| blob | cc00d2048faec22539dcd5633b9d81db3bdd261f |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file sandbox.c
9 * \brief Code to enable sandboxing.
10 **/
14 #ifndef _LARGEFILE64_SOURCE
15 /**
16 * Temporarily required for O_LARGEFILE flag. Needs to be removed
17 * with the libevent fix.
18 */
19 #define _LARGEFILE64_SOURCE
22 /** Malloc mprotect limit in bytes.
23 *
24 * 28/06/2017: This value was increased from 16 MB to 20 MB after we introduced
25 * LZMA support in Tor (0.3.1.1-alpha). We limit our LZMA coder to 16 MB, but
26 * liblzma have a small overhead that we need to compensate for to avoid being
27 * killed by the sandbox.
28 */
29 #define MALLOC_MP_LIM (20*1024*1024)
31 #include <stdio.h>
32 #include <string.h>
33 #include <stdlib.h>
34 #include <errno.h>
48 #define DEBUGGING_CLOSE
50 #if defined(USE_LIBSECCOMP)
52 #include <sys/mman.h>
53 #include <sys/syscall.h>
54 #include <sys/types.h>
55 #include <sys/stat.h>
56 #include <sys/epoll.h>
57 #include <sys/prctl.h>
58 #include <linux/futex.h>
59 #include <sys/file.h>
61 #ifdef ENABLE_FRAGILE_HARDENING
62 #include <sys/ptrace.h>
63 #endif
65 #include <stdarg.h>
66 #include <seccomp.h>
67 #include <signal.h>
68 #include <unistd.h>
69 #include <fcntl.h>
70 #include <time.h>
71 #include <poll.h>
73 #ifdef HAVE_GNU_LIBC_VERSION_H
74 #include <gnu/libc-version.h>
75 #endif
76 #ifdef HAVE_LINUX_NETFILTER_IPV4_H
77 #include <linux/netfilter_ipv4.h>
78 #endif
79 #ifdef HAVE_LINUX_IF_H
80 #include <linux/if.h>
81 #endif
82 #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
83 #include <linux/netfilter_ipv6/ip6_tables.h>
84 #endif
86 #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
87 defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
88 #define USE_BACKTRACE
89 #define BACKTRACE_PRIVATE
93 #ifdef USE_BACKTRACE
94 #include <execinfo.h>
95 #endif
97 /**
98 * Linux 32 bit definitions
99 */
100 #if defined(__i386__)
102 #define REG_SYSCALL REG_EAX
103 #define M_SYSCALL gregs[REG_SYSCALL]
105 /**
106 * Linux 64 bit definitions
107 */
108 #elif defined(__x86_64__)
110 #define REG_SYSCALL REG_RAX
111 #define M_SYSCALL gregs[REG_SYSCALL]
113 #elif defined(__arm__)
115 #define M_SYSCALL arm_r7
117 #elif defined(__aarch64__) && defined(__LP64__)
119 #define REG_SYSCALL 8
120 #define M_SYSCALL regs[REG_SYSCALL]
124 #ifdef M_SYSCALL
125 #define SYSCALL_NAME_DEBUGGING
126 #endif
128 /**Determines if at least one sandbox is active.*/
130 /** Holds the parameter list configuration for the sandbox.*/
133 #undef SCMP_CMP
134 #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
135 #define SCMP_CMP_STR(a,b,c) \
136 ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
137 #define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
138 /* We use a wrapper here because these masked comparisons seem to be pretty
139 * verbose. Also, it's important to cast to scmp_datum_t before negating the
140 * mask, since otherwise the negation might get applied to a 32 bit value, and
141 * the high bits of the value might get masked out improperly. */
142 #define SCMP_CMP_MASKED(a,b,c) \
143 SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
144 /* For negative constants, the rule to add depends on the glibc version. */
145 #define SCMP_CMP_NEG(a,op,b) (libc_negative_constant_needs_cast() ? \
146 (SCMP_CMP((a), (op), (unsigned int)(b))) : \
147 (SCMP_CMP_STR((a), (op), (b))))
149 /** Variable used for storing all syscall numbers that will be allowed with the
150 * stage 1 general Tor sandbox.
