Tor 0.4.9.2-alpha-dev
All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Modules Pages
sandbox.c
Go to the documentation of this file.
1/* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5/* See LICENSE for licensing information */
6
7/**
8 * \file sandbox.c
9 * \brief Code to enable sandboxing.
10 **/
11
12#include "orconfig.h"
13
14#ifndef _LARGEFILE64_SOURCE
15/**
16 * Temporarily required for O_LARGEFILE flag. Needs to be removed
17 * with the libevent fix.
18 */
19#define _LARGEFILE64_SOURCE
20#endif /* !defined(_LARGEFILE64_SOURCE) */
21
22/** Malloc mprotect limit in bytes.
23 *
24 * 28/06/2017: This value was increased from 16 MB to 20 MB after we introduced
25 * LZMA support in Tor (0.3.1.1-alpha). We limit our LZMA coder to 16 MB, but
26 * liblzma have a small overhead that we need to compensate for to avoid being
27 * killed by the sandbox.
28 */
29#define MALLOC_MP_LIM (20*1024*1024)
30
31#include <stdio.h>
32#include <string.h>
33#include <stdlib.h>
34#include <errno.h>
35
36#include "lib/sandbox/sandbox.h"
37#include "lib/container/map.h"
38#include "lib/err/torerr.h"
39#include "lib/log/log.h"
40#include "lib/cc/torint.h"
41#include "lib/malloc/malloc.h"
42#include "lib/string/scanf.h"
43
44#include "ext/tor_queue.h"
45#include "ext/ht.h"
46#include "ext/siphash.h"
47
48#define DEBUGGING_CLOSE
49
50#if defined(USE_LIBSECCOMP)
51
52#include <sys/mman.h>
53#include <sys/syscall.h>
54#include <sys/types.h>
55#include <sys/stat.h>
56#include <sys/epoll.h>
57#include <sys/prctl.h>
58#include <linux/futex.h>
59#include <sys/file.h>
60
61#ifdef ENABLE_FRAGILE_HARDENING
62#include <sys/ptrace.h>
63#endif
64
65#include <stdarg.h>
66#include <seccomp.h>
67#include <signal.h>
68#include <unistd.h>
69#include <fcntl.h>
70#include <time.h>
71#include <poll.h>
72
73#ifdef HAVE_GNU_LIBC_VERSION_H
74#include <gnu/libc-version.h>
75#endif
76#ifdef HAVE_LINUX_NETFILTER_IPV4_H
77#include <linux/netfilter_ipv4.h>
78#endif
79#ifdef HAVE_LINUX_IF_H
80#include <linux/if.h>
81#endif
82#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
83#include <linux/netfilter_ipv6/ip6_tables.h>
84#endif
85
86#if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
87 defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
88#define USE_BACKTRACE
89#define BACKTRACE_PRIVATE
90#include "lib/err/backtrace.h"
91#endif /* defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && ... */
92
93#ifdef USE_BACKTRACE
94#include <execinfo.h>
95#endif
96
97/**
98 * Linux 32 bit definitions
99 */
100#if defined(__i386__)
101
102#define REG_SYSCALL REG_EAX
103#define M_SYSCALL gregs[REG_SYSCALL]
104
105/**
106 * Linux 64 bit definitions
107 */
108#elif defined(__x86_64__)
109
110#define REG_SYSCALL REG_RAX
111#define M_SYSCALL gregs[REG_SYSCALL]
112
113#elif defined(__arm__)
114
115#define M_SYSCALL arm_r7
116
117#elif defined(__aarch64__) && defined(__LP64__)
118
119#define REG_SYSCALL 8
120#define M_SYSCALL regs[REG_SYSCALL]
121
122#endif /* defined(__i386__) || ... */
123
124#ifdef M_SYSCALL
125#define SYSCALL_NAME_DEBUGGING
126#endif
127
128/**
129 * On newer architectures Linux provides a standardized, generic set of system
130 * calls (defined in Linux's include/uapi/asm-generic/unistd.h), which omits a
131 * number of legacy calls used by glibc on other platforms.
132 */
133#if defined(__aarch64__) || defined(__riscv)
134#define ARCH_USES_GENERIC_SYSCALLS
135#endif
136
137/**Determines if at least one sandbox is active.*/
138static int sandbox_active = 0;
139/** Holds the parameter list configuration for the sandbox.*/
140static sandbox_cfg_t *filter_dynamic = NULL;
141
142#undef SCMP_CMP
143#define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
144#define SCMP_CMP_STR(a,b,c) \
145 ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
146#define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
147/* We use a wrapper here because these masked comparisons seem to be pretty
148 * verbose. Also, it's important to cast to scmp_datum_t before negating the
149 * mask, since otherwise the negation might get applied to a 32 bit value, and
150 * the high bits of the value might get masked out improperly. */
151#define SCMP_CMP_MASKED(a,b,c) \
152 SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
153/* Negative constants aren't consistently sign extended or zero extended.
154 * Different compilers, libc, and architectures behave differently. For cases
155 * where the kernel ABI uses a 32 bit integer, this macro can be used to
156 * mask-compare only the lower 32 bits of the value. */
157#define SCMP_CMP_LOWER32_EQ(a,b) \
158 SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, (unsigned int)(b))
159
160/** Variable used for storing all syscall numbers that will be allowed with the
161 * stage 1 general Tor sandbox.
162 */
163static int filter_nopar_gen[] = {
164 SCMP_SYS(access),
165 SCMP_SYS(brk),
166#ifdef __NR_clock_gettime64
167 SCMP_SYS(clock_gettime64),
168#else
169 SCMP_SYS(clock_gettime),
170#endif
171 SCMP_SYS(close),
172 SCMP_SYS(clone),
173 SCMP_SYS(dup),
174#ifdef __NR_clone3
175 SCMP_SYS(clone3),
176#endif
177 SCMP_SYS(epoll_create),
178 SCMP_SYS(epoll_wait),
179#ifdef __NR_epoll_pwait
180 SCMP_SYS(epoll_pwait),
181#endif
182#ifdef HAVE_EVENTFD
183 SCMP_SYS(eventfd2),
184#endif
185#ifdef HAVE_PIPE2
186 SCMP_SYS(pipe2),
187#endif
188#ifdef HAVE_PIPE
189 SCMP_SYS(pipe),
190#endif
191#ifdef __NR_fchmod
192 SCMP_SYS(fchmod),
193#endif
194 SCMP_SYS(fcntl),
195 SCMP_SYS(fstat),
196#ifdef __NR_fstat64
197 SCMP_SYS(fstat64),
198#endif
199 SCMP_SYS(fsync),
200 SCMP_SYS(futex),
201 SCMP_SYS(getdents),
202 SCMP_SYS(getdents64),
203 SCMP_SYS(getegid),
204#ifdef __NR_getegid32
205 SCMP_SYS(getegid32),
206#endif
207 SCMP_SYS(geteuid),
208#ifdef __NR_geteuid32
209 SCMP_SYS(geteuid32),
210#endif
211 SCMP_SYS(getgid),
212#ifdef __NR_getgid32
213 SCMP_SYS(getgid32),
214#endif
215 SCMP_SYS(getpid),
216#ifdef ENABLE_FRAGILE_HARDENING
217 SCMP_SYS(getppid),
218#endif
219#ifdef __NR_getrlimit
220 SCMP_SYS(getrlimit),
221#endif
222 SCMP_SYS(gettimeofday),
223 SCMP_SYS(gettid),
224 SCMP_SYS(getuid),
225#ifdef __NR_getuid32
226 SCMP_SYS(getuid32),
227#endif
228 SCMP_SYS(lseek),
229#ifdef __NR__llseek
230 SCMP_SYS(_llseek),
231#endif
232 // glob uses this..
