
|
#include <linux/netfilter_ipv6/ip6_tables.h>
|
|
|
|
#endif
|
|
|
|
|
2014-04-10 21:44:52 +02:00
|
|
|
#if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
|
|
|
|
defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
|
|
|
|
#define USE_BACKTRACE
|
|
|
|
#define EXPOSE_CLEAN_BACKTRACE
|
|
|
|
#include "backtrace.h"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef USE_BACKTRACE
|
|
|
|
#include <execinfo.h>
|
|
|
|
#endif
|
|
|
|
|
2014-05-27 20:50:44 +02:00
|
|
|
/**
|
|
|
|
* Linux 32 bit definitions
|
|
|
|
*/
|
|
|
|
#if defined(__i386__)
|
|
|
|
|
|
|
|
#define REG_SYSCALL REG_EAX
|
|
|
|
#define M_SYSCALL gregs[REG_SYSCALL]
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Linux 64 bit definitions
|
|
|
|
*/
|
|
|
|
#elif defined(__x86_64__)
|
|
|
|
|
|
|
|
#define REG_SYSCALL REG_RAX
|
|
|
|
#define M_SYSCALL gregs[REG_SYSCALL]
|
|
|
|
|
|
|
|
#elif defined(__arm__)
|
|
|
|
|
|
|
|
#define M_SYSCALL arm_r7
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**Determines if at least one sandbox is active.*/
|
2013-09-03 15:37:12 +02:00
|
|
|
static int sandbox_active = 0;
|
2013-09-06 20:41:45 +02:00
|
|
|
/** Holds the parameter list configuration for the sandbox.*/
|
2013-08-05 13:17:46 +02:00
|
|
|
static sandbox_cfg_t *filter_dynamic = NULL;
|
2013-08-19 12:56:50 +02:00
|
|
|
|
2013-09-09 21:16:30 +02:00
|
|
|
#undef SCMP_CMP
|
|
|
|
#define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
|
2014-08-21 17:20:29 +02:00
|
|
|
#define SCMP_CMP_STR(a,b,c) \
|
2014-08-24 19:32:39 +02:00
|
|
|
((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
|
2014-04-16 21:17:23 +02:00
|
|
|
#define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
|
|
|
|
/* We use a wrapper here because these masked comparisons seem to be pretty
|
|
|
|
* verbose. Also, it's important to cast to scmp_datum_t before negating the
|
|
|
|
* mask, since otherwise the negation might get applied to a 32 bit value, and
|
|
|
|
* the high bits of the value might get masked out improperly. */
|
|
|
|
#define SCMP_CMP_MASKED(a,b,c) \
|
|
|
|
SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
|
2013-09-09 21:16:30 +02:00
|
|
|
|
2013-06-17 12:07:14 +02:00
|
|
|
/** Variable used for storing all syscall numbers that will be allowed with the
|
|
|
|
* stage 1 general Tor sandbox.
|
|
|
|
*/
|
2013-07-24 16:06:06 +02:00
|
|
|
static int filter_nopar_gen[] = {
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_SYS(access),
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(brk),
|
2013-08-14 22:03:38 +02:00
|
|
|
SCMP_SYS(clock_gettime),
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(close),
|
|
|
|
SCMP_SYS(clone),
|
|
|
|
SCMP_SYS(epoll_create),
|
|
|
|
SCMP_SYS(epoll_wait),
|
2015-06-15 16:13:11 +02:00
|
|
|
#ifdef HAVE_EVENTFD
|
2015-06-02 20:06:49 +02:00
|
|
|
SCMP_SYS(eventfd2),
|
2015-06-15 16:13:11 +02:00
|
|
|
#endif
|
|
|
|
#ifdef HAVE_PIPE2
|
|
|
|
SCMP_SYS(pipe2),
|
|
|
|
#endif
|
|
|
|
#ifdef HAVE_PIPE
|
|
|
|
SCMP_SYS(pipe),
|
|
|
|
#endif
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(fcntl),
|
|
|
|
SCMP_SYS(fstat),
|
|
|
|
#ifdef __NR_fstat64
|
|
|
|
SCMP_SYS(fstat64),
|
|
|
|
#endif
|
2015-06-02 20:06:49 +02:00
|
|
|
SCMP_SYS(futex),
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(getdents64),
|
|
|
|
SCMP_SYS(getegid),
|
|
|
|
#ifdef __NR_getegid32
|
|
|
|
SCMP_SYS(getegid32),
|
|
|
|
#endif
|
|
|
|
SCMP_SYS(geteuid),
|
|
|
|
#ifdef __NR_geteuid32
|
|
|
|
SCMP_SYS(geteuid32),
|
|
|
|
#endif
|
|
|
|
SCMP_SYS(getgid),
|
|
|
|
#ifdef __NR_getgid32
|
|
|
|
SCMP_SYS(getgid32),
|
|
|
|
#endif
|
2014-06-09 04:33:38 +02:00
|
|
|
#ifdef __NR_getrlimit
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(getrlimit),
|
2014-05-27 20:50:44 +02:00
|
|
|
#endif
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(gettimeofday),
|
2014-05-20 21:49:01 +02:00
|
|
|
SCMP_SYS(gettid),
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(getuid),
|
|
|
|
#ifdef __NR_getuid32
|
|
|
|
SCMP_SYS(getuid32),
|
|
|
|
#endif
|
|
|
|
SCMP_SYS(lseek),
|
|
|
|
#ifdef __NR__llseek
|
|
|
|
SCMP_SYS(_llseek),
|
|
|
|
#endif
|
|
|
|
SCMP_SYS(mkdir),
|
|
|
|
SCMP_SYS(mlockall),
|
2014-05-27 20:50:44 +02:00
|
|
|
#ifdef __NR_mmap
|
|
|
|
/* XXXX restrict this in the same ways as mmap2 */
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(mmap),
|
2014-05-27 20:50:44 +02:00
|
|
|
#endif
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(munmap),
|
|
|
|
SCMP_SYS(read),
|
|
|
|
SCMP_SYS(rt_sigreturn),
|
2014-05-20 21:49:01 +02:00
|
|
|
SCMP_SYS(sched_getaffinity),
|
2015-05-28 20:05:46 +02:00
|
|
|
SCMP_SYS(sendmsg),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_SYS(set_robust_list),
|
2013-06-17 12:07:14 +02:00
|
|
|
#ifdef __NR_sigreturn
|
|
|
|
SCMP_SYS(sigreturn),
|
|
|
|
#endif
|
|
|
|
SCMP_SYS(stat),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_SYS(uname),
|
2015-03-04 12:18:10 +01:00
|
|
|
SCMP_SYS(wait4),
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(write),
|
2014-04-10 21:08:28 +02:00
|
|
|
SCMP_SYS(writev),
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(exit_group),
|
|
|
|
SCMP_SYS(exit),
|
|
|
|
|
2013-08-09 18:07:20 +02:00
|
|
|
SCMP_SYS(madvise),
|
2013-09-09 20:55:47 +02:00
|
|
|
#ifdef __NR_stat64
|
2013-08-12 20:14:43 +02:00
|
|
|
// getaddrinfo uses this..
