14#ifndef _LARGEFILE64_SOURCE
19#define _LARGEFILE64_SOURCE
29#define MALLOC_MP_LIM (20*1024*1024)
44#include "ext/tor_queue.h"
46#include "ext/siphash.h"
48#define DEBUGGING_CLOSE
50#if defined(USE_LIBSECCOMP)
53#include <sys/syscall.h>
58#include <linux/futex.h>
61#ifdef ENABLE_FRAGILE_HARDENING
62#include <sys/ptrace.h>
73#ifdef HAVE_GNU_LIBC_VERSION_H
74#include <gnu/libc-version.h>
76#ifdef HAVE_LINUX_NETFILTER_IPV4_H
77#include <linux/netfilter_ipv4.h>
82#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
83#include <linux/netfilter_ipv6/ip6_tables.h>
86#if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
87 defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
89#define BACKTRACE_PRIVATE
102#define REG_SYSCALL REG_EAX
103#define M_SYSCALL gregs[REG_SYSCALL]
108#elif defined(__x86_64__)
110#define REG_SYSCALL REG_RAX
111#define M_SYSCALL gregs[REG_SYSCALL]
113#elif defined(__arm__)
115#define M_SYSCALL arm_r7
117#elif defined(__aarch64__) && defined(__LP64__)
120#define M_SYSCALL regs[REG_SYSCALL]
125#define SYSCALL_NAME_DEBUGGING
133#if defined(__aarch64__) || defined(__riscv)
134#define ARCH_USES_GENERIC_SYSCALLS
138static int sandbox_active = 0;
143#define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
144#define SCMP_CMP_STR(a,b,c) \
145 ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
146#define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
151#define SCMP_CMP_MASKED(a,b,c) \
152 SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
157#define SCMP_CMP_LOWER32_EQ(a,b) \
158 SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, (unsigned int)(b))
163static int filter_nopar_gen[] = {
166#ifdef __NR_clock_gettime64
167 SCMP_SYS(clock_gettime64),
169 SCMP_SYS(clock_gettime),
177 SCMP_SYS(epoll_create),
178 SCMP_SYS(epoll_wait),
179#ifdef __NR_epoll_pwait
180 SCMP_SYS(epoll_pwait),
202 SCMP_SYS(getdents64),
216#ifdef ENABLE_FRAGILE_HARDENING
222 SCMP_SYS(gettimeofday),
234#ifdef __NR_membarrier
236 SCMP_SYS(membarrier),
255 SCMP_SYS(rt_sigreturn),
259 SCMP_SYS(sched_getaffinity),
260#ifdef __NR_sched_yield
261 SCMP_SYS(sched_yield),
264 SCMP_SYS(set_robust_list),
269#ifdef __NR_sigaltstack
270 SCMP_SYS(sigaltstack),
275#if defined(__NR_stat)
277#elif defined(__i386__) && defined(__NR_statx)
284 SCMP_SYS(exit_group),
314 SCMP_SYS(getsockname),
316#ifdef __NR_getpeername
317 SCMP_SYS(getpeername),
334#define PHONY_OPENDIR_SYSCALL -2
338#define seccomp_rule_add_0(ctx,act,call) \
339 seccomp_rule_add((ctx),(act),(call),0)
340#define seccomp_rule_add_1(ctx,act,call,f1) \
341 seccomp_rule_add((ctx),(act),(call),1,(f1))
342#define seccomp_rule_add_2(ctx,act,call,f1,f2) \
343 seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
344#define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
345 seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
346#define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
347 seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
348#define seccomp_rule_add_5(ctx,act,call,f1,f2,f3,f4,f5) \
349 seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4),(f5))
351static const char *sandbox_get_interned_string(
const char *str);
362 int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
363 SIGSEGV, SIGILL, SIGFPE, SIGBUS, SIGSYS, SIGIO,
371 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
372 SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
390 return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
391 SCMP_CMP(0, SCMP_CMP_EQ, 0));
406 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
407 SCMP_CMP(0, SCMP_CMP_EQ, 18));
413 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
414 SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
433 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
434 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
435 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
440 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
441 SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
442 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
447 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
448 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
449 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
454 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
455 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
456 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
461 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