151 */
155 #ifdef __NR_clock_gettime64
157 #else
159 #endif
163 #ifdef __NR_clone3
165 #endif
168 #ifdef __NR_epoll_pwait
170 #endif
171 #ifdef HAVE_EVENTFD
173 #endif
174 #ifdef HAVE_PIPE2
176 #endif
177 #ifdef HAVE_PIPE
179 #endif
180 #ifdef __NR_fchmod
182 #endif
185 #ifdef __NR_fstat64
187 #endif
193 #ifdef __NR_getegid32
195 #endif
197 #ifdef __NR_geteuid32
199 #endif
201 #ifdef __NR_getgid32
203 #endif
205 #ifdef ENABLE_FRAGILE_HARDENING
207 #endif
208 #ifdef __NR_getrlimit
210 #endif
214 #ifdef __NR_getuid32
216 #endif
218 #ifdef __NR__llseek
220 #endif
221 // glob uses this..
225 #ifdef __NR_mmap
226 /* XXXX restrict this in the same ways as mmap2 */
228 #endif
230 #ifdef __NR_nanosleep
232 #endif
233 #ifdef __NR_prlimit
235 #endif
236 #ifdef __NR_prlimit64
238 #endif
241 #ifdef __NR_rseq
243 #endif
245 #ifdef __NR_sched_yield
247 #endif
250 #ifdef __NR_setrlimit
252 #endif
254 #ifdef __NR_sigaltstack
256 #endif
257 #ifdef __NR_sigreturn
259 #endif
261 #if defined(__i386__) && defined(__NR_statx)
263 #endif
272 #ifdef __NR_stat64
273 // getaddrinfo uses this..
275 #endif
277 #ifdef __NR_getrandom
279 #endif
281 #ifdef __NR_sysinfo
282 // qsort uses this..
284 #endif
285 /*
286 * These socket syscalls are not required on x86_64 and not supported with
287 * some libseccomp versions (eg: 1.0.1)
288 */
289 #if defined(__i386)
292 #endif
294 // socket syscalls
299 #ifdef ENABLE_NSS
300 #ifdef __NR_getpeername
302 #endif
303 #endif
308 #ifdef __NR_unlinkat
310 #endif
312 };
314 /* opendir is not a syscall but it will use either open or openat. We do not
315 * want the decision to allow open/openat to be the callers reponsability, so
316 * we create a phony syscall number for opendir and sb_opendir will choose the
317 * correct syscall. */
318 #define PHONY_OPENDIR_SYSCALL -2
320 /* These macros help avoid the error where the number of filters we add on a
321 * single rule don't match the arg_cnt param. */
322 #define seccomp_rule_add_0(ctx,act,call) \
323 seccomp_rule_add((ctx),(act),(call),0)
324 #define seccomp_rule_add_1(ctx,act,call,f1) \
325 seccomp_rule_add((ctx),(act),(call),1,(f1))
326 #define seccomp_rule_add_2(ctx,act,call,f1,f2) \
327 seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
328 #define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
329 seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
330 #define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
331 seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
335 /**
336 * Function responsible for setting up the rt_sigaction syscall for
337 * the seccomp filter sandbox.
338 */
339 static int
341 {
346 #ifdef SIGXFSZ
347 SIGXFSZ
348 #endif
349 };
357 }
360 }
362 #ifdef __NR_time
363 /**
364 * Function responsible for setting up the time syscall for
365 * the seccomp filter sandbox.
366 */
367 static int
369 {
374 }
377 /**
378 * Function responsible for setting up the accept4 syscall for
379 * the seccomp filter sandbox.
380 */
381 static int
383 {
387 #ifdef __i386__
392 }
399 }
402 }
404 #ifdef __NR_mmap2
405 /**
406 * Function responsible for setting up the mmap2 syscall for
407 * the seccomp filter sandbox.
