search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Correct PPTP server firewall rules chain.
[tomato/davidwu.git] / release / src / router / vsftpd / ptracesandbox.c
blob1f2bbccfce2e761fa9181448297da2009dc29834
1 /*
2 * Part of Very Secure FTPd
3 * Licence: GPL v2
4 * Author: Chris Evans
5 * ptracesandbox.c
6 *
7 * Generic routines to setup and run a process under a restrictive ptrace()
8 * based sandbox.
9 * Note that the style in this file is to not go via the helper functions in
10 * sysutil.c, but instead hit the system APIs directly. This is because I may
11 * very well release just this file to the public domain, and do not want
12 * dependencies on other parts of vsftpd.
13 */
14
15 #include "ptracesandbox.h"
16
17 #if defined(__linux__) && defined(__i386__)
18
19 #include <sys/mman.h>
20 #include <sys/prctl.h>
21 #include <sys/ptrace.h>
22 /* For AF_MAX (NPROTO is defined to this) */
23 #include <sys/socket.h>
24 #include <sys/types.h>
25 #include <sys/user.h>
26 #include <sys/wait.h>
27 #include <err.h>
28 #include <errno.h>
29 #include <fcntl.h>
30 #include <signal.h>
31 #include <stdlib.h>
32 #include <string.h>
33 #include <unistd.h>
34 #include <syslog.h>
35
36 #include <asm/unistd.h>
37
38 #ifndef __NR_sendfile64
39 #define __NR_sendfile64 239
40 #endif
41
42 #ifndef __NR_exit_group
43 #define __NR_exit_group 252
44 #endif
45
46 #ifndef __NR_utimes
47 #define __NR_utimes 271
48 #endif
49
50 /* For the socketcall() multiplex args. */
51 #include <linux/net.h>
52
53 #ifndef PTRACE_SETOPTIONS
54 #define PTRACE_SETOPTIONS 0x4200
55 #endif
56
57 #ifndef PTRACE_O_TRACESYSGOOD
58 #define PTRACE_O_TRACESYSGOOD 1
59 #endif
60
61 #ifndef PTRACE_O_TRACEFORK
62 #define PTRACE_O_TRACEFORK 2
63 #endif
64
65 #ifndef PTRACE_O_TRACEVFORK
66 #define PTRACE_O_TRACEVFORK 4
67 #endif
68
69 #ifndef PTRACE_O_TRACECLONE
70 #define PTRACE_O_TRACECLONE 8
71 #endif
72
73 #ifndef O_DIRECT
74 #define O_DIRECT 040000
75 #endif
76
77 static void sanitize_child();
78 static int get_action(struct pt_sandbox* p_sandbox);
79
80 static int validate_mmap2(struct pt_sandbox* p_sandbox, void* p_arg);
81 static int validate_open_default(struct pt_sandbox* p_sandbox, void* p_arg);
82 static int validate_open_readonly(struct pt_sandbox* p_sandbox, void* p_arg);
83 static int validate_fcntl(struct pt_sandbox* p_sandbox, void* p_arg);
84 static int validate_socketcall(struct pt_sandbox* p_sandbox, void* p_arg);
85 static void install_socketcall(struct pt_sandbox* p_sandbox);
86
87 #define MAX_SYSCALL 300
88
89 struct pt_sandbox
90 {
91 int read_event_fd;
92 int write_event_fd;
93 pid_t pid;
94 int is_allowed[MAX_SYSCALL];
95 ptrace_sandbox_validator_t validator[MAX_SYSCALL];
96 void* validator_arg[MAX_SYSCALL];
97 int is_exit;
98 struct user_regs_struct regs;
99 int is_socketcall_allowed[NPROTO];
100 ptrace_sandbox_validator_t socketcall_validator[NPROTO];
101 void* socketcall_validator_arg[NPROTO];
102 };
103
104 static int s_sigchld_fd = -1;
105
106 void
107 handle_sigchld(int sig)
108 {
109 int ret;
110 if (sig != SIGCHLD)
111 {
112 _exit(1);
113 }
114 if (s_sigchld_fd != -1)
115 {
116 do
117 {
118 static const char zero = '\0';
119 ret = write(s_sigchld_fd, &zero, sizeof(zero));
120 } while (ret == -1 && errno == EINTR);
121 if (ret != 1)
122 {
123 _exit(2);
124 }
125 }
126 }
127
128 struct pt_sandbox*
129 ptrace_sandbox_alloc()
130 {
131 int i;
132 struct sigaction sigact;
133 struct pt_sandbox* ret = malloc(sizeof(struct pt_sandbox));
134 if (ret == NULL)
135 {
136 return NULL;
137 }
138 ret->pid = -1;
139 ret->read_event_fd = -1;
140 ret->write_event_fd = -1;
141 ret->is_exit = 0;
142 memset(&ret->regs, '\0', sizeof(ret->regs));
143 for (i = 0; i < MAX_SYSCALL; ++i)
144 {
145 ret->is_allowed[i] = 0;
146 ret->validator[i] = 0;
147 ret->validator_arg[i] = 0;
148 }
149 for (i = 0; i < NPROTO; ++i)
150 {
151 ret->is_socketcall_allowed[i] = 0;
152 ret->socketcall_validator[i] = 0;
153 ret->socketcall_validator_arg[i] = 0;
154 }
155 memset((void*) &sigact, '\0', sizeof(sigact));
156 sigact.sa_handler = handle_sigchld;
157 if (sigaction(SIGCHLD, &sigact, NULL) != 0)
158 {
159 goto err_out;
160 }
161 return ret;
162 err_out:
163 ptrace_sandbox_free(ret);
164 return NULL;
165 }
166
167 void
168 ptrace_sandbox_free(struct pt_sandbox* p_sandbox)
169 {
170 if (p_sandbox->pid != -1)
171 {
172 warnx("bug: pid active in ptrace_sandbox_free");
173 /* We'll kill it for you so it doesn't escape the sandbox totally, but
174 * we won't reap the zombie.
175 * Killing it like this is a risk: if it's stopped in syscall entry,
176 * that syscall will execute before the pending kill takes effect.
177 * If that pending syscall were to be a fork(), there could be trouble.
