2021-01-23 12:28:44 +01:00
|
|
|
/*
|
2021-01-23 12:29:02 +01:00
|
|
|
* Copyright (c) 2021 Omar Polo <op@omarpolo.com>
|
2021-01-23 12:28:44 +01:00
|
|
|
*
|
|
|
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
|
*
|
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
|
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
|
*/
|
|
|
|
|
|
2021-01-15 15:03:45 +01:00
|
|
|
#include "gmid.h"
|
|
|
|
|
|
|
|
|
|
#if defined(__FreeBSD__)
|
|
|
|
|
|
|
|
|
|
#include <sys/capsicum.h>
|
|
|
|
|
|
|
|
|
|
void
|
2021-03-20 09:42:08 +01:00
|
|
|
sandbox_server_process(void)
|
|
|
|
|
{
|
|
|
|
|
if (cap_enter() == -1)
|
|
|
|
|
fatal("cap_enter");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
sandbox_executor_process(void)
|
|
|
|
|
{
|
|
|
|
|
/* We cannot capsicum the executor process because it needs
|
|
|
|
|
* to fork(2)+execve(2) cgi scripts */
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
sandbox_logger_process(void)
|
2021-01-15 15:03:45 +01:00
|
|
|
{
|
|
|
|
|
if (cap_enter() == -1)
|
2021-02-11 10:07:28 +01:00
|
|
|
fatal("cap_enter");
|
2021-01-15 15:03:45 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#elif defined(__linux__)
|
|
|
|
|
|
2021-01-17 10:34:27 +01:00
|
|
|
#include <sys/prctl.h>
|
|
|
|
|
#include <sys/syscall.h>
|
|
|
|
|
#include <sys/syscall.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
|
|
|
|
|
#include <linux/audit.h>
|
|
|
|
|
#include <linux/filter.h>
|
|
|
|
|
#include <linux/seccomp.h>
|
|
|
|
|
|
|
|
|
|
#include <errno.h>
|
2021-01-20 17:09:04 +01:00
|
|
|
#include <fcntl.h>
|
2021-01-17 10:34:27 +01:00
|
|
|
#include <stddef.h>
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
|
|
/* thanks chromium' src/seccomp.c */
|
|
|
|
|
#if defined(__i386__)
|
|
|
|
|
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
|
|
|
|
|
#elif defined(__x86_64__)
|
|
|
|
|
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
|
|
|
|
|
#elif defined(__arm__)
|
|
|
|
|
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
|
|
|
|
|
#elif defined(__aarch64__)
|
|
|
|
|
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
|
|
|
|
|
#elif defined(__mips__)
|
|
|
|
|
# if defined(__mips64)
|
|
|
|
|
# if defined(__MIPSEB__)
|
|
|
|
|
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
|
|
|
|
|
# else
|
|
|
|
|
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
|
|
|
|
|
# endif
|
|
|
|
|
# else
|
|
|
|
|
# if defined(__MIPSEB__)
|
|
|
|
|
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
|
|
|
|
|
# else
|
|
|
|
|
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
|
|
|
|
|
# endif
|
|
|
|
|
# endif
|
|
|
|
|
#else
|
|
|
|
|
# error "Platform does not support seccomp filter yet"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
|
|
|
|
|
/* #define SC_DEBUG */
|
|
|
|
|
|
|
|
|
|
#ifdef SC_DEBUG
|
|
|
|
|
# define SC_FAIL SECCOMP_RET_TRAP
|
|
|
|
|
#else
|
|
|
|
|
# define SC_FAIL SECCOMP_RET_KILL
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* make the filter more readable */
|
|
|
|
|
#define SC_ALLOW(nr) \
|
|
|
|
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
|
|
|
|
|
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
|
|
|
|
|
|
|
|
|
|
#ifdef SC_DEBUG
|
|
|
|
|
|
|
|
|
|
#include <signal.h>
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
|
|
|
|
|
{
|
|
|
|
|
(void)signum;
|
|
|
|
|
(void)ctx;
|
|
|
|
|
|
|
|
|
|
fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
|
|
|
|
|
__func__, info->si_arch, info->si_syscall, info->si_call_addr);
|
|
|
|
|
_exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
sandbox_seccomp_catch_sigsys(void)
|
|
|
|
|
{
|
|
|
|
|
struct sigaction act;
|
|
|
|
|
sigset_t mask;
|
|
|
|
|
|
|
|
|
|
memset(&act, 0, sizeof(act));
|
|
|
|
|
sigemptyset(&mask);
|
|
|
|
|
sigaddset(&mask, SIGSYS);
|
|
|
|
|
|
|
|
|
|
act.sa_sigaction = &sandbox_seccomp_violation;
|
|
|
|
|
act.sa_flags = SA_SIGINFO;
|
2021-02-11 10:07:28 +01:00
|
|
|
if (sigaction(SIGSYS, &act, NULL) == -1)
|
|
|
|
|
fatal("%s: sigaction(SIGSYS): %s",
|
2021-01-17 10:34:27 +01:00
|
|
|
__func__, strerror(errno));
|
2021-02-11 10:07:28 +01:00
|
|
|
|
|
|
|
|
if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
|
|
|
|
|
fatal("%s: sigprocmask(SIGSYS): %s\n",
|
2021-01-17 10:34:27 +01:00
|
|
|
__func__, strerror(errno));
|
|
|
|
|
}
|
|
|
|
|
#endif /* SC_DEBUG */
|
|
|
|
|
|
2021-01-15 15:03:45 +01:00
|
|
|
void
|
2021-03-20 09:42:08 +01:00
|
|
|
sandbox_server_process(void)
|
2021-01-15 15:03:45 +01:00
|
|
|
{
|
2021-01-17 10:34:27 +01:00
|
|
|
struct sock_filter filter[] = {
|
|
|
|
|
/* load the *current* architecture */
|
|
|
|
|
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
|
|
|
|
(offsetof(struct seccomp_data, arch))),
|
|
|
|
|
/* ensure it's the same that we've been compiled on */
|
|
|
|
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
|
|
|
|
|
SECCOMP_AUDIT_ARCH, 1, 0),
|
|
|
|
|
/* if not, kill the program */
|
|
|
|
|
BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
|
|
|
|
|
|
|
|
|
|
/* load the syscall number */
|
|
|
|
|
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
|
|
|
|
(offsetof(struct seccomp_data, nr))),
|
|
|
|
|
|
|
|
|
|
/* allow logging on stdout */
|
|
|
|
|
SC_ALLOW(write),
|
|
|
|
|
SC_ALLOW(writev),
|
|
|
|
|
SC_ALLOW(readv),
|
|
|
|
|
|
|
|
|
|
/* these are used to serve the files. note how we
|
|
|
|
|
* allow openat but not open. */
|
2021-02-10 19:02:08 +01:00
|
|
|
#ifdef __NR_epoll_wait
|
|
|
|
|
/* epoll_wait(2) isn't present on aarch64, at least */
|
2021-02-10 15:21:56 +01:00
|
|
|
SC_ALLOW(epoll_wait),
|
2021-02-10 19:02:08 +01:00
|
|
|
#endif
|
2021-02-08 13:46:46 +01:00
|
|
|
SC_ALLOW(epoll_pwait),
|
|
|
|
|
SC_ALLOW(epoll_ctl),
|
2021-02-12 12:59:03 +01:00
|
|
|
SC_ALLOW(accept),
|
2021-02-08 13:46:46 +01:00
|
|
|
SC_ALLOW(accept4),
|
2021-01-17 10:34:27 +01:00
|
|
|
SC_ALLOW(read),
|
|
|
|
|
SC_ALLOW(openat),
|
|
|
|
|
SC_ALLOW(fstat),
|
2021-02-10 20:20:59 +01:00
|
|
|
SC_ALLOW(newfstatat),
|
2021-01-17 10:34:27 +01:00
|
|
|
SC_ALLOW(close),
|
|
|
|
|
SC_ALLOW(lseek),
|
|
|
|
|
SC_ALLOW(brk),
|
|
|
|
|
SC_ALLOW(mmap),
|
|
|
|
|
SC_ALLOW(munmap),
|
|
|
|
|
|
2021-02-23 13:12:27 +01:00
|
|
|
/* for imsg */
|
|
|
|
|
SC_ALLOW(sendmsg),
|
2021-03-20 10:24:44 +01:00
|
|
|
SC_ALLOW(prlimit64),
|
2021-02-23 13:12:27 +01:00
|
|
|
|
2021-02-08 19:39:23 +01:00
|
|
|
/* needed for signal handling */
|
|
|
|
|
SC_ALLOW(rt_sigreturn),
|
|
|
|
|
SC_ALLOW(rt_sigaction),
|
|
|
|
|
|
2021-01-17 10:34:27 +01:00
|
|
|
/* we need recvmsg to receive fd */
|
|
|
|
|
SC_ALLOW(recvmsg),
|
|
|
|
|
|
|
|
|
|
/* XXX: ??? */
|
|
|
|
|
SC_ALLOW(getpid),
|
|
|
|
|
|
2021-02-08 13:46:46 +01:00
|
|
|
/* alpine on amd64 */
|
2021-01-20 17:19:54 +01:00
|
|
|
SC_ALLOW(clock_gettime),
|