462 SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
463 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
468 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
469 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
470 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
475 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
476 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
477 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
482 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
483 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
484 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
493#ifdef HAVE_GNU_LIBC_VERSION_H
494#ifdef HAVE_GNU_GET_LIBC_VERSION
495#define CHECK_LIBC_VERSION
502is_libc_at_least(
int major,
int minor)
504#ifdef CHECK_LIBC_VERSION
505 const char *version = gnu_get_libc_version();
512 tor_sscanf(version,
"%d.%d", &libc_major, &libc_minor);
513 if (libc_major > major)
515 else if (libc_major == major && libc_minor >= minor)
529libc_uses_openat_for_open(
void)
532 return is_libc_at_least(2, 26);
542#if !(defined(ENABLE_FRAGILE_HARDENING) && defined(ARCH_USES_GENERIC_SYSCALLS))
546libc_uses_openat_for_opendir(
void)
550 return is_libc_at_least(2, 27) ||
551 (is_libc_at_least(2, 15) && !is_libc_at_least(2, 22));
562allow_file_open(scmp_filter_ctx ctx,
int use_openat,
const char *file)
565 return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
566 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
567 SCMP_CMP_STR(1, SCMP_CMP_EQ, file));
569 return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
570 SCMP_CMP_STR(0, SCMP_CMP_EQ, file));
584 int use_openat = libc_uses_openat_for_open();
586#ifdef ENABLE_FRAGILE_HARDENING
592#ifdef ARCH_USES_GENERIC_SYSCALLS
593 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
594 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD));
596 log_err(
LD_BUG,
"(Sandbox) failed to add openat syscall, received "
597 "libseccomp error %d", rc);
606 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open));
608 log_err(
LD_BUG,
"(Sandbox) failed to add open syscall, received "
609 "libseccomp error %d", rc);
621 for (elem = filter; elem != NULL; elem = elem->next) {
622 smp_param_t *param = elem->param;
624 if (param != NULL && param->prot == 1 && param->syscall
626 rc = allow_file_open(ctx, use_openat, param->value);
628 log_err(
LD_BUG,
"(Sandbox) failed to add open syscall, received "
629 "libseccomp error %d", rc);
638#ifdef ARCH_USES_GENERIC_SYSCALLS
646 for (elem = filter; elem != NULL; elem = elem->next) {
647 smp_param_t *param = elem->param;
649 if (param != NULL && param->prot == 1 && param->syscall
650 == SCMP_SYS(fchmodat)) {
651 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
652 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
653 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
655 log_err(
LD_BUG,
"(Sandbox) failed to add fchmodat syscall, received "
656 "libseccomp error %d", rc);
672 for (elem = filter; elem != NULL; elem = elem->next) {
673 smp_param_t *param = elem->param;
675 if (param != NULL && param->prot == 1 && param->syscall
676 == SCMP_SYS(chmod)) {
677 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chmod),
678 SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
680 log_err(
LD_BUG,
"(Sandbox) failed to add chmod syscall, received "
681 "libseccomp error %d", rc);
691#if defined(ARCH_USES_GENERIC_SYSCALLS)
699 for (elem = filter; elem != NULL; elem = elem->next) {
700 smp_param_t *param = elem->param;
702 if (param != NULL && param->prot == 1 && param->syscall
703 == SCMP_SYS(fchownat)) {
704 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
705 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
706 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
708 log_err(
LD_BUG,
"(Sandbox) failed to add fchownat syscall, received "
709 "libseccomp error %d", rc);
717#elif defined(__i386__)
725 for (elem = filter; elem != NULL; elem = elem->next) {
726 smp_param_t *param = elem->param;
728 if (param != NULL && param->prot == 1 && param->syscall
729 == SCMP_SYS(chown32)) {
730 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown32),
731 SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
733 log_err(
LD_BUG,
"(Sandbox) failed to add chown32 syscall, received "
734 "libseccomp error %d", rc);
750 for (elem = filter; elem != NULL; elem = elem->next) {
751 smp_param_t *param = elem->param;