233 SCMP_SYS(lstat),
234#ifdef __NR_membarrier
235 /* Inter-processor synchronization, needed for tracing support */
236 SCMP_SYS(membarrier),
237#endif
238 SCMP_SYS(mkdir),
239 SCMP_SYS(mlockall),
240#ifdef __NR_mmap
241 /* XXXX restrict this in the same ways as mmap2 */
242 SCMP_SYS(mmap),
243#endif
244 SCMP_SYS(munmap),
245#ifdef __NR_nanosleep
246 SCMP_SYS(nanosleep),
247#endif
248#ifdef __NR_prlimit
249 SCMP_SYS(prlimit),
250#endif
251#ifdef __NR_prlimit64
252 SCMP_SYS(prlimit64),
253#endif
254 SCMP_SYS(read),
255 SCMP_SYS(rt_sigreturn),
256#ifdef __NR_rseq
257 SCMP_SYS(rseq),
258#endif
259 SCMP_SYS(sched_getaffinity),
260#ifdef __NR_sched_yield
261 SCMP_SYS(sched_yield),
262#endif
263 SCMP_SYS(sendmsg),
264 SCMP_SYS(set_robust_list),
265#ifdef __NR_setrlimit
266 SCMP_SYS(setrlimit),
267#endif
268 SCMP_SYS(shutdown),
269#ifdef __NR_sigaltstack
270 SCMP_SYS(sigaltstack),
271#endif
272#ifdef __NR_sigreturn
273 SCMP_SYS(sigreturn),
274#endif
275#if defined(__NR_stat)
276 SCMP_SYS(stat),
277#elif defined(__i386__) && defined(__NR_statx)
278 SCMP_SYS(statx),
279#endif
280 SCMP_SYS(uname),
281 SCMP_SYS(wait4),
282 SCMP_SYS(write),
283 SCMP_SYS(writev),
284 SCMP_SYS(exit_group),
285 SCMP_SYS(exit),
286
287 SCMP_SYS(madvise),
288#ifdef __NR_stat64
289 // getaddrinfo uses this..
290 SCMP_SYS(stat64),
291#endif
292
293#ifdef __NR_getrandom
294 SCMP_SYS(getrandom),
295#endif
296
297#ifdef __NR_sysinfo
298 // qsort uses this..
299 SCMP_SYS(sysinfo),
300#endif
301 /*
302 * These socket syscalls are not required on x86_64 and not supported with
303 * some libseccomp versions (eg: 1.0.1)
304 */
305#if defined(__i386)
306 SCMP_SYS(recv),
307 SCMP_SYS(send),
308#endif
309
310 // socket syscalls
311 SCMP_SYS(bind),
312 SCMP_SYS(listen),
313 SCMP_SYS(connect),
314 SCMP_SYS(getsockname),
315#ifdef ENABLE_NSS
316#ifdef __NR_getpeername
317 SCMP_SYS(getpeername),
318#endif
319#endif
320 SCMP_SYS(recvmsg),
321 SCMP_SYS(recvfrom),
322 SCMP_SYS(sendto),
323 SCMP_SYS(unlink),
324#ifdef __NR_unlinkat
325 SCMP_SYS(unlinkat),
326#endif
327 SCMP_SYS(poll)
328};
329
330/* opendir is not a syscall but it will use either open or openat. We do not
331 * want the decision to allow open/openat to be the callers reponsability, so
332 * we create a phony syscall number for opendir and sb_opendir will choose the
333 * correct syscall. */
334#define PHONY_OPENDIR_SYSCALL -2
335
336/* These macros help avoid the error where the number of filters we add on a
337 * single rule don't match the arg_cnt param. */
338#define seccomp_rule_add_0(ctx,act,call) \
339 seccomp_rule_add((ctx),(act),(call),0)
340#define seccomp_rule_add_1(ctx,act,call,f1) \
341 seccomp_rule_add((ctx),(act),(call),1,(f1))
342#define seccomp_rule_add_2(ctx,act,call,f1,f2) \
343 seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
344#define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
345 seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
346#define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
347 seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
348#define seccomp_rule_add_5(ctx,act,call,f1,f2,f3,f4,f5) \
349 seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4),(f5))
350
351static const char *sandbox_get_interned_string(const char *str);
352
353/**
354 * Function responsible for setting up the rt_sigaction syscall for
355 * the seccomp filter sandbox.
356 */
357static int
358sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
359{
360 unsigned i;
361 int rc;
362 int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
363 SIGSEGV, SIGILL, SIGFPE, SIGBUS, SIGSYS, SIGIO,
364#ifdef SIGXFSZ
365 SIGXFSZ
366#endif
367 };
368 (void) filter;
369
370 for (i = 0; i < ARRAY_LENGTH(param); i++) {
371 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
372 SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
373 if (rc)
374 break;
375 }
376
377 return rc;
378}
379
380#ifdef __NR_time
381/**
382 * Function responsible for setting up the time syscall for
383 * the seccomp filter sandbox.
384 */
385static int
386sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
387{
388 (void) filter;
389
390 return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
391 SCMP_CMP(0, SCMP_CMP_EQ, 0));
392}
393#endif /* defined(__NR_time) */
394
395/**
396 * Function responsible for setting up the accept4 syscall for
397 * the seccomp filter sandbox.
398 */
399static int
400sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
401{
402 int rc = 0;
403 (void)filter;
404
405#ifdef __i386__
406 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
407 SCMP_CMP(0, SCMP_CMP_EQ, 18));
408 if (rc) {
409 return rc;
410 }
411#endif /* defined(__i386__) */
412
413 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
414 SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
415 if (rc) {
416 return rc;
417 }
418
419 return 0;
420}
421
422#ifdef __NR_mmap2
423/**
424 * Function responsible for setting up the mmap2 syscall for
425 * the seccomp filter sandbox.
426 */
427static int
428sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
429{
430 int rc = 0;
431 (void)filter;
432
433 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
434 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
435 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
436 if (rc) {
437 return rc;
438 }
439
440 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
441 SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
442 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
443 if (rc) {
444 return rc;
445 }
446
447 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
448 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
449 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
450 if (rc) {
451 return rc;
452 }
453
454 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
455 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
456 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
457 if (rc) {
458 return rc;
459 }
460
461 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
462 SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
463 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
464 if (rc) {
465 return rc;
466 }
467
468 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
469 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
470 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
471 if (rc) {
472 return rc;
473 }
474
475 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
476 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
477 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
478 if (rc) {
479 return rc;
480 }
481
482 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
483 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
484 SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
485 if (rc) {
486 return rc;
487 }
488
489 return 0;
490}
491#endif /* defined(__NR_mmap2) */
492
493#ifdef HAVE_GNU_LIBC_VERSION_H
494#ifdef HAVE_GNU_GET_LIBC_VERSION
495#define CHECK_LIBC_VERSION
496#endif
497#endif
498
499/* Return true the libc version is greater or equal than
500 * <b>major</b>.<b>minor</b>. Returns false otherwise. */
501static int
502is_libc_at_least(int major, int minor)
503{
504#ifdef CHECK_LIBC_VERSION
505 const char *version = gnu_get_libc_version();
506 if (version == NULL)
507 return 0;
508
509 int libc_major = -1;
510 int libc_minor = -1;
511
512 tor_sscanf(version, "%d.%d", &libc_major, &libc_minor);
513 if (libc_major > major)
514 return 1;
515 else if (libc_major == major && libc_minor >= minor)
516 return 1;
517 else
518 return 0;
519#else /* !defined(CHECK_LIBC_VERSION) */
520 (void)major;
521 (void)minor;
522 return 0;
523#endif /* defined(CHECK_LIBC_VERSION) */
524}
525
526/* Return true if we think we're running with a libc that uses openat for the
527 * open function on linux. */
528static int
529libc_uses_openat_for_open(void)
530{
531#ifdef __NR_open
532 return is_libc_at_least(2, 26);
533#else
534 return 1;
535#endif /* defined(__NR_open) */
536}
537
538/* Calls to opendir() cannot be filtered by the sandbox when built with fragile
539 * hardening for an architecture that uses Linux's generic syscall interface,
540 * so prevent a compiler warning by omitting this function along with
541 * sb_opendir(). */
542#if !(defined(ENABLE_FRAGILE_HARDENING) && defined(ARCH_USES_GENERIC_SYSCALLS))
543/* Return true if we think we're running with a libc that uses openat for the
544 * opendir function on linux. */
545static int
546libc_uses_openat_for_opendir(void)
547{
548#ifdef __NR_open
549 // libc 2.27 and above or between 2.15 (inclusive) and 2.22 (exclusive)
550 return is_libc_at_least(2, 27) ||
551 (is_libc_at_least(2, 15) && !is_libc_at_least(2, 22));
552#else
553 return 1;
554#endif /* defined(__NR_open) */
555}
556#endif /* !(defined(ENABLE_FRAGILE_HARDENING) &&
557 defined(ARCH_USES_GENERIC_SYSCALLS)) */
558
559/** Allow a single file to be opened. If <b>use_openat</b> is true,
560 * we're using a libc that remaps all the opens into openats. */
561static int
562allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file)
563{
564 if (use_openat) {
565 return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
566 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
567 SCMP_CMP_STR(1, SCMP_CMP_EQ, file));
568 } else {
569 return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
570 SCMP_CMP_STR(0, SCMP_CMP_EQ, file));
571 }
572}
573
574/**
575 * Function responsible for setting up the open syscall for
576 * the seccomp filter sandbox.
