Initial commit
Šī revīzija ir iekļauta:
revīzija
200cd7878c
42
README.md
Parasts fails
42
README.md
Parasts fails
@ -0,0 +1,42 @@
|
||||
qssb (quite simple sandbox)
|
||||
===========================
|
||||
qssb.h is a simple header only library for easy sandboxing of
|
||||
applications.
|
||||
|
||||
It aims to provide an interface to avoid the annoying details that
|
||||
using Seccomp and Linux Namespaces requires.
|
||||
|
||||
Features
|
||||
========
|
||||
Systemcall filtering, restricting file system access, dropping
|
||||
privileges, isolating the application from the network, etc.
|
||||
|
||||
Requirements
|
||||
============
|
||||
Kernel x.y.z.
|
||||
|
||||
Status
|
||||
======
|
||||
No release yet, API is unstable.
|
||||
|
||||
Documentation
|
||||
=============
|
||||
To be written
|
||||
|
||||
Examples
|
||||
========
|
||||
Real world project: cgit sandboxed: https://git.quitesimple.org/cgitsb
|
||||
|
||||
|
||||
Contributing
|
||||
============
|
||||
Contributations are very welcome. Options:
|
||||
1) Pull-Request: github.com/quitesimpleorg/qssb
|
||||
2) Mail to qssb at quitesimple.org with instructions
|
||||
on where to pull the changes.
|
||||
3) Mailing a classic patch.
|
||||
|
||||
License
|
||||
=======
|
||||
ISC
|
||||
|
401
qssb.h
Parasts fails
401
qssb.h
Parasts fails
@ -0,0 +1,401 @@
|
||||
#ifndef QSSB_H
|
||||
#define QSSB_H
|
||||
#define _GNU_SOURCE
|
||||
#include <sched.h>
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/prctl.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <linux/limits.h>
|
||||
#include <linux/filter.h>
|
||||
#include <linux/seccomp.h>
|
||||
#include <sys/capability.h>
|
||||
#include <stddef.h>
|
||||
|
||||
//TODO: stolen from kernel samples/seccomp, GPLv2...?
|
||||
#define ALLOW \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
||||
#define DENY \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
|
||||
#define SYSCALL(nr, jt) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (nr), 0, 1), jt
|
||||
|
||||
#define LOAD_SYSCALL_NR \
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
offsetof(struct seccomp_data, nr))
|
||||
|
||||
#define QSSB_ISOLATE_NETWORK 1<<1
|
||||
|
||||
#define QSSB_LOG_ERROR(...) fprintf(stderr, __VA_ARGS__)
|
||||
|
||||
/* Policy tells qssb what to do */
|
||||
struct qssb_policy
|
||||
{
|
||||
int drop_caps;
|
||||
int preserve_cwd;
|
||||
int not_dumpable;
|
||||
int no_new_privs;
|
||||
int namespace_options;
|
||||
int syscall_default_policy;
|
||||
int *blacklisted_syscalls;
|
||||
int *allowed_syscalls;
|
||||
char *chroot_target_path;
|
||||
char *chdir_path;
|
||||
char **readonly_paths;
|
||||
char **writable_paths;
|
||||
};
|
||||
|
||||
|
||||
/* Creates the default policy
|
||||
* Must be freed using qssb_free_policy
|
||||
* @returns: default policy */
|
||||
struct qssb_policy *qssb_init_policy()
|
||||
{
|
||||
struct qssb_policy *result = calloc(1, sizeof(struct qssb_policy));
|
||||
result->drop_caps = 1;
|
||||
result->not_dumpable = 1;
|
||||
result->no_new_privs = 1;
|
||||
result->namespace_options = 0;
|
||||
result->chdir_path = "/";
|
||||
result->chroot_target_path = NULL;
|
||||
result->readonly_paths = NULL;
|
||||
result->writable_paths = NULL;
|
||||
return result;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/* Creates a directory and all necessary parent directories
|
||||
*
|
||||
* @returns: 0 on success, -ERRNO on failure
|
||||
* */
|
||||
static int mkdir_structure(const char *p, mode_t mode)
|
||||
{
|
||||
char path[PATH_MAX + 2] = { 0 };
|
||||
snprintf(path, sizeof(path), "%s/", p);
|
||||
|
||||
char *begin = path;
|
||||
char *end = begin+1;
|
||||
|
||||
while(*end)
|
||||
{
|
||||
if(*end == '/')
|
||||
{
|
||||
*end = 0;
|
||||
if(mkdir(begin, mode) < 0)
|
||||
{
|
||||
if(errno == EEXIST)
|
||||
{
|
||||
//TODO: stat, test if it is a directory, if not, err
|
||||
}
|
||||
else
|
||||
{
|
||||