753 if (param != NULL && param->prot == 1 && param->syscall
754 == SCMP_SYS(chown)) {
755 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown),
756 SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
758 log_err(
LD_BUG,
"(Sandbox) failed to add chown syscall, received "
759 "libseccomp error %d", rc);
769#if defined(__NR_rename)
781 for (elem = filter; elem != NULL; elem = elem->next) {
782 smp_param_t *param = elem->param;
784 if (param != NULL && param->prot == 1 &&
785 param->syscall == SCMP_SYS(rename)) {
787 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
788 SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
789 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
791 log_err(
LD_BUG,
"(Sandbox) failed to add rename syscall, received "
792 "libseccomp error %d", rc);
800#elif defined(__NR_renameat)
812 for (elem = filter; elem != NULL; elem = elem->next) {
813 smp_param_t *param = elem->param;
815 if (param != NULL && param->prot == 1 &&
816 param->syscall == SCMP_SYS(renameat)) {
818 rc = seccomp_rule_add_4(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat),
819 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
820 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
821 SCMP_CMP_LOWER32_EQ(2, AT_FDCWD),
822 SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2));
824 log_err(
LD_BUG,
"(Sandbox) failed to add renameat syscall, received "
825 "libseccomp error %d", rc);
845 for (elem = filter; elem != NULL; elem = elem->next) {
846 smp_param_t *param = elem->param;
848 if (param != NULL && param->prot == 1 &&
849 param->syscall == SCMP_SYS(renameat2)) {
851 rc = seccomp_rule_add_5(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat2),
852 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
853 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
854 SCMP_CMP_LOWER32_EQ(2, AT_FDCWD),
855 SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2),
856 SCMP_CMP(4, SCMP_CMP_EQ, 0));
858 log_err(
LD_BUG,
"(Sandbox) failed to add renameat2 syscall, received "
859 "libseccomp error %d", rc);
879#if !(defined(ENABLE_FRAGILE_HARDENING) && defined(ARCH_USES_GENERIC_SYSCALLS))
891 for (elem = filter; elem != NULL; elem = elem->next) {
892 smp_param_t *param = elem->param;
894 if (param != NULL && param->prot == 1 && param->syscall
895 == SCMP_SYS(openat)) {
896 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
897 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
898 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
899 SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
902 log_err(
LD_BUG,
"(Sandbox) failed to add openat syscall, received "
903 "libseccomp error %d", rc);
919 for (elem = filter; elem != NULL; elem = elem->next) {
920 smp_param_t *param = elem->param;
922 if (param != NULL && param->prot == 1 && param->syscall
923 == PHONY_OPENDIR_SYSCALL) {
924 rc = allow_file_open(ctx, libc_uses_openat_for_opendir(), param->value);
926 log_err(
LD_BUG,
"(Sandbox) failed to add openat syscall, received "
927 "libseccomp error %d", rc);
938#ifdef ENABLE_FRAGILE_HARDENING
947 pid_t pid = getpid();
950 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ptrace),
951 SCMP_CMP(0, SCMP_CMP_EQ, PTRACE_ATTACH),
952 SCMP_CMP(1, SCMP_CMP_EQ, pid));
958#if defined(__aarch64__) || defined(__s390__)
959 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ptrace),
960 SCMP_CMP(0, SCMP_CMP_EQ, PTRACE_GETREGSET),
961 SCMP_CMP(1, SCMP_CMP_EQ, pid));
963 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ptrace),
964 SCMP_CMP(0, SCMP_CMP_EQ, PTRACE_GETREGS),
965 SCMP_CMP(1, SCMP_CMP_EQ, pid));
986 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
991 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
992 SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
993 SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
997 for (i = 0; i < 2; ++i) {
998 const int pf = i ? PF_INET : PF_INET6;
999 for (j=0; j < 3; ++j) {
1000 const int type = (j == 0) ? SOCK_STREAM :
1002 const int protocol = (j == 0) ? IPPROTO_TCP :
1003 (j == 1) ? IPPROTO_IP :
1005 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
1006 SCMP_CMP(0, SCMP_CMP_EQ, pf),
1007 SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
1008 SCMP_CMP(2, SCMP_CMP_EQ, protocol));
1015 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
1016 SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
1017 SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM),