408 */
409 static int
411 {
420 }
427 }
434 }
441 }
448 }
455 }
462 }
465 }
468 #ifdef HAVE_GNU_LIBC_VERSION_H
469 #ifdef HAVE_GNU_GET_LIBC_VERSION
470 #define CHECK_LIBC_VERSION
471 #endif
472 #endif
474 /* Return true the libc version is greater or equal than
475 * <b>major</b>.<b>minor</b>. Returns false otherwise. */
476 static int
478 {
479 #ifdef CHECK_LIBC_VERSION
492 else
499 }
501 /* Return true if we think we're running with a libc that uses openat for the
502 * open function on linux. */
503 static int
505 {
507 }
509 /* Return true if we think we're running with a libc that uses openat for the
510 * opendir function on linux. */
511 static int
513 {
514 // libc 2.27 and above or between 2.15 (inclusive) and 2.22 (exclusive)
517 }
519 /* Return true if we think we're running with a libc that needs to cast
520 * negative arguments like AT_FDCWD for seccomp rules. */
521 static int
523 {
525 }
527 /** Allow a single file to be opened. If <b>use_openat</b> is true,
528 * we're using a libc that remaps all the opens into openats. */
529 static int
531 {
539 }
540 }
542 /**
543 * Function responsible for setting up the open syscall for
544 * the seccomp filter sandbox.
545 */
546 static int
548 {
554 #ifdef ENABLE_FRAGILE_HARDENING
555 /* AddressSanitizer uses the "open" syscall to access information about the
556 * running process via the filesystem, so that call must be allowed without
557 * restriction or the sanitizer will be unable to execute normally when the
558 * process terminates. */
564 }
566 /* If glibc also uses only the "open" syscall to open files on this system
567 * there is no need to consider any additional rules. */
570 #endif
572 // for each dynamic parameter filters
583 }
584 }
585 }
588 }
590 static int
592 {
596 // for each dynamic parameter filters
608 }
609 }
610 }
613 }
615 #ifdef __i386__
616 static int
618 {
622 // for each dynamic parameter filters
634 }
635 }
636 }
639 }
640 #else
641 static int
643 {
647 // for each dynamic parameter filters
659 }
660 }
661 }
664 }
667 /**
668 * Function responsible for setting up the rename syscall for
669 * the seccomp filter sandbox.
670 */
671 static int
673 {
677 // for each dynamic parameter filters
691 }
692 }
693 }
696 }
698 /**
699 * Function responsible for setting up the openat syscall for
700 * the seccomp filter sandbox.
701 */
702 static int
704 {
708 // for each dynamic parameter filters
718 O_CLOEXEC));
723 }
724 }
725 }
728 }
730 static int
732 {
736 // for each dynamic parameter filters
747 }
748 }
749 }
752 }
754 #ifdef ENABLE_FRAGILE_HARDENING
755 /**
756 * Function responsible for setting up the ptrace syscall for
757 * the seccomp filter sandbox.
758 */
759 static int
761 {
779 }
780 #endif
782 /**
783 * Function responsible for setting up the socket syscall for
784 * the seccomp filter sandbox.
785 */
786 static int
788 {
793 #ifdef __i386__
797 #endif
809 SOCK_DGRAM;
812 IPPROTO_UDP;
819 }
820 }
822 #ifdef ENABLE_NSS
853 }
855 /**
856 * Function responsible for setting up the socketpair syscall for
857 * the seccomp filter sandbox.
858 */
859 static int
861 {
865 #ifdef __i386__
869 #endif
878 }
880 #ifdef HAVE_KIST_SUPPORT
882 #include <linux/sockios.h>
884 static int
886 {
895 }
899 /**
900 * Function responsible for setting up the setsockopt syscall for
901 * the seccomp filter sandbox.
902 */
903 static int
905 {
909 #ifdef __i386__
913 #endif
933 #ifdef HAVE_SYSTEMD
941 #ifdef IP_TRANSPARENT
949 #ifdef IPV6_V6ONLY
958 }
960 /**
961 * Function responsible for setting up the getsockopt syscall for
962 * the seccomp filter sandbox.