2021-02-08 13:46:46 +01:00
|
|
|
SC_ALLOW(madvise),
|
2021-01-20 17:19:54 +01:00
|
|
|
|
2021-01-25 16:25:04 +01:00
|
|
|
/* void on aarch64 does a gettrandom */
|
|
|
|
|
SC_ALLOW(getrandom),
|
|
|
|
|
|
2021-02-10 20:20:59 +01:00
|
|
|
/* arch on amd64 */
|
|
|
|
|
SC_ALLOW(gettimeofday),
|
|
|
|
|
|
2021-01-24 20:12:32 +01:00
|
|
|
/* for directory listing */
|
|
|
|
|
SC_ALLOW(getdents64),
|
|
|
|
|
|
2021-01-17 10:34:27 +01:00
|
|
|
SC_ALLOW(exit),
|
|
|
|
|
SC_ALLOW(exit_group),
|
2021-01-20 17:19:54 +01:00
|
|
|
|
2021-02-08 19:39:23 +01:00
|
|
|
/* allow only F_GETFL, F_SETFL & F_SETFD fcntl */
|
2021-01-24 20:12:32 +01:00
|
|
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
|
2021-01-20 16:54:26 +01:00
|
|
|
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
2021-01-20 17:09:04 +01:00
|
|
|
(offsetof(struct seccomp_data, args[1]))),
|
|
|
|
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
|
|
|
|
|
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
|
|
|
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
|
|
|
|
|
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
2021-01-24 20:12:32 +01:00
|
|
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFD, 0, 1),
|
|
|
|
|
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
2021-01-20 17:09:04 +01:00
|
|
|
BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
|
2021-01-20 17:22:35 +01:00
|
|
|
|
2021-01-20 17:19:54 +01:00
|
|
|
/* re-load the syscall number */
|
2021-01-20 16:54:26 +01:00
|
|
|
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
|
|
|
|
(offsetof(struct seccomp_data, nr))),
|
|
|
|
|
|
2021-01-17 10:34:27 +01:00
|
|
|
/* allow ioctl but only on fd 1, glibc doing stuff? */
|
|
|
|
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
|
|
|
|
|
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
|
|
|
|
(offsetof(struct seccomp_data, args[0]))),
|
|
|
|
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1),
|
|
|
|
|
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
|
|
|
|
|
|
|
|
|
/* disallow enything else */
|
|
|
|
|
BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct sock_fprog prog = {
|
|
|
|
|
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
|
|
|
|
|
.filter = filter,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#ifdef SC_DEBUG
|
|
|
|
|
sandbox_seccomp_catch_sigsys();
|
|
|
|
|
#endif
|
|
|
|
|
|
2021-02-11 10:07:28 +01:00
|
|
|
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
|
|
|
|
|
fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
|
2021-01-17 10:34:27 +01:00
|
|
|
__func__, strerror(errno));
|
|
|
|
|
|
2021-02-11 10:07:28 +01:00
|
|
|
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
|
|
|
|
|
fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
|
2021-01-17 10:34:27 +01:00
|
|
|
__func__, strerror(errno));
|
2021-01-15 15:03:45 +01:00
|
|
|
}
|
|
|
|
|
|
2021-03-20 09:42:08 +01:00
|
|
|
void
|
|
|
|
|
sandbox_executor_process(void)
|
|
|
|
|
{
|
|
|
|
|
/* We cannot use seccomp for the executor process because we
|
|
|
|
|
* don't know what the child will do. Also, our filter will
|
|
|
|
|
* be inherited so the child cannot set its own seccomp
|
|
|
|
|
* policy. */
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
sandbox_logger_process(void)
|
|
|
|
|
{
|
|
|
|
|
/* To be honest, here we could use a seccomp policy to only
|
|
|
|
|
* allow writev(2) and memory allocations. */