1018 SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
1023 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
1024 SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
1025 SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
1026 SCMP_CMP(2, SCMP_CMP_EQ, 0));
1030 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
1031 SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
1032 SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
1033 SCMP_CMP(2, SCMP_CMP_EQ, 0));
1037 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
1038 SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
1039 SCMP_CMP_MASKED(1, SOCK_CLOEXEC, SOCK_RAW),
1040 SCMP_CMP(2, SCMP_CMP_EQ, 0));
1058 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
1063 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
1064 SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
1065 SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
1072#ifdef HAVE_KIST_SUPPORT
1074#include <linux/sockios.h>
1082 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl),
1083 SCMP_CMP(1, SCMP_CMP_EQ, SIOCOUTQNSD));
1102 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
1107 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1108 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1109 SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
1113 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1114 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1115 SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
1119 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1120 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1121 SCMP_CMP(2, SCMP_CMP_EQ, SO_RCVBUF));
1126 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1127 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1128 SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUFFORCE));
1133#ifdef IP_TRANSPARENT
1134 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1135 SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
1136 SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
1142 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1143 SCMP_CMP(1, SCMP_CMP_EQ, IPPROTO_IPV6),
1144 SCMP_CMP(2, SCMP_CMP_EQ, IPV6_V6ONLY));
1149#ifdef IP_BIND_ADDRESS_NO_PORT
1150 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1151 SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
1152 SCMP_CMP(2, SCMP_CMP_EQ, IP_BIND_ADDRESS_NO_PORT));
1171 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
1176 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1177 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1178 SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
1182 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1183 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1184 SCMP_CMP(2, SCMP_CMP_EQ, SO_ACCEPTCONN));
1189 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1190 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1191 SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
1196#ifdef HAVE_LINUX_NETFILTER_IPV4_H
1197 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1198 SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
1199 SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
1204#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
1205 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1206 SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
1207 SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
1212#ifdef HAVE_KIST_SUPPORT
1213#include <netinet/tcp.h>
1214 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1215 SCMP_CMP(1, SCMP_CMP_EQ, SOL_TCP),
1216 SCMP_CMP(2, SCMP_CMP_EQ, TCP_INFO));
1235 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
1236 SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
1240 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
1241 SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
1242 SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
1246 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
1247 SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
1251 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
1252 SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
1253 SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
1273 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
1274 SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
1278 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
