aboutsummaryrefslogtreecommitdiff
path: root/sandbox.c
diff options
context:
space:
mode:
Diffstat (limited to 'sandbox.c')
-rw-r--r--sandbox.c382
1 files changed, 266 insertions, 116 deletions
diff --git a/sandbox.c b/sandbox.c
index 1a0dc9a..a877c16 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -59,46 +59,292 @@ sandbox_logger_process(void)
#include <stdio.h>
#include <string.h>
-/* thanks chromium' src/seccomp.c */
+/* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
+/* #define SC_DEBUG */
+
+#ifdef SC_DEBUG
+# define SC_FAIL SECCOMP_RET_TRAP
+#else
+# define SC_FAIL SECCOMP_RET_KILL
+#endif
+
+#if (BYTE_ORDER == LITTLE_ENDIAN)
+# define SC_ARG_LO 0
+# define SC_ARG_HI sizeof(uint32_t)
+#elif (BYTE_ORDER == BIG_ENDIAN)
+# define SC_ARG_LO sizeof(uint32_t)
+# define SC_ARG_HI 0
+#else
+# error "Uknown endian"
+#endif
+
+/* make the filter more readable */
+#define SC_ALLOW(nr) \
+ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
+ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
+
+/*
+ * SC_ALLOW_ARG and the SECCOMP_AUDIT_ARCH below are courtesy of
+ * https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
+ */
+#define SC_ALLOW_ARG(_nr, _arg, _val) \
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6), \
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
+ offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_LO), \
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
+ ((_val) & 0xffffffff), 0, 3), \
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
+ offsetof(struct seccomp_data, args[(_arg)]) + SC_ARG_HI), \
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
+ (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1), \
+ BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), \
+ BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
+ offsetof(struct seccomp_data, nr))
+
+/*
+ * I personally find this quite nutty. Why can a system header not
+ * define a default for this?
+ */
#if defined(__i386__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__x86_64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
+#elif defined(__arc__)
+# if defined(__A7__)
+# if (BYTE_ORDER == LITTLE_ENDIAN)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
+# else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
+# endif
+# elif defined(__HS__)
+# if (BYTE_ORDER == LITTLE_ENDIAN)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
+# else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
+# endif
+# else
+# error "Platform does not support seccomp filter yet"
+# endif
#elif defined(__arm__)
-# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
+# ifndef EM_ARM
+# define EM_ARM 40
+# endif
+# if (BYTE_ORDER == LITTLE_ENDIAN)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
+# else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
+# endif
#elif defined(__aarch64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
+#elif defined(__alpha__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
+#elif defined(__hppa__)
+# if defined(__LP64__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
+# else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
+# endif
+#elif defined(__ia64__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
+#elif defined(__microblaze__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
+#elif defined(__m68k__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
#elif defined(__mips__)
-# if defined(__mips64)
-# if defined(__MIPSEB__)
-# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
-# else
+# if defined(__MIPSEL__)
+# if defined(__LP64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
+# else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
# endif
+# elif defined(__LP64__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
# else
-# if defined(__MIPSEB__)
-# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
+# endif
+#elif defined(__nds32__)
+# if (BYTE_ORDER == LITTLE_ENDIAN)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
+#else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
+#endif
+#elif defined(__nios2__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
+#elif defined(__or1k__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
+#elif defined(__powerpc64__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
+#elif defined(__powerpc__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
+#elif defined(__riscv)
+# if defined(__LP64__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
+# else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
+# endif
+#elif defined(__s390x__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
+#elif defined(__s390__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
+#elif defined(__sh__)
+# if defined(__LP64__)
+# if (BYTE_ORDER == LITTLE_ENDIAN)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
# else
-# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
+# endif
+# else
+# if (BYTE_ORDER == LITTLE_ENDIAN)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
+# else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
# endif
# endif
+#elif defined(__sparc__)
+# if defined(__arch64__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
+# else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
+# endif
+#elif defined(__xtensa__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
#else
# error "Platform does not support seccomp filter yet"
#endif
-/* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
-/* #define SC_DEBUG */
-
-#ifdef SC_DEBUG
-# define SC_FAIL SECCOMP_RET_TRAP
-#else
-# define SC_FAIL SECCOMP_RET_KILL
+static struct sock_filter filter[] = {
+ /* load the *current* architecture */
+ BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
+ (offsetof(struct seccomp_data, arch))),
+ /* ensure it's the same that we've been compiled on */
+ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
+ SECCOMP_AUDIT_ARCH, 1, 0),
+ /* if not, kill the program */
+ BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
+
+ /* load the syscall number */
+ BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
+ (offsetof(struct seccomp_data, nr))),
+
+#ifdef __NR_accept
+ SC_ALLOW(accept),
+#endif
+#ifdef __NR_accept4
+ SC_ALLOW(accept4),
+#endif
+#ifdef __NR_brk
+ SC_ALLOW(brk),
+#endif
+#ifdef __NR_clock_gettime
+ SC_ALLOW(clock_gettime),
+#endif
+#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+ SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
+#endif
+#ifdef __NR_clock_gettime64
+ SC_ALLOW(clock_gettime64),
+#endif
+#ifdef __NR_close
+ SC_ALLOW(close),
+#endif
+#ifdef __NR_epoll_ctl
+ SC_ALLOW(epoll_ctl),
+#endif
+#ifdef __NR_epoll_pwait
+ SC_ALLOW(epoll_pwait),
+#endif
+#ifdef __NR_epoll_wait
+ SC_ALLOW(epoll_wait),
+#endif
+#ifdef __NR_exit
+ SC_ALLOW(exit),
+#endif
+#ifdef __NR_exit_group
+ SC_ALLOW(exit_group),
+#endif
+#ifdef __NR_fcntl
+ SC_ALLOW(fcntl),
+#endif
+#ifdef __NR_fcntl64
+ SC_ALLOW(fcntl64),
+#endif
+#ifdef __NR_fstat
+ SC_ALLOW(fstat),
+#endif
+#ifdef __NR_getdents64
+ SC_ALLOW(getdents64),
+#endif
+#ifdef __NR_getpid
+ SC_ALLOW(getpid),
+#endif
+#ifdef __NR_getrandom
+ SC_ALLOW(getrandom),
+#endif
+#ifdef __NR_gettimeofday
+ SC_ALLOW(gettimeofday),
+#endif
+#ifdef __NR_ioctl
+ /* allow ioctl only on fd 1, glibc doing stuff? */
+ SC_ALLOW_ARG(__NR_ioctl, 0, 1),
+#endif
+#ifdef __NR_lseek
+ SC_ALLOW(lseek),
+#endif
+#ifdef __NR_madvise
+ SC_ALLOW(madvise),
+#endif
+#ifdef __NR_mmap
+ SC_ALLOW(mmap),
+#endif
+#ifdef __NR_mmap2
+ SC_ALLOW(mmap2),
+#endif
+#ifdef __NR_munmap
+ SC_ALLOW(munmap),
+#endif
+#ifdef __NR_newfstatat
+ SC_ALLOW(newfstatat),
+#endif
+#ifdef __NR_oldfstat
+ SC_ALLOW(oldfstat),
+#endif
+#ifdef __NR_openat
+ SC_ALLOW(openat),
+#endif
+#ifdef __NR_prlimit64
+ SC_ALLOW(prlimit64),
+#endif
+#ifdef __NR_read
+ SC_ALLOW(read),
+#endif
+#ifdef __NR_recvmsg
+ SC_ALLOW(recvmsg),
+#endif
+#ifdef __NR_redav
+ SC_ALLOW(redav),
+#endif
+#ifdef __NR_rt_sigaction
+ SC_ALLOW(rt_sigaction),
+#endif
+#ifdef __NR_rt_sigreturn
+ SC_ALLOW(rt_sigreturn),
+#endif
+#ifdef __NR_sendmsg
+ SC_ALLOW(sendmsg),
+#endif
+#ifdef __NR_statx
+ SC_ALLOW(statx),
+#endif
+#ifdef __NR_write
+ SC_ALLOW(write),
+#endif
+#ifdef __NR_writev
+ SC_ALLOW(writev),
#endif
-/* make the filter more readable */
-#define SC_ALLOW(nr) \
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
- BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
+ /* disallow enything else */
+ BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
+};
#ifdef SC_DEBUG
@@ -141,102 +387,6 @@ sandbox_seccomp_catch_sigsys(void)
void
sandbox_server_process(void)
{
- struct sock_filter filter[] = {
- /* load the *current* architecture */
- BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
- (offsetof(struct seccomp_data, arch))),
- /* ensure it's the same that we've been compiled on */
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
- SECCOMP_AUDIT_ARCH, 1, 0),
- /* if not, kill the program */
- BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
-
- /* load the syscall number */
- BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
- (offsetof(struct seccomp_data, nr))),
-
- /* allow logging on stdout */
- SC_ALLOW(write),
- SC_ALLOW(writev),
- SC_ALLOW(readv),
-
- /* these are used to serve the files. note how we
- * allow openat but not open. */
-#ifdef __NR_epoll_wait
- /* epoll_wait(2) isn't present on aarch64, at least */
- SC_ALLOW(epoll_wait),
-#endif
- SC_ALLOW(epoll_pwait),
- SC_ALLOW(epoll_ctl),
- SC_ALLOW(accept),
- SC_ALLOW(accept4),
- SC_ALLOW(read),
- SC_ALLOW(openat),
- SC_ALLOW(fstat),
- SC_ALLOW(newfstatat),
- SC_ALLOW(close),
- SC_ALLOW(lseek),
- SC_ALLOW(brk),
- SC_ALLOW(mmap),
- SC_ALLOW(munmap),
-
- /* for imsg */
- SC_ALLOW(sendmsg),
- SC_ALLOW(prlimit64),
-
- /* needed for signal handling */
- SC_ALLOW(rt_sigreturn),
- SC_ALLOW(rt_sigaction),
-
- /* we need recvmsg to receive fd */
- SC_ALLOW(recvmsg),
-
- /* XXX: ??? */
- SC_ALLOW(getpid),
-
- /* alpine on amd64 */
- SC_ALLOW(clock_gettime),
- SC_ALLOW(madvise),
-
- /* void on aarch64 does a gettrandom */
- SC_ALLOW(getrandom),
-
- /* arch on amd64 */
- SC_ALLOW(gettimeofday),
-
- /* for directory listing */
- SC_ALLOW(getdents64),
-
- SC_ALLOW(exit),
- SC_ALLOW(exit_group),
-
- /* allow only F_GETFL, F_SETFL & F_SETFD fcntl */
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
- BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
- (offsetof(struct seccomp_data, args[1]))),
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
- BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
- BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFD, 0, 1),
- BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
- BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
-
- /* re-load the syscall number */
- BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
- (offsetof(struct seccomp_data, nr))),
-
- /* allow ioctl but only on fd 1, glibc doing stuff? */
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
- BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
- (offsetof(struct seccomp_data, args[0]))),
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1),
- BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
-
- /* disallow enything else */
- BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
- };
-
struct sock_fprog prog = {
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
.filter = filter,