577 */
578static int
579sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
580{
581 int rc;
582 sandbox_cfg_t *elem = NULL;
583
584 int use_openat = libc_uses_openat_for_open();
585
586#ifdef ENABLE_FRAGILE_HARDENING
587 /* AddressSanitizer uses either the "open" or the "openat" syscall (depending
588 * on the architecture) to access information about the running process via
589 * the filesystem, so the appropriate call must be allowed without
590 * restriction or the sanitizer will be unable to execute normally when the
591 * process terminates. */
592#ifdef ARCH_USES_GENERIC_SYSCALLS
593 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
594 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD));
595 if (rc != 0) {
596 log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
597 "libseccomp error %d", rc);
598 return rc;
599 }
600
601 /* The "open" syscall is not defined on this architecture, so any other
602 * requests to open files will necessarily use "openat" as well and there is
603 * no need to consider any additional rules. */
604 return 0;
605#else
606 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open));
607 if (rc != 0) {
608 log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
609 "libseccomp error %d", rc);
610 return rc;
611 }
612
613 /* If glibc also uses only the "open" syscall to open files on this system
614 * there is no need to consider any additional rules. */
615 if (!use_openat)
616 return 0;
617#endif /* defined(ARCH_USES_GENERIC_SYSCALLS) */
618#endif /* defined(ENABLE_FRAGILE_HARDENING) */
619
620 // for each dynamic parameter filters
621 for (elem = filter; elem != NULL; elem = elem->next) {
622 smp_param_t *param = elem->param;
623
624 if (param != NULL && param->prot == 1 && param->syscall
625 == SCMP_SYS(open)) {
626 rc = allow_file_open(ctx, use_openat, param->value);
627 if (rc != 0) {
628 log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
629 "libseccomp error %d", rc);
630 return rc;
631 }
632 }
633 }
634
635 return 0;
636}
637
638#ifdef ARCH_USES_GENERIC_SYSCALLS
639static int
640sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
641{
642 int rc;
643 sandbox_cfg_t *elem = NULL;
644
645 // for each dynamic parameter filters
646 for (elem = filter; elem != NULL; elem = elem->next) {
647 smp_param_t *param = elem->param;
648
649 if (param != NULL && param->prot == 1 && param->syscall
650 == SCMP_SYS(fchmodat)) {
651 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
652 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
653 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
654 if (rc != 0) {
655 log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
656 "libseccomp error %d", rc);
657 return rc;
658 }
659 }
660 }
661
662 return 0;
663}
664#else
665static int
666sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
667{
668 int rc;
669 sandbox_cfg_t *elem = NULL;
670
671 // for each dynamic parameter filters
672 for (elem = filter; elem != NULL; elem = elem->next) {
673 smp_param_t *param = elem->param;
674
675 if (param != NULL && param->prot == 1 && param->syscall
676 == SCMP_SYS(chmod)) {
677 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chmod),
678 SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
679 if (rc != 0) {
680 log_err(LD_BUG,"(Sandbox) failed to add chmod syscall, received "
681 "libseccomp error %d", rc);
682 return rc;
683 }
684 }
685 }
686
687 return 0;
688}
689#endif /* defined(ARCH_USES_GENERIC_SYSCALLS) */
690
691#if defined(ARCH_USES_GENERIC_SYSCALLS)
692static int
693sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
694{
695 int rc;
696 sandbox_cfg_t *elem = NULL;
697
698 // for each dynamic parameter filters
699 for (elem = filter; elem != NULL; elem = elem->next) {
700 smp_param_t *param = elem->param;
701
702 if (param != NULL && param->prot == 1 && param->syscall
703 == SCMP_SYS(fchownat)) {
704 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
705 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
706 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
707 if (rc != 0) {
708 log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
709 "libseccomp error %d", rc);
710 return rc;
711 }
712 }
713 }
714
715 return 0;
716}
717#elif defined(__i386__)
718static int
719sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
720{
721 int rc;
722 sandbox_cfg_t *elem = NULL;
723
724 // for each dynamic parameter filters
725 for (elem = filter; elem != NULL; elem = elem->next) {
726 smp_param_t *param = elem->param;
727
728 if (param != NULL && param->prot == 1 && param->syscall
729 == SCMP_SYS(chown32)) {
730 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown32),
731 SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
732 if (rc != 0) {
733 log_err(LD_BUG,"(Sandbox) failed to add chown32 syscall, received "
734 "libseccomp error %d", rc);
735 return rc;
736 }
737 }
738 }
739
740 return 0;
741}
742#else
743static int
744sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
745{
746 int rc;
747 sandbox_cfg_t *elem = NULL;
748
749 // for each dynamic parameter filters
750 for (elem = filter; elem != NULL; elem = elem->next) {
751 smp_param_t *param = elem->param;
752
753 if (param != NULL && param->prot == 1 && param->syscall
754 == SCMP_SYS(chown)) {
755 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown),
756 SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
757 if (rc != 0) {
758 log_err(LD_BUG,"(Sandbox) failed to add chown syscall, received "
759 "libseccomp error %d", rc);
760 return rc;
761 }
762 }
763 }
764
765 return 0;
766}
767#endif /* defined(ARCH_USES_GENERIC_SYSCALLS) || defined(__i386__) */
768
769#if defined(__NR_rename)
770/**
771 * Function responsible for setting up the rename syscall for
772 * the seccomp filter sandbox.
773 */
774static int
775sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
776{
777 int rc;
778 sandbox_cfg_t *elem = NULL;
779
780 // for each dynamic parameter filters
781 for (elem = filter; elem != NULL; elem = elem->next) {
782 smp_param_t *param = elem->param;
783
784 if (param != NULL && param->prot == 1 &&
785 param->syscall == SCMP_SYS(rename)) {
786
787 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
788 SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
789 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
790 if (rc != 0) {
791 log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
792 "libseccomp error %d", rc);
793 return rc;
794 }
795 }
796 }
797
798 return 0;
799}
800#elif defined(__NR_renameat)
801/**
802 * Function responsible for setting up the renameat syscall for
803 * the seccomp filter sandbox.
804 */
805static int
806sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
807{
808 int rc;
809 sandbox_cfg_t *elem = NULL;
810
811 // for each dynamic parameter filters
812 for (elem = filter; elem != NULL; elem = elem->next) {
813 smp_param_t *param = elem->param;
814
815 if (param != NULL && param->prot == 1 &&
816 param->syscall == SCMP_SYS(renameat)) {
817
818 rc = seccomp_rule_add_4(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat),
819 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
820 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
821 SCMP_CMP_LOWER32_EQ(2, AT_FDCWD),
822 SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2));
823 if (rc != 0) {
824 log_err(LD_BUG,"(Sandbox) failed to add renameat syscall, received "
825 "libseccomp error %d", rc);
826 return rc;
827 }
828 }
829 }
830
831 return 0;
832}
833#else
834/**
835 * Function responsible for setting up the renameat2 syscall for
836 * the seccomp filter sandbox.
837 */
838static int
839sb_renameat2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
840{
841 int rc;
842 sandbox_cfg_t *elem = NULL;
843
844 // for each dynamic parameter filters
845 for (elem = filter; elem != NULL; elem = elem->next) {
846 smp_param_t *param = elem->param;
847
848 if (param != NULL && param->prot == 1 &&
849 param->syscall == SCMP_SYS(renameat2)) {
850
851 rc = seccomp_rule_add_5(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat2),
852 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
853 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
854 SCMP_CMP_LOWER32_EQ(2, AT_FDCWD),
855 SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2),
856 SCMP_CMP(4, SCMP_CMP_EQ, 0));
857 if (rc != 0) {
858 log_err(LD_BUG,"(Sandbox) failed to add renameat2 syscall, received "
859 "libseccomp error %d", rc);
860 return rc;
861 }
862 }
863 }
864
865 return 0;
866}
867#endif /* defined(__NR_rename) || defined(__NR_renameat) */
868
869/* If Tor is built with fragile hardening for an architecture that uses Linux's
870 * generic syscall interface a rule allowing the "openat" syscall without
871 * restriction will have already been added by sb_open(), so there is no need
872 * to consider adding additional, more restrictive rules here as they will
873 * simply be ignored.
874 *
875 * Also, since the "open" syscall is not defined on these architectures, glibc
876 * will necessarily use "openat" for its implementation of opendir() as well.
