author | laanwj <126646+laanwj@users.noreply.github.com> | 2022-04-06 11:51:05 +0200 |
---|---|---|
committer | laanwj <126646+laanwj@users.noreply.github.com> | 2022-04-06 11:57:08 +0200 |
commit | c5c4fb31828107a5ded88627632e19e05b2c7e83 (patch) | |
tree | f53a5a0c7fde4706de75a75993823c4481242c0d | |
parent | f3e35633690c71ebb69ec2ed08998565cade1522 (diff) | |
parent | fabdf9f870a4c07cb3548c3b385438f02179ea88 (diff) |
Merge bitcoin/bitcoin#24758: Disable the syscall sandbox for bitcoin-qt and remove gui-related syscalls
fabdf9f870a4c07cb3548c3b385438f02179ea88 Remove gui-only syscalls (MarcoFalke)
fa0c2aa826282fe40d2ce7becb4eb6d4814447a3 init: Disable syscall sandbox in the bitcoin-qt process (MarcoFalke)
Pull request description:
It is basically impossible (and a bit out of scope) for us to maintain a sandbox for the qt library. I am not sure if it is possible to only sandbox a few threads in a process, but I doubt this would add any practical benefit anyway, so I am disabling the sandbox for the whole bitcoin-qt process.
See also https://github.com/bitcoin/bitcoin/pull/24690#issuecomment-1084372400
ACKs for top commit:
laanwj:
Code review ACK fabdf9f870a4c07cb3548c3b385438f02179ea88
Tree-SHA512: 944ded03ee25f7dfd0bfeea9c3f97f575f2d470aa03b387b07f3e3bec5cb886e4aaa17e4a9fb359d3e670e6da69adc9111673d13e6561ec55b3161bb67dfe760
-rw-r--r-- | src/init.cpp | 5 | ||||
-rw-r--r-- | src/init.h | 2 | ||||
-rw-r--r-- | src/node/interfaces.cpp | 2 | ||||
-rw-r--r-- | src/util/syscall_sandbox.cpp | 3 | ||||
-rw-r--r-- | src/util/syscall_sandbox.h | 3 |
5 files changed, 6 insertions, 9 deletions
diff --git a/src/init.cpp b/src/init.cpp
index 83937c6925..86e6ec4451 100644
--- a/src/init.cpp
+++ b/src/init.cpp
@@ -792,7 +792,7 @@ bool AppInitBasicSetup(const ArgsManager& args)
 return true;
 }
 
-bool AppInitParameterInteraction(const ArgsManager& args)
+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox)
 {
 const CChainParams& chainparams = Params();
 // ********************************************************* Step 2: parameter interactions
@@ -1058,6 +1058,9 @@ bool AppInitParameterInteraction(const ArgsManager& args)
 if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {
 return InitError(Untranslated("Installation of the syscall sandbox failed."));
 }
+ if (use_syscall_sandbox) {
+ SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
+ }
 LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);
 }
 #endif // USE_SYSCALL_SANDBOX
diff --git a/src/init.h b/src/init.h
index ddd439f619..2250ae20a0 100644
--- a/src/init.h
+++ b/src/init.h
@@ -41,7 +41,7 @@ bool AppInitBasicSetup(const ArgsManager& args);
 * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
 * @pre Parameters should be parsed and config file should be read, AppInitBasicSetup should have been called.
 */
-bool AppInitParameterInteraction(const ArgsManager& args);
+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox = true);
 /**
 * Initialization sanity checks: ecc init, sanity checks, dir lock.
 * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
diff --git a/src/node/interfaces.cpp b/src/node/interfaces.cpp
index d71455bc37..73d15652b1 100644
--- a/src/node/interfaces.cpp
+++ b/src/node/interfaces.cpp
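Review bot: When `use_syscall_sandbox` is false the new guard skips only the INITIALIZATION policy; `SetupSyscallSandbox(...)` on the line above it still runs, and the `LogPrintf` below it still reports "Experimental syscall sandbox enabled", so a bitcoin-qt log will claim a protection that is not applied to its main thread. Whatever process-wide state SetupSyscallSandbox leaves behind (the violation handler selected by `log_syscall_violation_before_terminating`, and presumably an "enabled" flag consulted by later SetSyscallSandboxPolicy calls from other threads — that code is not visible here) is therefore still initialized in the qt process, which does not match the "whole bitcoin-qt process" intent in the PR description. Gating the whole setup on the parameter and logging the skip explicitly keeps the operator-visible state honest; the enclosing `if` block opens before this hunk.
```cpp
        // … unchanged: -sandbox argument handling (enclosing block opens before this hunk) …
        if (use_syscall_sandbox) {
            if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {
                return InitError(Untranslated("Installation of the syscall sandbox failed."));
            }
            SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
            LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);
        } else {
            // Deliberately not sandboxing this process; say so rather than logging "enabled".
            LogPrintf("Syscall sandbox not applied to this process (-sandbox=%s).\n", sandbox_arg);
        }
        // … unchanged: closing brace of the enclosing block, #endif // USE_SYSCALL_SANDBOX …
```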
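Review bot: The new `use_syscall_sandbox` parameter is not described in the Doxygen block above the declaration, which still carries only the @note and @pre lines from before the change. Add ` * @param[in] use_syscall_sandbox When false, the INITIALIZATION syscall sandbox policy is not applied to the calling process (bitcoin-qt passes false through Node::baseInitialize); the -sandbox argument is still processed.` Keeping `= true` as the default means every existing caller retains the sandbox, which is the right direction for a silent default.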
@@ -90,7 +90,7 @@ public:
 uint32_t getLogCategories() override { return LogInstance().GetCategoryMask(); }
 bool baseInitialize() override
 {
- return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs) && AppInitSanityChecks() &&
+ return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs, /*use_syscall_sandbox=*/false) && AppInitSanityChecks() &&
 AppInitLockDataDirectory() && AppInitInterfaces(*m_context);
 }
 bool appInitMain(interfaces::BlockAndHeaderTipInfo* tip_info) override
diff --git a/src/util/syscall_sandbox.cpp b/src/util/syscall_sandbox.cpp
index a05efac602..a69f815ce4 100644
--- a/src/util/syscall_sandbox.cpp
+++ b/src/util/syscall_sandbox.cpp
@@ -592,8 +592,6 @@ public:
 allowed_syscalls.insert(__NR_getcwd); // get current working directory
 allowed_syscalls.insert(__NR_getdents); // get directory entries
 allowed_syscalls.insert(__NR_getdents64); // get directory entries
- allowed_syscalls.insert(__NR_inotify_rm_watch);// remove an existing watch from an inotify instance
- allowed_syscalls.insert(__NR_linkat); // create relative to a directory file descriptor
 allowed_syscalls.insert(__NR_lstat); // get file status
 allowed_syscalls.insert(__NR_mkdir); // create a directory
 allowed_syscalls.insert(__NR_newfstatat); // get file status
@@ -823,7 +821,6 @@ bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating)
 return false;
 }
 }
- SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
 return true;
 }
 
diff --git a/src/util/syscall_sandbox.h b/src/util/syscall_sandbox.h
index f7a1cbdb55..dc02ce29e9 100644
--- a/src/util/syscall_sandbox.h
+++ b/src/util/syscall_sandbox.h
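Review bot: `/*use_syscall_sandbox=*/false` is hardcoded in NodeImpl::baseInitialize, so the sandbox is dropped for every binary that initializes through the Node interface, not only bitcoin-qt as the PR title states; if another process shares this entry point it loses the sandbox with no indication in its log. The call site should record why the constant is there, e.g. `// The syscall sandbox cannot cover the Qt library (see bitcoin/bitcoin#24758), so the Node interface does not apply it.` If a non-Qt consumer of this interface exists, the flag should become a property of the caller rather than a constant here.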
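Review bot: After removing `SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);` from SetupSyscallSandbox, the function returns true without any sandbox policy having been applied, so any caller other than the init.cpp path in this commit that relied on the old contract now runs unsandboxed until it applies a policy itself; worth grepping for other SetupSyscallSandbox callers (tests included) before merging. The header hunk in src/util/syscall_sandbox.h deletes the sentence describing the old behaviour but does not state the new one; replace the removed lines with `//! No sandbox policy is applied by this call; the caller is responsible for invoking SetSyscallSandboxPolicy(...) afterwards.` so the `[[nodiscard]] bool` result is not read as "sandbox active".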
@@ -45,9 +45,6 @@ void SetSyscallSandboxPolicy(SyscallSandboxPolicy syscall_policy);
 
 #if defined(USE_SYSCALL_SANDBOX)
 //! Setup and enable the experimental syscall sandbox for the running process.
-//!
-//! SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION) is called as part of
-//! SetupSyscallSandbox(...).
 [[nodiscard]] bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating);
 
 //! Invoke a disallowed syscall. Use for testing purposes.
|