1279 SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
1283 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
1284 SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
1304#ifdef ENABLE_FRAGILE_HARDENING
1305 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
1306 SCMP_CMP(0, SCMP_CMP_EQ, PR_GET_DUMPABLE));
1310 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
1311 SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_PTRACER));
1316 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
1317 SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
1337 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
1338 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
1342 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
1343 SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
1355sb_rt_sigprocmask(scmp_filter_ctx ctx,
sandbox_cfg_t *filter)
1360#if defined(ENABLE_FRAGILE_HARDENING) || \
1361 defined(USE_TRACING_INSTRUMENTATION_LTTNG)
1362 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
1363 SCMP_CMP(0, SCMP_CMP_EQ, SIG_BLOCK));
1368 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
1369 SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
1373 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
1374 SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
1393 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
1394 SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
1398 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
1399 SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
1417 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
1418 SCMP_CMP(1, SCMP_CMP_EQ,
1419 FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
1423 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
1424 SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
1428 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
1429 SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
1448 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
1449 SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
1456#ifdef ARCH_USES_GENERIC_SYSCALLS
1469 for (elem = filter; elem != NULL; elem = elem->next) {
1470 smp_param_t *param = elem->param;
1472 if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
1473 || param->syscall == PHONY_OPENDIR_SYSCALL
1474 || param->syscall == SCMP_SYS(newfstatat))) {
1475 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat),
1476 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
1477 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
1479 log_err(
LD_BUG,
"(Sandbox) failed to add newfstatat syscall, received "
1480 "libseccomp error %d", rc);
1502 for (elem = filter; elem != NULL; elem = elem->next) {
1503 smp_param_t *param = elem->param;
1505 if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
1506 || param->syscall == SCMP_SYS(stat64))) {
1507 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
1508 SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
1510 log_err(
LD_BUG,
"(Sandbox) failed to add stat64 syscall, received "
1511 "libseccomp error %d", rc);
1527 return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(kill),
1528 SCMP_CMP(1, SCMP_CMP_EQ, 0));
1538static sandbox_filter_func_t filter_func[] = {
1548#if defined(ARCH_USES_GENERIC_SYSCALLS)
1550#elif defined(__i386__)
1555#if defined(ARCH_USES_GENERIC_SYSCALLS)
1561#if !(defined(ENABLE_FRAGILE_HARDENING) && defined(ARCH_USES_GENERIC_SYSCALLS))
1565#ifdef ENABLE_FRAGILE_HARDENING
1568#if defined(__NR_rename)
1570#elif defined(__NR_renameat)
1584#if defined(ARCH_USES_GENERIC_SYSCALLS)
1586#elif defined(__NR_stat64)
1594#ifdef HAVE_KIST_SUPPORT
1609 const char *interned = sandbox_get_interned_string(str);
1611 if (sandbox_active && str != NULL && interned == NULL) {
1612 log_warn(
LD_BUG,
"No interned sandbox parameter found for %s", str);
1615 return interned ? interned : str;
1623sandbox_interned_string_is_missing(
const char *str)
1625 return sandbox_active && sandbox_get_interned_string(str) == NULL;
1634sandbox_get_interned_string(
const char *str)
1641 for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
1642 smp_param_t *param = elem->param;
1645 if (!strcmp(str, (
char*)(param->value))) {
1646 return (
char*)param->value;
1648 if (param->value2 && !strcmp(str, (
char*)param->value2)) {
1649 return (
char*)param->value2;
1659prot_strings_helper(strmap_t *locations,
1660 char **pr_mem_next_p,
1661 size_t *pr_mem_left_p,
1671 param_val = (