963 */
964 static int
966 {
970 #ifdef __i386__
974 #endif
988 #ifdef HAVE_SYSTEMD
996 #ifdef HAVE_LINUX_NETFILTER_IPV4_H
1004 #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
1012 #ifdef HAVE_KIST_SUPPORT
1013 #include <netinet/tcp.h>
1022 }
1024 #ifdef __NR_fcntl64
1025 /**
1026 * Function responsible for setting up the fcntl64 syscall for
1027 * the seccomp filter sandbox.
1028 */
1029 static int
1031 {
1058 }
1061 /**
1062 * Function responsible for setting up the epoll_ctl syscall for
1063 * the seccomp filter sandbox.
1064 *
1065 * Note: basically allows everything but will keep for now..
1066 */
1067 static int
1069 {
1089 }
1091 /**
1092 * Function responsible for setting up the prctl syscall for
1093 * the seccomp filter sandbox.
1094 *
1095 * NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
1096 * to be allowlisted in this function.
1097 */
1098 static int
1100 {
1104 #ifdef ENABLE_FRAGILE_HARDENING
1114 #endif
1122 }
1124 /**
1125 * Function responsible for setting up the mprotect syscall for
1126 * the seccomp filter sandbox.
1127 *
1128 * NOTE: does not NEED to be here.. currently only occurs before filter; will
1129 * keep just in case for the future.
1130 */
1131 static int
1133 {
1148 }
1150 /**
1151 * Function responsible for setting up the rt_sigprocmask syscall for
1152 * the seccomp filter sandbox.
1153 */
1154 static int
1156 {
1160 #ifdef ENABLE_FRAGILE_HARDENING
1165 #endif
1178 }
1180 /**
1181 * Function responsible for setting up the flock syscall for
1182 * the seccomp filter sandbox.
1183 *
1184 * NOTE: does not need to be here, occurs before filter is applied.
1185 */
1186 static int
1188 {
1203 }
1205 /**
1206 * Function responsible for setting up the futex syscall for
1207 * the seccomp filter sandbox.
1208 */
1209 static int
1211 {
1215 // can remove
1233 }
1235 /**
1236 * Function responsible for setting up the mremap syscall for
1237 * the seccomp filter sandbox.
1238 *
1239 * NOTE: so far only occurs before filter is applied.
1240 */
1241 static int
1243 {
1253 }
1255 #ifdef __NR_stat64
1256 /**
1257 * Function responsible for setting up the stat64 syscall for
1258 * the seccomp filter sandbox.
1259 */
1260 static int
1262 {
1266 // for each dynamic parameter filters
1278 }
1279 }
1280 }
1283 }
1286 static int
1288 {
1290 #ifdef __NR_kill
1291 /* Allow killing anything with signal 0 -- it isn't really a kill. */
1294 #else
1297 }
1299 /**
1300 * Array of function pointers responsible for filtering different syscalls at
1301 * a parameter level.
1302 */
1304 sb_rt_sigaction,
1305 sb_rt_sigprocmask,
1306 #ifdef __NR_time
1307 sb_time,
1308 #endif
1309 sb_accept4,
1310 #ifdef __NR_mmap2
1311 sb_mmap2,
1312 #endif
1313 #ifdef __i386__
1314 sb_chown32,
1315 #else
1316 sb_chown,
1317 #endif
1318 sb_chmod,
1319 sb_open,
1320 sb_openat,
1321 sb_opendir,
1322 #ifdef ENABLE_FRAGILE_HARDENING
1323 sb_ptrace,
1324 #endif
1325 sb_rename,
1326 #ifdef __NR_fcntl64
1327 sb_fcntl64,
1328 #endif
1329 sb_epoll_ctl,
1330 sb_prctl,
1331 sb_mprotect,
1332 sb_flock,
1333 sb_futex,
1334 sb_mremap,
1335 #ifdef __NR_stat64
1336 sb_stat64,
1337 #endif
1339 sb_socket,
1340 sb_setsockopt,
1341 sb_getsockopt,
1342 sb_socketpair,
1343 #ifdef HAVE_KIST_SUPPORT
1344 sb_ioctl,
1345 #endif
1346 sb_kill
1347 };
1349 /**
1350 * Return the interned (and hopefully sandbox-permitted) string equal
1351 * to @a str.