|
|
|
|
SCMP_SYS(stat64),
|
2013-09-09 20:55:47 +02:00
|
|
|
#endif
|
2013-07-31 11:05:10 +02:00
|
|
|
|
2015-11-26 16:21:50 +01:00
|
|
|
#ifdef __NR_getrandom
|
|
|
|
SCMP_SYS(getrandom),
|
|
|
|
#endif
|
|
|
|
|
2013-09-12 14:38:14 +02:00
|
|
|
/*
|
|
|
|
* These socket syscalls are not required on x86_64 and not supported with
|
|
|
|
* some libseccomp versions (eg: 1.0.1)
|
|
|
|
*/
|
|
|
|
#if defined(__i386)
|
|
|
|
SCMP_SYS(recv),
|
|
|
|
SCMP_SYS(send),
|
|
|
|
#endif
|
|
|
|
|
2013-06-17 12:07:14 +02:00
|
|
|
// socket syscalls
|
|
|
|
SCMP_SYS(bind),
|
2014-05-28 01:28:12 +02:00
|
|
|
SCMP_SYS(listen),
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(connect),
|
|
|
|
SCMP_SYS(getsockname),
|
|
|
|
SCMP_SYS(recvmsg),
|
2013-08-16 00:43:09 +02:00
|
|
|
SCMP_SYS(recvfrom),
|
2013-06-17 12:07:14 +02:00
|
|
|
SCMP_SYS(sendto),
|
2013-08-21 18:01:01 +02:00
|
|
|
SCMP_SYS(unlink)
|
2013-06-17 12:07:14 +02:00
|
|
|
};
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
/* These macros help avoid the error where the number of filters we add on a
|
|
|
|
* single rule don't match the arg_cnt param. */
|
|
|
|
#define seccomp_rule_add_0(ctx,act,call) \
|
|
|
|
seccomp_rule_add((ctx),(act),(call),0)
|
|
|
|
#define seccomp_rule_add_1(ctx,act,call,f1) \
|
|
|
|
seccomp_rule_add((ctx),(act),(call),1,(f1))
|
|
|
|
#define seccomp_rule_add_2(ctx,act,call,f1,f2) \
|
|
|
|
seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
|
|
|
|
#define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
|
|
|
|
seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
|
|
|
|
#define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
|
|
|
|
seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the rt_sigaction syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-30 22:20:08 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 22:20:08 +02:00
|
|
|
{
|
2013-09-09 21:14:50 +02:00
|
|
|
unsigned i;
|
|
|
|
int rc;
|
2013-07-30 20:23:30 +02:00
|
|
|
int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
|
|
|
|
#ifdef SIGXFSZ
|
|
|
|
SIGXFSZ
|
|
|
|
#endif
|
|
|
|
};
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-30 20:23:30 +02:00
|
|
|
|
2013-08-05 13:17:46 +02:00
|
|
|
for (i = 0; i < ARRAY_LENGTH(param); i++) {
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
|
2013-07-30 20:23:30 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
|
2013-07-30 22:43:42 +02:00
|
|
|
if (rc)
|
2013-07-30 20:23:30 +02:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
2014-05-20 18:21:31 +02:00
|
|
|
#if 0
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the execve syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-30 22:20:08 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 22:20:08 +02:00
|
|
|
{
|
2013-07-30 20:23:30 +02:00
|
|
|
int rc;
|
2013-08-05 14:40:23 +02:00
|
|
|
sandbox_cfg_t *elem = NULL;
|
2013-07-18 17:11:47 +02:00
|
|
|
|
2013-07-30 20:23:30 +02:00
|
|
|
// for each dynamic parameter filters
|
2013-08-05 14:40:23 +02:00
|
|
|
for (elem = filter; elem != NULL; elem = elem->next) {
|
2014-04-16 18:24:08 +02:00
|
|
|
smp_param_t *param = elem->param;
|
2013-09-02 12:54:43 +02:00
|
|
|
|
|
|
|
if (param != NULL && param->prot == 1 && param->syscall
|
|
|
|
== SCMP_SYS(execve)) {
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve),
|
2014-08-21 17:20:29 +02:00
|
|
|
SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
|
2013-07-30 20:23:30 +02:00
|
|
|
if (rc != 0) {
|
2013-08-21 16:57:15 +02:00
|
|
|
log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received "
|
|
|
|
"libseccomp error %d", rc);
|
2013-07-30 20:23:30 +02:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2013-07-18 17:11:47 +02:00
|
|
|
|
2013-07-30 20:23:30 +02:00
|
|
|
return 0;
|
|
|
|
}
|
2014-05-20 18:21:31 +02:00
|
|
|
#endif
|
2013-07-30 20:23:30 +02:00
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the time syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-30 22:20:08 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 22:20:08 +02:00
|
|
|
{
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2014-05-27 20:50:44 +02:00
|
|
|
#ifdef __NR_time
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
|
2013-07-30 20:23:30 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, 0));
|
2014-05-27 20:50:44 +02:00
|
|
|
#else
|
|
|
|
return 0;
|
|
|
|
#endif
|
2013-07-30 20:23:30 +02:00
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the accept4 syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-30 22:20:08 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 22:20:08 +02:00
|
|
|
{
|
2013-08-26 19:06:46 +02:00
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void)filter;
|
2013-08-26 19:06:46 +02:00
|
|
|
|
|
|
|
#ifdef __i386__
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
|
2013-08-26 20:28:30 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, 18));
|
2013-08-26 19:06:46 +02:00
|
|
|
if (rc) {
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
|
2014-04-16 21:17:23 +02:00
|
|
|
SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
|
2014-03-28 06:52:08 +01:00
|
|
|
if (rc) {
|
|
|
|
return rc;
|
|
|
|
}
|
2013-08-26 19:06:46 +02:00
|
|
|
|
|
|
|
return 0;
|
2013-07-30 20:23:30 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef __NR_mmap2
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the mmap2 syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-30 22:20:08 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 22:20:08 +02:00
|
|
|
{
|
2013-07-30 20:23:30 +02:00
|
|
|
int rc = 0;
|
2014-01-06 10:27:58 +01:00
|
|
|
(void)filter;
|
2013-07-30 20:23:30 +02:00
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
|
2013-07-30 20:23:30 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
|
|
|
|
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
|
2013-07-30 22:43:42 +02:00
|
|
|
if (rc) {
|
2013-07-30 20:23:30 +02:00
|
|
|
return rc;
|
2013-07-18 17:11:47 +02:00
|
|
|
}
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
|
2013-08-09 18:07:20 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
|
|
|
|
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
|
|
|
|
if (rc) {
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
|
2013-07-30 20:23:30 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
|
|
|
|
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
|
2013-07-30 22:43:42 +02:00
|
|
|
if (rc) {
|
2013-07-30 20:23:30 +02:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
|
|
|
|
SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
|
|
|
|
if (rc) {
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
|
|
|
|
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
|
|
|
|
if (rc) {
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
|
|
|
|
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
|
|
|
|
if (rc) {
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
|
|
|
|
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
|
|
|
|
if (rc) {
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
2013-07-30 20:23:30 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the open syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-30 22:20:08 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 22:20:08 +02:00
|
|
|
{
|
2013-07-30 20:23:30 +02:00
|
|
|
int rc;
|
2013-08-05 14:40:23 +02:00
|
|
|
sandbox_cfg_t *elem = NULL;
|
2013-07-30 20:23:30 +02:00
|
|
|
|
|
|
|
// for each dynamic parameter filters
|
2013-08-05 14:40:23 +02:00
|
|
|
for (elem = filter; elem != NULL; elem = elem->next) {
|
2013-09-02 12:54:43 +02:00
|
|
|
smp_param_t *param = elem->param;
|
|
|
|
|
|
|
|
if (param != NULL && param->prot == 1 && param->syscall
|
|
|
|
== SCMP_SYS(open)) {
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
|
2014-08-21 17:20:29 +02:00
|
|
|
SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
|
2013-07-30 20:23:30 +02:00
|
|
|
if (rc != 0) {
|
2013-08-21 16:57:15 +02:00
|
|
|
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
|
|
|
|
"libseccomp error %d", rc);
|
2013-07-30 20:23:30 +02:00
|
|
|
return rc;
|
|
|
|
}
|
2013-07-18 17:11:47 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-04-17 03:50:49 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
|
2016-02-24 22:01:24 +01:00
|
|
|
SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
|
|
|
|
O_RDONLY));
|
2013-08-20 12:10:07 +02:00
|
|
|
if (rc != 0) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
|
|
|
|
"error %d", rc);
|
|
|
|
return rc;
|
|
|
|
}
|
2013-08-07 12:13:12 +02:00
|
|
|
|
2013-07-30 20:23:30 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-04-16 20:54:39 +02:00
|
|
|
static int
|
|
|
|
sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
|
{
|
|
|
|
int rc;
|
|
|
|
(void) filter;
|
|
|
|
(void) ctx;
|
|
|
|
|
|
|
|
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
|
|
|
|
if (rc != 0) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
|
|
|
|
"received libseccomp error %d", rc);
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-03-28 08:51:50 +01:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the rename syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
|
{
|
|
|
|
int rc;
|
|
|
|
sandbox_cfg_t *elem = NULL;
|
|
|
|
|
|
|
|
// for each dynamic parameter filters
|
|
|
|
for (elem = filter; elem != NULL; elem = elem->next) {
|
|
|
|
smp_param_t *param = elem->param;
|
|
|
|
|
|
|
|
if (param != NULL && param->prot == 1 &&
|
|
|
|
param->syscall == SCMP_SYS(rename)) {
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
|
2014-08-21 17:20:29 +02:00
|
|
|
SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
|
|
|
|
SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
|
2014-03-28 08:51:50 +01:00
|
|
|
if (rc != 0) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
|
|
|
|
"libseccomp error %d", rc);
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the openat syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-30 22:20:08 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 22:20:08 +02:00
|
|
|
{
|
2013-07-30 20:23:30 +02:00
|
|
|
int rc;
|
2013-08-05 14:40:23 +02:00
|
|
|
sandbox_cfg_t *elem = NULL;
|
2013-07-30 20:23:30 +02:00
|
|
|
|
|
|
|
// for each dynamic parameter filters
|
2013-08-05 14:40:23 +02:00
|
|
|
for (elem = filter; elem != NULL; elem = elem->next) {
|
2013-09-02 12:54:43 +02:00
|
|
|
smp_param_t *param = elem->param;
|
|
|
|
|
|
|
|
if (param != NULL && param->prot == 1 && param->syscall
|
|
|
|
== SCMP_SYS(openat)) {
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
|
2013-08-16 00:43:09 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
|
2014-08-21 17:20:29 +02:00
|
|
|
SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
|
2013-08-16 00:43:09 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
|
|
|
|
O_CLOEXEC));
|
2013-07-30 20:23:30 +02:00
|
|
|
if (rc != 0) {
|
2013-08-19 12:56:50 +02:00
|
|
|
log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
|
|
|
|
"libseccomp error %d", rc);
|
2013-07-30 20:23:30 +02:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the socket syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-30 22:20:08 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 22:20:08 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2014-04-16 21:17:23 +02:00
|
|
|
int i;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-30 22:20:08 +02:00
|
|
|
|
2013-08-16 00:43:09 +02:00
|
|
|
#ifdef __i386__