char*) *value_p;
1672 param_size = strlen(param_val) + 1;
1673 location = strmap_get(locations, param_val);
1678 *value_p = location;
1680 }
else if (*pr_mem_left_p >= param_size) {
1682 location = *pr_mem_next_p;
1683 memcpy(location, param_val, param_size);
1687 *value_p = location;
1689 strmap_set(locations, location, location);
1692 *pr_mem_next_p += param_size;
1693 *pr_mem_left_p -= param_size;
1696 log_err(
LD_BUG,
"(Sandbox) insufficient protected memory!");
1711 size_t pr_mem_size = 0, pr_mem_left = 0;
1712 char *pr_mem_next = NULL, *pr_mem_base;
1714 strmap_t *locations = NULL;
1717 for (el = cfg; el != NULL; el = el->next) {
1718 pr_mem_size += strlen((
char*) el->param->value) + 1;
1719 if (el->param->value2)
1720 pr_mem_size += strlen((
char*) el->param->value2) + 1;
1724 pr_mem_base = (
char*) mmap(NULL,
MALLOC_MP_LIM + pr_mem_size,
1725 PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
1726 if (pr_mem_base == MAP_FAILED) {
1727 log_err(
LD_BUG,
"(Sandbox) failed allocate protected memory! mmap: %s",
1734 pr_mem_left = pr_mem_size;
1736 locations = strmap_new();
1739 for (el = cfg; el != NULL; el = el->next) {
1740 if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
1741 &el->param->value) < 0) {
1745 if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
1746 &el->param->value2) < 0) {
1750 el->param->prot = 1;
1754 if (mprotect(pr_mem_base,
MALLOC_MP_LIM + pr_mem_size, PROT_READ)) {
1755 log_err(
LD_BUG,
"(Sandbox) failed to protect memory! mprotect: %s",
1765 ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
1766 SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
1768 log_err(
LD_BUG,
"(Sandbox) mremap protected memory filter fail!");
1773 ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
1774 SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
1776 log_err(
LD_BUG,
"(Sandbox) munmap protected memory filter fail!");
1790 ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
1791 SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
1793 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
1795 log_err(
LD_BUG,
"(Sandbox) mprotect protected memory filter fail (LT)!");
1799 ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
1800 SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
1803 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
1805 log_err(
LD_BUG,
"(Sandbox) mprotect protected memory filter fail (GT)!");
1810 strmap_free(locations, NULL);
1821new_element2(
int syscall,
char *value,
char *value2)
1823 smp_param_t *param = NULL;
1826 param = elem->param = tor_malloc_zero(
sizeof(smp_param_t));
1828 param->syscall = syscall;
1829 param->value = value;
1830 param->value2 = value2;
1837new_element(
int syscall,
char *value)
1839 return new_element2(syscall, value, NULL);
1842#if defined(ARCH_USES_GENERIC_SYSCALLS)
1843#define SCMP_chown SCMP_SYS(fchownat)
1844#elif defined(__i386__)
1845#define SCMP_chown SCMP_SYS(chown32)
1847#define SCMP_chown SCMP_SYS(chown)
1850#if defined(ARCH_USES_GENERIC_SYSCALLS)
1851#define SCMP_chmod SCMP_SYS(fchmodat)
1853#define SCMP_chmod SCMP_SYS(chmod)
1856#if defined(__NR_rename)
1857#define SCMP_rename SCMP_SYS(rename)
1858#elif defined(__NR_renameat)
1859#define SCMP_rename SCMP_SYS(renameat)
1861#define SCMP_rename SCMP_SYS(renameat2)
1864#if defined(ARCH_USES_GENERIC_SYSCALLS)
1865#define SCMP_stat SCMP_SYS(newfstatat)
1866#elif defined(__NR_stat64)
1867#define SCMP_stat SCMP_SYS(stat64)
1869#define SCMP_stat SCMP_SYS(stat)
1877 elem = new_element(SCMP_stat, file);
1890 elem = new_element(SCMP_SYS(open), file);
1899sandbox_cfg_allow_chmod_filename(
sandbox_cfg_t **cfg,
char *file)
1903 elem = new_element(SCMP_chmod, file);
1912sandbox_cfg_allow_chown_filename(
sandbox_cfg_t **cfg,
char *file)
1916 elem = new_element(SCMP_chown, file);
1925sandbox_cfg_allow_rename(
sandbox_cfg_t **cfg,
char *file1,
char *file2)
1929 elem = new_element2(SCMP_rename, file1, file2);
1942 elem = new_element(SCMP_SYS(openat), file);
1955 elem = new_element(PHONY_OPENDIR_SYSCALL, dir);
1975 rc = filter_func[i](ctx, cfg);
1977 log_err(
LD_BUG,
"(Sandbox) failed to add syscall %d, received libseccomp "
1991add_noparam_filter(scmp_filter_ctx ctx)
1998 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
2000 log_err(
LD_BUG,
"(Sandbox) failed to add syscall index %d (NR=%d), "
2001 "received libseccomp error %d", i, filter_nopar_gen[i], rc);
2006 if (is_libc_at_least(2, 33)) {
