Home Explore Help
Sign In
mirrors
/
snac2
mirror of https://codeberg.org/grunfink/snac2.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: 7e743e8918
Branches Tags
snac2
/
sandbox.c

sandbox.c 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 
  1. #include "xs.h"
    2. 

  2. 

  3. #include "snac.h"
    4. 

  4. 

  5. #include <unistd.h>
    6. 

  6. 

  7. #if defined (__linux__)
    8. 

  8. #   define __USE_GNU
    9. 

  9. #   include <linux/landlock.h>
    10. 

  10. #   include <sys/syscall.h>
    11. 

  11. #   include <sys/prctl.h>
    12. 

  12. #   include <stdint.h>
    13. 

  13. #   include <fcntl.h>
    14. 

  14. #endif
    15. 

  15. 

  16. void sbox_enter(const char *basedir)
    17. 

  17. {
    18. 

  18.     if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
    19. 

  19.         srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
    20. 

  20.         return;
    21. 

  21.     }
    22. 

  22.     if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
    23. 

  23.         srv_debug(0, xs_dup("Sandbox disabled by admin"));
    24. 

  24.         return;
    25. 

  25.     }
    26. 

  26. 

  27.     const char *address = xs_dict_get(srv_config, "address");
    28. 

  28. 

  29.     int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
    30. 

  30. 

  31. #if defined (__OpenBSD__)
    32. 

  32.     srv_debug(1, xs_fmt("Calling unveil()"));
    33. 

  33.     unveil(basedir,                "rwc");
    34. 

  34.     unveil("/tmp",                 "rwc");
    35. 

  35.     unveil("/etc/resolv.conf",     "r");
    36. 

  36.     unveil("/etc/hosts",           "r");
    37. 

  37.     unveil("/etc/ssl/openssl.cnf", "r");
    38. 

  38.     unveil("/etc/ssl/cert.pem",    "r");
    39. 

  39.     unveil("/usr/share/zoneinfo",  "r");
    40. 

  40. 

  41.     if (smail)
    42. 

  42.         unveil("/usr/sbin/sendmail",   "x");
    43. 

  43. 

  44.     if (*address == '/')
    45. 

  45.         unveil(address, "rwc");
    46. 

  46. 

  47.     unveil(NULL,                   NULL);
    48. 

  48. 

  49.     srv_debug(1, xs_fmt("Calling pledge()"));
    50. 

  50. 

  51.     xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
    52. 

  52. 

  53.     if (smail)
    54. 

  54.         p = xs_str_cat(p, " exec");
    55. 

  55. 

  56.     if (*address == '/')
    57. 

  57.         p = xs_str_cat(p, " unix");
    58. 

  58. 

  59.     pledge(p, NULL);
    60. 

  60. 

  61.     xs_free(p);
    62. 

  62. #elif defined (__linux__)
    63. 

  63.     int error, ruleset_fd, abi;
    64. 

  64.     struct landlock_ruleset_attr      rules = {0};
    65. 

  65.     struct landlock_path_beneath_attr path  = {0};
    66. 

  66.     struct landlock_net_port_attr     net   = {0};
    67. 

  67. 

  68.     rules.handled_access_fs =
    69. 

  69.         LANDLOCK_ACCESS_FS_EXECUTE     |
    70. 

  70.         LANDLOCK_ACCESS_FS_WRITE_FILE  |
    71. 

  71.         LANDLOCK_ACCESS_FS_READ_FILE   |
    72. 

  72.         LANDLOCK_ACCESS_FS_REMOVE_DIR  |
    73. 

  73.         LANDLOCK_ACCESS_FS_REMOVE_FILE |
    74. 

  74.         LANDLOCK_ACCESS_FS_MAKE_CHAR   |
    75. 

  75.         LANDLOCK_ACCESS_FS_MAKE_DIR    |
    76. 

  76.         LANDLOCK_ACCESS_FS_MAKE_REG    |
    77. 

  77.         LANDLOCK_ACCESS_FS_MAKE_SOCK   |
    78. 

  78.         LANDLOCK_ACCESS_FS_MAKE_FIFO   |
    79. 

  79.         LANDLOCK_ACCESS_FS_MAKE_BLOCK  |
    80. 

  80.         LANDLOCK_ACCESS_FS_MAKE_SYM    |
    81. 

  81.         LANDLOCK_ACCESS_FS_REFER       |
    82. 

  82.         LANDLOCK_ACCESS_FS_TRUNCATE    |
    83. 

  83.         LANDLOCK_ACCESS_FS_IOCTL_DEV;
    84. 

  84.     rules.handled_access_net =
    85. 

  85.         LANDLOCK_ACCESS_NET_BIND_TCP |
    86. 

  86.         LANDLOCK_ACCESS_NET_CONNECT_TCP;
    87. 

  87. 

  88.     abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    89. 

  89.     switch (abi) {
    90. 

  90.     case -1:
    91. 

  91.         srv_debug(0, xs_dup("Kernel without landlock support"));
    92. 

  92.         return;
    93. 

  93.     case 1:
    94. 