877 * This means neither of the following two functions will have any effect and
878 * both can be omitted. */
879#if !(defined(ENABLE_FRAGILE_HARDENING) && defined(ARCH_USES_GENERIC_SYSCALLS))
880/**
881 * Function responsible for setting up the openat syscall for
882 * the seccomp filter sandbox.
883 */
884static int
885sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
886{
887 int rc;
888 sandbox_cfg_t *elem = NULL;
889
890 // for each dynamic parameter filters
891 for (elem = filter; elem != NULL; elem = elem->next) {
892 smp_param_t *param = elem->param;
893
894 if (param != NULL && param->prot == 1 && param->syscall
895 == SCMP_SYS(openat)) {
896 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
897 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
898 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
899 SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
900 O_CLOEXEC));
901 if (rc != 0) {
902 log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
903 "libseccomp error %d", rc);
904 return rc;
905 }
906 }
907 }
908
909 return 0;
910}
911
912static int
913sb_opendir(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
914{
915 int rc;
916 sandbox_cfg_t *elem = NULL;
917
918 // for each dynamic parameter filters
919 for (elem = filter; elem != NULL; elem = elem->next) {
920 smp_param_t *param = elem->param;
921
922 if (param != NULL && param->prot == 1 && param->syscall
923 == PHONY_OPENDIR_SYSCALL) {
924 rc = allow_file_open(ctx, libc_uses_openat_for_opendir(), param->value);
925 if (rc != 0) {
926 log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
927 "libseccomp error %d", rc);
928 return rc;
929 }
930 }
931 }
932
933 return 0;
934}
935#endif /* !(defined(ENABLE_FRAGILE_HARDENING) &&
936 defined(ARCH_USES_GENERIC_SYSCALLS)) */
937
938#ifdef ENABLE_FRAGILE_HARDENING
939/**
940 * Function responsible for setting up the ptrace syscall for
941 * the seccomp filter sandbox.
942 */
943static int
944sb_ptrace(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
945{
946 int rc;
947 pid_t pid = getpid();
948 (void) filter;
949
950 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ptrace),
951 SCMP_CMP(0, SCMP_CMP_EQ, PTRACE_ATTACH),
952 SCMP_CMP(1, SCMP_CMP_EQ, pid));
953 if (rc)
954 return rc;
955
956 /* AddressSanitizer uses "PTRACE_GETREGSET" on AArch64 (ARM64) and
957 * System/390, "PTRACE_GETREGS" everywhere else. */
958#if defined(__aarch64__) || defined(__s390__)
959 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ptrace),
960 SCMP_CMP(0, SCMP_CMP_EQ, PTRACE_GETREGSET),
961 SCMP_CMP(1, SCMP_CMP_EQ, pid));
962#else
963 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ptrace),
964 SCMP_CMP(0, SCMP_CMP_EQ, PTRACE_GETREGS),
965 SCMP_CMP(1, SCMP_CMP_EQ, pid));
966#endif /* defined(__aarch64__) || defined(__s390__) */
967 if (rc)
968 return rc;
969
970 return 0;
971}
972#endif
973
974/**
975 * Function responsible for setting up the socket syscall for
976 * the seccomp filter sandbox.
977 */
978static int
979sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
980{
981 int rc = 0;
982 int i, j;
983 (void) filter;
984
985#ifdef __i386__
986 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
987 if (rc)
988 return rc;
989#endif
990
991 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
992 SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
993 SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
994 if (rc)
995 return rc;
996
997 for (i = 0; i < 2; ++i) {
998 const int pf = i ? PF_INET : PF_INET6;
999 for (j=0; j < 3; ++j) {
1000 const int type = (j == 0) ? SOCK_STREAM :
1001 SOCK_DGRAM;
1002 const int protocol = (j == 0) ? IPPROTO_TCP :
1003 (j == 1) ? IPPROTO_IP :
1004 IPPROTO_UDP;
1005 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
1006 SCMP_CMP(0, SCMP_CMP_EQ, pf),
1007 SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
1008 SCMP_CMP(2, SCMP_CMP_EQ, protocol));
1009 if (rc)
1010 return rc;
1011 }
1012 }
1013
1014#ifdef ENABLE_NSS
1015 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
1016 SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
1017 SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM),
1018 SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
1019 if (rc)
1020 return rc;
1021#endif /* defined(ENABLE_NSS) */
1022
1023 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
1024 SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
1025 SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
1026 SCMP_CMP(2, SCMP_CMP_EQ, 0));
1027 if (rc)
1028 return rc;
1029
1030 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
1031 SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
1032 SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
1033 SCMP_CMP(2, SCMP_CMP_EQ, 0));
1034 if (rc)
1035 return rc;
1036
1037 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
1038 SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
1039 SCMP_CMP_MASKED(1, SOCK_CLOEXEC, SOCK_RAW),
1040 SCMP_CMP(2, SCMP_CMP_EQ, 0));
1041 if (rc)
1042 return rc;
1043
1044 return 0;
1045}
1046
1047/**
1048 * Function responsible for setting up the socketpair syscall for
1049 * the seccomp filter sandbox.
1050 */
1051static int
1052sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1053{
1054 int rc = 0;
1055 (void) filter;
1056
1057#ifdef __i386__
1058 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
1059 if (rc)
1060 return rc;
1061#endif
1062
1063 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
1064 SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
1065 SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
1066 if (rc)
1067 return rc;
1068
1069 return 0;
1070}
1071
1072#ifdef HAVE_KIST_SUPPORT
1073
1074#include <linux/sockios.h>
1075
1076static int
1077sb_ioctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1078{
1079 int rc;
1080 (void) filter;
1081
1082 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl),
1083 SCMP_CMP(1, SCMP_CMP_EQ, SIOCOUTQNSD));
1084 if (rc)
1085 return rc;
1086 return 0;
1087}
1088
1089#endif /* defined(HAVE_KIST_SUPPORT) */
1090
1091/**
1092 * Function responsible for setting up the setsockopt syscall for
1093 * the seccomp filter sandbox.
1094 */
1095static int
1096sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1097{
1098 int rc = 0;
1099 (void) filter;
1100
1101#ifdef __i386__
1102 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
1103 if (rc)
1104 return rc;
1105#endif
1106
1107 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1108 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1109 SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
1110 if (rc)
1111 return rc;
1112
1113 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1114 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1115 SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
1116 if (rc)
1117 return rc;
1118
1119 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1120 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1121 SCMP_CMP(2, SCMP_CMP_EQ, SO_RCVBUF));
1122 if (rc)
1123 return rc;
1124
1125#ifdef HAVE_SYSTEMD
1126 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1127 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1128 SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUFFORCE));
1129 if (rc)
1130 return rc;
1131#endif /* defined(HAVE_SYSTEMD) */
1132
1133#ifdef IP_TRANSPARENT
1134 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1135 SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
1136 SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
1137 if (rc)
1138 return rc;
1139#endif /* defined(IP_TRANSPARENT) */
1140
1141#ifdef IPV6_V6ONLY
1142 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1143 SCMP_CMP(1, SCMP_CMP_EQ, IPPROTO_IPV6),
1144 SCMP_CMP(2, SCMP_CMP_EQ, IPV6_V6ONLY));
1145 if (rc)
1146 return rc;
1147#endif /* defined(IPV6_V6ONLY) */
1148
1149#ifdef IP_BIND_ADDRESS_NO_PORT
1150 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
1151 SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
1152 SCMP_CMP(2, SCMP_CMP_EQ, IP_BIND_ADDRESS_NO_PORT));
1153 if (rc)
1154 return rc;
1155#endif
1156
1157 return 0;
1158}
1159
1160/**
1161 * Function responsible for setting up the getsockopt syscall for
1162 * the seccomp filter sandbox.
1163 */
1164static int
1165sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1166{
1167 int rc = 0;
1168 (void) filter;
1169
1170#ifdef __i386__
1171 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
1172 if (rc)
1173 return rc;
1174#endif
1175
1176 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1177 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1178 SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
1179 if (rc)
1180 return rc;
1181
1182 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1183 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1184 SCMP_CMP(2, SCMP_CMP_EQ, SO_ACCEPTCONN));
1185 if (rc)
1186 return rc;
1187
1188#ifdef HAVE_SYSTEMD
1189 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1190 SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
1191 SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
1192 if (rc)
1193 return rc;
1194#endif /* defined(HAVE_SYSTEMD) */
1195
1196#ifdef HAVE_LINUX_NETFILTER_IPV4_H
1197 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1198 SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
1199 SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
1200 if (rc)
1201 return rc;
1202#endif /* defined(HAVE_LINUX_NETFILTER_IPV4_H) */
1203
1204#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
1205 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1206 SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
1207 SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
1208 if (rc)
1209 return rc;
1210#endif /* defined(HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H) */
1211
1212#ifdef HAVE_KIST_SUPPORT
1213#include <netinet/tcp.h>
1214 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
1215 SCMP_CMP(1, SCMP_CMP_EQ, SOL_TCP),
1216 SCMP_CMP(2, SCMP_CMP_EQ, TCP_INFO));
1217 if (rc)
1218 return rc;
1219#endif /* defined(HAVE_KIST_SUPPORT) */
1220
1221 return 0;
1222}
1223
1224#ifdef __NR_fcntl64
1225/**
1226 * Function responsible for setting up the fcntl64 syscall for
1227 * the seccomp filter sandbox.