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
|
2013-08-16 00:43:09 +02:00
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
#endif
|
|
|
|
|
2014-04-16 21:17:23 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
|
2013-08-16 00:43:09 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
|
2014-04-16 21:17:23 +02:00
|
|
|
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
|
2013-08-16 00:43:09 +02:00
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
2014-04-16 21:17:23 +02:00
|
|
|
for (i = 0; i < 2; ++i) {
|
|
|
|
const int pf = i ? PF_INET : PF_INET6;
|
2013-07-30 22:20:08 +02:00
|
|
|
|
2014-04-16 21:17:23 +02:00
|
|
|
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
|
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, pf),
|
|
|
|
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
|
2014-01-06 10:27:58 +01:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
|
2014-04-16 21:17:23 +02:00
|
|
|
if (rc)
|
|
|
|
return rc;
|
2014-01-06 10:27:58 +01:00
|
|
|
|
2014-04-16 21:17:23 +02:00
|
|
|
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
|
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, pf),
|
|
|
|
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
|
2013-08-16 00:43:09 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
|
2014-04-16 21:17:23 +02:00
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
}
|
2013-08-16 00:43:09 +02:00
|
|
|
|
2015-02-23 18:33:58 +01:00
|
|
|
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
|
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
|
|
|
|
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, 0));
|
2015-05-28 20:05:46 +02:00
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
|
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
|
|
|
|
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, 0));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
2015-02-23 18:33:58 +01:00
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
|
2013-08-14 23:23:51 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
|
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, 0));
|
2013-07-30 22:20:08 +02:00
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the socketpair syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-08-16 00:43:09 +02:00
|
|
|
static int
|
|
|
|
sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-08-16 00:43:09 +02:00
|
|
|
|
|
|
|
#ifdef __i386__
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
|
2013-08-16 00:43:09 +02:00
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
#endif
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
|
2013-08-16 00:43:09 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
|
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the setsockopt syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-30 22:52:54 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 22:52:54 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-30 22:52:54 +02:00
|
|
|
|
2013-08-16 00:43:09 +02:00
|
|
|
#ifdef __i386__
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
|
2013-08-16 00:43:09 +02:00
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
#endif
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
|
2013-07-30 22:52:54 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
2014-05-29 17:04:32 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
|
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
|
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, SO_RCVBUF));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
2014-02-02 21:47:48 +01:00
|
|
|
#ifdef IP_TRANSPARENT
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
|
2014-02-02 21:47:48 +01:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
#endif
|
|
|
|
|
2013-07-30 22:52:54 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the getsockopt syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-08-21 16:57:15 +02:00
|
|
|
static int
|
|
|
|
sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-08-16 00:43:09 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-08-16 00:43:09 +02:00
|
|
|
|
|
|
|
#ifdef __i386__
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
|
2013-08-16 00:43:09 +02:00
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
#endif
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
|
2013-08-16 00:43:09 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
2014-12-23 16:51:36 +01:00
|
|
|
#ifdef HAVE_LINUX_NETFILTER_IPV4_H
|
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
|
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
|
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
|
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
#endif
|
|
|
|
|
2013-08-16 00:43:09 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-07-30 22:52:54 +02:00
|
|
|
#ifdef __NR_fcntl64
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the fcntl64 syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-30 22:52:54 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 22:52:54 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2014-01-06 10:27:58 +01:00
|
|
|
(void) filter;
|
2013-07-30 22:52:54 +02:00
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
|
2013-07-30 22:52:54 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
|
2013-07-30 22:52:54 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
2013-07-30 22:52:54 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the epoll_ctl syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*
|
|
|
|
* Note: basically allows everything but will keep for now..
|
|
|
|
*/
|
2013-07-30 23:27:14 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-30 23:27:14 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-30 23:27:14 +02:00
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
|
2013-07-30 23:27:14 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
|
2013-07-30 23:27:14 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
|
2013-08-05 13:17:46 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
2013-07-30 23:27:14 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-07-31 10:35:25 +02:00
|
|
|
/**
|
2013-09-06 20:41:45 +02:00
|
|
|
* Function responsible for setting up the fcntl64 syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*
|
|
|
|
* NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
|
|
|
|
* to be whitelisted in this function.
|
2013-07-31 10:35:25 +02:00
|
|
|
*/
|
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-31 10:35:25 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-31 10:35:25 +02:00
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
|
2013-07-31 10:35:25 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2013-09-06 20:41:45 +02:00
|
|
|
* Function responsible for setting up the fcntl64 syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*
|
|
|
|
* NOTE: does not NEED to be here.. currently only occurs before filter; will
|
|
|
|
* keep just in case for the future.
|
2013-07-31 10:35:25 +02:00
|
|
|
*/
|
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-31 10:35:25 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-31 10:35:25 +02:00
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
|
2013-07-31 10:35:25 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
2013-07-31 10:35:25 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the rt_sigprocmask syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-31 10:35:25 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-31 10:35:25 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-31 10:35:25 +02:00
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
|
2013-07-31 10:35:25 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
2013-07-31 10:35:25 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2013-09-06 20:41:45 +02:00
|
|
|
* Function responsible for setting up the flock syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*
|
|
|
|
* NOTE: does not need to be here, occurs before filter is applied.
|
2013-07-31 10:35:25 +02:00
|
|
|
*/
|
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-31 10:35:25 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-31 10:35:25 +02:00
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
|
2013-07-31 10:35:25 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
|
2013-08-21 12:38:00 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
2013-07-31 10:35:25 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the futex syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-31 10:35:25 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-31 10:35:25 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-31 10:35:25 +02:00
|
|
|
|
2013-08-07 12:13:12 +02:00
|
|
|
// can remove
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
|
2013-07-31 10:35:25 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ,
|
|
|
|
FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
|
2013-08-07 12:13:12 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
2013-07-31 10:35:25 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2013-09-06 20:41:45 +02:00
|
|
|
* Function responsible for setting up the mremap syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*
|
|
|
|
* NOTE: so far only occurs before filter is applied.
|
2013-07-31 10:35:25 +02:00
|
|
|
*/
|
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-31 10:35:25 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-31 10:35:25 +02:00
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
|
2013-08-05 14:40:23 +02:00
|
|
|
SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
|
2013-07-31 10:35:25 +02:00
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the poll syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-07-31 11:05:10 +02:00
|
|
|
static int
|
2013-08-05 14:40:23 +02:00
|
|
|
sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
2013-07-31 11:05:10 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2013-09-09 21:14:50 +02:00
|
|
|
(void) filter;
|
2013-07-31 11:05:10 +02:00
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll),
|
2013-07-31 11:05:10 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, 1),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, 10));
|
|
|
|
if (rc)
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-08-12 20:14:43 +02:00
|
|
|
#ifdef __NR_stat64
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for setting up the stat64 syscall for
|
|
|
|
* the seccomp filter sandbox.
|
|
|
|
*/
|
2013-08-12 20:14:43 +02:00
|
|
|
static int
|
|
|
|
sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
|
{
|
|
|
|
int rc = 0;
|
|
|
|
sandbox_cfg_t *elem = NULL;
|
|
|
|
|
|
|
|
// for each dynamic parameter filters
|
|
|
|
for (elem = filter; elem != NULL; elem = elem->next) {
|
2013-09-02 12:54:43 +02:00
|
|
|
smp_param_t *param = elem->param;
|
|
|
|
|
|
|
|
if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
|
|
|
|
|| param->syscall == SCMP_SYS(stat64))) {
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
|
2014-08-21 17:20:29 +02:00
|
|
|
SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
|
2013-08-12 20:14:43 +02:00
|
|
|
if (rc != 0) {
|
2013-08-21 16:57:15 +02:00
|
|
|
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
|
|
|
|
"libseccomp error %d", rc);
|
2013-08-12 20:14:43 +02:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Array of function pointers responsible for filtering different syscalls at
|
|
|
|
* a parameter level.