178 */
179 (void) kill(p_sandbox->pid, SIGKILL);
180 }
181 if (p_sandbox->read_event_fd != -1)
182 {
183 s_sigchld_fd = -1;
184 close(p_sandbox->read_event_fd);
185 close(p_sandbox->write_event_fd);
186 }
187 free(p_sandbox);
188 }
189
190 void
191 ptrace_sandbox_attach_point()
192 {
193 long pt_ret;
194 int ret;
195 pid_t pid = getpid();
196 if (pid <= 1)
197 {
198 warnx("weird pid");
199 _exit(1);
200 }
201 /* You don't have to use PTRACE_TRACEME, but if you don't, a rogue SIGCONT
202 * might wake you up from the STOP below before the tracer has attached.
203 */
204 pt_ret = ptrace(PTRACE_TRACEME, 0, 0, 0);
205 if (pt_ret != 0)
206 {
207 warn("PTRACE_TRACEME failed");
208 _exit(2);
209 }
210 ret = kill(pid, SIGSTOP);
211 if (ret != 0)
212 {
213 warn("kill SIGSTOP failed");
214 _exit(3);
215 }
216 }
217
218 int
219 ptrace_sandbox_launch_process(struct pt_sandbox* p_sandbox,
220 void (*p_func)(void*),
221 void* p_arg)
222 {
223 long pt_ret;
224 pid_t ret;
225 int status;
226 if (p_sandbox->pid != -1)
227 {
228 warnx("bug: process already active");
229 return -1;
230 }
231 ret = fork();
232 if (ret < 0)
233 {
234 return -1;
235 }
236 else if (ret == 0)
237 {
238 /* Child context. */
239 sanitize_child();
240 (*p_func)(p_arg);
241 _exit(0);
242 }
243 /* Parent context */
244 p_sandbox->pid = ret;
245 do
246 {
247 ret = waitpid(p_sandbox->pid, &status, 0);
248 } while (ret == -1 && errno == EINTR);
249 if (ret == -1)
250 {
251 warn("waitpid failed");
252 goto kill_out;
253 }
254 else if (ret != p_sandbox->pid)
255 {
256 warnx("unknown pid %d", ret);
257 goto kill_out;
258 }
259 if (!WIFSTOPPED(status))
260 {
261 warnx("not stopped status %d\n", status);
262 goto kill_out;
263 }
264 if (WSTOPSIG(status) != SIGSTOP)
265 {
266 warnx("not SIGSTOP status %d\n", status);
267 goto kill_out;
268 }
269 /* The fork, etc. tracing options are worth a bit of explanation. We don't
270 * permit process launching syscalls at all as they are dangerous. But
271 * there's a small race if the untrusted process attempts a denied fork()
272 * and then takes a rouge SIGKILL before the supervisor gets a chance to
273 * clear the orig_eax register. In this case the syscall will still execute.
274 * (Policies may not include signal sending capabilities, thus mitigating this
275 * direct attack, however a rogue SIGKILL may come from a non-malicious
276 * source). Therefore, we'd rather any fork()ed process starts off traced,
277 * just in case this tiny race condition triggers.
278 */
279 pt_ret = ptrace(PTRACE_SETOPTIONS,
280 p_sandbox->pid,
281 0,
282 PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK |
283 PTRACE_O_TRACEVFORK | PTRACE_O_TRACECLONE);
284 if (pt_ret != 0)
285 {
286 warn("PTRACE_SETOPTIONS failure");
287 goto kill_out;
288 }
289 return p_sandbox->pid;
290 kill_out:
291 (void) kill(p_sandbox->pid, SIGKILL);
292 p_sandbox->pid = -1;
293 return -1;
294 }
295
296 int
297 ptrace_sandbox_continue_process(struct pt_sandbox* p_sandbox, int sig)
298 {
299 long pt_ret = ptrace(PTRACE_SYSCALL, p_sandbox->pid, 0, sig);
300 if (pt_ret != 0)
301 {
302 warn("PTRACE_SYSCALL failure");
303 if (errno == ESRCH)
304 {
305 return PTRACE_SANDBOX_ERR_DEAD;
306 }
307 return PTRACE_SANDBOX_ERR_PTRACE;
308 }
309 return 0;
310 }
311
312 int
313 ptrace_sandbox_get_event_fd(struct pt_sandbox* p_sandbox)
314 {
315 /* TODO: allocate pipe fds */
316 (void) p_sandbox;
317 return -1;
318 }
319
320 int
321 ptrace_sandbox_get_event(struct pt_sandbox* p_sandbox, int* status, int block)
322 {
323 pid_t pid;
324 int options = 0;
325 if (!block)
326 {
327 options = WNOHANG;
328 }
329 do
330 {
331 pid = waitpid(p_sandbox->pid, status, options);
332 } while (pid == -1 && errno == EINTR);
333 if (pid == -1)
334 {
335 warn("waitpid failure");
336 if (errno == ECHILD)
337 {
338 return PTRACE_SANDBOX_ERR_DEAD;
339 }
340 return PTRACE_SANDBOX_ERR_WAITPID;
341 }
342 return pid;
343 }
344
345 int
346 ptrace_sandbox_handle_event(struct pt_sandbox* p_sandbox, int status)
347 {
348 int sig;
349 int action;
350 if (WIFEXITED(status) || WIFSIGNALED(status))
351 {
352 p_sandbox->pid = -1;
353 return 1;
354 }
355 if (!WIFSTOPPED(status))
356 {
357 warnx("weird status: %d\n", status);
358 return PTRACE_SANDBOX_ERR_WAIT_STATUS;
359 }
360 sig = WSTOPSIG(status);
361 if (sig >= 0 && sig < 0x80)
362 {
363 /* It's a normal signal; deliver it right on. SIGSTOP / SIGCONT handling
364 * are buggy in the kernel and I'm not sure it's safe to pass either on,
365 * so the signal becomes a little more... robust :)
366 */
367 if (sig == SIGSTOP || sig == SIGCONT)
368 {
369 sig = SIGKILL;
370 }
371 return ptrace_sandbox_continue_process(p_sandbox, sig);
372 }
373 if (!(sig & 0x80))
374 {
375 warnx("weird status: %d\n", status);
376 return PTRACE_SANDBOX_ERR_WAIT_STATUS;
377 }
378 /* Syscall trap. */
379 if (p_sandbox->is_exit)
380 {
381 p_sandbox->is_exit = 0;
382 }
383 else
384 {
385 p_sandbox->is_exit = 1;
386 action = get_action(p_sandbox);
387 if (action != 0)
388 {
389 return action;
390 }
391 }
392 return ptrace_sandbox_continue_process(p_sandbox, 0);
393 }
394
395 int
396 ptrace_sandbox_run_processes(struct pt_sandbox* p_sandbox)
397 {
398 if (ptrace_sandbox_continue_process(p_sandbox, 0) != 0)
399 {
400 goto kill_out;
401 }
402 while (1)
403 {
404 int status;
405 int ret = ptrace_sandbox_get_event(p_sandbox, &status, 1);
406 if (ret <= 0)
407 {
408 goto kill_out;
409 }
410 ret = ptrace_sandbox_handle_event(p_sandbox, status);
411 if (ret < 0)
412 {
413 warnx("couldn't handle sandbox event");
414 goto kill_out;
415 }
416 if (ret == 1)
417 {
418 return 0;
419 }
420 }
421 kill_out:
422 ptrace_sandbox_kill_processes(p_sandbox);
423 return -1;
424 }
425
426 void
427 ptrace_sandbox_kill_processes(struct pt_sandbox* p_sandbox)
428 {
429 long pt_ret;
430 struct user_regs_struct regs;
431 pid_t pid = p_sandbox->pid;
432 if (pid == -1)
433 {
434 return;
435 }
436 p_sandbox->pid = -1;
437 pt_ret = ptrace(PTRACE_GETREGS, pid, 0, &regs);
438 if (pt_ret != 0)
439 {
440 warn("PTRACE_GETREGS failure");
441 /* This API is supposed to be called with the process stopped; but if it
442 * is still running, we can at least help a bit. See security related
443 * comment in ptrace_sandbox_free(), though.