1352 *
1353 * Return NULL if `str` is NULL, or `str` is not an interned string.
1354 **/
1357 {
1362 }
1365 }
1367 /**
1368 * Return true if the sandbox is running and we are missing an interned string
1369 * equal to @a str.
1370 */
1371 bool
1373 {
1375 }
1377 /**
1378 * Try to find and return the interned string equal to @a str.
1379 *
1380 * If there is no such string, return NULL.
1381 **/
1384 {
1396 }
1399 }
1400 }
1401 }
1404 }
1406 /* DOCDOC */
1407 static int
1412 {
1425 // We already interned this string.
1430 // copy to protected
1434 // re-point el parameter to protected
1440 // move next available protected memory
1447 }
1448 }
1450 /**
1451 * Protects all the strings in the sandbox's parameter list configuration. It
1452 * works by calculating the total amount of memory required by the parameter
1453 * list, allocating the memory using mmap, and protecting it from writes with
1454 * mprotect().
1455 */
1456 static int
1458 {
1465 // get total number of bytes required to mmap. (Overestimate.)
1470 }
1472 // allocate protected memory with MALLOC_MP_LIM canary
1480 }
1487 // change el value pointer to protected
1493 }
1498 }
1500 }
1502 // protecting from writes
1508 }
1510 /*
1511 * Setting sandbox restrictions so the string memory cannot be tampered with
1512 */
1513 // no mremap of the protected base address
1519 }
1521 // no munmap of the protected base address
1527 }
1529 /*
1530 * Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
1531 * never over the memory region used by the protected strings.
1532 *
1533 * PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
1534 * had to be removed due to limitation of libseccomp regarding intervals.
1535 *
1536 * There is a restriction on how much you can mprotect with R|W up to the
1537 * size of the canary.
1538 */
1546 }
1550 MALLOC_MP_LIM),
1556 }
1558 out:
1561 }
1563 /**
1564 * Auxiliary function used in order to allocate a sandbox_cfg_t element and set
1565 * its values according the parameter list. All elements are initialised
1566 * with the 'prot' field set to false, as the pointer is not protected at this
1567 * point.
1568 */
1571 {
1583 }
1587 {
1589 }
1591 #ifdef __i386__
1592 #define SCMP_chown SCMP_SYS(chown32)
1593 #else
1594 #define SCMP_chown SCMP_SYS(chown)
1595 #endif
1597 #ifdef __NR_stat64
1598 #define SCMP_stat SCMP_SYS(stat64)
1599 #else
1600 #define SCMP_stat SCMP_SYS(stat)
1601 #endif
1603 int
1605 {
1614 }
1616 int
1618 {
1627 }
1629 int
1631 {
1640 }
1642 int
1644 {
1653 }
1655 int
1657 {
1666 }
1668 int
1670 {
1679 }
1681 int
1683 {
1692 }
1694 /**
1695 * Function responsible for going through the parameter syscall filters and
1696 * call each function pointer in the list.
1697 */
1698 static int
1700 {
1704 // function pointer
1711 }
1712 }
1715 }
1717 /**
1718 * Function responsible of loading the libseccomp syscall filters which do not
1719 * have parameter filtering.
1720 */
1721 static int
1723 {
1727 // add general filters
1734 }
1735 }
1738 #ifdef __NR_newfstatat
1739 // Libc 2.33 uses this syscall to implement both fstat() and stat().