|
|
|
|
*/
|
2013-07-30 20:23:30 +02:00
|
|
|
static sandbox_filter_func_t filter_func[] = {
|
|
|
|
sb_rt_sigaction,
|
2013-07-31 10:35:25 +02:00
|
|
|
sb_rt_sigprocmask,
|
2014-05-20 18:21:31 +02:00
|
|
|
#if 0
|
2013-07-30 20:23:30 +02:00
|
|
|
sb_execve,
|
2014-05-20 18:21:31 +02:00
|
|
|
#endif
|
2013-07-30 20:23:30 +02:00
|
|
|
sb_time,
|
|
|
|
sb_accept4,
|
2013-09-09 20:55:47 +02:00
|
|
|
#ifdef __NR_mmap2
|
2013-07-30 20:23:30 +02:00
|
|
|
sb_mmap2,
|
2013-09-09 20:55:47 +02:00
|
|
|
#endif
|
2013-07-30 20:23:30 +02:00
|
|
|
sb_open,
|
2013-07-30 22:20:08 +02:00
|
|
|
sb_openat,
|
2014-04-16 20:54:39 +02:00
|
|
|
sb__sysctl,
|
2014-03-28 08:51:50 +01:00
|
|
|
sb_rename,
|
2013-09-09 20:55:47 +02:00
|
|
|
#ifdef __NR_fcntl64
|
2013-07-30 23:27:14 +02:00
|
|
|
sb_fcntl64,
|
2013-09-09 20:55:47 +02:00
|
|
|
#endif
|
2013-07-31 10:35:25 +02:00
|
|
|
sb_epoll_ctl,
|
|
|
|
sb_prctl,
|
|
|
|
sb_mprotect,
|
|
|
|
sb_flock,
|
|
|
|
sb_futex,
|
2013-07-31 11:05:10 +02:00
|
|
|
sb_mremap,
|
2013-08-12 20:14:43 +02:00
|
|
|
sb_poll,
|
2013-09-09 20:55:47 +02:00
|
|
|
#ifdef __NR_stat64
|
2013-08-14 23:23:51 +02:00
|
|
|
sb_stat64,
|
2013-09-09 20:55:47 +02:00
|
|
|
#endif
|
2013-08-14 23:23:51 +02:00
|
|
|
|
|
|
|
sb_socket,
|
2013-08-16 00:43:09 +02:00
|
|
|
sb_setsockopt,
|
|
|
|
sb_getsockopt,
|
|
|
|
sb_socketpair
|
2013-07-30 20:23:30 +02:00
|
|
|
};
|
|
|
|
|
2014-04-16 18:45:34 +02:00
|
|
|
const char *
|
2013-09-02 12:54:43 +02:00
|
|
|
sandbox_intern_string(const char *str)
|
2013-07-30 20:23:30 +02:00
|
|
|
{
|
|
|
|
sandbox_cfg_t *elem;
|
|
|
|
|
2013-09-02 12:54:43 +02:00
|
|
|
if (str == NULL)
|
2013-07-30 20:23:30 +02:00
|
|
|
return NULL;
|
|
|
|
|
2013-07-24 16:15:57 +02:00
|
|
|
for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
|
2013-09-02 12:54:43 +02:00
|
|
|
smp_param_t *param = elem->param;
|
|
|
|
|
2014-04-16 18:45:34 +02:00
|
|
|
if (param->prot) {
|
|
|
|
if (!strcmp(str, (char*)(param->value))) {
|
|
|
|
return (char*)param->value;
|
|
|
|
}
|
|
|
|
if (param->value2 && !strcmp(str, (char*)param->value2)) {
|
|
|
|
return (char*)param->value2;
|
|
|
|
}
|
2013-07-24 16:15:57 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-04-16 18:48:56 +02:00
|
|
|
if (sandbox_active)
|
|
|
|
log_warn(LD_BUG, "No interned sandbox parameter found for %s", str);
|
2013-09-02 12:54:43 +02:00
|
|
|
return str;
|
2013-07-18 17:11:47 +02:00
|
|
|
}
|
|
|
|
|
2014-04-16 18:45:34 +02:00
|
|
|
/** DOCDOC */
|
|
|
|
static int
|
|
|
|
prot_strings_helper(strmap_t *locations,
|
|
|
|
char **pr_mem_next_p,
|
|
|
|
size_t *pr_mem_left_p,
|
2014-08-21 17:20:29 +02:00
|
|
|
char **value_p)
|
2014-04-16 18:45:34 +02:00
|
|
|
{
|
|
|
|
char *param_val;
|
|
|
|
size_t param_size;
|
|
|
|
void *location;
|
|
|
|
|
|
|
|
if (*value_p == 0)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
param_val = (char*) *value_p;
|
|
|
|
param_size = strlen(param_val) + 1;
|
|
|
|
location = strmap_get(locations, param_val);
|
|
|
|
|
|
|
|
if (location) {
|
|
|
|
// We already interned this string.
|
|
|
|
tor_free(param_val);
|
2014-08-21 17:20:29 +02:00
|
|
|
*value_p = location;
|
2014-04-16 18:45:34 +02:00
|
|
|
return 0;
|
|
|
|
} else if (*pr_mem_left_p >= param_size) {
|
|
|
|
// copy to protected
|
|
|
|
location = *pr_mem_next_p;
|
|
|
|
memcpy(location, param_val, param_size);
|
|
|
|
|
|
|
|
// re-point el parameter to protected
|
|
|
|
tor_free(param_val);
|
2014-08-21 17:20:29 +02:00
|
|
|
*value_p = location;
|
2014-04-16 18:45:34 +02:00
|
|
|
|
|
|
|
strmap_set(locations, location, location); /* good real estate advice */
|
|
|
|
|
|
|
|
// move next available protected memory
|
|
|
|
*pr_mem_next_p += param_size;
|
|
|
|
*pr_mem_left_p -= param_size;
|
|
|
|
return 0;
|
|
|
|
} else {
|
|
|
|
log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Protects all the strings in the sandbox's parameter list configuration. It
|
|
|
|
* works by calculating the total amount of memory required by the parameter
|
|
|
|
* list, allocating the memory using mmap, and protecting it from writes with
|
|
|
|
* mprotect().
|
|
|
|
*/
|
2013-08-29 15:51:05 +02:00
|
|
|
static int
|
2013-09-10 13:35:11 +02:00
|
|
|
prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
|
2013-08-29 15:53:12 +02:00
|
|
|
{
|
2013-08-29 15:51:05 +02:00
|
|
|
int ret = 0;
|
2013-09-06 11:26:50 +02:00
|
|
|
size_t pr_mem_size = 0, pr_mem_left = 0;
|
2013-08-29 15:51:05 +02:00
|
|
|
char *pr_mem_next = NULL, *pr_mem_base;
|
|
|
|
sandbox_cfg_t *el = NULL;
|
2014-03-28 07:10:19 +01:00
|
|
|
strmap_t *locations = NULL;
|
2013-08-29 15:51:05 +02:00
|
|
|
|
2014-03-28 07:10:19 +01:00
|
|
|
// get total number of bytes required to mmap. (Overestimate.)
|
2013-08-29 15:53:12 +02:00
|
|
|
for (el = cfg; el != NULL; el = el->next) {
|
2014-04-16 18:24:08 +02:00
|
|
|
pr_mem_size += strlen((char*) el->param->value) + 1;
|
2014-04-16 18:45:34 +02:00
|
|
|
if (el->param->value2)
|
|
|
|
pr_mem_size += strlen((char*) el->param->value2) + 1;
|
2013-08-29 15:51:05 +02:00
|
|
|
}
|
2013-07-24 16:06:06 +02:00
|
|
|
|
2013-09-12 12:43:06 +02:00
|
|
|
// allocate protected memory with MALLOC_MP_LIM canary
|
|
|
|
pr_mem_base = (char*) mmap(NULL, MALLOC_MP_LIM + pr_mem_size,
|
|
|
|
PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
|
2013-08-29 15:51:05 +02:00
|
|
|
if (pr_mem_base == MAP_FAILED) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed allocate protected memory! mmap: %s",
|
|
|
|
strerror(errno));
|
|
|
|
ret = -1;
|
2013-07-24 16:06:06 +02:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2013-09-12 12:43:06 +02:00
|
|
|
pr_mem_next = pr_mem_base + MALLOC_MP_LIM;
|
2013-08-29 15:51:05 +02:00
|
|
|
pr_mem_left = pr_mem_size;
|
|
|
|
|
2014-03-28 07:10:19 +01:00
|
|
|
locations = strmap_new();
|
|
|
|
|
2013-08-29 15:51:05 +02:00
|
|
|
// change el value pointer to protected
|
|
|
|
for (el = cfg; el != NULL; el = el->next) {
|
2014-04-16 18:45:34 +02:00
|
|
|
if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
|
|
|
|
&el->param->value) < 0) {
|
|
|
|
ret = -2;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
|
|
|
|
&el->param->value2) < 0) {
|
2013-08-29 15:51:05 +02:00
|
|
|
ret = -2;
|
|
|
|
goto out;
|
|
|
|
}
|
2014-04-16 18:45:34 +02:00
|
|
|
el->param->prot = 1;
|
2013-08-29 15:51:05 +02:00
|
|
|
}
|
2013-07-24 16:06:06 +02:00
|
|
|
|
|
|
|
// protecting from writes
|
2013-09-12 12:43:06 +02:00
|
|
|
if (mprotect(pr_mem_base, MALLOC_MP_LIM + pr_mem_size, PROT_READ)) {
|
2013-08-29 15:51:05 +02:00
|
|
|
log_err(LD_BUG,"(Sandbox) failed to protect memory! mprotect: %s",
|
|
|
|
strerror(errno));
|
|
|
|
ret = -3;
|
|
|
|
goto out;
|
2013-07-24 16:06:06 +02:00
|
|
|
}
|
|
|
|
|
2013-09-10 13:35:11 +02:00
|
|
|
/*
|
|
|
|
* Setting sandbox restrictions so the string memory cannot be tampered with
|
|
|
|
*/
|
|
|
|
// no mremap of the protected base address
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
|
2013-09-10 13:35:11 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
|
|
|
|
if (ret) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!");
|
2014-08-25 17:14:31 +02:00
|
|
|
goto out;
|
2013-09-10 13:35:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// no munmap of the protected base address
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
|
2013-09-10 13:35:11 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
|
|
|
|
if (ret) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!");
|
2014-08-21 17:40:48 +02:00
|
|
|
goto out;
|
2013-09-10 13:35:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
|
|
|
|
* never over the memory region used by the protected strings.