444 */
445 (void) kill(pid, SIGKILL);
446 return;
447 }
448 /* Kind of nasty, but the only way of stopping a started syscall from
449 * executing is to rewrite the registers to execute a different syscall.
450 */
451 regs.orig_eax = __NR_exit_group;
452 regs.eip = 0xffffffff;
453 pt_ret = ptrace(PTRACE_SETREGS, pid, 0, &regs);
454 if (pt_ret != 0)
455 {
456 warn("PTRACE_SETREGS failure");
457 /* Deliberate fall-thru. */
458 }
459 pt_ret = ptrace(PTRACE_KILL, pid, 0, 0);
460 if (pt_ret != 0)
461 {
462 warn("PTRACE_KILL failure");
463 /* Deliberate fall-thru. */
464 }
465 /* Just to make ourselves clear. */
466 (void) kill(pid, SIGKILL);
467 /* So the GETREGS succeeded, so the process definitely _was_ there. We can
468 * safely wait for it to reap the zombie.
469 */
470 (void) waitpid(pid, NULL, 0);
471 }
472
473 int
474 ptrace_sandbox_get_arg(struct pt_sandbox* p_sandbox,
475 int arg,
476 unsigned long* p_out)
477 {
478 long ret = 0;
479 struct user_regs_struct* p_regs = &p_sandbox->regs;
480 if (p_regs->orig_eax == 0)
481 {
482 return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
483 }
484 if (arg < 0 || arg > 5)
485 {
486 return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
487 }
488 switch (arg)
489 {
490 case 0:
491 ret = p_regs->ebx;
492 break;
493 case 1:
494 ret = p_regs->ecx;
495 break;
496 case 2:
497 ret = p_regs->edx;
498 break;
499 case 3:
500 ret = p_regs->esi;
501 break;
502 case 4:
503 ret = p_regs->edi;
504 break;
505 case 5:
506 ret = p_regs->ebp;
507 break;
508 }
509 *p_out = ret;
510 return 0;
511 }
512
513 int
514 ptrace_sandbox_get_socketcall_arg(struct pt_sandbox* p_sandbox,
515 int arg,
516 unsigned long* p_out)
517 {
518 unsigned long ptr;
519 int ret;
520 struct user_regs_struct* p_regs = &p_sandbox->regs;
521 if (p_regs->orig_eax == 0)
522 {
523 return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
524 }
525 if (arg < 0 || arg > 2)
526 {
527 return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
528 }
529 ret = ptrace_sandbox_get_arg(p_sandbox, 1, &ptr);
530 if (ret != 0)
531 {
532 return ret;
533 }
534 ptr += (arg * 4);
535 ret = ptrace_sandbox_get_long(p_sandbox, ptr, p_out);
536 return ret;
537 }
538
539 int
540 ptrace_sandbox_get_long(struct pt_sandbox* p_sandbox,
541 unsigned long ptr,
542 unsigned long* p_out)
543 {
544 return ptrace_sandbox_get_buf(p_sandbox, ptr, sizeof(long), (void*) p_out);
545 }
546
547 int
548 ptrace_sandbox_get_buf(struct pt_sandbox* p_sandbox,
549 unsigned long ptr,
550 unsigned long len,
551 void* p_buf)
552 {
553 long pt_ret;
554 char* p_out = (char*) p_buf;
555 for (; len > 0; len -= sizeof(long))
556 {
557 errno = 0;
558 pt_ret = ptrace(PTRACE_PEEKDATA, p_sandbox->pid, (void*) ptr, 0);
559 if (pt_ret == -1 && errno != 0)
560 {
561 warn("PTRACE_GETREGS failure");
562 if (errno == ESRCH)
563 {
564 return PTRACE_SANDBOX_ERR_DEAD;
565 }
566 return PTRACE_SANDBOX_ERR_PTRACE;
567 }
568 if (len >= sizeof(long))
569 {
570 memcpy(p_out, &pt_ret, sizeof(long));
571 }
572 else
573 {
574 memcpy(p_out, &pt_ret, len);
575 }
576 p_out += sizeof(long);
577 ptr += sizeof(long);
578 }
579 return 0;
580 }
581
582 static void
583 sanitize_child()
584 {
585 /* Ensure that if our sandbox supervisor goes down, so do we. */
586 int ret = prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
587 if (ret != 0)
588 {
589 _exit(3);
590 }
591 }
592
593 static int
594 get_action(struct pt_sandbox* p_sandbox)
595 {
596 int ret;
597 int call;
598 int cs;
599 long pt_ret = ptrace(PTRACE_GETREGS, p_sandbox->pid, 0, &(p_sandbox->regs));
600 if (pt_ret != 0)
601 {
602 warn("PTRACE_GETREGS failure");
603 if (errno == ESRCH)
604 {
605 return PTRACE_SANDBOX_ERR_DEAD;
606 }
607 return PTRACE_SANDBOX_ERR_PTRACE;
608 }
609 /* We need to be sure that the child is attempting a syscall against the
610 * 32-bit syscall table, otherwise they can bypass the policy by abusing the
611 * fact that e.g. syscall 200 is getgid32() on 32-bit but tkill() on 64-bit.