2007#ifdef __NR_newfstatat
2019 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat));
2021 log_err(
LD_BUG,
"(Sandbox) failed to add newfstatat() syscall; "
2022 "received libseccomp error %d", rc);
2040 scmp_filter_ctx ctx;
2042 ctx = seccomp_init(SCMP_ACT_ERRNO(EPERM));
2044 log_err(
LD_BUG,
"(Sandbox) failed to initialise libseccomp context");
2050 if ((rc = prot_strings(ctx, cfg))) {
2055 if ((rc = add_param_filter(ctx, cfg))) {
2056 log_err(
LD_BUG,
"(Sandbox) failed to add param filters!");
2061 if ((rc = add_noparam_filter(ctx))) {
2062 log_err(
LD_BUG,
"(Sandbox) failed to add param filters!");
2067 if ((rc = seccomp_load(ctx))) {
2068 log_err(
LD_BUG,
"(Sandbox) failed to load: %d (%s)! "
2069 "Are you sure that your kernel has seccomp2 support? The "
2070 "sandbox won't work without it.", rc,
2079 seccomp_release(ctx);
2080 return (rc < 0 ? -rc : rc);
2083#ifdef SYSCALL_NAME_DEBUGGING
2084#include "lib/sandbox/linux_syscalls.inc"
2088get_syscall_name(
int syscall_num)
2091 for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
2092 if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
2093 return SYSCALLS_BY_NUMBER[i].syscall_name;
2097 static char syscall_name_buf[64];
2099 syscall_name_buf,
sizeof(syscall_name_buf));
2100 return syscall_name_buf;
2107get_syscall_from_ucontext(
const ucontext_t *ctx)
2109 return (
int) ctx->uc_mcontext.M_SYSCALL;
2113get_syscall_name(
int syscall_num)
2119get_syscall_from_ucontext(
const ucontext_t *ctx)
2127#define MAX_DEPTH 256
2128static void *syscall_cb_buf[MAX_DEPTH];
2137sigsys_debugging(
int nr, siginfo_t *info,
void *void_context)
2139 ucontext_t *ctx = (ucontext_t *) (void_context);
2140 const char *syscall_name;
2144 const int *fds = NULL;
2155 int syscall = get_syscall_from_ucontext(ctx);
2158 depth = backtrace(syscall_cb_buf, MAX_DEPTH);
2161 clean_backtrace(syscall_cb_buf, depth, ctx);
2164 syscall_name = get_syscall_name(syscall);
2173 for (i=0; i < n_fds; ++i)
2174 backtrace_symbols_fd(syscall_cb_buf, (
int)depth, fds[i]);
2177#if defined(DEBUGGING_CLOSE)
2189install_sigsys_debugging(
void)
2191 struct sigaction act;
2194 memset(&act, 0,
sizeof(act));
2196 sigaddset(&mask, SIGSYS);
2198 act.sa_sigaction = &sigsys_debugging;
2199 act.sa_flags = SA_SIGINFO;
2200 if (sigaction(SIGSYS, &act, NULL) < 0) {
2201 log_err(
LD_BUG,
"(Sandbox) Failed to register SIGSYS signal handler");
2205 if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
2206 log_err(
LD_BUG,
"(Sandbox) Failed call to sigprocmask()");
2223 if (filter_dynamic == NULL) {
2224 filter_dynamic = cfg;
2228 for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
2238#ifdef USE_LIBSECCOMP
2247 setenv(
"LIBC_FATAL_STDERR_",
"1", 1);
2249 if (install_sigsys_debugging())
2252 if (install_syscall_filter(cfg))
2255 if (register_cfg(cfg))
2264 return sandbox_active != 0;
2277#if defined(USE_LIBSECCOMP)
2278 return initialise_libseccomp_sandbox(cfg);
2280#elif defined(__linux__)
2283 "This version of Tor was built without support for sandboxing. To "
2284 "build with support for sandboxing on Linux, you must have "
2285 "libseccomp and its necessary header files (e.g. seccomp.h).");
2291 "Currently, sandboxing is only implemented on Linux. The feature "
2292 "is disabled on your platform.");
2297#ifndef USE_LIBSECCOMP
2301 (void)cfg; (void)file;
2308 (void)cfg; (void)file;
2315 (void)cfg; (void)dir;
2322 (void)cfg; (void)file;
2327sandbox_cfg_allow_chown_filename(
sandbox_cfg_t **cfg,
char *file)
2329 (void)cfg; (void)file;
2334sandbox_cfg_allow_chmod_filename(
sandbox_cfg_t **cfg,
char *file)
2336 (void)cfg; (void)file;
2341sandbox_cfg_allow_rename(
sandbox_cfg_t **cfg,
char *file1,
char *file2)
2343 (void)cfg; (void)file1; (void)file2;
Headers for util_malloc.c.
int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
sandbox_cfg_t * sandbox_cfg_new(void)
int sandbox_init(sandbox_cfg_t *cfg)
int sandbox_is_active(void)
int sandbox_cfg_allow_opendir_dirname(sandbox_cfg_t **cfg, char *dir)
int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
Header file for sandbox.c.
struct sandbox_cfg_elem_t sandbox_cfg_t
#define sandbox_intern_string(s)
int tor_sscanf(const char *buf, const char *pattern,...)
Definitions for timing-related constants.
int format_dec_number_sigsafe(unsigned long x, char *buf, int buf_len)
void tor_log_err_sigsafe(const char *m,...)
int tor_log_get_sigsafe_err_fds(const int **out)
Integer definitions used throughout Tor.