|
|
|
|
*
|
|
|
|
* PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
|
|
|
|
* had to be removed due to limitation of libseccomp regarding intervals.
|
2013-09-12 12:43:06 +02:00
|
|
|
*
|
|
|
|
* There is a restriction on how much you can mprotect with R|W up to the
|
|
|
|
* size of the canary.
|
2013-09-10 13:35:11 +02:00
|
|
|
*/
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
|
2013-09-10 13:35:11 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
|
2013-09-12 12:43:06 +02:00
|
|
|
SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
|
2013-09-10 13:35:11 +02:00
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
|
|
|
|
if (ret) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (LT)!");
|
2014-08-21 17:40:48 +02:00
|
|
|
goto out;
|
2013-09-10 13:35:11 +02:00
|
|
|
}
|
|
|
|
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
|
2013-09-12 12:43:06 +02:00
|
|
|
SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
|
|
|
|
MALLOC_MP_LIM),
|
|
|
|
SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
|
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
|
2013-09-10 13:35:11 +02:00
|
|
|
if (ret) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (GT)!");
|
2014-08-21 17:40:48 +02:00
|
|
|
goto out;
|
2013-09-10 13:35:11 +02:00
|
|
|
}
|
|
|
|
|
2013-07-24 16:06:06 +02:00
|
|
|
out:
|
2014-03-28 07:10:19 +01:00
|
|
|
strmap_free(locations, NULL);
|
|
|
|
return ret;
|
2013-07-24 16:06:06 +02:00
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Auxiliary function used in order to allocate a sandbox_cfg_t element and set
|
|
|
|
* it's values according the the parameter list. All elements are initialised
|
|
|
|
* with the 'prot' field set to false, as the pointer is not protected at this
|
|
|
|
* point.
|
|
|
|
*/
|
2013-09-02 12:54:43 +02:00
|
|
|
static sandbox_cfg_t*
|
2014-08-21 17:20:29 +02:00
|
|
|
new_element2(int syscall, char *value, char *value2)
|
2013-09-02 12:54:43 +02:00
|
|
|
{
|
|
|
|
smp_param_t *param = NULL;
|
|
|
|
|
2014-03-28 08:51:50 +01:00
|
|
|
sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t));
|
2014-04-16 18:24:08 +02:00
|
|
|
param = elem->param = tor_malloc_zero(sizeof(smp_param_t));
|
2013-09-02 12:54:43 +02:00
|
|
|
|
|
|
|
param->syscall = syscall;
|
|
|
|
param->value = value;
|
2014-03-28 08:51:50 +01:00
|
|
|
param->value2 = value2;
|
2013-09-02 12:54:43 +02:00
|
|
|
param->prot = 0;
|
|
|
|
|
|
|
|
return elem;
|
|
|
|
}
|
|
|
|
|
2014-03-28 08:51:50 +01:00
|
|
|
static sandbox_cfg_t*
|
2014-08-21 17:20:29 +02:00
|
|
|
new_element(int syscall, char *value)
|
2014-03-28 08:51:50 +01:00
|
|
|
{
|
2014-08-21 17:20:29 +02:00
|
|
|
return new_element2(syscall, value, NULL);
|
2014-03-28 08:51:50 +01:00
|
|
|
}
|
|
|
|
|
2013-08-12 20:14:43 +02:00
|
|
|
#ifdef __NR_stat64
|
2013-09-09 20:55:47 +02:00
|
|
|
#define SCMP_stat SCMP_SYS(stat64)
|
|
|
|
#else
|
|
|
|
#define SCMP_stat SCMP_SYS(stat)
|
|
|
|
#endif
|
|
|
|
|
2013-08-12 20:14:43 +02:00
|
|
|
int
|
2014-04-11 09:04:16 +02:00
|
|
|
sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
|
2013-08-12 20:14:43 +02:00
|
|
|
{
|
|
|
|
sandbox_cfg_t *elem = NULL;
|
|
|
|
|
2014-08-21 17:20:29 +02:00
|
|
|
elem = new_element(SCMP_stat, file);
|
2013-09-02 12:54:43 +02:00
|
|
|
if (!elem) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
|
|
|
|
return -1;
|
|
|
|
}
|
2013-08-12 20:14:43 +02:00
|
|
|
|
|
|
|
elem->next = *cfg;
|
|
|
|
*cfg = elem;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-07-25 12:25:20 +02:00
|
|
|
int
|
2014-04-11 09:04:16 +02:00
|
|
|
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
|
2013-07-25 12:25:20 +02:00
|
|
|
{
|
2013-07-29 15:30:39 +02:00
|
|
|
sandbox_cfg_t *elem = NULL;
|
2013-07-24 16:06:06 +02:00
|
|
|
|
2014-08-21 17:20:29 +02:00
|
|
|
elem = new_element(SCMP_SYS(open), file);
|
2013-09-02 12:54:43 +02:00
|
|
|
if (!elem) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
|
|
|
|
return -1;
|
|
|
|
}
|
2013-08-05 14:40:23 +02:00
|
|
|
|
|
|
|
elem->next = *cfg;
|
|
|
|
*cfg = elem;
|
2013-07-24 16:06:06 +02:00
|
|
|
|
2013-08-10 17:04:48 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-03-28 08:51:50 +01:00
|
|
|
int
|
|
|
|
sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
|
|
|
|
{
|
|
|
|
sandbox_cfg_t *elem = NULL;
|
|
|
|
|
2014-08-21 17:20:29 +02:00
|
|
|
elem = new_element2(SCMP_SYS(rename), file1, file2);
|
2014-03-28 08:51:50 +01:00
|
|
|
|
|
|
|
if (!elem) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
elem->next = *cfg;
|
|
|
|
*cfg = elem;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-07-30 18:09:28 +02:00
|
|
|
int
|
2014-04-11 09:04:16 +02:00
|
|
|
sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
|
2013-07-30 18:09:28 +02:00
|
|
|
{
|
|
|
|
sandbox_cfg_t *elem = NULL;
|
2013-06-17 12:07:14 +02:00
|
|
|
|
2014-08-21 17:20:29 +02:00
|
|
|
elem = new_element(SCMP_SYS(openat), file);
|
2013-09-02 12:54:43 +02:00
|
|
|
if (!elem) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
|
|
|
|
return -1;
|
|
|
|
}
|
2013-06-17 12:07:14 +02:00
|
|
|
|
2013-08-05 14:40:23 +02:00
|
|
|
elem->next = *cfg;
|
|
|
|
*cfg = elem;
|
2013-07-24 16:15:57 +02:00
|
|
|
|
2013-08-10 17:04:48 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-05-20 18:21:31 +02:00
|
|
|
#if 0
|
2013-08-05 13:17:46 +02:00
|
|
|
int
|
2013-09-09 21:14:50 +02:00
|
|
|
sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
|
2013-08-05 13:17:46 +02:00
|
|
|
{
|
|
|
|
sandbox_cfg_t *elem = NULL;
|
|
|
|
|
2014-08-21 17:20:29 +02:00
|
|
|
elem = new_element(SCMP_SYS(execve), com);
|
2013-09-02 12:54:43 +02:00
|
|
|
if (!elem) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
|
|
|
|
return -1;
|
|
|
|
}
|
2013-08-05 14:40:23 +02:00
|
|
|
|
|
|
|
elem->next = *cfg;
|
|
|
|
*cfg = elem;
|
2013-08-05 13:17:46 +02:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-05-20 18:21:31 +02:00
|
|
|
#endif
|
2013-08-10 17:04:48 +02:00
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
/** Cache entry for getaddrinfo results; used when sandboxing is implemented
|
|
|
|
* so that we can consult the cache when the sandbox prevents us from doing
|
|
|
|
* getaddrinfo.
