aboutsummaryrefslogtreecommitdiff
path: root/sandbox.c
AgeCommit message (Collapse)Author
2023-07-24add ability to log to files with log access <path>Omar Polo
2023-06-24copyright years++Omar Polo
2023-06-23sort pledge promises as per pledge(2)Omar Polo
2023-06-23drop `proc' pledge in the main processOmar Polo
unlike the name might suggest, proc_kill() doesn't use kill(2) so proc is not needed.
2023-06-13drop questionable #warningOmar Polo
2023-06-11add a privsep crypto engineOmar Polo
Incorporate the OpenSMTPD' privsep crypto engine. The idea behind it is to never load the certificate' private keys in a networked process, instead they are loaded in a separate process (the `crypto' one) which signs payloads on the behalf of the server processes. This way, we greatly reduce the risk of leaking the certificate' private key should the server process be compromised. This currently compiles only on LibreSSL (portable fix is in the way).
2023-06-09fix sandbox_server_processOmar Polo
it does the unveil(2)ing based on the first config, which breaks config-reloading.
2023-06-08provide sandbox_main_process on !OpenBSDOmar Polo
2023-06-08rework the daemon to do fork+execOmar Polo
It uses the 'common' proc.c from various OpenBSD-daemons. gmid grew organically bit by bit and it was also the first place where I tried to implement privsep. It wasn't done very well, in fact the parent process (that retains root privileges) just fork()s a generation of servers, all sharing *exactly* the same address space. No good! Now, we fork() and re-exec() ourselves, so that each process has a fresh address space. Some features (require client ca for example) are temporarly disabled, will be fixed in subsequent commits. The "ge" program is also temporarly disabled as it needs tweaks to do privsep too.
2023-06-06use fatal() in code used in the daemonOmar Polo
2023-06-06switch to the more usual log.cOmar Polo
2023-06-06rename log.[ch] to logger.[ch]Omar Polo
2023-06-05provide a more usual fatalOmar Polo
fatal usually appends the error string. Add 'fatalx' that doesn't. Fix callers and move the prototypes to log.h
2023-05-08send capsicum/landlock/seccomp hack to ValhallaOmar Polo
2023-05-08drop landlock/seccomp and capsicum supportOmar Polo
it reached a point where this stuff is not maintenable. I'd like to move forward with gmid, but the restriction of capsicum and the linux environment at large that make landlock unusable (how can you resolve DNS portably when under landlock?) -and don't get me started on seccomp- makes it impossible for me to do any work. So, I prefer removing the crap, resuming working on gmid by cleaning stuff and consolidating the features, improving various things etc... and then eventually see how to introduce some sandboxing again on other systems. Patches to resume sandboxing are, as always, welcome!
2022-11-27adjust pledge/unveil on OpenBSDOmar Polo
to connect to unix-domain sockets the `unix' pledge is needed and also unveil "w". gmid can't mutate files because it doesn't pledge `wpath' nor `cpath'.
2022-10-05make the various strings in the config fixed-lengthOmar Polo
will help in future restructuring to have fixed-size objects.
2022-09-06optionally disable the sandbox on some systemsOmar Polo
The FreeBSD and Linux' sandbox can't deal with `fastcgi' and `proxy' configuration rules: new sockets needs to be opened and it's either impossible (the former) or a huge pain in the arse (the latter). The sandbox is still always used in case only static files are served.
2022-09-06gc sandbox_executor_processOmar Polo
2022-09-06get rid of the CGI supportOmar Polo
I really want to get rid of the `executor' process hack for CGI scripts and its escalation to allow fastcgi and proxying to work on non-OpenBSD. This drops the CGI support and the `executor' process entirely and is the first step towards gmid 2.0. It also allows to have more secure defaults. On non-OpenBSD systems this means that the sandbox will be deactivated as soon as fastcgi or proxying are used: you can't open sockets under FreeBSD' capsicum(4) and I don't want to go thru the pain of making it work under linux' seccomp/landlock. Patches are always welcome however. For folks using CGI scripts (hey, I'm one of you!) not all hope is lost: fcgiwrap or OpenBSD' slowcgi(8) are ways to run CGI scripts as they were FastCGI applications. fixes for the documentation and to the non-OpenBSD sandboxes will follow.
2022-03-19const-ify some tablesOmar Polo
matches found with % grep -R '=[ ]*{' . | fgrep -v const
2022-02-13tightens seccomp filter: allow only openat(O_RDONLY)Omar Polo
be more strict and allow an openat only with the O_RDONLY flag. This is kind of redundant with landlock, but still good to have. Landlock is not yet widely available and won't kill the process upon policy violation; furthermore, landlock can be disabled at boot time. tested on GNU and musl libc on arch and alpine amd64.
2022-02-13sort syscalls in seccomp filterOmar Polo
2022-02-13Allow Arch-Armv7 syscalls in sandbox.cTobias Berger
2022-02-10fix landlock usageOmar Polo
Mickaël Salaün, the landlock author, pointed out the same error on the got implementation. The assumption that not listed access capabilities are implicitly denied is completely wrong: > In a nutshell, the ruleset's handled_access_fs is required for > backward and forward compatibility (i.e. the kernel and user space may > not know each other's supported restrictions), hence the need to be > explicit about the denied-by-default access rights.