  94.         rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_REFER;
    95. 

  95.         __attribute__((fallthrough));
    96. 

  96.     case 2:
    97. 

  97.         rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
    98. 

  98.         __attribute__((fallthrough));
    99. 

  99.     case 3:
    100. 

  100.         rules.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP);
    101. 

  101.         __attribute__((fallthrough));
    102. 

  102.     case 4:
    103. 

  103.         rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
    104. 

  104.     }
    105. 

  105.     srv_debug(1, xs_fmt("lanlock abi: %d", abi));
    106. 

  106. 

  107.     ruleset_fd = syscall(SYS_landlock_create_ruleset, &rules, sizeof(struct landlock_ruleset_attr), 0);
    108. 

  108.     if (ruleset_fd == -1) {
    109. 

  109.         srv_debug(0, xs_fmt("landlock_create_ruleset failed: %s", strerror(errno)));
    110. 

  110.         return;
    111. 

  111.     }
    112. 

  112. 

  113. #define LL_R LANDLOCK_ACCESS_FS_READ_FILE
    114. 

  114. #define LL_X LANDLOCK_ACCESS_FS_EXECUTE
    115. 

  115. #define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REFER)
    116. 

  116. #define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR)
    117. 

  117. #define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK)
    118. 

  118. #define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP
    119. 

  119. #define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP
    120. 

  120. 

  121. #define LANDLOCK_PATH(p, r) do {\
    122. 

  122.     path.allowed_access = r;\
    123. 

  123.     if (abi < 2)\
    124. 

  124.         path.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;\
    125. 

  125.     if (abi < 3)\
    126. 

  126.         path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\
    127. 

  127.     path.parent_fd = open(p, O_PATH | O_CLOEXEC);\
    128. 

  128.     if (path.parent_fd == -1) {\
    129. 

  129.         srv_debug(2, xs_fmt("open %s: %s", p, strerror(errno)));\
    130. 

  130.         goto close;\
    131. 

  131.     }\
    132. 

  132.     error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path, 0); \
    133. 

  133.     if (error) {\
    134. 

  134.         srv_debug(0, xs_fmt("LANDLOCK_PATH(%s): %s", p, strerror(errno)));\
    135. 

  135.         goto close;\
    136. 

  136.     }\
    137. 

  137. } while (0)
    138. 

  138. 

  139. #define LANDLOCK_PORT(p, r) do {\
    140. 

  140.     uint16_t _p = p;\
    141. 

  141.     net.port = _p;\
    142. 

  142.     net.allowed_access = r;\
    143. 

  143.     error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_NET_PORT, &net, 0);\
    144. 

  144.     if (error) {\
    145. 

  145.         srv_debug(0, xs_fmt("LANDLOCK_PORT(%d): %s", _p, strerror(errno)));\
    146. 

  146.         goto close;\
    147. 

  147.     }\
    148. 

  148. } while (0)
    149. 

  149. 

  150.     LANDLOCK_PATH(basedir,                LL_RWCD);
    151. 

  151.     LANDLOCK_PATH("/tmp",                 LL_RWCD);
    152. 

  152. #ifndef WITHOUT_SHM
    153. 

  153.     LANDLOCK_PATH("/dev/shm",             LL_RWCF);
    154. 

  154. #endif
    155. 

  155.     LANDLOCK_PATH("/etc/resolv.conf",     LL_R  );
    156. 

  156.     LANDLOCK_PATH("/etc/hosts",           LL_R  );
    157. 

  157.     LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R  );
    158. 

  158.     LANDLOCK_PATH("/etc/ssl/cert.pem",    LL_R  );
    159. 

  159.     LANDLOCK_PATH("/usr/share/zoneinfo",  LL_R  );
    160. 

  160. 

  161.     if (*address == '/')
    162. 

  162.         LANDLOCK_PATH(address, LL_UNIX);
    163. 

  163. 

  164.     if (smail)
    165. 

  165.         LANDLOCK_PATH("/usr/sbin/sendmail", LL_X);
    166. 

  166. 

  167.     if (abi > 3) {
    168. 

  168.         if (*address != '/') {
    169. 

  169.             LANDLOCK_PORT(
    170. 

  170.                 (uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND);
    171. 

  171.         }
    172. 

  172. 

  173.         LANDLOCK_PORT(80,  LL_CONN);
    174. 

  174.         LANDLOCK_PORT(443, LL_CONN);
    175. 

  175.     }
    176. 

  176.     
    177. 

  177.     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    178. 

  178.         srv_debug(0, xs_fmt("prctl SET_NO_NEW_PRIVS: %s", strerror(errno)));
    179. 

  179.         goto close;
    180. 

  180.     }
    181. 

  181. 

  182.     if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0))
    183. 

  183.         srv_debug(0, xs_fmt("landlock_restrict_self: %s", strerror(errno)));
    184. 

  184. 

  185.     srv_log(xs_dup("landlocked"));
    186. 

  186. 

  187. close:
    188. 

  188.     close(ruleset_fd);
    189. 

  189. 

  190. #endif
    191. 

  191. }
    192.