|
|
|
|
*
|
|
|
|
* We support only a limited range of getaddrinfo calls, where servname is null
|
|
|
|
* and hints contains only socktype=SOCK_STREAM, family in INET,INET6,UNSPEC.
|
|
|
|
*/
|
|
|
|
typedef struct cached_getaddrinfo_item_t {
|
|
|
|
HT_ENTRY(cached_getaddrinfo_item_t) node;
|
|
|
|
char *name;
|
|
|
|
int family;
|
|
|
|
/** set if no error; otherwise NULL */
|
|
|
|
struct addrinfo *res;
|
|
|
|
/** 0 for no error; otherwise an EAI_* value */
|
|
|
|
int err;
|
|
|
|
} cached_getaddrinfo_item_t;
|
|
|
|
|
|
|
|
static unsigned
|
|
|
|
cached_getaddrinfo_item_hash(const cached_getaddrinfo_item_t *item)
|
|
|
|
{
|
2014-06-11 17:29:44 +02:00
|
|
|
return (unsigned)siphash24g(item->name, strlen(item->name)) + item->family;
|
2014-05-22 23:39:36 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
static unsigned
|
|
|
|
cached_getaddrinfo_items_eq(const cached_getaddrinfo_item_t *a,
|
|
|
|
const cached_getaddrinfo_item_t *b)
|
|
|
|
{
|
|
|
|
return (a->family == b->family) && 0 == strcmp(a->name, b->name);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
cached_getaddrinfo_item_free(cached_getaddrinfo_item_t *item)
|
|
|
|
{
|
|
|
|
if (item == NULL)
|
|
|
|
return;
|
|
|
|
|
|
|
|
tor_free(item->name);
|
|
|
|
if (item->res)
|
|
|
|
freeaddrinfo(item->res);
|
|
|
|
tor_free(item);
|
|
|
|
}
|
|
|
|
|
|
|
|
static HT_HEAD(getaddrinfo_cache, cached_getaddrinfo_item_t)
|
|
|
|
getaddrinfo_cache = HT_INITIALIZER();
|
|
|
|
|
|
|
|
HT_PROTOTYPE(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
|
|
|
|
cached_getaddrinfo_item_hash,
|
|
|
|
cached_getaddrinfo_items_eq);
|
2014-09-02 18:48:34 +02:00
|
|
|
HT_GENERATE2(getaddrinfo_cache, cached_getaddrinfo_item_t, node,
|
|
|
|
cached_getaddrinfo_item_hash,
|
|
|
|
cached_getaddrinfo_items_eq,
|
|
|
|
0.6, tor_reallocarray_, tor_free_)
|
2014-05-22 23:39:36 +02:00
|
|
|
|
2014-09-29 18:57:07 +02:00
|
|
|
/** If true, don't try to cache getaddrinfo results. */
|
|
|
|
static int sandbox_getaddrinfo_cache_disabled = 0;
|
|
|
|
|
|
|
|
/** Tell the sandbox layer not to try to cache getaddrinfo results. Used as in
|
|
|
|
* tor-resolve, when we have no intention of initializing crypto or of
|
|
|
|
* installing the sandbox.*/
|
|
|
|
void
|
|
|
|
sandbox_disable_getaddrinfo_cache(void)
|
|
|
|
{
|
|
|
|
sandbox_getaddrinfo_cache_disabled = 1;
|
|
|
|
}
|
|
|
|
|
2014-12-30 18:35:01 +01:00
|
|
|
void
|
|
|
|
sandbox_freeaddrinfo(struct addrinfo *ai)
|
|
|
|
{
|
|
|
|
if (sandbox_getaddrinfo_cache_disabled)
|
|
|
|
freeaddrinfo(ai);
|
|
|
|
}
|
|
|
|
|
2013-08-21 16:57:15 +02:00
|
|
|
int
|
2013-09-09 21:59:41 +02:00
|
|
|
sandbox_getaddrinfo(const char *name, const char *servname,
|
|
|
|
const struct addrinfo *hints,
|
|
|
|
struct addrinfo **res)
|
2013-08-19 12:56:50 +02:00
|
|
|
{
|
2014-05-22 23:39:36 +02:00
|
|
|
int err;
|
|
|
|
struct cached_getaddrinfo_item_t search, *item;
|
2013-08-19 12:56:50 +02:00
|
|
|
|
2014-09-29 18:57:07 +02:00
|
|
|
if (sandbox_getaddrinfo_cache_disabled) {
|
|
|
|
return getaddrinfo(name, NULL, hints, res);
|
|
|
|
}
|
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
if (servname != NULL) {
|
|
|
|
log_warn(LD_BUG, "called with non-NULL servname");
|
|
|
|
return EAI_NONAME;
|
|
|
|
}
|
|
|
|
if (name == NULL) {
|
|
|
|
log_warn(LD_BUG, "called with NULL name");
|
|
|
|
return EAI_NONAME;
|
|
|
|
}
|
2013-09-09 21:59:41 +02:00
|
|
|
|
2013-08-19 12:56:50 +02:00
|
|
|
*res = NULL;
|
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
memset(&search, 0, sizeof(search));
|
|
|
|
search.name = (char *) name;
|
|
|
|
search.family = hints ? hints->ai_family : AF_UNSPEC;
|
|
|
|
item = HT_FIND(getaddrinfo_cache, &getaddrinfo_cache, &search);
|
|
|
|
|
|
|
|
if (! sandbox_is_active()) {
|
|
|
|
/* If the sandbox is not turned on yet, then getaddrinfo and store the
|
|
|
|
result. */
|
2013-08-19 12:56:50 +02:00
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
err = getaddrinfo(name, NULL, hints, res);
|
|
|
|
log_info(LD_NET,"(Sandbox) getaddrinfo %s.", err ? "failed" : "succeeded");
|
|
|
|
|
|
|
|
if (! item) {
|
|
|
|
item = tor_malloc_zero(sizeof(*item));
|
|
|
|
item->name = tor_strdup(name);
|
|
|
|
item->family = hints ? hints->ai_family : AF_UNSPEC;
|
|
|
|
HT_INSERT(getaddrinfo_cache, &getaddrinfo_cache, item);
|
2013-09-02 10:44:04 +02:00
|
|
|
}
|
2013-08-19 12:56:50 +02:00
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
if (item->res) {
|
|
|
|
freeaddrinfo(item->res);
|
|
|
|
item->res = NULL;
|
2013-09-03 15:37:12 +02:00
|
|
|
}
|
2014-05-22 23:39:36 +02:00
|
|
|
item->res = *res;
|
|
|
|
item->err = err;
|
|
|
|
return err;
|
|
|
|
}
|
2013-09-03 15:37:12 +02:00
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
/* Otherwise, the sanbox is on. If we have an item, yield its cached
|
|
|
|
result. */
|
|
|
|
if (item) {
|
|
|
|
*res = item->res;
|
|
|
|
return item->err;
|
2013-09-03 15:37:12 +02:00
|
|
|
}
|
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
/* getting here means something went wrong */
|
2013-09-02 11:16:02 +02:00
|
|
|
log_err(LD_BUG,"(Sandbox) failed to get address %s!", name);
|
2014-06-11 17:00:56 +02:00
|
|
|
return EAI_NONAME;
|
2013-08-19 12:56:50 +02:00
|
|
|
}
|
|
|
|
|
2013-09-02 10:44:04 +02:00
|
|
|
int
|
2014-05-22 23:39:36 +02:00
|
|
|
sandbox_add_addrinfo(const char *name)
|
2013-08-19 12:56:50 +02:00
|
|
|
{
|
2014-05-22 23:39:36 +02:00
|
|
|
struct addrinfo *res;
|
2013-08-19 12:56:50 +02:00
|
|
|
struct addrinfo hints;
|
2014-05-22 23:39:36 +02:00
|
|
|
int i;
|
|
|
|
static const int families[] = { AF_INET, AF_INET6, AF_UNSPEC };
|
2013-08-19 12:56:50 +02:00
|
|
|
|
|
|
|
memset(&hints, 0, sizeof(hints));
|
|
|
|
hints.ai_socktype = SOCK_STREAM;
|
2014-05-22 23:39:36 +02:00
|
|
|
for (i = 0; i < 3; ++i) {
|
|
|
|
hints.ai_family = families[i];
|
2013-08-19 12:56:50 +02:00
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
res = NULL;
|
|
|
|
(void) sandbox_getaddrinfo(name, NULL, &hints, &res);
|
|
|
|
if (res)
|
|
|
|
sandbox_freeaddrinfo(res);
|
2013-08-19 12:56:50 +02:00
|
|
|
}
|
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
return 0;
|
|
|
|
}
|
2013-09-02 10:44:04 +02:00
|
|
|
|
2014-05-22 23:39:36 +02:00
|
|
|
void
|
|
|
|
sandbox_free_getaddrinfo_cache(void)
|
|
|
|
{
|
|
|
|
cached_getaddrinfo_item_t **next, **item;
|
|
|
|
|
|
|
|
for (item = HT_START(getaddrinfo_cache, &getaddrinfo_cache);
|
|
|
|
item;
|
|
|
|
item = next) {
|
|
|
|
next = HT_NEXT_RMV(getaddrinfo_cache, &getaddrinfo_cache, item);
|
|
|
|
cached_getaddrinfo_item_free(*item);
|
|
|
|
}
|
|
|
|
|
|
|
|
HT_CLEAR(getaddrinfo_cache, &getaddrinfo_cache);
|
2013-08-19 12:56:50 +02:00
|
|
|
}
|
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible for going through the parameter syscall filters and
|
|
|
|
* call each function pointer in the list.