QSSB_LOG_ERROR("Failed to create directory for chroot: %s\n", begin);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
*end = '/';
|
||||
++end;
|
||||
while(*end == '/')
|
||||
{
|
||||
++end;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
++end;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Helper to mount directories into the chroot path "chroot_target_path"
|
||||
* Paths will be created if necessary
|
||||
|
||||
* @returns: 0 on sucess, -ERRNO on failure */
|
||||
static int mount_to_chroot(const char *chroot_target_path, char **paths, unsigned long flags)
|
||||
{
|
||||
if(paths == NULL)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
char *path = *paths;
|
||||
while(path != NULL)
|
||||
{
|
||||
char path_inside_chroot[PATH_MAX + 1];
|
||||
snprintf(path_inside_chroot, sizeof(path_inside_chroot), "%s/%s", chroot_target_path, path);
|
||||
int ret = mkdir_structure(path_inside_chroot, 0700);
|
||||
if(ret < 0)
|
||||
{
|
||||
QSSB_LOG_ERROR("Error creating directory structure while mounting paths to chroot. %s\n", strerror(errno));
|
||||
return ret;
|
||||
}
|
||||
|
||||
ret = mount(path, path_inside_chroot, NULL, flags, NULL);
|
||||
if(ret < 0 )
|
||||
{
|
||||
QSSB_LOG_ERROR("Error: Failed to mount %s to %s: %s\n", path, path_inside_chroot, strerror(errno));
|
||||
return ret;
|
||||
}
|
||||
|
||||
path = *(++paths);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Ends the policy as best as possible. */
|
||||
/* TODO: can this function do actually anything useful?*/
|
||||
static int qssb_end_policy(struct qssb_policy *ctxt)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
* Frees the memory taken by a qssb_policy object
|
||||
*/
|
||||
static void qssb_free_policy(struct qssb_policy *ctxt)
|
||||
{
|
||||
free(ctxt);
|
||||
}
|
||||
|
||||
/* Enters the user and mount namespaces */
|
||||
static int enter_namespaces()
|
||||
{
|
||||
int ret = unshare(CLONE_NEWUSER);
|
||||
if(ret == -1)
|
||||
{
|
||||
QSSB_LOG_ERROR("Error: Failed to unshare user namespaces: %s\n", strerror(errno));
|
||||
return ret;
|
||||
}
|
||||
|
||||
uid_t current_uid = getuid();
|
||||
gid_t current_gid = getgid();
|
||||
|
||||
//TODO: check errors
|
||||
FILE *fp = fopen("/proc/self/setgroups", "w");
|
||||
fprintf(fp, "deny");
|
||||
fclose(fp);
|
||||
|
||||
fp = fopen("/proc/self/uid_map", "w");
|
||||
fprintf(fp, "0 %i", current_uid);
|
||||
fclose(fp);
|
||||
|
||||
fp = fopen("/proc/self/gid_map", "w");
|
||||
fprintf(fp, "0 %i", current_gid);
|
||||
fclose(fp);
|
||||
|
||||
ret = unshare(CLONE_NEWNS);
|
||||
if(ret == -1)
|
||||
{
|
||||
QSSB_LOG_ERROR("Error: Failed to unshare mount namespaces: %s\n", strerror(errno));
|
||||
return ret;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Drops all capabiltiies held by the process
|
||||
*
|
||||
* @returns: 0 on sucess, -1 on error
|
||||
*/
|
||||
static int drop_caps()
|
||||
{
|
||||
int cap = 0;
|
||||
int res = 0;
|
||||
while((res = prctl(PR_CAPBSET_DROP, cap, 0, 0, 0)) == 0)
|
||||
{
|
||||
++cap;
|
||||
}
|
||||
|
||||
if(res == -1 && errno != EINVAL)
|
||||
{
|
||||
QSSB_LOG_ERROR("Failed to drop the capability bounding set!");
|
||||
return -errno;
|
||||
}
|
||||
|
||||
//TODO: systems that are not 64 bit
|
||||
struct __user_cap_header_struct h = { 0 };
|
||||
h.pid = 0;
|
||||
h.version = _LINUX_CAPABILITY_VERSION_3;
|
||||
struct __user_cap_data_struct drop[2];
|
||||
drop[0].effective = 0;
|
||||
drop[0].permitted = 0;
|
||||
drop[0].inheritable = 0;
|
||||
drop[1].effective = 0;
|
||||
drop[1].permitted = 0;
|
||||
drop[1].inheritable = 0;
|
||||
if(capset(&h, drop) == -1)
|
||||
{
|
||||
QSSB_LOG_ERROR("Failed to drop capabilities: %s\n", strerror(errno));;
|
||||
return -errno;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Enables the per_syscall seccomp action for system calls
|
||||
*
|
||||
* syscalls: array of system calls numbers. -1 must be the last entry.