612 * If the syscall instruct was int80 or sysenter, is it guaranteed to hit
613 * the 32-bit table. If it is syscall, the current CS selector determines
614 * the table. Therefore, we can check the current CS selector references a
615 * known system-only selector that is guaranteed 32-bit (not long mode).
616 */
617 cs = p_sandbox->regs.xcs;
618 if (cs != 0x73 && cs != 0x23)
619 {
620 warnx("bad CS %d", cs);
621 ret = PTRACE_SANDBOX_ERR_BAD_SYSCALL;
622 goto out;
623 }
624 call = (int) p_sandbox->regs.orig_eax;
625 if (call < 0 || call >= MAX_SYSCALL)
626 {
627 warnx("syscall %d out of bounds", call);
628 ret = PTRACE_SANDBOX_ERR_BAD_SYSCALL;
629 goto out;
630 }
631 if (p_sandbox->is_allowed[call] != 1)
632 {
633 syslog(LOG_LOCAL0 | LOG_DEBUG, "syscall not permitted: %d", call);
634 warnx("syscall not permitted: %d", call);
635 ret = PTRACE_SANDBOX_ERR_POLICY_SYSCALL;
636 goto out;
637 }
638 if (p_sandbox->validator[call])
639 {
640 ptrace_sandbox_validator_t p_validate = p_sandbox->validator[call];
641 int validate_ret = (*p_validate)(p_sandbox, p_sandbox->validator_arg[call]);
642 if (validate_ret != 0)
643 {
644 syslog(LOG_LOCAL0 | LOG_DEBUG,
645 "syscall validate fail: %d (%d)",
646 call,
647 validate_ret);
648 warnx("syscall validate failed: %d (%d)", call, validate_ret);
649 ret = PTRACE_SANDBOX_ERR_POLICY_ARGS;
650 goto out;
651 }
652 }
653 ret = 0;
654 out:
655 memset(&p_sandbox->regs, '\0', sizeof(&p_sandbox->regs));
656 return ret;
657 }
658
659 void
660 ptrace_sandbox_permit_exit(struct pt_sandbox* p_sandbox)
661 {
662 p_sandbox->is_allowed[__NR_exit] = 1;
663 p_sandbox->is_allowed[__NR_exit_group] = 1;
664 }
665
666 void
667 ptrace_sandbox_permit_read(struct pt_sandbox* p_sandbox)
668 {
669 p_sandbox->is_allowed[__NR_read] = 1;
670 }
671
672 void
673 ptrace_sandbox_permit_write(struct pt_sandbox* p_sandbox)
674 {
675 p_sandbox->is_allowed[__NR_write] = 1;
676 }
677
678 void
679 ptrace_sandbox_permit_sigaction(struct pt_sandbox* p_sandbox)
680 {
681 p_sandbox->is_allowed[__NR_sigaction] = 1;
682 p_sandbox->is_allowed[__NR_rt_sigaction] = 1;
683 }
684
685 void
686 ptrace_sandbox_permit_alarm(struct pt_sandbox* p_sandbox)
687 {
688 p_sandbox->is_allowed[__NR_alarm] = 1;
689 }
690
691 void
692 ptrace_sandbox_permit_query_time(struct pt_sandbox* p_sandbox)
693 {
694 p_sandbox->is_allowed[__NR_gettimeofday] = 1;
695 p_sandbox->is_allowed[__NR_time] = 1;
696 }
697
698 void
699 ptrace_sandbox_permit_mmap(struct pt_sandbox* p_sandbox)
700 {
701 p_sandbox->is_allowed[__NR_mmap2] = 1;
702 p_sandbox->validator[__NR_mmap2] = validate_mmap2;
703 }
704
705 static int
706 validate_mmap2(struct pt_sandbox* p_sandbox, void* p_arg)
707 {
708 unsigned long arg4;
709 int ret = ptrace_sandbox_get_arg(p_sandbox, 3, &arg4);
710 (void) p_arg;
711 if (ret != 0)
712 {
713 return ret;
714 }
715 if (arg4 & MAP_SHARED)
716 {
717 return -1;
718 }
719 return 0;
720 }
721
722 void
723 ptrace_sandbox_permit_mprotect(struct pt_sandbox* p_sandbox)
724 {
725 p_sandbox->is_allowed[__NR_mprotect] = 1;
726 }
727
728 void
729 ptrace_sandbox_permit_file_stats(struct pt_sandbox* p_sandbox)
730 {
731 p_sandbox->is_allowed[__NR_stat] = 1;
732 p_sandbox->is_allowed[__NR_stat64] = 1;
733 p_sandbox->is_allowed[__NR_lstat] = 1;
734 p_sandbox->is_allowed[__NR_lstat64] = 1;
735 }
736
737 void
738 ptrace_sandbox_permit_fd_stats(struct pt_sandbox* p_sandbox)
739 {
740 p_sandbox->is_allowed[__NR_fstat] = 1;
741 p_sandbox->is_allowed[__NR_fstat64] = 1;
742 }
743
744 void
745 ptrace_sandbox_permit_getcwd(struct pt_sandbox* p_sandbox)
746 {
747 p_sandbox->is_allowed[__NR_getcwd] = 1;
748 }
749
750 void
751 ptrace_sandbox_permit_chdir(struct pt_sandbox* p_sandbox)
752 {
753 p_sandbox->is_allowed[__NR_chdir] = 1;
754 }
755
756 void
757 ptrace_sandbox_permit_umask(struct pt_sandbox* p_sandbox)
758 {
759 p_sandbox->is_allowed[__NR_umask] = 1;
760 }
761
762 void
763 ptrace_sandbox_permit_open(struct pt_sandbox* p_sandbox, int writeable)
764 {
765 p_sandbox->is_allowed[__NR_open] = 1;
766 if (writeable == 1)
767 {
768 p_sandbox->validator[__NR_open] = validate_open_default;
769 }
770 else
771 {
772 p_sandbox->validator[__NR_open] = validate_open_readonly;
773 }
774 }
775
776 static int