|
2013-06-17 12:07:14 +02:00
|
|
|
*/
|
2013-07-18 17:03:10 +02:00
|
|
|
static int
|
2013-07-25 13:08:02 +02:00
|
|
|
add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
|
2013-07-18 17:03:10 +02:00
|
|
|
{
|
2013-09-09 21:14:50 +02:00
|
|
|
unsigned i;
|
|
|
|
int rc = 0;
|
2013-06-17 12:07:14 +02:00
|
|
|
|
2013-07-30 20:23:30 +02:00
|
|
|
// function pointer
|
2013-08-05 13:17:46 +02:00
|
|
|
for (i = 0; i < ARRAY_LENGTH(filter_func); i++) {
|
2013-08-05 14:40:23 +02:00
|
|
|
if ((filter_func[i])(ctx, cfg)) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed to add syscall %d, received libseccomp "
|
|
|
|
"error %d", i, rc);
|
2013-07-18 17:03:10 +02:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
}
|
2013-06-17 12:07:14 +02:00
|
|
|
|
2013-07-18 17:03:10 +02:00
|
|
|
return 0;
|
|
|
|
}
|
2013-06-17 12:07:14 +02:00
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible of loading the libseccomp syscall filters which do not
|
|
|
|
* have parameter filtering.
|
|
|
|
*/
|
2013-07-18 17:03:10 +02:00
|
|
|
static int
|
|
|
|
add_noparam_filter(scmp_filter_ctx ctx)
|
|
|
|
{
|
2013-09-09 21:14:50 +02:00
|
|
|
unsigned i;
|
|
|
|
int rc = 0;
|
2013-07-18 17:03:10 +02:00
|
|
|
|
|
|
|
// add general filters
|
2013-08-07 12:13:12 +02:00
|
|
|
for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
|
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 18:59:33 +02:00
|
|
|
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
|
2013-07-18 17:03:10 +02:00
|
|
|
if (rc != 0) {
|
2013-09-09 21:37:45 +02:00
|
|
|
log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), "
|
|
|
|
"received libseccomp error %d", i, filter_nopar_gen[i], rc);
|
2013-07-18 17:03:10 +02:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2013-06-17 12:07:14 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Function responsible for setting up and enabling a global syscall filter.
|
|
|
|
* The function is a prototype developed for stage 1 of sandboxing Tor.
|
|
|
|
* Returns 0 on success.
|
|
|
|
*/
|
|
|
|
static int
|
2013-07-25 13:08:02 +02:00
|
|
|
install_syscall_filter(sandbox_cfg_t* cfg)
|
2013-06-17 12:07:14 +02:00
|
|
|
{
|
2013-07-18 17:03:10 +02:00
|
|
|
int rc = 0;
|
2013-06-17 12:07:14 +02:00
|
|
|
scmp_filter_ctx ctx;
|
|
|
|
|
|
|
|
ctx = seccomp_init(SCMP_ACT_TRAP);
|
|
|
|
if (ctx == NULL) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) failed to initialise libseccomp context");
|
|
|
|
rc = -1;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2013-09-10 13:35:11 +02:00
|
|
|
// protectign sandbox parameter strings
|
|
|
|
if ((rc = prot_strings(ctx, cfg))) {
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2013-07-18 17:03:10 +02:00
|
|
|
// add parameter filters
|
2013-07-25 13:08:02 +02:00
|
|
|
if ((rc = add_param_filter(ctx, cfg))) {
|
2013-07-18 17:03:10 +02:00
|
|
|
log_err(LD_BUG, "(Sandbox) failed to add param filters!");
|
|
|
|
goto end;
|
2013-06-17 12:07:14 +02:00
|
|
|
}
|
|
|
|
|
2013-07-18 17:03:10 +02:00
|
|
|
// adding filters with no parameters
|
|
|
|
if ((rc = add_noparam_filter(ctx))) {
|
|
|
|
log_err(LD_BUG, "(Sandbox) failed to add param filters!");
|
|
|
|
goto end;
|
2013-06-17 12:07:14 +02:00
|
|
|
}
|
|
|
|
|
2013-09-03 15:37:12 +02:00
|
|
|
// loading the seccomp2 filter
|
2013-09-06 20:41:45 +02:00
|
|
|
if ((rc = seccomp_load(ctx))) {
|
2014-05-27 21:08:10 +02:00
|
|
|
log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)!", rc,
|
|
|
|
strerror(-rc));
|
2013-09-03 15:37:12 +02:00
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
|
|
|
// marking the sandbox as active
|
|
|
|
sandbox_active = 1;
|
2013-06-17 12:07:14 +02:00
|
|
|
|
|
|
|
end:
|
|
|
|
seccomp_release(ctx);
|
|
|
|
return (rc < 0 ? -rc : rc);
|
|
|
|
}
|
|
|
|
|
2014-04-17 04:22:47 +02:00
|
|
|
#include "linux_syscalls.inc"
|
|
|
|
static const char *
|
|
|
|
get_syscall_name(int syscall_num)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
|
|
|
|
if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
|
|
|
|
return SYSCALLS_BY_NUMBER[i].syscall_name;
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
|
|
|
static char syscall_name_buf[64];
|
|
|
|
format_dec_number_sigsafe(syscall_num,
|
|
|
|
syscall_name_buf, sizeof(syscall_name_buf));
|
|
|
|
return syscall_name_buf;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-04-10 21:44:52 +02:00
|
|
|
#ifdef USE_BACKTRACE
|
|
|
|
#define MAX_DEPTH 256
|
|
|
|
static void *syscall_cb_buf[MAX_DEPTH];
|
|
|
|
#endif
|
|
|
|
|
2013-06-17 12:07:14 +02:00
|
|
|
/**
|
|
|
|
* Function called when a SIGSYS is caught by the application. It notifies the
|
|
|
|
* user that an error has occurred and either terminates or allows the
|
|
|
|
* application to continue execution, based on the DEBUGGING_CLOSE symbol.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
sigsys_debugging(int nr, siginfo_t *info, void *void_context)
|
|
|
|
{
|
|
|
|
ucontext_t *ctx = (ucontext_t *) (void_context);
|
2014-04-17 04:22:47 +02:00
|
|
|
const char *syscall_name;
|
2013-11-18 17:00:16 +01:00
|
|
|
int syscall;
|
2014-04-10 21:44:52 +02:00
|
|
|
#ifdef USE_BACKTRACE
|
2015-12-15 16:30:04 +01:00
|
|
|
size_t depth;
|
2014-04-10 21:44:52 +02:00
|
|
|
int n_fds, i;
|
|
|
|
const int *fds = NULL;
|
|
|
|
#endif
|
|
|
|
|
2013-06-17 12:07:14 +02:00
|
|
|
(void) nr;
|
|
|
|
|
|
|
|
if (info->si_code != SYS_SECCOMP)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (!ctx)
|
|
|
|
return;
|
|
|
|
|
2014-05-27 20:50:44 +02:00
|
|
|
syscall = (int) ctx->uc_mcontext.M_SYSCALL;
|
2013-06-17 12:07:14 +02:00
|
|
|
|
2014-04-10 21:44:52 +02:00
|
|
|
#ifdef USE_BACKTRACE
|
|
|
|
depth = backtrace(syscall_cb_buf, MAX_DEPTH);
|
|
|
|
/* Clean up the top stack frame so we get the real function
|
|
|
|
* name for the most recently failing function. */
|
|
|
|
clean_backtrace(syscall_cb_buf, depth, ctx);
|
|
|
|
#endif
|
|
|
|
|
2014-04-17 04:22:47 +02:00
|
|
|
syscall_name = get_syscall_name(syscall);
|
|
|
|
|
2013-11-18 17:00:16 +01:00
|
|
|
tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ",
|
2014-04-17 04:22:47 +02:00
|
|
|
syscall_name,
|
2013-11-18 17:00:16 +01:00
|
|
|
")\n",
|
|
|
|
NULL);
|
2013-06-17 12:07:14 +02:00
|
|
|
|
2014-04-10 21:44:52 +02:00
|
|
|
#ifdef USE_BACKTRACE
|
|
|
|
n_fds = tor_log_get_sigsafe_err_fds(&fds);
|
|
|
|
for (i=0; i < n_fds; ++i)
|
2015-12-16 15:05:49 +01:00
|
|
|
backtrace_symbols_fd(syscall_cb_buf, (int)depth, fds[i]);
|
2014-04-10 21:44:52 +02:00
|
|
|
#endif
|
|
|
|
|
2013-06-17 12:07:14 +02:00
|
|
|
#if defined(DEBUGGING_CLOSE)
|
|
|
|
_exit(1);
|
|
|
|
#endif // DEBUGGING_CLOSE
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Function that adds a handler for SIGSYS, which is the signal thrown
|
|
|
|
* when the application is issuing a syscall which is not allowed. The
|
|
|
|
* main purpose of this function is to help with debugging by identifying
|
|
|
|
* filtered syscalls.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
install_sigsys_debugging(void)
|
|
|
|
{
|
|
|
|
struct sigaction act;
|
|
|
|
sigset_t mask;
|
|
|
|
|
|
|
|
memset(&act, 0, sizeof(act));
|
|
|
|
sigemptyset(&mask);
|
|
|
|
sigaddset(&mask, SIGSYS);
|
|
|
|
|
|
|
|
act.sa_sigaction = &sigsys_debugging;
|
|
|
|
act.sa_flags = SA_SIGINFO;
|
|
|
|
if (sigaction(SIGSYS, &act, NULL) < 0) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) Failed to register SIGSYS signal handler");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
|
|
|
|
log_err(LD_BUG,"(Sandbox) Failed call to sigprocmask()");
|
|
|
|
return -2;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2013-08-05 14:40:23 +02:00
|
|
|
|
2013-09-06 20:41:45 +02:00
|
|
|
/**
|
|
|
|
* Function responsible of registering the sandbox_cfg_t list of parameter
|
|
|
|
* syscall filters to the existing parameter list. This is used for incipient
|
|
|
|
* multiple-sandbox support.