1228 */
1229static int
1230sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1231{
1232 int rc = 0;
1233 (void) filter;
1234
1235 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
1236 SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
1237 if (rc)
1238 return rc;
1239
1240 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
1241 SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
1242 SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
1243 if (rc)
1244 return rc;
1245
1246 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
1247 SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
1248 if (rc)
1249 return rc;
1250
1251 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
1252 SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
1253 SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
1254 if (rc)
1255 return rc;
1256
1257 return 0;
1258}
1259#endif /* defined(__NR_fcntl64) */
1260
1261/**
1262 * Function responsible for setting up the epoll_ctl syscall for
1263 * the seccomp filter sandbox.
1264 *
1265 * Note: basically allows everything but will keep for now..
1266 */
1267static int
1268sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1269{
1270 int rc = 0;
1271 (void) filter;
1272
1273 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
1274 SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
1275 if (rc)
1276 return rc;
1277
1278 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
1279 SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
1280 if (rc)
1281 return rc;
1282
1283 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
1284 SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
1285 if (rc)
1286 return rc;
1287
1288 return 0;
1289}
1290
1291/**
1292 * Function responsible for setting up the prctl syscall for
1293 * the seccomp filter sandbox.
1294 *
1295 * NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
1296 * to be allowlisted in this function.
1297 */
1298static int
1299sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1300{
1301 int rc = 0;
1302 (void) filter;
1303
1304#ifdef ENABLE_FRAGILE_HARDENING
1305 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
1306 SCMP_CMP(0, SCMP_CMP_EQ, PR_GET_DUMPABLE));
1307 if (rc)
1308 return rc;
1309
1310 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
1311 SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_PTRACER));
1312 if (rc)
1313 return rc;
1314#endif
1315
1316 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
1317 SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
1318 if (rc)
1319 return rc;
1320
1321 return 0;
1322}
1323
1324/**
1325 * Function responsible for setting up the mprotect syscall for
1326 * the seccomp filter sandbox.
1327 *
1328 * NOTE: does not NEED to be here.. currently only occurs before filter; will
1329 * keep just in case for the future.
1330 */
1331static int
1332sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1333{
1334 int rc = 0;
1335 (void) filter;
1336
1337 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
1338 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
1339 if (rc)
1340 return rc;
1341
1342 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
1343 SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
1344 if (rc)
1345 return rc;
1346
1347 return 0;
1348}
1349
1350/**
1351 * Function responsible for setting up the rt_sigprocmask syscall for
1352 * the seccomp filter sandbox.
1353 */
1354static int
1355sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1356{
1357 int rc = 0;
1358 (void) filter;
1359
1360#if defined(ENABLE_FRAGILE_HARDENING) || \
1361 defined(USE_TRACING_INSTRUMENTATION_LTTNG)
1362 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
1363 SCMP_CMP(0, SCMP_CMP_EQ, SIG_BLOCK));
1364 if (rc)
1365 return rc;
1366#endif
1367
1368 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
1369 SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
1370 if (rc)
1371 return rc;
1372
1373 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
1374 SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
1375 if (rc)
1376 return rc;
1377
1378 return 0;
1379}
1380
1381/**
1382 * Function responsible for setting up the flock syscall for
1383 * the seccomp filter sandbox.
1384 *
1385 * NOTE: does not need to be here, occurs before filter is applied.
1386 */
1387static int
1388sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1389{
1390 int rc = 0;
1391 (void) filter;
1392
1393 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
1394 SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
1395 if (rc)
1396 return rc;
1397
1398 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
1399 SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
1400 if (rc)
1401 return rc;
1402
1403 return 0;
1404}
1405
1406/**
1407 * Function responsible for setting up the futex syscall for
1408 * the seccomp filter sandbox.
1409 */
1410static int
1411sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1412{
1413 int rc = 0;
1414 (void) filter;
1415
1416 // can remove
1417 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
1418 SCMP_CMP(1, SCMP_CMP_EQ,
1419 FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
1420 if (rc)
1421 return rc;
1422
1423 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
1424 SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
1425 if (rc)
1426 return rc;
1427
1428 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
1429 SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
1430 if (rc)
1431 return rc;
1432
1433 return 0;
1434}
1435
1436/**
1437 * Function responsible for setting up the mremap syscall for
1438 * the seccomp filter sandbox.
1439 *
1440 * NOTE: so far only occurs before filter is applied.
1441 */
1442static int
1443sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1444{
1445 int rc = 0;
1446 (void) filter;
1447
1448 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
1449 SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
1450 if (rc)
1451 return rc;
1452
1453 return 0;
1454}
1455
1456#ifdef ARCH_USES_GENERIC_SYSCALLS
1457/**
1458 * Function responsible for setting up the newfstatat syscall for
1459 * the seccomp filter sandbox.
1460 */
1461static int
1462sb_newfstatat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1463{
1464 int rc = 0;
1465
1466 sandbox_cfg_t *elem = NULL;
1467
1468 // for each dynamic parameter filters
1469 for (elem = filter; elem != NULL; elem = elem->next) {
1470 smp_param_t *param = elem->param;
1471
1472 if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
1473 || param->syscall == PHONY_OPENDIR_SYSCALL
1474 || param->syscall == SCMP_SYS(newfstatat))) {
1475 rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat),
1476 SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
1477 SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
1478 if (rc != 0) {
1479 log_err(LD_BUG,"(Sandbox) failed to add newfstatat syscall, received "
1480 "libseccomp error %d", rc);
1481 return rc;
1482 }
1483 }
1484 }
1485
1486 return 0;
1487}
1488#endif /* defined(ARCH_USES_GENERIC_SYSCALLS) */
1489
1490#ifdef __NR_stat64
1491/**
1492 * Function responsible for setting up the stat64 syscall for
1493 * the seccomp filter sandbox.
1494 */
1495static int
1496sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1497{
1498 int rc = 0;
1499 sandbox_cfg_t *elem = NULL;
1500
1501 // for each dynamic parameter filters
1502 for (elem = filter; elem != NULL; elem = elem->next) {
1503 smp_param_t *param = elem->param;
1504
1505 if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
1506 || param->syscall == SCMP_SYS(stat64))) {
1507 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
1508 SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
1509 if (rc != 0) {
1510 log_err(LD_BUG,"(Sandbox) failed to add stat64 syscall, received "
1511 "libseccomp error %d", rc);
1512 return rc;
1513 }
1514 }
1515 }
1516
1517 return 0;
1518}
1519#endif /* defined(__NR_stat64) */
1520
1521static int
1522sb_kill(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
1523{
1524 (void) filter;
1525#ifdef __NR_kill
1526 /* Allow killing anything with signal 0 -- it isn't really a kill. */
1527 return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(kill),
1528 SCMP_CMP(1, SCMP_CMP_EQ, 0));
1529#else
1530 return 0;
1531#endif /* defined(__NR_kill) */
1532}
1533
1534/**
1535 * Array of function pointers responsible for filtering different syscalls at
1536 * a parameter level.