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-15 15:03:45 +01:00
|
|
|
#elif defined(__OpenBSD__)
|
|
|
|
|
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
|
|
|
|
|
void
|
2021-03-20 09:42:08 +01:00
|
|
|
sandbox_server_process(void)
|
2021-01-15 15:03:45 +01:00
|
|
|
{
|
2021-04-30 19:16:34 +02:00
|
|
|
struct vhost *h;
|
|
|
|
|
struct location *l;
|
2021-01-15 15:03:45 +01:00
|
|
|
|
2021-03-31 18:32:18 +02:00
|
|
|
TAILQ_FOREACH(h, &hosts, vhosts) {
|
2021-04-30 19:16:34 +02:00
|
|
|
TAILQ_FOREACH(l, &h->locations, locations) {
|
|
|
|
|
if (l->dir == NULL)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (unveil(l->dir, "r") == -1)
|
|
|
|
|
fatal("unveil %s for domain %s",
|
|
|
|
|
l->dir,
|
|
|
|
|
h->domain);
|
|
|
|
|
}
|
2021-01-15 15:03:45 +01:00
|
|
|
}
|
|
|
|
|
|
2021-01-16 20:41:34 +01:00
|
|
|
if (pledge("stdio recvfd rpath inet", NULL) == -1)
|
2021-02-11 10:07:28 +01:00
|
|
|
fatal("pledge");
|
2021-01-15 15:03:45 +01:00
|
|
|
}
|
|
|
|
|
|
2021-03-20 09:42:08 +01:00
|
|
|
void
|
|
|
|
|
sandbox_executor_process(void)
|
|
|
|
|
{
|
2021-03-31 18:32:18 +02:00
|
|
|
struct vhost *h;
|
2021-04-30 19:16:34 +02:00
|
|
|
struct location *l;
|
2021-05-09 20:23:36 +02:00
|
|
|
struct fcgi *f;
|
|
|
|
|
size_t i;
|
2021-03-20 09:42:08 +01:00
|
|
|
|
2021-03-31 18:32:18 +02:00
|
|
|
TAILQ_FOREACH(h, &hosts, vhosts) {
|
2021-04-30 19:16:34 +02:00
|
|
|
TAILQ_FOREACH(l, &h->locations, locations) {
|
|
|
|
|
if (l->dir == NULL)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
/* r so we can chdir into the correct directory */
|
|
|
|
|
if (unveil(l->dir, "rx") == -1)
|
|
|
|
|
fatal("unveil %s for domain %s",
|
|
|
|
|
l->dir, h->domain);
|
|
|
|
|
}
|
2021-03-20 09:42:08 +01:00
|
|
|
}
|
|
|
|
|
|
2021-05-09 20:23:36 +02:00
|
|
|
for (i = 0; i < FCGI_MAX; i++) {
|
|
|
|
|
f = &fcgi[i];
|
|
|
|
|
if (f->path != NULL) {
|
|
|
|
|
if (unveil(f->path, "rw") == -1)
|
|
|
|
|
fatal("unveil %s", f->path);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (f->prog != NULL) {
|
|
|
|
|
if (unveil(f->prog, "rx") == -1)
|
|
|
|
|
fatal("unveil %s", f->prog);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* rpath: to chdir into the correct directory
|
|
|
|
|
* proc exec: CGI
|
|
|
|
|
* dns inet unix: FastCGI
|
|
|
|
|
*/
|
|
|
|
|
if (pledge("stdio rpath sendfd proc exec dns inet unix", NULL))
|
2021-03-20 09:42:08 +01:00
|
|
|
err(1, "pledge");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
sandbox_logger_process(void)
|
|
|
|
|
{
|
|
|
|
|
if (pledge("stdio", NULL) == -1)
|
|
|
|
|
err(1, "pledge");
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-15 15:03:45 +01:00
|
|
|
#else
|
|
|
|
|
|
2021-03-20 09:42:08 +01:00
|
|
|
#warning "No sandbox method known for this OS"
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
sandbox_server_process(void)
|
|
|
|
|
{
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-15 15:03:45 +01:00
|
|
|
void
|
2021-03-20 09:42:08 +01:00
|
|
|
sandbox_executor_process(void)
|
2021-01-15 15:03:45 +01:00
|
|
|
{
|
2021-02-11 10:04:47 +01:00
|
|
|
log_notice(NULL, "no sandbox method known for this OS");
|
2021-01-15 15:03:45 +01:00
|
|
|
}
|
|
|
|
|
|
2021-03-20 09:42:08 +01:00
|
|
|
void
|
|
|
|
|
sandbox_logger_process(void)
|
|
|
|
|
{
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-15 15:03:45 +01:00
|
|
|
#endif
|