|
|
|
|
*/
|
2013-08-21 16:57:15 +02:00
|
|
|
static int
|
|
|
|
register_cfg(sandbox_cfg_t* cfg)
|
|
|
|
{
|
2013-08-05 14:40:23 +02:00
|
|
|
sandbox_cfg_t *elem = NULL;
|
|
|
|
|
|
|
|
if (filter_dynamic == NULL) {
|
|
|
|
filter_dynamic = cfg;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-04-11 09:04:16 +02:00
|
|
|
for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
|
|
|
|
;
|
2013-08-05 14:40:23 +02:00
|
|
|
|
|
|
|
elem->next = cfg;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-06-17 12:07:14 +02:00
|
|
|
#endif // USE_LIBSECCOMP
|
|
|
|
|
|
|
|
#ifdef USE_LIBSECCOMP
|
|
|
|
/**
|
|
|
|
* Initialises the syscall sandbox filter for any linux architecture, taking
|
|
|
|
* into account various available features for different linux flavours.
|
|
|
|
*/
|
|
|
|
static int
|
2013-07-25 13:08:02 +02:00
|
|
|
initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
|
2013-06-17 12:07:14 +02:00
|
|
|
{
|
2015-02-11 15:44:07 +01:00
|
|
|
/* Prevent glibc from trying to open /dev/tty on fatal error */
|
|
|
|
setenv("LIBC_FATAL_STDERR_", "1", 1);
|
|
|
|
|
2013-06-17 12:07:14 +02:00
|
|
|
if (install_sigsys_debugging())
|
|
|
|
return -1;
|
|
|
|
|
2013-07-25 13:08:02 +02:00
|
|
|
if (install_syscall_filter(cfg))
|
2013-06-17 12:07:14 +02:00
|
|
|
return -2;
|
|
|
|
|
2013-08-05 14:40:23 +02:00
|
|
|
if (register_cfg(cfg))
|
|
|
|
return -3;
|
|
|
|
|
2013-06-17 12:07:14 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-04-16 22:05:10 +02:00
|
|
|
int
|
|
|
|
sandbox_is_active(void)
|
|
|
|
{
|
|
|
|
return sandbox_active != 0;
|
|
|
|
}
|
2013-06-17 12:07:14 +02:00
|
|
|
#endif // USE_LIBSECCOMP
|
|
|
|
|
2013-07-25 13:08:02 +02:00
|
|
|
sandbox_cfg_t*
|
2013-08-28 19:01:52 +02:00
|
|
|
sandbox_cfg_new(void)
|
2013-06-17 12:07:14 +02:00
|
|
|
{
|
2013-07-25 13:08:02 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
2013-06-17 12:07:14 +02:00
|
|
|
|
2013-07-25 13:08:02 +02:00
|
|
|
int
|
2013-09-09 21:59:41 +02:00
|
|
|
sandbox_init(sandbox_cfg_t *cfg)
|
2013-07-25 13:08:02 +02:00
|
|
|
{
|
2013-06-17 12:07:14 +02:00
|
|
|
#if defined(USE_LIBSECCOMP)
|
2013-07-25 13:08:02 +02:00
|
|
|
return initialise_libseccomp_sandbox(cfg);
|
2013-06-17 12:07:14 +02:00
|
|
|
|
2014-04-18 20:49:39 +02:00
|
|
|
#elif defined(__linux__)
|
2013-09-09 21:59:41 +02:00
|
|
|
(void)cfg;
|
2014-04-18 20:49:39 +02:00
|
|
|
log_warn(LD_GENERAL,
|
2014-04-26 03:08:01 +02:00
|
|
|
"This version of Tor was built without support for sandboxing. To "
|
2014-04-18 20:49:39 +02:00
|
|
|
"build with support for sandboxing on Linux, you must have "
|
|
|
|
"libseccomp and its necessary header files (e.g. seccomp.h).");
|
2013-06-17 12:07:14 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
#else
|
2013-09-09 21:59:41 +02:00
|
|
|
(void)cfg;
|
2014-04-18 20:49:39 +02:00
|
|
|
log_warn(LD_GENERAL,
|
|
|
|
"Currently, sandboxing is only implemented on Linux. The feature "
|
|
|
|
"is disabled on your platform.");
|
2013-06-17 12:07:14 +02:00
|
|
|
return 0;
|
|
|
|
#endif
|
|
|
|
}
|
2013-07-14 08:49:34 +02:00
|
|
|
|
2013-09-09 21:59:41 +02:00
|
|
|
#ifndef USE_LIBSECCOMP
|
|
|
|
int
|
2014-04-11 09:04:16 +02:00
|
|
|
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
|
2013-09-09 21:59:41 +02:00
|
|
|
{
|
2014-04-11 09:04:16 +02:00
|
|
|
(void)cfg; (void)file;
|
2013-09-09 21:59:41 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2014-04-11 09:04:16 +02:00
|
|
|
sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
|
2013-09-09 21:59:41 +02:00
|
|
|
{
|
2014-04-11 09:04:16 +02:00
|
|
|
(void)cfg; (void)file;
|
2013-09-09 21:59:41 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-05-20 18:21:31 +02:00
|
|
|
#if 0
|
2013-09-09 21:59:41 +02:00
|
|
|
int
|
|
|
|
sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
|
|
|
|
{
|
|
|
|
(void)cfg; (void)com;
|
|
|
|
return 0;
|
|
|
|
}
|
2014-05-20 18:21:31 +02:00
|
|
|
#endif
|
2013-09-09 21:59:41 +02:00
|
|
|
|
|
|
|
int
|
2014-04-11 09:04:16 +02:00
|
|
|
sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
|
2013-09-09 21:59:41 +02:00
|
|
|
{
|
2014-04-11 09:04:16 +02:00
|
|
|
(void)cfg; (void)file;
|
2013-09-09 21:59:41 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-04-11 09:06:05 +02:00
|
|
|
int
|
|
|
|
sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
|
|
|
|
{
|
|
|
|
(void)cfg; (void)file1; (void)file2;
|
|
|
|
return 0;
|
|
|
|
}
|
2014-04-16 22:05:10 +02:00
|
|
|
|
|
|
|
int
|
|
|
|
sandbox_is_active(void)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
2014-09-29 18:57:07 +02:00
|
|
|
|
|
|
|
void
|
|
|
|
sandbox_disable_getaddrinfo_cache(void)
|
|
|
|
{
|
|
|
|
}
|
2013-09-09 21:59:41 +02:00
|
|
|
#endif
|
2013-09-09 22:00:40 +02:00
|
|
|
|