1537 */
1538static sandbox_filter_func_t filter_func[] = {
1539 sb_rt_sigaction,
1540 sb_rt_sigprocmask,
1541#ifdef __NR_time
1542 sb_time,
1543#endif
1544 sb_accept4,
1545#ifdef __NR_mmap2
1546 sb_mmap2,
1547#endif
1548#if defined(ARCH_USES_GENERIC_SYSCALLS)
1549 sb_fchownat,
1550#elif defined(__i386__)
1551 sb_chown32,
1552#else
1553 sb_chown,
1554#endif
1555#if defined(ARCH_USES_GENERIC_SYSCALLS)
1556 sb_fchmodat,
1557#else
1558 sb_chmod,
1559#endif
1560 sb_open,
1561#if !(defined(ENABLE_FRAGILE_HARDENING) && defined(ARCH_USES_GENERIC_SYSCALLS))
1562 sb_openat,
1563 sb_opendir,
1564#endif
1565#ifdef ENABLE_FRAGILE_HARDENING
1566 sb_ptrace,
1567#endif
1568#if defined(__NR_rename)
1569 sb_rename,
1570#elif defined(__NR_renameat)
1571 sb_renameat,
1572#else
1573 sb_renameat2,
1574#endif
1575#ifdef __NR_fcntl64
1576 sb_fcntl64,
1577#endif
1578 sb_epoll_ctl,
1579 sb_prctl,
1580 sb_mprotect,
1581 sb_flock,
1582 sb_futex,
1583 sb_mremap,
1584#if defined(ARCH_USES_GENERIC_SYSCALLS)
1585 sb_newfstatat,
1586#elif defined(__NR_stat64)
1587 sb_stat64,
1588#endif
1589
1590 sb_socket,
1591 sb_setsockopt,
1592 sb_getsockopt,
1593 sb_socketpair,
1594#ifdef HAVE_KIST_SUPPORT
1595 sb_ioctl,
1596#endif
1597 sb_kill
1598};
1599
1600/**
1601 * Return the interned (and hopefully sandbox-permitted) string equal
1602 * to @a str.
1603 *
1604 * Return NULL if `str` is NULL, or `str` is not an interned string.
1605 **/
1606const char *
1607sandbox_intern_string(const char *str)
1608{
1609 const char *interned = sandbox_get_interned_string(str);
1610
1611 if (sandbox_active && str != NULL && interned == NULL) {
1612 log_warn(LD_BUG, "No interned sandbox parameter found for %s", str);
1613 }
1614
1615 return interned ? interned : str;
1616}
1617
1618/**
1619 * Return true if the sandbox is running and we are missing an interned string
1620 * equal to @a str.
1621 */
1622bool
1623sandbox_interned_string_is_missing(const char *str)
1624{
1625 return sandbox_active && sandbox_get_interned_string(str) == NULL;
1626}
1627
1628/**
1629 * Try to find and return the interned string equal to @a str.
1630 *
1631 * If there is no such string, return NULL.
1632 **/
1633static const char *
1634sandbox_get_interned_string(const char *str)
1635{
1636 sandbox_cfg_t *elem;
1637
1638 if (str == NULL)
1639 return NULL;
1640
1641 for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
1642 smp_param_t *param = elem->param;
1643
1644 if (param->prot) {
1645 if (!strcmp(str, (char*)(param->value))) {
1646 return (char*)param->value;
1647 }
1648 if (param->value2 && !strcmp(str, (char*)param->value2)) {
1649 return (char*)param->value2;
1650 }
1651 }
1652 }
1653
1654 return NULL;
1655}
1656
1657/* DOCDOC */
1658static int
1659prot_strings_helper(strmap_t *locations,
1660 char **pr_mem_next_p,
1661 size_t *pr_mem_left_p,
1662 char **value_p)
1663{
1664 char *param_val;
1665 size_t param_size;
1666 void *location;
1667
1668 if (*value_p == 0)
1669 return 0;
1670
1671 param_val = (char*) *value_p;
1672 param_size = strlen(param_val) + 1;
1673 location = strmap_get(locations, param_val);
1674
1675 if (location) {
1676 // We already interned this string.
1677 tor_free(param_val);
1678 *value_p = location;
1679 return 0;
1680 } else if (*pr_mem_left_p >= param_size) {
1681 // copy to protected
1682 location = *pr_mem_next_p;
1683 memcpy(location, param_val, param_size);
1684
1685 // re-point el parameter to protected
1686 tor_free(param_val);
1687 *value_p = location;
1688
1689 strmap_set(locations, location, location); /* good real estate advice */
1690
1691 // move next available protected memory
1692 *pr_mem_next_p += param_size;
1693 *pr_mem_left_p -= param_size;
1694 return 0;
1695 } else {
1696 log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
1697 return -1;
1698 }
1699}
1700
1701/**
1702 * Protects all the strings in the sandbox's parameter list configuration. It
1703 * works by calculating the total amount of memory required by the parameter
1704 * list, allocating the memory using mmap, and protecting it from writes with
1705 * mprotect().
1706 */
1707static int
1708prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
1709{
1710 int ret = 0;
1711 size_t pr_mem_size = 0, pr_mem_left = 0;
1712 char *pr_mem_next = NULL, *pr_mem_base;
1713 sandbox_cfg_t *el = NULL;
1714 strmap_t *locations = NULL;
1715
1716 // get total number of bytes required to mmap. (Overestimate.)
1717 for (el = cfg; el != NULL; el = el->next) {
1718 pr_mem_size += strlen((char*) el->param->value) + 1;
1719 if (el->param->value2)
1720 pr_mem_size += strlen((char*) el->param->value2) + 1;
1721 }
1722
1723 // allocate protected memory with MALLOC_MP_LIM canary
1724 pr_mem_base = (char*) mmap(NULL, MALLOC_MP_LIM + pr_mem_size,
1725 PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
1726 if (pr_mem_base == MAP_FAILED) {
1727 log_err(LD_BUG,"(Sandbox) failed allocate protected memory! mmap: %s",
1728 strerror(errno));
1729 ret = -1;
1730 goto out;
1731 }
1732
1733 pr_mem_next = pr_mem_base + MALLOC_MP_LIM;
1734 pr_mem_left = pr_mem_size;
1735
1736 locations = strmap_new();
1737
1738 // change el value pointer to protected
1739 for (el = cfg; el != NULL; el = el->next) {
1740 if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
1741 &el->param->value) < 0) {
1742 ret = -2;
1743 goto out;
1744 }
1745 if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
1746 &el->param->value2) < 0) {
1747 ret = -2;
1748 goto out;
1749 }
1750 el->param->prot = 1;
1751 }
1752
1753 // protecting from writes
1754 if (mprotect(pr_mem_base, MALLOC_MP_LIM + pr_mem_size, PROT_READ)) {
1755 log_err(LD_BUG,"(Sandbox) failed to protect memory! mprotect: %s",
1756 strerror(errno));
1757 ret = -3;
1758 goto out;
1759 }
1760
1761 /*
1762 * Setting sandbox restrictions so the string memory cannot be tampered with
1763 */
1764 // no mremap of the protected base address
1765 ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
1766 SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
1767 if (ret) {
1768 log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!");
1769 goto out;
1770 }
1771
1772 // no munmap of the protected base address
1773 ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
1774 SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
1775 if (ret) {
1776 log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!");
1777 goto out;
1778 }
1779
1780 /*
1781 * Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
1782 * never over the memory region used by the protected strings.
1783 *
1784 * PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
1785 * had to be removed due to limitation of libseccomp regarding intervals.
1786 *
1787 * There is a restriction on how much you can mprotect with R|W up to the
1788 * size of the canary.
1789 */
1790 ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
1791 SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
1792 SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
1793 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
1794 if (ret) {
1795 log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (LT)!");
1796 goto out;
1797 }
1798
1799 ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
1800 SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
1801 MALLOC_MP_LIM),
1802 SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
1803 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
1804 if (ret) {
1805 log_err(LD_BUG,"(Sandbox) mprotect protected memory filter fail (GT)!");
1806 goto out;
1807 }
1808
1809 out:
1810 strmap_free(locations, NULL);
1811 return ret;
1812}
1813
1814/**
1815 * Auxiliary function used in order to allocate a sandbox_cfg_t element and set
1816 * its values according the parameter list. All elements are initialised
1817 * with the 'prot' field set to false, as the pointer is not protected at this
1818 * point.