777 validate_open_default(struct pt_sandbox* p_sandbox, void* p_arg)
778 {
779 unsigned long arg2;
780 int ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2);
781 (void) p_arg;
782 if (ret != 0)
783 {
784 return ret;
785 }
786 if (arg2 & (O_ASYNC | O_DIRECT | O_SYNC))
787 {
788 return -1;
789 }
790 return 0;
791 }
792
793 static int
794 validate_open_readonly(struct pt_sandbox* p_sandbox, void* p_arg)
795 {
796 unsigned long arg2;
797 int ret = validate_open_default(p_sandbox, p_arg);
798 if (ret != 0)
799 {
800 return ret;
801 }
802 ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2);
803 if (ret != 0)
804 {
805 return ret;
806 }
807 if ((arg2 & O_ACCMODE) != O_RDONLY)
808 {
809 return -1;
810 }
811 return 0;
812 }
813
814 void
815 ptrace_sandbox_permit_close(struct pt_sandbox* p_sandbox)
816 {
817 p_sandbox->is_allowed[__NR_close] = 1;
818 }
819
820 void
821 ptrace_sandbox_permit_getdents(struct pt_sandbox* p_sandbox)
822 {
823 p_sandbox->is_allowed[__NR_getdents] = 1;
824 p_sandbox->is_allowed[__NR_getdents64] = 1;
825 }
826
827 void
828 ptrace_sandbox_permit_fcntl(struct pt_sandbox* p_sandbox)
829 {
830 p_sandbox->is_allowed[__NR_fcntl] = 1;
831 p_sandbox->validator[__NR_fcntl] = validate_fcntl;
832 p_sandbox->is_allowed[__NR_fcntl64] = 1;
833 p_sandbox->validator[__NR_fcntl64] = validate_fcntl;
834 }
835
836 static int
837 validate_fcntl(struct pt_sandbox* p_sandbox, void* p_arg)
838 {
839 unsigned long arg2;
840 unsigned long arg3;
841 int ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2);
842 (void) p_arg;
843 if (ret != 0)
844 {
845 return ret;
846 }
847 ret = ptrace_sandbox_get_arg(p_sandbox, 2, &arg3);
848 if (ret != 0)
849 {
850 return ret;
851 }
852 if (arg2 != F_GETFL &&
853 arg2 != F_SETFL &&
854 arg2 != F_SETOWN &&
855 arg2 != F_SETLK &&
856 arg2 != F_SETLKW &&
857 arg2 != F_SETLK64 &&
858 arg2 != F_SETLKW64 &&
859 arg2 != F_SETFD &&
860 arg2 != F_GETFD)
861 {
862 syslog(LOG_LOCAL0 | LOG_DEBUG, "fcntl not permitted: %ld", arg2);
863 warnx("fcntl not permitted: %ld", arg2);
864 return -1;
865 }
866 if (arg2 == F_SETFL && (arg3 & (O_ASYNC | O_DIRECT)))
867 {
868 return -2;
869 }
870 if (arg2 == F_SETOWN && (int) arg3 != p_sandbox->pid)
871 {
872 return -3;
873 }
874 return 0;
875 }
876
877 void
878 ptrace_sandbox_permit_sendfile(struct pt_sandbox* p_sandbox)
879 {
880 p_sandbox->is_allowed[__NR_sendfile] = 1;
881 p_sandbox->is_allowed[__NR_sendfile64] = 1;
882 }
883
884 void
885 ptrace_sandbox_permit_seek(struct pt_sandbox* p_sandbox)
886 {
887 p_sandbox->is_allowed[__NR_lseek] = 1;
888 p_sandbox->is_allowed[__NR__llseek] = 1;
889 }
890
891 void
892 ptrace_sandbox_permit_select(struct pt_sandbox* p_sandbox)
893 {
894 p_sandbox->is_allowed[__NR_select] = 1;
895 p_sandbox->is_allowed[__NR__newselect] = 1;
896 }
897
898 void
899 ptrace_sandbox_permit_unlink(struct pt_sandbox* p_sandbox)
900 {
901 p_sandbox->is_allowed[__NR_unlink] = 1;
902 }
903
904 void
905 ptrace_sandbox_permit_mkdir(struct pt_sandbox* p_sandbox)
906 {
907 p_sandbox->is_allowed[__NR_mkdir] = 1;
908 }
909
910 void
911 ptrace_sandbox_permit_rmdir(struct pt_sandbox* p_sandbox)
912 {
913 p_sandbox->is_allowed[__NR_rmdir] = 1;
914 }
915
916 void
917 ptrace_sandbox_permit_rename(struct pt_sandbox* p_sandbox)
918 {
919 p_sandbox->is_allowed[__NR_rename] = 1;
920 }
921
922 void
923 ptrace_sandbox_permit_utime(struct pt_sandbox* p_sandbox)
924 {
925 p_sandbox->is_allowed[__NR_utime] = 1;
926 p_sandbox->is_allowed[__NR_utimes] = 1;
927 }
928
929 void
930 ptrace_sandbox_permit_sigreturn(struct pt_sandbox* p_sandbox)
931 {
932 p_sandbox->is_allowed[__NR_sigreturn] = 1;
933 }
934
935 void
936 ptrace_sandbox_permit_recv(struct pt_sandbox* p_sandbox)
937 {
938 install_socketcall(p_sandbox);
939 p_sandbox->is_socketcall_allowed[SYS_RECV] = 1;
940 }
941
942 static void
943 install_socketcall(struct pt_sandbox* p_sandbox)
944 {
945 p_sandbox->is_allowed[__NR_socketcall] = 1;
946 p_sandbox->validator[__NR_socketcall] = validate_socketcall;
947 }
948
949 static int
950 validate_socketcall(struct pt_sandbox* p_sandbox, void* p_arg)
951 {
952 unsigned long arg1;
953 int ret = ptrace_sandbox_get_arg(p_sandbox, 0, &arg1);
954 (void) p_arg;
955 if (ret != 0)
956 {
957 return ret;
958 }