2021-12-11[seccomp] allow ugetrlimit(2), needed by glibc on armv7lMax
2021-10-18fmtOmar Polo
2021-10-09don't work around a missing -Wno-unused-parameterOmar Polo
It's been there for a long time, and it's frankly annoying to pretend to use parameters. Most of the time, they're there to satisfy an interface and nothings more.
2021-10-02enforce PR_SET_NO_NEW_PRIVS in the logger processOmar Polo
otherwise landlock will refuse to enable itself and the logger process dies.
2021-09-26forgot includeOmar Polo
2021-09-26[seccomp] allow ioctl(FIONREAD)Omar Polo
it's needed by bufferevent_read
2021-09-25refactor landlockOmar Polo
refactor the landlock-related code into something more manageable. The only real difference is that before the logger process would try to landlock itself to "/" without perms, something that landlock doesn't support (now it enables landlock and then restrict itself, which is the correct move.)
2021-09-19landlock the logger process tooOmar Polo
Disallow everything landlock can handle. The logger process doesn't need any fs access (on OpenBSD it runs with pledge("stdio recvfd")).
2021-09-19add helper function gmid_create_landlock_rsOmar Polo
2021-09-19landlock the server processOmar Polo
Trying to implement some landlock policies (rules?) where possible. The server process is, of course, the most dangerous process so start with that. The following should be equivalent to the unveil(2) call on OpenBSD: allows only to read files and directories inside the vhost roots. I'm assuming seccomp is enabled so I'm not trying to disallow actions such as LANDLOCK_ACCESS_FS_EXECUTE or LANDLOCK_ACCESS_FS_REMOVE_FILE which require syscalls that are already disallowed. I'm only trying to limit the damage that the currently allowed system calls can do. e.g. since write(2) is allowed, gmid could modify *any* file it has access to; this is now forbidden by landlock. There are still too many #ifdefs for my tastes, but it's still better than the seccomp code.
2021-07-23typoOmar Polo
Since there was 0 reports in a month can I assume it's not actually used anywhere?
2021-07-23allow fstat64Omar Polo
used by glibc on aarch64. Found and tested by pine, thanks!
2021-07-09typoOmar Polo
2021-07-07style(9)-ifyOmar Polo
2021-07-03typoOmar Polo
2021-07-03fix seccomp filter for ppc64leOmar Polo
before we matched ppc64le as ppc64 (which is big ending I presume), so the seccomp filter would always kill gmid #4 related
2021-07-02configure: add --disable-sandboxOmar Polo
Calling `configure' with --disable-sandbox will disable the sandbox support *completely* at compile time. gmid will still complain at compile time and during the startup. Users shouldn't disable the sandbox if possible, but instead report problem upstream so they get fixed (hopefully.) #4 related
2021-07-02reworked seccomp filterOmar Polo
* SECCOMP_AUDIT_ARCH extended to support more architectures * relax fcntl policy: allow the syscall regardless of the flags * wrap every syscall in a ifdef, and add some (statx, fcntl64, ...) used in x86 Some bits were taken from dhcpcd[0], thanks! #4 related [0]: https://roy.marples.name/git/dhcpcd/blob/HEAD:/src/privsep-linux.c
2021-06-15allow sending fd to log on to the logger processOmar Polo
the logger process now can receive a file descriptor to write logs to. At the moment the logic is simple, if it receives a file it logs there, otherwise it logs to syslog. This will allow to log on custom log files.
2021-05-09fastcgi: a first implementationOmar Polo
Not production-ready yet, but it's a start. This adds a third ``backend'' for gmid: until now there it served local files or CGI scripts, now FastCGI applications too. FastCGI is meant to be an improvement over CGI: instead of exec'ing a script for every request, it allows to open a single connection to an ``application'' and send the requests/receive the responses over that socket using a simple binary protocol. At the moment gmid supports three different methods of opening a fastcgi connection: - local unix sockets, with: fastcgi "/path/to/sock" - network sockets, with: fastcgi tcp "host" [port] port defaults to 9000 and can be either a string or a number - subprocess, with: fastcgi spawn "/path/to/program" the fastcgi protocol is done over the executed program stdin of these, the last is only for testing and may be removed in the future. P.S.: the fastcgi rule is per-location of course :)
2021-04-30allow ``root'' rule to be specified per-location blockOmar Polo
2021-03-31list instead of fixed-size array for vhosts and locationsOmar Polo
saves some bytes of memory and removes the limit on the maximum number of vhosts and location blocks.
2021-03-20[seccomp] allow prlimit64Omar Polo
it's needed by getdtablesize, at least on glibc
2021-03-20move all sandbox-related code to sandbox.cOmar Polo
while there, add capsicum for the logger process
2021-02-23[seccomp] allow sendmsgOmar Polo