1819 */
1820static sandbox_cfg_t*
1821new_element2(int syscall, char *value, char *value2)
1822{
1823 smp_param_t *param = NULL;
1824
1825 sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t));
1826 param = elem->param = tor_malloc_zero(sizeof(smp_param_t));
1827
1828 param->syscall = syscall;
1829 param->value = value;
1830 param->value2 = value2;
1831 param->prot = 0;
1832
1833 return elem;
1834}
1835
1836static sandbox_cfg_t*
1837new_element(int syscall, char *value)
1838{
1839 return new_element2(syscall, value, NULL);
1840}
1841
1842#if defined(ARCH_USES_GENERIC_SYSCALLS)
1843#define SCMP_chown SCMP_SYS(fchownat)
1844#elif defined(__i386__)
1845#define SCMP_chown SCMP_SYS(chown32)
1846#else
1847#define SCMP_chown SCMP_SYS(chown)
1848#endif
1849
1850#if defined(ARCH_USES_GENERIC_SYSCALLS)
1851#define SCMP_chmod SCMP_SYS(fchmodat)
1852#else
1853#define SCMP_chmod SCMP_SYS(chmod)
1854#endif
1855
1856#if defined(__NR_rename)
1857#define SCMP_rename SCMP_SYS(rename)
1858#elif defined(__NR_renameat)
1859#define SCMP_rename SCMP_SYS(renameat)
1860#else
1861#define SCMP_rename SCMP_SYS(renameat2)
1862#endif
1863
1864#if defined(ARCH_USES_GENERIC_SYSCALLS)
1865#define SCMP_stat SCMP_SYS(newfstatat)
1866#elif defined(__NR_stat64)
1867#define SCMP_stat SCMP_SYS(stat64)
1868#else
1869#define SCMP_stat SCMP_SYS(stat)
1870#endif
1871
1872int
1873sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
1874{
1875 sandbox_cfg_t *elem = NULL;
1876
1877 elem = new_element(SCMP_stat, file);
1878
1879 elem->next = *cfg;
1880 *cfg = elem;
1881
1882 return 0;
1883}
1884
1885int
1886sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
1887{
1888 sandbox_cfg_t *elem = NULL;
1889
1890 elem = new_element(SCMP_SYS(open), file);
1891
1892 elem->next = *cfg;
1893 *cfg = elem;
1894
1895 return 0;
1896}
1897
1898int
1899sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
1900{
1901 sandbox_cfg_t *elem = NULL;
1902
1903 elem = new_element(SCMP_chmod, file);
1904
1905 elem->next = *cfg;
1906 *cfg = elem;
1907
1908 return 0;
1909}
1910
1911int
1912sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
1913{
1914 sandbox_cfg_t *elem = NULL;
1915
1916 elem = new_element(SCMP_chown, file);
1917
1918 elem->next = *cfg;
1919 *cfg = elem;
1920
1921 return 0;
1922}
1923
1924int
1925sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
1926{
1927 sandbox_cfg_t *elem = NULL;
1928
1929 elem = new_element2(SCMP_rename, file1, file2);
1930
1931 elem->next = *cfg;
1932 *cfg = elem;
1933
1934 return 0;
1935}
1936
1937int
1938sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
1939{
1940 sandbox_cfg_t *elem = NULL;
1941
1942 elem = new_element(SCMP_SYS(openat), file);
1943
1944 elem->next = *cfg;
1945 *cfg = elem;
1946
1947 return 0;
1948}
1949
1950int
1951sandbox_cfg_allow_opendir_dirname(sandbox_cfg_t **cfg, char *dir)
1952{
1953 sandbox_cfg_t *elem = NULL;
1954
1955 elem = new_element(PHONY_OPENDIR_SYSCALL, dir);
1956
1957 elem->next = *cfg;
1958 *cfg = elem;
1959
1960 return 0;
1961}
1962
1963/**
1964 * Function responsible for going through the parameter syscall filters and
1965 * call each function pointer in the list.
1966 */
1967static int
1968add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
1969{
1970 unsigned i;
1971 int rc = 0;
1972
1973 // function pointer
1974 for (i = 0; i < ARRAY_LENGTH(filter_func); i++) {
1975 rc = filter_func[i](ctx, cfg);
1976 if (rc) {
1977 log_err(LD_BUG,"(Sandbox) failed to add syscall %d, received libseccomp "
1978 "error %d", i, rc);
1979 return rc;
1980 }
1981 }
1982
1983 return 0;
1984}
1985
1986/**
1987 * Function responsible of loading the libseccomp syscall filters which do not
1988 * have parameter filtering.
1989 */
1990static int
1991add_noparam_filter(scmp_filter_ctx ctx)
1992{
1993 unsigned i;
1994 int rc = 0;
1995
1996 // add general filters
1997 for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
1998 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
1999 if (rc != 0) {
2000 log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), "
2001 "received libseccomp error %d", i, filter_nopar_gen[i], rc);
2002 return rc;
2003 }
2004 }
2005
2006 if (is_libc_at_least(2, 33)) {
2007#ifdef __NR_newfstatat
2008 // Libc 2.33 uses this syscall to implement both fstat() and stat().
2009 //
2010 // The trouble is that to implement fstat(fd, &st), it calls:
2011 // newfstatat(fs, "", &st, AT_EMPTY_PATH)
2012 // We can't detect this usage in particular, because "" is a pointer
2013 // we don't control. And we can't just look for AT_EMPTY_PATH, since
2014 // AT_EMPTY_PATH only has effect when the path string is empty.
2015 //
2016 // So our only solution seems to be allowing all fstatat calls, which
2017 // means that an attacker can stat() anything on the filesystem. That's
2018 // not a great solution, but I can't find a better one.
2019 rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat));
2020 if (rc != 0) {
2021 log_err(LD_BUG,"(Sandbox) failed to add newfstatat() syscall; "
2022 "received libseccomp error %d", rc);
2023 return rc;
2024 }
2025#endif
2026 }
2027
2028 return 0;
2029}
2030
2031/**
2032 * Function responsible for setting up and enabling a global syscall filter.
2033 * The function is a prototype developed for stage 1 of sandboxing Tor.
2034 * Returns 0 on success.
2035 */
2036static int
2037install_syscall_filter(sandbox_cfg_t* cfg)
2038{
2039 int rc = 0;
2040 scmp_filter_ctx ctx;
2041
2042 ctx = seccomp_init(SCMP_ACT_ERRNO(EPERM));
2043 if (ctx == NULL) {
2044 log_err(LD_BUG,"(Sandbox) failed to initialise libseccomp context");
2045 rc = -1;
2046 goto end;
2047 }
2048
2049 // protecting sandbox parameter strings
2050 if ((rc = prot_strings(ctx, cfg))) {
2051 goto end;
2052 }
2053
2054 // add parameter filters
2055 if ((rc = add_param_filter(ctx, cfg))) {
2056 log_err(LD_BUG, "(Sandbox) failed to add param filters!");
2057 goto end;
2058 }
2059
2060 // adding filters with no parameters
2061 if ((rc = add_noparam_filter(ctx))) {
2062 log_err(LD_BUG, "(Sandbox) failed to add param filters!");
2063 goto end;
2064 }
2065
2066 // loading the seccomp2 filter
2067 if ((rc = seccomp_load(ctx))) {
2068 log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)! "
2069 "Are you sure that your kernel has seccomp2 support? The "
2070 "sandbox won't work without it.", rc,
2071 strerror(-rc));
2072 goto end;
2073 }
2074
2075 // marking the sandbox as active
2076 sandbox_active = 1;
2077
2078 end:
2079 seccomp_release(ctx);
2080 return (rc < 0 ? -rc : rc);
2081}
2082
2083#ifdef SYSCALL_NAME_DEBUGGING
2084#include "lib/sandbox/linux_syscalls.inc"
2085
2086/** Return a string containing the name of a given syscall (if we know it) */
2087static const char *
2088get_syscall_name(int syscall_num)
2089{
2090 int i;
2091 for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
2092 if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
2093 return SYSCALLS_BY_NUMBER[i].syscall_name;
2094 }
2095
2096 {
2097 static char syscall_name_buf[64];
2098 format_dec_number_sigsafe(syscall_num,
2099 syscall_name_buf, sizeof(syscall_name_buf));
2100 return syscall_name_buf;
2101 }
2102}
2103
2104/** Return the syscall number from a ucontext_t that we got in a signal
2105 * handler (if we know how to do that). */
2106static int
2107get_syscall_from_ucontext(const ucontext_t *ctx)
2108{
2109 return (int) ctx->uc_mcontext.M_SYSCALL;
2110}
2111#else /* !defined(SYSCALL_NAME_DEBUGGING) */
2112static const char *
2113get_syscall_name(int syscall_num)
2114{
2115 (void) syscall_num;
2116 return "unknown";
2117}
2118static int
2119get_syscall_from_ucontext(const ucontext_t *ctx)
2120{
2121 (void) ctx;
2122 return -1;
2123}
2124#endif /* defined(SYSCALL_NAME_DEBUGGING) */
2125
2126#ifdef USE_BACKTRACE
2127#define MAX_DEPTH 256
2128static void *syscall_cb_buf[MAX_DEPTH];
2129#endif
2130
2131/**
2132 * Function called when a SIGSYS is caught by the application. It notifies the
2133 * user that an error has occurred and either terminates or allows the
2134 * application to continue execution, based on the DEBUGGING_CLOSE symbol.