959 if (arg1 < 1 || arg1 >= NPROTO)
960 {
961 return -1;
962 }
963 if (p_sandbox->is_socketcall_allowed[arg1] != 1)
964 {
965 syslog(LOG_LOCAL0 | LOG_DEBUG, "socketcall not permitted: %ld", arg1);
966 warnx("socketcall not permitted: %ld", arg1);
967 return -2;
968 }
969 if (p_sandbox->socketcall_validator[arg1])
970 {
971 ptrace_sandbox_validator_t p_val = p_sandbox->socketcall_validator[arg1];
972 ret = (*p_val)(p_sandbox, p_sandbox->socketcall_validator_arg[arg1]);
973 if (ret != 0)
974 {
975 syslog(LOG_LOCAL0 | LOG_DEBUG,
976 "socketcall validate fail: %ld (%d)",
977 arg1,
978 ret);
979 warnx("socketcall validate fail: %ld (%d)", arg1, ret);
980 return -3;
981 }
982 }
983 return 0;
984 }
985
986 void
987 ptrace_sandbox_permit_readlink(struct pt_sandbox* p_sandbox)
988 {
989 p_sandbox->is_allowed[__NR_readlink] = 1;
990 }
991
992 void
993 ptrace_sandbox_permit_brk(struct pt_sandbox* p_sandbox)
994 {
995 p_sandbox->is_allowed[__NR_brk] = 1;
996 }
997
998 void
999 ptrace_sandbox_permit_sleep(struct pt_sandbox* p_sandbox)
1000 {
1001 p_sandbox->is_allowed[__NR_nanosleep] = 1;
1002 }
1003
1004 void
1005 ptrace_sandbox_permit_fchmod(struct pt_sandbox* p_sandbox)
1006 {
1007 p_sandbox->is_allowed[__NR_fchmod] = 1;
1008 }
1009
1010 void
1011 ptrace_sandbox_permit_chmod(struct pt_sandbox* p_sandbox)
1012 {
1013 p_sandbox->is_allowed[__NR_chmod] = 1;
1014 }
1015
1016 void
1017 ptrace_sandbox_permit_fchown(struct pt_sandbox* p_sandbox)
1018 {
1019 p_sandbox->is_allowed[__NR_fchown] = 1;
1020 p_sandbox->is_allowed[__NR_fchown32] = 1;
1021 }
1022
1023 void
1024 ptrace_sandbox_permit_mremap(struct pt_sandbox* p_sandbox)
1025 {
1026 p_sandbox->is_allowed[__NR_mremap] = 1;
1027 }
1028
1029 void
1030 ptrace_sandbox_permit_ftruncate(struct pt_sandbox* p_sandbox)
1031 {
1032 p_sandbox->is_allowed[__NR_ftruncate] = 1;
1033 p_sandbox->is_allowed[__NR_ftruncate64] = 1;
1034 }
1035
1036 void
1037 ptrace_sandbox_permit_socket(struct pt_sandbox* p_sandbox)
1038 {
1039 install_socketcall(p_sandbox);
1040 p_sandbox->is_socketcall_allowed[SYS_SOCKET] = 1;
1041 }
1042
1043 void
1044 ptrace_sandbox_set_socket_validator(struct pt_sandbox* p_sandbox,
1045 ptrace_sandbox_validator_t val,
1046 void* p_arg)
1047 {
1048 p_sandbox->socketcall_validator[SYS_SOCKET] = val;
1049 p_sandbox->socketcall_validator_arg[SYS_SOCKET] = p_arg;
1050 }
1051
1052 void
1053 ptrace_sandbox_permit_bind(struct pt_sandbox* p_sandbox)
1054 {
1055 install_socketcall(p_sandbox);
1056 p_sandbox->is_socketcall_allowed[SYS_BIND] = 1;
1057 }
1058
1059 void
1060 ptrace_sandbox_set_bind_validator(struct pt_sandbox* p_sandbox,
1061 ptrace_sandbox_validator_t val,
1062 void* p_arg)
1063 {
1064 p_sandbox->socketcall_validator[SYS_BIND] = val;
1065 p_sandbox->socketcall_validator_arg[SYS_BIND] = p_arg;
1066 }
1067
1068 void
1069 ptrace_sandbox_permit_connect(struct pt_sandbox* p_sandbox)
1070 {
1071 install_socketcall(p_sandbox);
1072 p_sandbox->is_socketcall_allowed[SYS_CONNECT] = 1;
1073 }
1074
1075 void
1076 ptrace_sandbox_set_connect_validator(struct pt_sandbox* p_sandbox,
1077 ptrace_sandbox_validator_t val,
1078 void* p_arg)
1079 {
1080 p_sandbox->socketcall_validator[SYS_CONNECT] = val;
1081 p_sandbox->socketcall_validator_arg[SYS_CONNECT] = p_arg;
1082 }
1083
1084 void
1085 ptrace_sandbox_permit_listen(struct pt_sandbox* p_sandbox)
1086 {
1087 install_socketcall(p_sandbox);
1088 p_sandbox->is_socketcall_allowed[SYS_LISTEN] = 1;
1089 }
1090
1091 void
1092 ptrace_sandbox_permit_accept(struct pt_sandbox* p_sandbox)
1093 {
1094 install_socketcall(p_sandbox);
1095 p_sandbox->is_socketcall_allowed[SYS_ACCEPT] = 1;
1096 }
1097
1098 void
1099 ptrace_sandbox_permit_setsockopt(struct pt_sandbox* p_sandbox)
1100 {
1101 install_socketcall(p_sandbox);
1102 p_sandbox->is_socketcall_allowed[SYS_SETSOCKOPT] = 1;
1103 }
1104
1105 void
1106 ptrace_sandbox_set_setsockopt_validator(struct pt_sandbox* p_sandbox,
1107 ptrace_sandbox_validator_t val,
1108 void* p_arg)
1109 {
1110 p_sandbox->socketcall_validator[SYS_SETSOCKOPT] = val;
1111 p_sandbox->socketcall_validator_arg[SYS_SETSOCKOPT] = p_arg;
1112 }
1113
1114 void
1115 ptrace_sandbox_permit_getsockopt(struct pt_sandbox* p_sandbox)
1116 {
1117 install_socketcall(p_sandbox);