|
||||
* per_syscall: action to apply for each system call
|
||||
* default_action: the default action at the end
|
||||
*
|
||||
* @returns: 0 on success, -1 on error
|
||||
*/
|
||||
static int seccomp_enable(int *syscalls, int per_syscall, int default_action)
|
||||
{
|
||||
struct sock_filter filter[1024] =
|
||||
{
|
||||
LOAD_SYSCALL_NR,
|
||||
};
|
||||
|
||||
int current_filter_index = 1;
|
||||
while(*syscalls != -1)
|
||||
{
|
||||
struct sock_filter syscall = BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, *syscalls, 0, 1);
|
||||
struct sock_filter action = BPF_STMT(BPF_RET+BPF_K, per_syscall);
|
||||
filter[current_filter_index++] = syscall;
|
||||
filter[current_filter_index++] = action;
|
||||
|
||||
++syscalls;
|
||||
}
|
||||
|
||||
struct sock_filter da = BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL);
|
||||
filter[current_filter_index] = da;
|
||||
|
||||
struct sock_fprog prog = {
|
||||
.len = current_filter_index + 1,
|
||||
.filter = filter,
|
||||
};
|
||||
|
||||
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
|
||||
{
|
||||
QSSB_LOG_ERROR("prctl SET_SECCOMP %s\n", strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Blacklists the specified systemcalls.
|
||||
*
|
||||
* syscalls: array of system calls numbers. -1 must be the last entry.
|
||||
*/
|
||||
static int seccomp_enable_blacklist(int *syscalls)
|
||||
{
|
||||
return seccomp_enable(syscalls, SECCOMP_RET_KILL, SECCOMP_RET_ALLOW);
|
||||
}
|
||||
|
||||
/*
|
||||
* Blacklists the specified systemcalls.
|
||||
*
|
||||
* syscalls: array of system calls numbers. -1 must be the last entry.
|
||||
*/
|
||||
static int seccomp_enable_whitelist(int *syscalls)
|
||||
{
|
||||
return seccomp_enable(syscalls, SECCOMP_RET_ALLOW, SECCOMP_RET_KILL);
|
||||
}
|
||||
|
||||
/* Enables the specified qssb_policy.
|
||||
*
|
||||
* The calling process is supposed *TO BE WRITTEN* if
|
||||
* this function fails.
|
||||
* @returns: 0 on sucess, <0 on error
|
||||
*/
|
||||
int qssb_enable_policy(struct qssb_policy *policy)
|
||||
{
|
||||
if(policy->blacklisted_syscalls != NULL && policy->allowed_syscalls != NULL)
|
||||
{
|
||||
QSSB_LOG_ERROR("Error: Cannot mix blacklisted and whitelisted systemcalls\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
||||
if(policy->chroot_target_path == NULL)
|
||||
{
|
||||
policy->chroot_target_path = "/tmp/.TODOIMPLEMENT"; //TODO: implement
|
||||
}
|
||||
|
||||
if(enter_namespaces() < 0)
|
||||
{
|
||||
QSSB_LOG_ERROR("Error while trying to enter namespaces\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if(policy->readonly_paths != NULL || policy->writable_paths != NULL)
|
||||
{
|
||||
if(mount_to_chroot(policy->chroot_target_path, policy->readonly_paths, MS_BIND | MS_RDONLY) < 0)
|
||||
{
|
||||
return -1;
|
||||
}
|
||||
|
||||
if(mount_to_chroot(policy->chroot_target_path, policy->writable_paths, MS_BIND) < 0)
|
||||
{
|
||||
return -1;
|
||||
}
|
||||
|
||||
if(chroot(policy->chroot_target_path) < 0)
|
||||
{
|
||||
QSSB_LOG_ERROR("chroot: failed to enter %s\n", policy->chroot_target_path);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if(chdir(policy->chdir_path) < 0)
|
||||
{
|
||||
return -1;
|
||||
}
|
||||
|
||||
if(policy->drop_caps)
|
||||
{
|
||||
drop_caps();
|
||||
}
|
||||
|
||||
if(policy->not_dumpable)
|
||||
{
|
||||
if(prctl(PR_SET_DUMPABLE, 0) == -1)
|
||||
{
|
||||
QSSB_LOG_ERROR("prctl: PR_SET_DUMPABLE failed\n");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if(policy->no_new_privs)
|
||||
{
|
||||
if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
|
||||
{
|
||||
QSSB_LOG_ERROR("prctl: PR_SET_NO_NEW_PRIVS failed: %s\n", strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if(policy->allowed_syscalls != NULL)
|
||||
{
|
||||
if(seccomp_enable_whitelist(policy->allowed_syscalls) <0)
|
||||
{
|
||||
QSSB_LOG_ERROR("seccomp_enable_whitelist failed\n");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if(policy->blacklisted_syscalls != NULL)
|
||||
{
|
||||
if(seccomp_enable_blacklist(policy->blacklisted_syscalls) <0)
|
||||
{
|
||||
QSSB_LOG_ERROR("seccomp_enable_blacklist failed\n");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
Notiek ielāde…
Atsaukties uz šo jaunā problēmā
Block a user