2135 */
2136static void
2137sigsys_debugging(int nr, siginfo_t *info, void *void_context)
2138{
2139 ucontext_t *ctx = (ucontext_t *) (void_context);
2140 const char *syscall_name;
2141#ifdef USE_BACKTRACE
2142 size_t depth;
2143 int n_fds, i;
2144 const int *fds = NULL;
2145#endif
2146
2147 (void) nr;
2148
2149 if (info->si_code != SYS_SECCOMP)
2150 return;
2151
2152 if (!ctx)
2153 return;
2154
2155 int syscall = get_syscall_from_ucontext(ctx);
2156
2157#ifdef USE_BACKTRACE
2158 depth = backtrace(syscall_cb_buf, MAX_DEPTH);
2159 /* Clean up the top stack frame so we get the real function
2160 * name for the most recently failing function. */
2161 clean_backtrace(syscall_cb_buf, depth, ctx);
2162#endif /* defined(USE_BACKTRACE) */
2163
2164 syscall_name = get_syscall_name(syscall);
2165
2166 tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ",
2167 syscall_name,
2168 ")\n",
2169 NULL);
2170
2171#ifdef USE_BACKTRACE
2172 n_fds = tor_log_get_sigsafe_err_fds(&fds);
2173 for (i=0; i < n_fds; ++i)
2174 backtrace_symbols_fd(syscall_cb_buf, (int)depth, fds[i]);
2175#endif
2176
2177#if defined(DEBUGGING_CLOSE)
2178 _exit(1); // exit ok: programming error has led to sandbox failure.
2179#endif // DEBUGGING_CLOSE
2180}
2181
2182/**
2183 * Function that adds a handler for SIGSYS, which is the signal thrown
2184 * when the application is issuing a syscall which is not allowed. The
2185 * main purpose of this function is to help with debugging by identifying
2186 * filtered syscalls.
2187 */
2188static int
2189install_sigsys_debugging(void)
2190{
2191 struct sigaction act;
2192 sigset_t mask;
2193
2194 memset(&act, 0, sizeof(act));
2195 sigemptyset(&mask);
2196 sigaddset(&mask, SIGSYS);
2197
2198 act.sa_sigaction = &sigsys_debugging;
2199 act.sa_flags = SA_SIGINFO;
2200 if (sigaction(SIGSYS, &act, NULL) < 0) {
2201 log_err(LD_BUG,"(Sandbox) Failed to register SIGSYS signal handler");
2202 return -1;
2203 }
2204
2205 if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
2206 log_err(LD_BUG,"(Sandbox) Failed call to sigprocmask()");
2207 return -2;
2208 }
2209
2210 return 0;
2211}
2212
2213/**
2214 * Function responsible of registering the sandbox_cfg_t list of parameter
2215 * syscall filters to the existing parameter list. This is used for incipient
2216 * multiple-sandbox support.
2217 */
2218static int
2219register_cfg(sandbox_cfg_t* cfg)
2220{
2221 sandbox_cfg_t *elem = NULL;
2222
2223 if (filter_dynamic == NULL) {
2224 filter_dynamic = cfg;
2225 return 0;
2226 }
2227
2228 for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
2229 ;
2230
2231 elem->next = cfg;
2232
2233 return 0;
2234}
2235
2236#endif /* defined(USE_LIBSECCOMP) */
2237
2238#ifdef USE_LIBSECCOMP
2239/**
2240 * Initialises the syscall sandbox filter for any linux architecture, taking
2241 * into account various available features for different linux flavours.
2242 */
2243static int
2244initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
2245{
2246 /* Prevent glibc from trying to open /dev/tty on fatal error */
2247 setenv("LIBC_FATAL_STDERR_", "1", 1);
2248
2249 if (install_sigsys_debugging())
2250 return -1;
2251
2252 if (install_syscall_filter(cfg))
2253 return -2;
2254
2255 if (register_cfg(cfg))
2256 return -3;
2257
2258 return 0;
2259}
2260
2261int
2262sandbox_is_active(void)
2263{
2264 return sandbox_active != 0;
2265}
2266#endif /* defined(USE_LIBSECCOMP) */
2267
2268sandbox_cfg_t*
2269sandbox_cfg_new(void)
2270{
2271 return NULL;
2272}
2273
2274int
2275sandbox_init(sandbox_cfg_t *cfg)
2276{
2277#if defined(USE_LIBSECCOMP)
2278 return initialise_libseccomp_sandbox(cfg);
2279
2280#elif defined(__linux__)
2281 (void)cfg;
2282 log_warn(LD_GENERAL,
2283 "This version of Tor was built without support for sandboxing. To "
2284 "build with support for sandboxing on Linux, you must have "
2285 "libseccomp and its necessary header files (e.g. seccomp.h).");
2286 return 0;
2287
2288#else
2289 (void)cfg;
2290 log_warn(LD_GENERAL,
2291 "Currently, sandboxing is only implemented on Linux. The feature "
2292 "is disabled on your platform.");
2293 return 0;
2294#endif /* defined(USE_LIBSECCOMP) || ... */
2295}
2296
2297#ifndef USE_LIBSECCOMP
2298int
2299sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
2300{
2301 (void)cfg; (void)file;
2302 return 0;
2303}
2304
2305int
2306sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
2307{
2308 (void)cfg; (void)file;
2309 return 0;
2310}
2311
2312int
2313sandbox_cfg_allow_opendir_dirname(sandbox_cfg_t **cfg, char *dir)
2314{
2315 (void)cfg; (void)dir;
2316 return 0;
2317}
2318
2319int
2320sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
2321{
2322 (void)cfg; (void)file;
2323 return 0;
2324}
2325
2326int
2327sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
2328{
2329 (void)cfg; (void)file;
2330 return 0;
2331}
2332
2333int
2334sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
2335{
2336 (void)cfg; (void)file;
2337 return 0;
2338}
2339
2340int
2341sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
2342{
2343 (void)cfg; (void)file1; (void)file2;
2344 return 0;
2345}
2346
2347int
2348sandbox_is_active(void)
2349{
2350 return 0;
2351}
2352
2353#endif /* !defined(USE_LIBSECCOMP) */
backtrace.h
Header for backtrace.c.
ARRAY_LENGTH
#define ARRAY_LENGTH(x)
Definition: compat_compiler.h:241
log.h
Headers for log.c.
LD_BUG
#define LD_BUG
Definition: log.h:86
LD_GENERAL
#define LD_GENERAL
Definition: log.h:62
malloc.h
Headers for util_malloc.c.
tor_free
#define tor_free(p)
Definition: malloc.h:56
map.h
Headers for map.c.
sandbox_cfg_allow_open_filename
int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
Definition: sandbox.c:2299
MALLOC_MP_LIM
#define MALLOC_MP_LIM
Definition: sandbox.c:29
sandbox_cfg_allow_stat_filename
int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
Definition: sandbox.c:2320
sandbox_cfg_new
sandbox_cfg_t * sandbox_cfg_new(void)
Definition: sandbox.c:2269
sandbox_init
int sandbox_init(sandbox_cfg_t *cfg)
Definition: sandbox.c:2275
sandbox_is_active
int sandbox_is_active(void)
Definition: sandbox.c:2348
sandbox_cfg_allow_opendir_dirname
int sandbox_cfg_allow_opendir_dirname(sandbox_cfg_t **cfg, char *dir)
Definition: sandbox.c:2313
sandbox_cfg_allow_openat_filename
int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
Definition: sandbox.c:2306
sandbox.h
Header file for sandbox.c.
sandbox_cfg_t
struct sandbox_cfg_elem_t sandbox_cfg_t
Definition: sandbox.h:35
sandbox_intern_string
#define sandbox_intern_string(s)
Definition: sandbox.h:110
SYS_SECCOMP
#define SYS_SECCOMP
Definition: sandbox.h:24
tor_sscanf
int tor_sscanf(const char *buf, const char *pattern,...)
Definition: scanf.c:309
scanf.h
Header for scanf.c.
time.h
Definitions for timing-related constants.
format_dec_number_sigsafe
int format_dec_number_sigsafe(unsigned long x, char *buf, int buf_len)
Definition: torerr.c:305
tor_log_err_sigsafe
void tor_log_err_sigsafe(const char *m,...)
Definition: torerr.c:70
tor_log_get_sigsafe_err_fds
int tor_log_get_sigsafe_err_fds(const int **out)
Definition: torerr.c:103
torerr.h
Headers for torerr.c.
torint.h
Integer definitions used throughout Tor.
Generated by doxygen 1.9.4