1118 p_sandbox->is_socketcall_allowed[SYS_GETSOCKOPT] = 1;
1119 }
1120
1121 void
1122 ptrace_sandbox_set_getsockopt_validator(struct pt_sandbox* p_sandbox,
1123 ptrace_sandbox_validator_t val,
1124 void* p_arg)
1125 {
1126 p_sandbox->socketcall_validator[SYS_GETSOCKOPT] = val;
1127 p_sandbox->socketcall_validator_arg[SYS_GETSOCKOPT] = p_arg;
1128 }
1129
1130 void
1131 ptrace_sandbox_permit_shutdown(struct pt_sandbox* p_sandbox)
1132 {
1133 install_socketcall(p_sandbox);
1134 p_sandbox->is_socketcall_allowed[SYS_SHUTDOWN] = 1;
1135 }
1136
1137 #else /* __linux__ && __i386__ */
1138
1139 struct pt_sandbox*
1140 ptrace_sandbox_alloc()
1141 {
1142 return 0;
1143 }
1144
1145 void
1146 ptrace_sandbox_free(struct pt_sandbox* p_sandbox)
1147 {
1148 (void) p_sandbox;
1149 }
1150
1151 int
1152 ptrace_sandbox_launch_process(struct pt_sandbox* p_sandbox,
1153 void (*p_func)(void*),
1154 void* p_arg)
1155 {
1156 (void) p_sandbox;
1157 (void) p_func;
1158 (void) p_arg;
1159 return -1;
1160 }
1161
1162 int
1163 ptrace_sandbox_run_processes(struct pt_sandbox* p_sandbox)
1164 {
1165 (void) p_sandbox;
1166 return -1;
1167 }
1168
1169 void
1170 ptrace_sandbox_attach_point(void)
1171 {
1172 }
1173
1174 void
1175 ptrace_sandbox_permit_exit(struct pt_sandbox* p_sandbox)
1176 {
1177 (void) p_sandbox;
1178 }
1179
1180 void
1181 ptrace_sandbox_permit_read(struct pt_sandbox* p_sandbox)
1182 {
1183 (void) p_sandbox;
1184 }
1185
1186 void
1187 ptrace_sandbox_permit_write(struct pt_sandbox* p_sandbox)
1188 {
1189 (void) p_sandbox;
1190 }
1191
1192 void
1193 ptrace_sandbox_permit_sigaction(struct pt_sandbox* p_sandbox)
1194 {
1195 (void) p_sandbox;
1196 }
1197
1198 void
1199 ptrace_sandbox_permit_alarm(struct pt_sandbox* p_sandbox)
1200 {
1201 (void) p_sandbox;
1202 }
1203
1204 void
1205 ptrace_sandbox_permit_query_time(struct pt_sandbox* p_sandbox)
1206 {
1207 (void) p_sandbox;
1208 }
1209
1210 void
1211 ptrace_sandbox_permit_mmap(struct pt_sandbox* p_sandbox)
1212 {
1213 (void) p_sandbox;
1214 }
1215
1216 void
1217 ptrace_sandbox_permit_mprotect(struct pt_sandbox* p_sandbox)
1218 {
1219 (void) p_sandbox;
1220 }
1221
1222 void
1223 ptrace_sandbox_permit_file_stats(struct pt_sandbox* p_sandbox)
1224 {
1225 (void) p_sandbox;
1226 }
1227
1228 void
1229 ptrace_sandbox_permit_fd_stats(struct pt_sandbox* p_sandbox)
1230 {
1231 (void) p_sandbox;
1232 }
1233
1234 void
1235 ptrace_sandbox_permit_getcwd(struct pt_sandbox* p_sandbox)
1236 {
1237 (void) p_sandbox;
1238 }
1239
1240 void
1241 ptrace_sandbox_permit_chdir(struct pt_sandbox* p_sandbox)
1242 {
1243 (void) p_sandbox;
1244 }
1245
1246 void
1247 ptrace_sandbox_permit_umask(struct pt_sandbox* p_sandbox)
1248 {
1249 (void) p_sandbox;
1250 }
1251
1252 void
1253 ptrace_sandbox_permit_open(struct pt_sandbox* p_sandbox, int writeable)
1254 {
1255 (void) p_sandbox;
1256 (void) writeable;
1257 }
1258
1259 void
1260 ptrace_sandbox_permit_close(struct pt_sandbox* p_sandbox)
1261 {
1262 (void) p_sandbox;
1263 }
1264
1265 void
1266 ptrace_sandbox_permit_getdents(struct pt_sandbox* p_sandbox)
1267 {
1268 (void) p_sandbox;
1269 }
1270
1271 void
1272 ptrace_sandbox_permit_fcntl(struct pt_sandbox* p_sandbox)
1273 {
1274 (void) p_sandbox;
1275 }
1276
1277 void
1278 ptrace_sandbox_permit_sendfile(struct pt_sandbox* p_sandbox)
1279 {
1280 (void) p_sandbox;
1281 }
1282
1283 void
1284 ptrace_sandbox_permit_seek(struct pt_sandbox* p_sandbox)
1285 {
1286 (void) p_sandbox;
1287 }
1288
1289 void
1290 ptrace_sandbox_permit_select(struct pt_sandbox* p_sandbox)
1291 {
1292 (void) p_sandbox;
1293 }
1294
1295 void
1296 ptrace_sandbox_permit_unlink(struct pt_sandbox* p_sandbox)
1297 {
1298 (void) p_sandbox;
1299 }
1300
1301 void
1302 ptrace_sandbox_permit_mkdir(struct pt_sandbox* p_sandbox)
1303 {
1304 (void) p_sandbox;
1305 }
1306
1307 void
1308 ptrace_sandbox_permit_rmdir(struct pt_sandbox* p_sandbox)
1309 {
1310 (void) p_sandbox;
1311 }
1312
1313 void
1314 ptrace_sandbox_permit_rename(struct pt_sandbox* p_sandbox)
1315 {
1316 (void) p_sandbox;
1317 }
1318
1319 void
1320 ptrace_sandbox_permit_utime(struct pt_sandbox* p_sandbox)
1321 {
1322 (void) p_sandbox;
1323 }
1324
1325 void
1326 ptrace_sandbox_permit_utimes(struct pt_sandbox* p_sandbox)
1327 {
1328 (void) p_sandbox;
