aboutsummaryrefslogtreecommitdiff
path: root/src/init.cpp
diff options
context:
space:
mode:
authorpracticalswift <practicalswift@users.noreply.github.com>2021-10-01 13:53:59 +0000
committerpracticalswift <practicalswift@users.noreply.github.com>2021-10-01 13:51:10 +0000
commit4747da3a5b639b5a336b737e7e3cbf060cf2efcf (patch)
treec375c8eff3a7f4b02f66247b52dfee286e7fcbae /src/init.cpp
parente69cbac628bfdca4a8e4ead821190eaf5b6b3d07 (diff)
Add syscall sandboxing (seccomp-bpf)
Diffstat (limited to 'src/init.cpp')
-rw-r--r--src/init.cpp36
1 files changed, 36 insertions, 0 deletions
diff --git a/src/init.cpp b/src/init.cpp
index ff36ec805c..541c0a9afc 100644
--- a/src/init.cpp
+++ b/src/init.cpp
@@ -60,6 +60,7 @@
#include <util/check.h>
#include <util/moneystr.h>
#include <util/string.h>
+#include <util/syscall_sandbox.h>
#include <util/system.h>
#include <util/thread.h>
#include <util/threadnames.h>
@@ -562,6 +563,10 @@ void SetupServerArgs(ArgsManager& argsman)
hidden_args.emplace_back("-daemonwait");
#endif
+#if defined(USE_SYSCALL_SANDBOX)
+ argsman.AddArg("-sandbox=<mode>", "Use the experimental syscall sandbox in the specified mode (-sandbox=log-and-abort or -sandbox=abort). Allow only expected syscalls to be used by bitcoind. Note that this is an experimental new feature that may cause bitcoind to exit or crash unexpectedly: use with caution. In the \"log-and-abort\" mode the invocation of an unexpected syscall results in a debug handler being invoked which will log the incident and terminate the program (without executing the unexpected syscall). In the \"abort\" mode the invocation of an unexpected syscall results in the entire process being killed immediately by the kernel without executing the unexpected syscall.", ArgsManager::ALLOW_ANY, OptionsCategory::OPTIONS);
+#endif // USE_SYSCALL_SANDBOX
+
// Add the hidden options
argsman.AddHiddenArgs(hidden_args);
}
@@ -1018,6 +1023,37 @@ bool AppInitParameterInteraction(const ArgsManager& args)
return InitError(_("No proxy server specified. Use -proxy=<ip> or -proxy=<ip:port>."));
}
+#if defined(USE_SYSCALL_SANDBOX)
+ if (args.IsArgSet("-sandbox") && !args.IsArgNegated("-sandbox")) {
+ const std::string sandbox_arg{args.GetArg("-sandbox", "")};
+ bool log_syscall_violation_before_terminating{false};
+ if (sandbox_arg == "log-and-abort") {
+ log_syscall_violation_before_terminating = true;
+ } else if (sandbox_arg == "abort") {
+ // log_syscall_violation_before_terminating is false by default.
+ } else {
+ return InitError(Untranslated("Unknown syscall sandbox mode (-sandbox=<mode>). Available modes are \"log-and-abort\" and \"abort\"."));
+ }
+ // execve(...) is not allowed by the syscall sandbox.
+ const std::vector<std::string> features_using_execve{
+ "-alertnotify",
+ "-blocknotify",
+ "-signer",
+ "-startupnotify",
+ "-walletnotify",
+ };
+ for (const std::string& feature_using_execve : features_using_execve) {
+ if (!args.GetArg(feature_using_execve, "").empty()) {
+ return InitError(Untranslated(strprintf("The experimental syscall sandbox feature (-sandbox=<mode>) is incompatible with %s (which uses execve).", feature_using_execve)));
+ }
+ }
+ if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {
+ return InitError(Untranslated("Installation of the syscall sandbox failed."));
+ }
+ LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);
+ }
+#endif // USE_SYSCALL_SANDBOX
+
return true;
}