1740 //
1741 // The trouble is that to implement fstat(fd, &st), it calls:
1742 // newfstatat(fs, "", &st, AT_EMPTY_PATH)
1743 // We can't detect this usage in particular, because "" is a pointer
1744 // we don't control. And we can't just look for AT_EMPTY_PATH, since
1745 // AT_EMPTY_PATH only has effect when the path string is empty.
1746 //
1747 // So our only solution seems to be allowing all fstatat calls, which
1748 // means that an attacker can stat() anything on the filesystem. That's
1749 // not a great solution, but I can't find a better one.
1755 }
1756 #endif
1757 }
1760 }
1762 /**
1763 * Function responsible for setting up and enabling a global syscall filter.
1764 * The function is a prototype developed for stage 1 of sandboxing Tor.
1765 * Returns 0 on success.
1766 */
1767 static int
1769 {
1771 scmp_filter_ctx ctx;
1778 }
1780 // protecting sandbox parameter strings
1783 }
1785 // add parameter filters
1789 }
1791 // adding filters with no parameters
1795 }
1797 // loading the seccomp2 filter
1800 "Are you sure that your kernel has seccomp2 support? The "
1804 }
1806 // marking the sandbox as active
1809 end:
1812 }
1814 #ifdef SYSCALL_NAME_DEBUGGING
1817 /** Return a string containing the name of a given syscall (if we know it) */
1820 {
1825 }
1827 {
1832 }
1833 }
1835 /** Return the syscall number from a ucontext_t that we got in a signal
1836 * handler (if we know how to do that). */
1837 static int
1839 {
1841 }
1845 {
1848 }
1849 static int
1851 {
1854 }
1857 #ifdef USE_BACKTRACE
1858 #define MAX_DEPTH 256
1860 #endif
1862 /**
1863 * Function called when a SIGSYS is caught by the application. It notifies the
1864 * user that an error has occurred and either terminates or allows the
1865 * application to continue execution, based on the DEBUGGING_CLOSE symbol.
1866 */
1867 static void
1869 {
1872 #ifdef USE_BACKTRACE
1876 #endif
1888 #ifdef USE_BACKTRACE
1890 /* Clean up the top stack frame so we get the real function
1891 * name for the most recently failing function. */
1898 syscall_name,
1900 NULL);
1902 #ifdef USE_BACKTRACE
1906 #endif
1908 #if defined(DEBUGGING_CLOSE)
1911 }
1913 /**
1914 * Function that adds a handler for SIGSYS, which is the signal thrown
1915 * when the application is issuing a syscall which is not allowed. The
1916 * main purpose of this function is to help with debugging by identifying
1917 * filtered syscalls.
1918 */
1919 static int
1921 {
1923 sigset_t mask;
1934 }
1939 }
1942 }
1944 /**
1945 * Function responsible of registering the sandbox_cfg_t list of parameter
1946 * syscall filters to the existing parameter list. This is used for incipient
1947 * multiple-sandbox support.
1948 */
1949 static int
1951 {
1957 }
1960 ;
1965 }
1969 #ifdef USE_LIBSECCOMP
1970 /**
1971 * Initialises the syscall sandbox filter for any linux architecture, taking
1972 * into account various available features for different linux flavours.
1973 */
1974 static int
1976 {
1977 /* Prevent glibc from trying to open /dev/tty on fatal error */
1990 }
1992 int
1994 {
1996 }
1999 sandbox_cfg_t*
2001 {
2003 }
2005 int
2007 {
2008 #if defined(USE_LIBSECCOMP)
2011 #elif defined(__linux__)
2014 "This version of Tor was built without support for sandboxing. To "
2015 "build with support for sandboxing on Linux, you must have "
2019 #else
2022 "Currently, sandboxing is only implemented on Linux. The feature "
2026 }
2028 #ifndef USE_LIBSECCOMP
2029 int
2031 {
2034 }
2036 int
2038 {
2041 }
2043 int
2045 {
2048 }
2050 int
2052 {
2055 }
2057 int
2059 {
2062 }
2064 int
2066 {
2069 }
2071 int
2073 {
2076 }
2078 int
2080 {
2082 }