1329 }
1330
1331 void
1332 ptrace_sandbox_permit_sigreturn(struct pt_sandbox* p_sandbox)
1333 {
1334 (void) p_sandbox;
1335 }
1336
1337 void
1338 ptrace_sandbox_permit_recv(struct pt_sandbox* p_sandbox)
1339 {
1340 (void) p_sandbox;
1341 }
1342
1343 void
1344 ptrace_sandbox_kill_processes(struct pt_sandbox* p_sandbox)
1345 {
1346 (void) p_sandbox;
1347 }
1348
1349 int
1350 ptrace_sandbox_get_arg(struct pt_sandbox* p_sandbox,
1351 int arg,
1352 unsigned long* p_out)
1353 {
1354 (void) p_sandbox;
1355 (void) arg;
1356 (void) p_out;
1357 return -1;
1358 }
1359
1360 int
1361 ptrace_sandbox_get_socketcall_arg(struct pt_sandbox* p_sandbox,
1362 int arg,
1363 unsigned long* p_out)
1364 {
1365 (void) p_sandbox;
1366 (void) arg;
1367 (void) p_out;
1368 return -1;
1369 }
1370
1371 int
1372 ptrace_sandbox_get_long(struct pt_sandbox* p_sandbox,
1373 unsigned long ptr,
1374 unsigned long* p_out)
1375 {
1376 (void) p_sandbox;
1377 (void) ptr;
1378 (void) p_out;
1379 return -1;
1380 }
1381
1382 int
1383 ptrace_sandbox_get_buf(struct pt_sandbox* p_sandbox,
1384 unsigned long ptr,
1385 unsigned long len,
1386 void* p_buf)
1387 {
1388 (void) p_sandbox;
1389 (void) ptr;
1390 (void) len;
1391 (void) p_buf;
1392 return -1;
1393 }
1394
1395 void
1396 ptrace_sandbox_permit_readlink(struct pt_sandbox* p_sandbox)
1397 {
1398 (void) p_sandbox;
1399 }
1400
1401 void
1402 ptrace_sandbox_permit_brk(struct pt_sandbox* p_sandbox)
1403 {
1404 (void) p_sandbox;
1405 }
1406
1407 void
1408 ptrace_sandbox_permit_sleep(struct pt_sandbox* p_sandbox)
1409 {
1410 (void) p_sandbox;
1411 }
1412
1413 void
1414 ptrace_sandbox_permit_fchmod(struct pt_sandbox* p_sandbox)
1415 {
1416 (void) p_sandbox;
1417 }
1418
1419 void
1420 ptrace_sandbox_permit_chmod(struct pt_sandbox* p_sandbox)
1421 {
1422 (void) p_sandbox;
1423 }
1424
1425 void
1426 ptrace_sandbox_permit_fchown(struct pt_sandbox* p_sandbox)
1427 {
1428 (void) p_sandbox;
1429 }
1430
1431 void
1432 ptrace_sandbox_permit_mremap(struct pt_sandbox* p_sandbox)
1433 {
1434 (void) p_sandbox;
1435 }
1436
1437 void
1438 ptrace_sandbox_permit_ftruncate(struct pt_sandbox* p_sandbox)
1439 {
1440 (void) p_sandbox;
1441 }
1442
1443 void
1444 ptrace_sandbox_permit_socket(struct pt_sandbox* p_sandbox)
1445 {
1446 (void) p_sandbox;
1447 }
1448
1449 void
1450 ptrace_sandbox_set_socket_validator(struct pt_sandbox* p_sandbox,
1451 ptrace_sandbox_validator_t val,
1452 void* p_arg)
1453 {
1454 (void) p_sandbox;
1455 (void) val;
1456 (void) p_arg;
1457 }
1458
1459 void
1460 ptrace_sandbox_permit_bind(struct pt_sandbox* p_sandbox)
1461 {
1462 (void) p_sandbox;
1463 }
1464
1465 void
1466 ptrace_sandbox_set_bind_validator(struct pt_sandbox* p_sandbox,
1467 ptrace_sandbox_validator_t val,
1468 void* p_arg)
1469 {
1470 (void) p_sandbox;
1471 (void) val;
1472 (void) p_arg;
1473 }
1474
1475 void
1476 ptrace_sandbox_permit_connect(struct pt_sandbox* p_sandbox)
1477 {
1478 (void) p_sandbox;
1479 }
1480
1481 void
1482 ptrace_sandbox_set_connect_validator(struct pt_sandbox* p_sandbox,
1483 ptrace_sandbox_validator_t val,
1484 void* p_arg)
1485 {
1486 (void) p_sandbox;
1487 (void) val;
1488 (void) p_arg;
1489 }
1490
1491 void
1492 ptrace_sandbox_permit_listen(struct pt_sandbox* p_sandbox)
1493 {
1494 (void) p_sandbox;
1495 }
1496
1497 void
1498 ptrace_sandbox_permit_accept(struct pt_sandbox* p_sandbox)
1499 {
1500 (void) p_sandbox;
1501 }
1502
1503 void
1504 ptrace_sandbox_permit_setsockopt(struct pt_sandbox* p_sandbox)
1505 {
1506 (void) p_sandbox;
1507 }
1508
1509 void
1510 ptrace_sandbox_set_setsockopt_validator(struct pt_sandbox* p_sandbox,
1511 ptrace_sandbox_validator_t val,
1512 void* p_arg)
1513 {
1514 (void) p_sandbox;
1515 (void) val;
1516 (void) p_arg;
1517 }
1518
1519 void
1520 ptrace_sandbox_permit_getsockopt(struct pt_sandbox* p_sandbox)
1521 {
1522 (void) p_sandbox;
1523 }
1524
1525 void
1526 ptrace_sandbox_set_getsockopt_validator(struct pt_sandbox* p_sandbox,
1527 ptrace_sandbox_validator_t val,
1528 void* p_arg)
1529 {
1530 (void) p_sandbox;
1531 (void) val;
1532 (void) p_arg;
1533 }
1534
1535 void
1536 ptrace_sandbox_permit_shutdown(struct pt_sandbox* p_sandbox)
1537 {
1538 (void) p_sandbox;
1539 }
1540
1541 #endif /* __linux__ && __i386__ */