Compare commits

111 Commits

Author SHA1 Message Date
4cfdead5d0 no_fs: Use landlock if possible
This is not 100% the same, but good enough and more importantly,
does not require unsharing user/mount namespace and the chroot call.
2024-05-26 20:12:20 +02:00
bbc8193ea9 Handle newer landlock ABI versions for filesystem isolation 2024-05-26 20:03:20 +02:00
c9fdeb4a1d enter_namespaces(): Add missing newline at error messages 2024-05-26 19:31:14 +02:00
3732524bfa exile_init_policy(): Don't unshare network namespaces by default
This no longer works on some distros (e. g. Ubuntu 24.04) which
move (back) to restrict unprivileged user namespaces, and is
not required when Landlock is available, which is more and more
a given, thankfully.
2024-05-26 19:28:02 +02:00
4059c1a093 landlock_prepare_ruleset(): zero-init landlock structs
'landlock_ruleset_attr' used to only have a single member. Meanwhile,
depending on linux/headers version, others may be present. So zero-init
the struct, as otherwise we might get 'Invalid argument' return codes,
as those we do not explicitly initialize might contain garbage values.
2024-05-24 13:25:10 +02:00
44b9a17bec Allow specifying uid/gid to map in user namespace 2022-12-27 13:25:12 +01:00
f662398ac3 test: test_launch_get(): Fix typo and remove redundant call 2022-12-27 13:14:39 +01:00
7b859d0aed exile_launch_get(): Remove redundant seek 2022-12-26 18:36:17 +01:00
5cd0a36ced test.sh: Fix regression causing status code to be lost
The changes in 01c5cbf701ab0b0fa928691c6e16e69d13732f3f
did not take into account that "tee" would change the exit code.

Use a portable alternative to &>> now.
2022-12-26 18:29:32 +01:00
618f223491 enter_namespaces(): Fix uid/gid mapping
This was not caught before because a test was missing, fprintf() without ferror()
didn't help, and calling code did not depend on uid maps so far.

Add tests.
2022-12-26 18:23:34 +01:00
01c5cbf701 test.sh: Make it more portable 2022-12-20 10:50:42 +01:00
769f729dc5 README.md: Update 2022-10-26 10:27:38 +02:00
40d23af355 concat_path(): Add missing free() calls 2022-10-23 19:54:21 +02:00
b5f83499f3 exile_append_syscall_policy(): Add missing free() 2022-10-23 19:52:56 +02:00
ff60ec227d perform_mounts(): Fix potential leak and fix iteration
We would not free 'concat_path' in all potential paths.
Also, the iteration would not continue potentially.

This was a case unlikely to be hit in practice.
2022-10-23 19:48:33 +02:00
e711a1d53a exile_landlock_is_available(): Fix availability check
The check only assumed the existence of ABI version 1, which
is not the case any more.

Closes: https://github.com/quitesimpleorg/exile.h/issues/1
2022-08-16 23:07:49 +02:00
6628bf4fb7 README: Update and minor improvements 2022-08-16 23:07:42 +02:00
3fa73b0b97 Close file fds by default, introduce policy->keep_fds_open
The better default is to close them, not keeping them open.

Does not close sockets and pipes to not interfere with IPC.

Issue: #10
2022-07-17 13:00:02 +02:00
8f38dc4480 check_policy_sanity(): Allow vows and syscall policies
Adjust checks to allow a mixed mode between syscall policies and vows.
Check for some easy to make mistakes in such scenario.
2022-06-09 10:02:12 +02:00
42d44b0cc1 README.md: Minor improvements throughout the file 2022-06-06 14:07:37 +02:00
bd3641981c Introduce EXILE_SYSCALL_DENY_RET_NOSYS for syscalls like clone3()
clone3() is used more and more, but we cannot filter it. We can either
allow it fully or return ENOSYS. Some libraries perform fallbacks to the
older clone() in that case, which we can filter again.
2022-06-06 14:07:37 +02:00
bbbdfc44da exile.hpp: do_clone(): free stack memory 2022-05-29 19:25:53 +02:00
2dc61828f1 README: Clarify limitations 2022-04-29 21:25:21 +02:00
cdc265cedf c++: exile_launch(): Correct std::enable_if logic if type is a ptr 2022-04-29 21:23:53 +02:00
91858efa51 vows map: Add memfd_create, rseq 2022-04-22 08:37:34 +02:00
88995d214d README.md: Minor improvements (typos, rephrasing) 2022-04-07 00:04:52 +02:00
6eb47daf84 README: Update Debian section 2022-03-28 19:25:55 +02:00
8bf87717a5 vows: ioctl: Make TIOCSTI illegal even when IOCTL vow is set 2022-03-28 19:14:02 +02:00
bcaefffbe8 Improve various error messages 2022-03-28 19:04:28 +02:00
ed5098f2c6 README: Begin demo section 2022-03-17 17:10:38 +01:00
ea66ef76eb exile_flags_to_landlock(): Cover more with ALL_WRITE, except devices
More consistent with mount(), where MS_NODEV disallows those.

We may need to introduce a flag that simply allows everything
2022-03-17 15:47:22 +01:00
66def7a28f append_syscall_to_bpf(): Check for unlikely case of too many sock_filters 2022-03-17 15:47:22 +01:00
dbf8e87440 exile.hpp: Mark do_clone inline, not static 2022-03-17 15:47:22 +01:00
98421fab90 Makefile: Build exile.o separately, link it in all tests 2022-03-17 15:47:22 +01:00
70c3fef500 exile.h: Retire static child_read/write_pipe vars 2022-03-17 15:47:22 +01:00
69829374c7 exile.h: Move definitions to new file exile.c
Especially with exile_launch(), we will be included
from more than one translation unit. Thus, ODR becomes
a headache now.

So move definitions to exile.c.
2022-03-17 15:47:22 +01:00
005851c645 exile.h: Add extern "C" guards 2022-03-17 15:47:22 +01:00
95fa11e928 c++: Add explicit exile_launch() std::basic_string variant 2022-03-17 15:47:22 +01:00
97e2025758 c++: Retire exile_launch_trivial(), use std::enable_if 2022-03-17 15:47:22 +01:00
8cfb73568a Makefile: Add 'tests' target, depend on headers too to rebuild on changes of those 2022-03-17 15:47:22 +01:00
e7a5ba7f7f test.sh: Also run C++ tests 2022-03-17 15:47:22 +01:00
e52eda186b Add test.cpp to test C++ API 2022-03-17 15:47:22 +01:00
90ed5bbae9 Begin C++ API: Add exile.hpp with exile_launch() wrappers 2022-03-17 15:47:22 +01:00
48b6de9036 struct syscall_vow_map: change 'str' to const char* 2022-03-17 15:47:22 +01:00
93acb13929 test: Introduce LOG(), avoid inconsistent printf/fprintf 2022-03-17 15:47:22 +01:00
9247a6636b Introduce exile_vows_from_str() 2022-03-17 15:47:22 +01:00
4a3ac8e0bc exile_launch(): Improve handling/logging of errors 2022-01-16 21:46:11 +01:00
ed54575b89 exile_launch(): Open another pipe to also write to child 2022-01-16 21:46:11 +01:00
0caff45600 EXILE_LOG_ERROR: Prepend function name 2022-01-16 21:46:11 +01:00
080c0e53c2 test: test_mkpath(): Cleanup before run and on success 2022-01-16 21:46:11 +01:00
4adc13215b exile_append_path_policies(): Add sentinel macro, making *policy() version redundant 2022-01-16 21:46:11 +01:00
bf29edf213 Update README with most recent draft 2022-01-16 21:46:11 +01:00
68bfd7e66c Update copyright header 2022-01-16 21:46:11 +01:00
58bc50db61 test: Begin testing exile_launch*() 2022-01-16 21:46:11 +01:00
1e63fa75ef Introduce exile_launch*(): Simplifies launching functions protected by policy
Those functions clone(), then activate the specified policy.
They then jump to the supplied function and pass an argument to it.

exile_launch() returns a read file descriptor, that can be
used by the parent process to get the data.

exile_launch_get() is a convenience wrapper, returning a buffer
containing everything read from the sandboxed function.
2022-01-16 21:46:11 +01:00
6c44c88397 create_chroot_dirs(): Correct comment 2022-01-16 21:46:11 +01:00
3780509078 Introduce flags indicating errors to catch non-checked return codes
Certain functions can fail before we execute exile_enable_policy().

While the return code should be checked, it's easily forgotten. For
most users, checking just the exile_enable_policy() return code
should suffice.

exile_append_path_policies(): Add check whether a path exists. If not,
set the error flag.

This also allows an early exit, allowing to cleanly handle the case
when a path does not exist. Previously, this was only caught
during activation, and a failure there is generally undefined.
2022-01-16 21:46:11 +01:00
fd4dfb12f0 vow: Add prlimit64(),arch_prctl() 2022-01-16 21:46:11 +01:00
a9e6b3ee67 chroot: Create all paths first, then mount
We mounted after creating dirs, this was potentially problematic
for the next path policy to follow.

Perform two passes on the path_policies list, first creates all
dirs, second does the mounts.
2022-01-16 21:46:11 +01:00
3b61e90761 test: Add mkpath() test 2022-01-16 20:38:03 +01:00
0e27b19999 Handle files for bind-mounts too, rename mkdir_structure() to mkpath() 2022-01-16 20:38:03 +01:00
ff70142e04 exile_flags_to_landlock(): Only add flags for a path that are reasonable 2022-01-08 12:19:31 +01:00
4824c6eaa9 check_policy_sanity(): Traverse path_policy list only if no landlock available 2021-12-29 11:03:51 +01:00
9048a3b4fe append_syscall_to_bpf(): Improve readability 2021-12-29 11:03:51 +01:00
0b54e73ff4 Rework get_vow_argfilter() for readability and easiness
The previous approach had too many special cases, was quite
error-prone when changing things and a bit messy in general.
2021-12-29 11:03:51 +01:00
b2306299d5 vow: fix clone filter broken by ca0f8279 2021-12-28 13:17:20 +01:00
55b43fdaac Rename our 'pledge' mechanism to 'vow'
Among other differences, pledge() from OpenBSD takes a string
and has exec promises. We don't.

Using the same name yet providing a different interface does not
appear reasonable.
2021-12-28 11:05:24 +01:00
6420ca1b40 Add landlock runtime detection
We cannot assume that landlock is enabled if we can compile it.
Even if it's enabled in the kernel it may still not be loaded.

We will fall back to chroot/bind-mounts if we can.

If we can't (because path policies have landlock-specific options),
we can't do that either.

Closes: #21
2021-12-27 16:51:08 +01:00
98c76089de Handle new 5.16 syscall: futex_waitv 2021-12-27 14:26:37 +01:00
631980b775 Include linux/capability.h instead of sys/capability.h
Some distros put sys/capability.h into libcap-dev or
similar, which is a bit unfortunate, we don't need
libcap-dev or anything like that.

Since we only used capget()/capset() anyway, we can
just define a simple wrapper and call the syscall directly
and therefore avoid the above mentioned issue.
2021-12-27 14:15:50 +01:00
0be081c55d Merge get_pledge_argfilter() with get_pledge_argfilter() 2021-12-27 14:11:58 +01:00
ca0f82790c Use some macros to increase readability of BPF rules 2021-12-27 12:35:54 +01:00
77adf09d34 test: Add tests for exile_pledge() 2021-12-27 12:35:54 +01:00
bcab0377f1 Add exile_pledge(): A convenience wrapper
exile_pledge() adds seccomp filters derived from the
promises.
2021-12-27 12:35:54 +01:00
b469a82eec pledge: Allow NO_NEW_PRIVS prctls
Retrieving it does no harm. It cannot be unset once set, thus
no harm in allowing to set it either.
2021-12-27 12:35:54 +01:00
6711b394d9 pledge: Add EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL to allow adding further seccomp filters 2021-12-27 12:35:54 +01:00
9abbc7510c Introduce exile_create_policy(): Creates a clean/empty policy.
exile_create_policy() Creates an empty policy that can be
used by the exile.h API.

exile_init_policy() sets opinionated default values.
2021-12-27 12:35:54 +01:00
029762e894 pledge: Add EXILE_SYSCALL_PLEDGE_IOCTL to allow ioctl() without argfilters 2021-12-27 12:35:54 +01:00
6b513f8339 pledge: Add prctl() default filter 2021-12-27 12:35:54 +01:00
d2357ac676 pledge: Introduce clone() filter and EXILE_SYSCALL_PLEDGE_THREAD 2021-12-27 12:35:54 +01:00
0b0dda0de1 pledge: Begin filter for setsockopt() args 2021-12-27 12:35:54 +01:00
7115ef8b4d Begin a pledge()-like implementation
This begins a pledge() implementation. This also
retires the previous syscall grouping approach,
as pledge() is the superior mechanism.

Squashed:
test: Begin basic pledge test
pledge: Begin EXILE_SYSCALL_PLEDGE_UNIX/EXILE_SYSCALL_PLEDGE_INET
test: Add pledge socket test
Introduce EXILE_SYSCALL_PLEDGE_DENY_ERROR, remove exile_policy->pledge_policy
pledge: Add PROT_EXEC
2021-12-27 12:35:54 +01:00
15a6850023 Begin low-level seccomp arg filter interface
Squashed:
test: Adjust existing to new API with arg filters
test: Add tests for low-level seccomp args filter API
test: Add seccomp_filter_mixed()
test: Switch to syscall() everywhere
append_syscall_to_bpf(): Apply EXILE_SYSCALL_EXIT_BPF_NO_MATCH also for sock_filter.jt
2021-12-27 12:35:54 +01:00
48deab0dde exile_enable_policy(): Only chdir() post chroot() 2021-12-27 12:35:35 +01:00
ce7eb57998 enter_namespaces(): Fix error message 2021-12-27 12:35:35 +01:00
3407fded04 Add EXILE_FS_ALLOW_ALL_{READ,WRITE}
Issue: #19
2021-12-27 00:30:52 +01:00
1b4c5477a5 rename to exile.h
qssb.h was a preliminary name and can't be pronounced smoothly.

exile.h is more fitting and it's also short. Something exiled is essentially
something isolated, which is pretty much what this library does (isolation from
resources such as file system, network and others accessible by system calls).
2021-11-30 18:19:15 +01:00
756b0fb421 rename qssb.h to exile.h 2021-11-30 17:40:36 +01:00
d150c2ecd9 Don't add any seccomp rules by default
Cannot be done properly on a pure syscall basis at this point.

A whitelist is almost certainly too restrictive, which means user
has to manually adjust the policy anyway. Then the default is not
of much use. Or too permissive.

A blacklist has to play catchup with new kernel versions. This may
be improved upon by blocking all unknown (too new) syscall
numbers. However, in light of the fact we drop caps and set no_new_privs,
it's debatable how much we can gain from a blacklist anyway.

So best to leave it to the user. We also need to allow checking args
too in order to make it easier to build policies. Perhaps get
inspiration from pledge() in OpenBSD.
2021-11-20 20:54:28 +01:00
435bcefa48 test: Skip landlock specific tests if unavailable during compile time 2021-11-20 19:25:30 +01:00
2a4cee2ece test: Use xqssb_enable_policy() throughout where reasonable 2021-11-20 16:56:19 +01:00
d847d0f996 qssb_append_group_syscall_policy(): Make QSSB_SYSCGROUP_NONE an invalid group 2021-11-14 21:46:47 +01:00
1a2443db18 qssb_append_syscalls_policy(): Fix mem leak on failure 2021-11-14 21:46:47 +01:00
db17e58deb Assign syscalls into groups. Add whitelist mode (default).
Classify syscalls into groups, for x86_64 only for now.
Up to date for 5.15, generate some #ifndef for syscalls
introduced since 5.10. Only support x86_64 therefore at this point.

Switch from blacklisting to a default whitelist.
2021-11-14 21:46:47 +01:00
0d7c5bd6d4 append_syscall_to_bpf(): Explicit type cast to fix (C++) warnings 2021-10-25 18:18:31 +02:00
55e1f42ca8 check_policy_sanity(): Initialize last_policy 2021-10-03 21:25:37 +02:00
11d64c6fcf enter_namespaces(): Check fopen/fprintf errors 2021-09-12 20:00:03 +02:00
ebe043c08d Fix missing \n in some error outputs 2021-09-12 19:50:05 +02:00
8bc0d1e73a Use overflow-safe operator builtins
As a precaution as it does not hurt
2021-09-12 19:47:45 +02:00
215032f32c enable_no_fs(): Fix corresponding test by adding missing default policy 2021-09-06 21:43:50 +02:00
411e00715d Rename qssb_append_default_syscall_policy() to better distinguish it from qssb_append_syscall_default_policy() 2021-09-05 17:24:42 +02:00
8a9b1730de test: Remove argc,argv from tests as there was no use for them 2021-09-05 17:12:25 +02:00
b2b501d97e test: Refactor: Put seccomp tests into child processes ; Simplify .sh
Refactor the test logic. Seccomp tests that can be
killed run in their own subprocess now.

All test functions now return 0 on success. Therefore,
the shell script can be simplified.
2021-09-05 17:12:25 +02:00
26f391f736 test: implement test_seccomp_errno() 2021-09-05 17:12:25 +02:00
68fd1a0a87 test: test_seccomp_blacklisted_call_permitted(): Add missing default policy 2021-09-05 17:12:25 +02:00
b0d0beab22 README.md: Update 2021-09-05 17:12:25 +02:00
c44ce85628 test: Add test ensuring seccomp ends with default rule, minor fixes 2021-09-05 17:12:25 +02:00
25d8ed9bca check_policy_sanity(): Add syscall policy checks 2021-09-05 17:12:25 +02:00
e389140436 test.sh: Log exit code, print yes/no instead of 1/0 2021-09-05 17:12:25 +02:00
f6af1bb78f policy: Add disable_syscall_filter policy. Add defaults only on enable.
Only add default syscall policy when disable_syscall_filter is 0 (default)
and no user-custom policy has been added.
2021-09-05 17:12:25 +02:00
9192ec3aa4 Rewrite syscall policy logic
Instead of having a blacklist and whitelist, we now allow
setting a policy that runs as a chain.

This adds qssb_append_syscalls_policy()

Furthermore, add a feature to decide per syscall which action to take.
This allows now to return an error instead of just killing the process.

In the future, it may allow us to optimize/shrink the BPF filter.
2021-09-05 17:12:03 +02:00
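Several commits in this range circle the same Landlock pitfall: availability and ABI version are only known at runtime (6420ca1b40, e711a1d53a), a uapi header newer than the kernel makes `struct landlock_ruleset_attr` larger than what that kernel validates (4059c1a093), and newer ABIs add `handled_access_fs` bits an older kernel rejects with EINVAL (bbc8193ea9). The C program below is an added example written for this page, not exile.h's own code: it asks the kernel for its ABI with `landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)`, masks the requested rights down to that ABI, zero-initialises the attr struct so trailing bytes the kernel does not know about are zero, and reports which rights were dropped. The function names, the `LL_*` macros and the `#ifndef` fallbacks are the example's own; the ABI-to-bit mapping follows the kernel uapi (ABI 2 added `LANDLOCK_ACCESS_FS_REFER`, ABI 3 `TRUNCATE`, ABI 5 `IOCTL_DEV`; ABI 4 only added network rights).

```c
/* Added example for this page (not exile.h code): probe the Landlock ABI at
 * runtime, keep only the handled_access_fs bits that ABI knows, and zero the
 * attr struct so bytes the running kernel does not know about are zero
 * (the kernel rejects non-zero trailing bytes in a too-large struct). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#if defined(__has_include)
#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#endif
#endif

/* Fallbacks for uapi headers older than the feature; values are the kernel's. */
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
struct landlock_ruleset_attr { uint64_t handled_access_fs; }; /* ABI 1 layout */
#endif
#ifndef LANDLOCK_ACCESS_FS_REFER
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)     /* ABI 2 */
#endif
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)  /* ABI 3 */
#endif
#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) /* ABI 5 */
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#define LL_ABI1_FS_MASK ((1ULL << 13) - 1) /* EXECUTE .. MAKE_SYM, bits 0-12 */
#define LL_READ_FILE    (1ULL << 2)        /* LANDLOCK_ACCESS_FS_READ_FILE */

/* Bits a given ABI accepts in handled_access_fs; an unknown bit makes
 * landlock_create_ruleset() fail with EINVAL. ABI 4 added only network rights. */
uint64_t landlock_fs_mask_for_abi(int abi)
{
	uint64_t mask = 0;
	if (abi >= 1) mask |= LL_ABI1_FS_MASK;
	if (abi >= 2) mask |= LANDLOCK_ACCESS_FS_REFER;
	if (abi >= 3) mask |= LANDLOCK_ACCESS_FS_TRUNCATE;
	if (abi >= 5) mask |= LANDLOCK_ACCESS_FS_IOCTL_DEV;
	return mask;
}

/* Highest ABI the running kernel supports (>= 1), or -1 with errno set:
 * ENOSYS = no Landlock in this kernel, EOPNOTSUPP = built but not in the
 * "lsm=" list. A 5.13+ header at build time says nothing about either. */
int landlock_probe_abi(void)
{
	long r = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
	return r < 0 ? -1 : (int)r;
}

/* Ruleset handling the subset of 'wanted' this kernel supports. Returns the
 * ruleset fd or -1 (errno set). '*effective' tells the caller which rights
 * survived, so it can refuse to continue if one it relies on was dropped. */
int landlock_ruleset_for(uint64_t wanted, uint64_t *effective)
{
	int abi = landlock_probe_abi();
	if (abi < 0)
		return -1;
	struct landlock_ruleset_attr attr;
	memset(&attr, 0, sizeof attr); /* newer headers add fields after handled_access_fs */
	attr.handled_access_fs = wanted & landlock_fs_mask_for_abi(abi);
	*effective = attr.handled_access_fs;
	if (*effective == 0) { /* the kernel would answer ENOMSG; fail before asking */
		errno = ENOMSG;
		return -1;
	}
	return (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
}

int main(void)
{
	uint64_t wanted = LL_READ_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, effective = 0;
	int fd = landlock_ruleset_for(wanted, &effective);
	if (fd < 0) {
		perror("landlock_create_ruleset");
		return 1;
	}
	printf("ABI %d: handling 0x%llx of requested 0x%llx%s\n", landlock_probe_abi(),
	       (unsigned long long)effective, (unsigned long long)wanted,
	       effective != wanted ? " (TRUNCATE dropped on ABI < 3)" : "");
	close(fd);
	return 0;
}
```

On a kernel without Landlock `landlock_probe_abi()` returns -1 with errno ENOSYS, which is exactly the case the chroot/bind-mount fallback from 6420ca1b40 exists for; a build-time `LINUX_VERSION_CODE` check cannot tell you this. Treat a difference between `wanted` and `effective` as a policy decision for the caller rather than something to log and forget: a program that relies on TRUNCATE being denied gets no such guarantee on an ABI 2 kernel.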
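Commit bd3641981c describes a trick that is worth seeing in actual BPF: seccomp only sees a pointer for clone3()'s `struct clone_args`, so the call cannot be filtered on its flags, but answering it with ENOSYS makes glibc (and other libraries that probe for clone3) fall back to clone(), whose flags arrive in a register the filter can read. The program below is an added example written for this page, not exile.h's filter builder: it emits that filter (architecture check first, ENOSYS for clone3, clone() only with CLONE_THREAD, everything else allowed) together with a small classic-BPF evaluator covering just the opcodes used, so the policy can be checked against constructed `seccomp_data` records without installing it. Syscall numbers and `AUDIT_ARCH_X86_64` are x86_64's, `install_clone_filter()` is the only function that touches the kernel, and returning errno values instead of killing is what makes the fallback work.

```c
/* Added example for this page (not exile.h code): a seccomp-bpf filter that
 * answers clone3() with ENOSYS so callers fall back to clone(), whose flags
 * the filter can inspect, plus a tiny cBPF evaluator to test the policy
 * offline against constructed seccomp_data records. x86_64 numbers assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef __NR_clone3
#define __NR_clone3 435 /* not in headers older than 5.3 */
#endif
#define SC_ARCH offsetof(struct seccomp_data, arch)
#define SC_NR   offsetof(struct seccomp_data, nr)
#define SC_ARG0 offsetof(struct seccomp_data, args[0]) /* low 32 bits on little-endian */
#define CLONE_FILTER_LEN 11

/* Fill 'out' (room for CLONE_FILTER_LEN entries); returns the length. */
size_t build_clone_filter(struct sock_filter *out)
{
	const struct sock_filter prog[CLONE_FILTER_LEN] = {
		/* 0-2: kill on a foreign ABI, since i386/x32 reuse numbers for other calls */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARCH),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
		/* 3-5: clone3 keeps its flags in a struct we cannot read: claim it does not exist */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_NR),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
		/* 6-9: clone() passes only for thread creation (CLONE_THREAD in arg0) */
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 3),
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARG0),
		BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_THREAD, 1, 0),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
		/* 10: everything else passes; a real policy would filter far more */
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	};
	memcpy(out, prog, sizeof prog);
	return CLONE_FILTER_LEN;
}

/* Run the program on one record the way the kernel would; only the opcodes
 * used above are modelled, anything else counts as a kill. */
uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *d)
{
	const unsigned char *raw = (const unsigned char *)d;
	uint32_t acc = 0;
	for (size_t pc = 0; pc < len; pc++) {
		const struct sock_filter *ins = &prog[pc];
		switch (ins->code) {
		case BPF_LD | BPF_W | BPF_ABS:
			if (ins->k > sizeof *d - sizeof acc)
				return SECCOMP_RET_KILL_PROCESS; /* kernel refuses to load such a filter */
			memcpy(&acc, raw + ins->k, sizeof acc);
			break;
		case BPF_JMP | BPF_JEQ | BPF_K:
			pc += (acc == ins->k) ? ins->jt : ins->jf;
			break;
		case BPF_JMP | BPF_JSET | BPF_K:
			pc += (acc & ins->k) ? ins->jt : ins->jf;
			break;
		case BPF_RET | BPF_K:
			return ins->k;
		default:
			return SECCOMP_RET_KILL_PROCESS;
		}
	}
	return SECCOMP_RET_KILL_PROCESS; /* fell off the end: the kernel rejects such programs */
}

/* Verdict for (arch, syscall number, first argument) under the clone filter. */
uint32_t clone_filter_verdict(uint32_t arch, int nr, uint64_t arg0)
{
	struct sock_filter prog[CLONE_FILTER_LEN];
	size_t len = build_clone_filter(prog);
	struct seccomp_data d;
	memset(&d, 0, sizeof d);
	d.nr = nr; d.arch = arch; d.args[0] = arg0;
	return run_filter(prog, len, &d);
}

/* Install it for real. NO_NEW_PRIVS must come first for an unprivileged caller. */
int install_clone_filter(void)
{
	struct sock_filter prog[CLONE_FILTER_LEN];
	struct sock_fprog fprog = { .len = (unsigned short)build_clone_filter(prog), .filter = prog };
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
	uint32_t v = clone_filter_verdict(AUDIT_ARCH_X86_64, __NR_clone3, 0);
	printf("clone3 -> %s\n", v == (SECCOMP_RET_ERRNO | ENOSYS) ? "ENOSYS" : "?");
	v = clone_filter_verdict(AUDIT_ARCH_X86_64, __NR_clone, SIGCHLD);
	printf("clone(SIGCHLD) -> %s\n", v == (SECCOMP_RET_ERRNO | EPERM) ? "EPERM" : "?");
	return 0;
}
```

The evaluator exists because a wrong jump offset in a hand-written filter is usually discovered by the process dying with SIGSYS; running verdicts offline first is cheaper, which is also why the filter returns errno values for clone3()/clone() rather than killing. Extend the `switch` if you add other opcodes (`BPF_AND`, `BPF_JGT`, ...), and keep the architecture check first on x86_64, since the i386 and x32 ABIs reuse syscall numbers for different calls.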
9 changed files with 3808 additions and 1242 deletions

@ -1,17 +1,27 @@
prefix = /usr/local
bindir = $(prefix)/bin
CFLAGS = -std=c99 -Wall -Wextra -pedantic
CXXFLAGS = -std=c++20 -Wall -Wextra -pedantic
.DEFAULT_GOAL := test
.DEFAULT_GOAL := tests
clean:
rm -f test
rm -f test exile.o testcpp
test: test.c
$(CC) test.c -g $(CFLAGS) -o test
check: test
exile.o: exile.c exile.h
$(CC) -c exile.c -g $(CFLAGS) -o exile.o
test: test.c exile.h exile.o
$(CC) test.c exile.o -g $(CFLAGS) -o test
testcpp: test.cpp exile.h exile.hpp exile.o
$(CXX) test.cpp exile.o -g $(CXXFLAGS) -o testcpp
tests: test testcpp
check: tests
./test.sh
.PHONY: check
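Review bot: `.PHONY: check` should also name `tests` and `clean`: neither produces a file, so a stray `tests` or `clean` entry in the working tree makes `make tests` or `make clean` report nothing to do. Suggest `.PHONY: check tests clean`. The dependency lists are right: `test` and `testcpp` both depend on `exile.h` and `exile.o`, so a header edit rebuilds both binaries, and `testcpp` links the C-compiled `exile.o` rather than recompiling exile.c as C++, which is what the `extern "C"` guards in the header are for.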

README.md (224 lines changed)

@ -1,53 +1,225 @@
# qssb.h (quite simple sandbox)
`qssb.h` is a simple header-only library that provides an interface to sandbox processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end.
# exile.h
`exile.h` provides an API for processes on Linux to easily isolate themselves in order
to mitigate the effect of exploited vulnerabilities, i. e. when attacker has achieved
arbitrary code execution. exile.h makes it simpler for developers to use existing technologies such as Seccomp and Linux Namespaces. Those generally require knowledge of details and are not trivial for developers to employ, which prevents a more widespread adoption.
The following section offers small examples. Then the motivation is explained in more detail. Proper API documentation will be maintained in other files.
## Quick demo
This section quickly demonstrates the simplicity of the API. It serves as an overview to get a first impression.
system() is used to keep the example C code short. It also demonstrates that subprocesses are also subject to restrictions imposed by exile.h.
While the examples show different features separately, it is generally possible to combine those.
### Filesystem isolation
```c
#include "exile.h"
#include <assert.h>
int main(void)
{
system("echo test > /home/user/testfile");
struct exile_policy *policy = exile_init_policy();
exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, "/home/user");
exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, "/tmp");
int ret = exile_enable_policy(policy);
if(ret != 0)
{
exit(EXIT_FAILURE);
}
int fd = open("/home/user/test", O_CREAT | O_WRONLY | O_TRUNC, 0600);
assert(fd == -1);
fd = open("/home/user/testfile", O_RDONLY);
//use fd
assert(fd != -1);
fd = open("/tmp/testfile", O_CREAT | O_WRONLY | O_TRUNC, 0600);
//use fd
assert(fd != -1);
return 0;
}
```
The assert() calls won't be fired, consistent with the policy that allows only reading
from /home/user. We can write to /tmp/ though as it was specified in the policy.
### vows(): pledge()-like API / System call policies
exile.h allows specifying which syscalls are permitted or denied. In the following example,
'ls' is never executed, as the specified "vows" do not allow the execve() system call. The process will be killed.
```c
#include "exile.h"
int main(void)
{
struct exile_policy *policy = exile_init_policy();
policy->vow_promises = exile_vows_from_str("stdio rpath wpath cpath");
exile_enable_policy(policy);
printf("Trying to execute...");
execlp("/bin/ls", "ls", "/", NULL);
}
```
### Isolation from network
exile offers a quick way to isolate a process from the default network namespace.
```c
#include "exile.h"
int main(void)
{
struct exile_policy *policy = exile_init_policy();
policy->namespace_options |= EXILE_UNSHARE_NETWORK;
int ret = exile_enable_policy(policy);
if(ret != 0)
{
exit(EXIT_FAILURE);
}
system("curl -I https://evil.tld");
}
```
Produces ```curl: (6) Could not resolve host: evil.tld```. For example, this is useful for subprocesses which do not need
network access, but perform tasks such as parsing user-supplied file formats.
### Isolation of single functions (EXPERIMENTAL)
Currently, work is being done that hopefully will allow isolation of individual function calls in a mostly pain-free manner.
Consider the following C++ code:
```cpp
#include <iostream>
#include <fstream>
#include "exile.hpp"
std::string cat(std::string path)
{
std::fstream f1;
f1.open(path.c_str(), std::ios::in);
std::string content;
std::string line;
while(getline(f1, line)) {
content += line + "\n";
}
return content;
}
int main(void)
{
struct exile_policy *policy = exile_init_policy();
policy->vow_promises = exile_vows_from_str("stdio rpath");
std::string content = exile_launch<std::string>(policy, cat, "/etc/hosts");
std::cout << content;
policy = exile_init_policy();
policy->vow_promises = exile_vows_from_str("stdio");
try
{
content = exile_launch<std::string>(policy, cat, "/etc/hosts");
std::cout << content;
}
catch(std::exception &e)
{
std::cout << "launch failure: " << e.what() << std::endl;
}
}
```
We execute "cat()". The first call succeeds. In the second, we get an exception, because
the subprocess "cat()" was launched in violated the policy (missing "rpath" vow).
Naturally, there is a performance overhead. Certain challenges remain, such as the fact
that being executed in a subproces, we operate on copies, so handling references
is not something that has been given much thought. There is also the fact
that clone()ing from threads opens a can of worms, particularly with locks. Hence, exile_launch() is best avoided in multi-threaded contexts.
## Status
No release yet, expiremental, API is unstable, builds will break on updates of this library.
No release yet, experimental, API is unstable, builds will break on updates of this library.
Currently, it's mainly evolving from the needs of my other projects which use exile.h.
### Real-world usage
- looqs: https://github.com/quitesimpleorg/looqs
- qswiki: https://gitea.quitesimple.org/crtxcr/qswiki
## Motivation and Background
exile.h unlocks existing Linux mechanisms to facilitate isolation of processes from resources. Limiting the scope of what programs can do helps defending the rest of the system when a process gets under attacker's control (when classic mitigations such as ASLR etc. failed). To this end, OpenBSD has the pledge() and unveil() functions available. Those functions are helpful mitigation mechanisms, but such accessible ways are unfortunately not readily available on Linux. This is where exile.h steps in.
Seccomp allows restricting the system calls available to a process and thus decrease the systems attack surface, but it generally is not easy to use. Requiring BPF filter instructions, you generally just can't make use of it right away without learning
about BPF. exile.h provides an API inspired by pledge(), building on top of seccomp. It also provides an interface to manually restrict the system calls that can be issued.
Traditional methods employed to restrict file system access, like different uids/gids, chroot, bind-mounts, namespaces etc. may require administrator intervention, are perhaps only suitable for daemons and not desktop applications, or are generally rather involved. As a positive example, Landlock since 5.13 is a vast improvement to limit file system access of processes. It also greatly simplifies exile.h' implementation of fs isolation.
Abstracting those details may help developers bring sandboxing into their applications.
## Features
- Restricting file system access (using Landlock or Namespaces/chroot as fallback)
- Systemcall filtering (using seccomp-bpf). An interface inspired by OpenBSD's pledge() is available
- Dropping privileges in general, such as capabilities
- Isolating the application from the network, etc. through Namespaces
- Helpers to isolate single functions
- Systemcall filtering (using seccomp-bpf)
- restricting file system access (using Landlock and/or Namespaces)
- dropping privileges
- isolating the application from the network, etc.
## What it's not
A way for end users/administrators to restrict processes. In the future, a wrapper binary may be available to achieve this, but it generally aims for developers to bring sandboxing/isolation into their software. This allows a more fine-grained approach, as the developers are more familiar with their software. Applying restrictions with solutions like AppArmor requires
them to be present and installed on the system and it's easy to break things this way.
Therefore, software should ideally be written with sandboxing in mind from the beginning.
## Documentation
Will be available once the interface stabilizes.
It's recommended to start with [README.usage.md] to get a feeling for exile.h.
API-Documentation: [README.api.md]
## Limitations
Built upon kernel technologies, exile.h naturally inherits their limitations:
- New syscalls can be introduced by new kernel versions. exile.h must keep in sync, and users must keep the library up to date.
- seccomp has no deep argument inspection (yet), particularly new syscalls
cannot be reasonably filtered, such as clone3(), or io_uring.
- You can't know what syscalls libraries will issue. An update to existing
libraries may cause them to use different syscalls not allowed by a policy. However, using vows and keeping up to date with exile.h should cover that.
- Landlock, currently, does not apply to syscalls such as stat().
TODO:
- ioctl does not know the fd, so checking values is kind of strange
- redundancies: some things are handled by capabilties, other by seccomp or both
- no magic, be reasonable, devs should not get sloppy, restrict IPC.
## Requirements
Kernel >=3.17
``sys/capabilities.h`` header. Depending on your distribution, libcap
might be needed for this.
While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock.
While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock. Furthermore, it depends on distro-provided kernels being reasonable and enabling it by default. In practise, Landlock maybe won't be used in some cases so exile.h will use a combination of namespaces, bind mounts and chroot as fallbacks.
## FAQ
### Does the process need to be priviliged to utilize the library?
### Does the process need to be privileged to utilize the library?
No.
No.
### It doesn't work on Debian!
You can thank a Debian-specific kernel patch for that. In the future,
the library may check against that. Execute
### It doesn't work on my Debian version!
You can thank a Debian-specific kernel patch for that. Execute
`echo 1 > /proc/sys/kernel/unprivileged_userns_clone` to disable that patch for now.
### Examples
Note that newer releases should not cause this problem any longer, as [explained](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#linux-user-namespaces) in the Debian release notes.
- qswiki: https://gitea.quitesimple.org/crtxcr/qswiki
- cgit sandboxed: https://gitea.quitesimple.org/crtxcr/cgitsb
- qpdfviewsb sandboxed (quick and dirty): https://gitea.quitesimple.org/crtxcr/qpdfviewsb
### Why "vows"?
pledge() cannot be properly implemented using seccomp. The "vow" concept here may look similiar, and it is, but it's not pledge().
### Other projects
- [sandbox2](https://developers.google.com/code-sandboxing/sandbox2/)
### Contributing
Contributions are very welcome. Options:
Contributions are very welcome. Options:
1. Pull-Request on [github](https://github.com/quitesimpleorg/qssb.h)
2. Mail to `qssb at quitesimple.org` with instructions on where to pull the changes from.
1. Pull-Request on [github](https://github.com/quitesimpleorg/exile.h)
2. Mail to `exile at quitesimple.org` with instructions on where to pull the changes from.
3. Mailing a classic patch/diff to the same address.
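Review bot: in the vows example, `exile_enable_policy(policy);` is called without checking its return value and `printf("Trying to execute...");` has neither a newline nor an `fflush(stdout)`. If activation fails, the demo runs without any sandbox and still looks as if it worked; if it succeeds, the message is still sitting in the stdio buffer when the denied `execlp()` gets the process killed with SIGSYS, so a reader reproducing the demo sees no output at all. Suggest the same `if(ret != 0) { exit(EXIT_FAILURE); }` pattern the other two examples use, plus `printf("Trying to execute...\n"); fflush(stdout);`. Also worth a sentence next to the filesystem example: its `assert()` checks vanish under `-DNDEBUG`, and the text ("The assert() calls won't be fired") relies on them being compiled in.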

exile.c (new file, 1959 lines): diff suppressed because it is too large.

exile.h (new file, 546 lines)

@ -0,0 +1,546 @@
/*
* Copyright (c) 2019-2022 Albert Schwarzkopf <mail at quitesimple dot org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef EXILE_H
#define EXILE_H
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sched.h>
#include <stdio.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/random.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <linux/limits.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/version.h>
#include <linux/audit.h>
#include <linux/capability.h>
#include <stddef.h>
#include <inttypes.h>
#include <asm/unistd.h>
#define capget(hdrp,datap) syscall(__NR_capget,hdrp,datap)
#define capset(hdrp,datap) syscall(__NR_capset,hdrp,datap)
#ifndef HAVE_LANDLOCK
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,13,0)
/* TODO: Hopefully a fair assumption. But we need to runtime checks */
#define HAVE_LANDLOCK 1
#endif
#endif
#if HAVE_LANDLOCK == 1
#include <linux/landlock.h>
#if LANDLOCK_CREATE_RULESET_VERSION != (1U << 0)
#error "This landlock ABI version is not supported by exile.h (yet)"
#endif
#endif
#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#else
#error Seccomp support has not been tested for exile.h for this platform yet
#endif
#define EXILE_UNSHARE_NETWORK 1<<1
#define EXILE_UNSHARE_USER 1<<2
#define EXILE_UNSHARE_MOUNT 1<<3
#define EXILE_UNSHARE_AUTOMATIC 1<<4
#ifndef EXILE_LOG_ERROR
#define EXILE_LOG_ERROR(...) do { fprintf(stderr, "exile.h: %s(): Error: ", __func__); fprintf(stderr, __VA_ARGS__); } while(0)
#endif
#ifndef EXILE_TEMP_DIR
#define EXILE_TEMP_DIR "/tmp"
#endif
#define EXILE_SYS(x) __NR_##x
/* Allow all read-effect operations on the path */
#define EXILE_FS_ALLOW_ALL_READ 1<<0
/* Allow all write-effect operations on the path, such as normal writes, creation/deletion of files */
#define EXILE_FS_ALLOW_ALL_WRITE (1<<1)
#define EXILE_FS_ALLOW_EXEC 1<<2
#define EXILE_FS_ALLOW_DEV 1<<3
#define EXILE_FS_ALLOW_SETUID 1<<4
//don't mount recursive
#define EXILE_MOUNT_NOT_REC 1<<5
#ifdef __cplusplus
extern "C" {
#endif
/* Fine-granular approach available with landlock */
#if HAVE_LANDLOCK == 1
#define EXILE_FS_ALLOW_REMOVE_DIR (1 << 7)
#define EXILE_FS_ALLOW_REMOVE_FILE (1 << 8)
#define EXILE_FS_ALLOW_MAKE_CHAR (1 << 9)
#define EXILE_FS_ALLOW_MAKE_DIR (1 << 10)
#define EXILE_FS_ALLOW_MAKE_REG (1 << 11)
#define EXILE_FS_ALLOW_MAKE_SOCK (1 << 12)
#define EXILE_FS_ALLOW_MAKE_FIFO (1 << 13)
#define EXILE_FS_ALLOW_MAKE_BLOCK (1 << 14)
#define EXILE_FS_ALLOW_MAKE_SYM (1 << 15)
#define EXILE_FS_ALLOW_WRITE_FILE (1 << 16)
#define EXILE_FS_ALLOW_READ_DIR (1 << 17)
#define EXILE_FS_ALLOW_REMOVE (1 << 18)
#ifndef landlock_create_ruleset
static inline int landlock_create_ruleset(
const struct landlock_ruleset_attr *const attr,
const size_t size, const __u32 flags)
{
return syscall(__NR_landlock_create_ruleset, attr, size, flags);
}
#endif
#ifndef landlock_add_rule
static inline int landlock_add_rule(const int ruleset_fd,
const enum landlock_rule_type rule_type,
const void *const rule_attr, const __u32 flags)
{
return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type,
rule_attr, flags);
}
#endif
#ifndef landlock_restrict_self
static inline int landlock_restrict_self(const int ruleset_fd,
const __u32 flags)
{
return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
}
#endif
#endif
#if defined(__x86_64__)
#ifndef __NR_pkey_mprotect
#define __NR_pkey_mprotect 329
#endif
#ifndef __NR_pkey_alloc
#define __NR_pkey_alloc 330
#endif
#ifndef __NR_pkey_free
#define __NR_pkey_free 331
#endif
#ifndef __NR_statx
#define __NR_statx 332
#endif
#ifndef __NR_io_pgetevents
#define __NR_io_pgetevents 333
#endif
#ifndef __NR_rseq
#define __NR_rseq 334
#endif
#ifndef __NR_pidfd_send_signal
#define __NR_pidfd_send_signal 424
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_io_uring_enter
#define __NR_io_uring_enter 426
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_open_tree
#define __NR_open_tree 428
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_fspick
#define __NR_fspick 433
#endif
#ifndef __NR_pidfd_open
#define __NR_pidfd_open 434
#endif
#ifndef __NR_clone3
#define __NR_clone3 435
#endif
#ifndef __NR_futex_waitv
#define __NR_futex_waitv 449
#endif
#ifndef __NR_close_range
#define __NR_close_range 436
#endif
#ifndef __NR_openat2
#define __NR_openat2 437
#endif
#ifndef __NR_pidfd_getfd
#define __NR_pidfd_getfd 438
#endif
#ifndef __NR_faccessat2
#define __NR_faccessat2 439
#endif
#ifndef __NR_process_madvise
#define __NR_process_madvise 440
#endif
#ifndef __NR_epoll_pwait2
#define __NR_epoll_pwait2 441
#endif
#ifndef __NR_mount_setattr
#define __NR_mount_setattr 442
#endif
#ifndef __NR_quotactl_fd
#define __NR_quotactl_fd 443
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif
#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447
#endif
#ifndef __NR_process_mrelease
#define __NR_process_mrelease 448
#endif
#endif
struct syscall_vow_map
{
long syscall;
uint64_t vowmask;
};
struct str_to_vow_map
{
const char *str;
uint64_t value;
};
struct exile_path_policy
{
const char *path;
unsigned int policy;
struct exile_path_policy *next;
};
/* Special values */
#define EXILE_SYSCALL_MATCH_ALL -1
/* exit the bpf filter, not matching policy. Go to the next syscall (or the default action, if none left to check) */
#define EXILE_SYSCALL_EXIT_BPF_NO_MATCH 255
/* exit the bpf filter, go directly to the action for the syscall (skip all other args checks) */
#define EXILE_SYSCALL_EXIT_BPF_RETURN 254
#define EXILE_SYSCALL_ALLOW 1
#define EXILE_SYSCALL_DENY_KILL_PROCESS 2
#define EXILE_SYSCALL_DENY_RET_ERROR 3
#define EXILE_SYSCALL_DENY_RET_NOSYS 4
#define EXILE_BPF_NOP \
BPF_STMT(BPF_JMP+BPF_JA,0)
/* A few more dirty markers to simplify array block initializers. We replace those
in append_syscall_to_bpf(). The k value is meaningless here and we don't expect
to ever have filter code actually wanting to jump that many steps forward. So
they serve as an special value we will replace with actual ones. */
#define EXILE_BPF_RETURN_MATCHING \
BPF_STMT(BPF_JMP+BPF_JA,1234)
#define EXILE_BPF_RETURN_NOT_MATCHING \
BPF_STMT(BPF_JMP+BPF_JA,5678)
#define EXILE_BPF_LOAD_SECCOMP_ARG(nr) \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[nr])))
#define EXILE_BPF_CMP_EQ(val,t,f) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, val, t, f)
#define EXILE_BPF_CMP_SET(val,t,f) \
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, val, t, f)
/* Immediatly go to the syscall action, do not process any other arg filters */
#define EXILE_BPF_MATCH(argval) \
EXILE_BPF_CMP_EQ(argval, EXILE_SYSCALL_EXIT_BPF_RETURN, 0)
#define EXILE_BPF_MATCH_SET(argval) \
EXILE_BPF_CMP_SET(argval, EXILE_SYSCALL_EXIT_BPF_RETURN, 0)
/* Immediatly go beyond the syscall action, do not process any other arg filters. What to do with this syscall
is thus up to the default policy */
#define EXILE_BPF_NO_MATCH(argval) \
EXILE_BPF_CMP_EQ(argval, EXILE_SYSCALL_EXIT_BPF_NO_MATCH, 0)
#define EXILE_BPF_NO_MATCH_SET(argval) \
EXILE_BPF_CMP_SET(argval, EXILE_SYSCALL_EXIT_BPF_NO_MATCH, 0)
/* Pledge definitions */
#define EXILE_SYSCALL_VOW_CHOWN ((uint64_t)1<<1)
#define EXILE_SYSCALL_VOW_CLONE ((uint64_t)1<<2)
#define EXILE_SYSCALL_VOW_CPATH ((uint64_t)1<<3)
#define EXILE_SYSCALL_VOW_DPATH ((uint64_t)1<<4)
#define EXILE_SYSCALL_VOW_EXEC ((uint64_t)1<<5)
#define EXILE_SYSCALL_VOW_FATTR ((uint64_t)1<<6)
#define EXILE_SYSCALL_VOW_FSNOTIFY ((uint64_t)1<<7)
#define EXILE_SYSCALL_VOW_ID ((uint64_t)1<<8)
#define EXILE_SYSCALL_VOW_INET ((uint64_t)1<<9)
#define EXILE_SYSCALL_VOW_IOCTL ((uint64_t)1<<10)
#define EXILE_SYSCALL_VOW_PRCTL ((uint64_t)1<<11)
#define EXILE_SYSCALL_VOW_PROC ((uint64_t)1<<12)
#define EXILE_SYSCALL_VOW_PROT_EXEC ((uint64_t)1<<13)
#define EXILE_SYSCALL_VOW_RPATH ((uint64_t)1<<14)
#define EXILE_SYSCALL_VOW_SCHED ((uint64_t)1<<15)
#define EXILE_SYSCALL_VOW_SECCOMP_INSTALL ((uint64_t)1<<16)
#define EXILE_SYSCALL_VOW_SHM ((uint64_t)1<<17)
#define EXILE_SYSCALL_VOW_STDIO ((uint64_t)1<<18)
#define EXILE_SYSCALL_VOW_THREAD ((uint64_t)1<<19)
#define EXILE_SYSCALL_VOW_UNIX ((uint64_t)1<<20)
#define EXILE_SYSCALL_VOW_WPATH ((uint64_t)1<<21)
#define EXILE_SYSCALL_VOW_DENY_ERROR ((uint64_t)1<<63)
#define EXILE_ARGFILTERS_COUNT 60
#define EXILE_FLAG_ADD_PATH_POLICY_FAIL (1u<<1)
#define EXILE_FLAG_ADD_SYSCALL_POLICY_FAIL (1u<<2)
struct exile_syscall_policy
{
struct sock_filter argfilters[EXILE_ARGFILTERS_COUNT];
size_t argfilterscount;
long syscall;
unsigned int policy;
struct exile_syscall_policy *next;
};
/* Policy tells exile what to do */
struct exile_policy
{
int drop_caps;
int preserve_cwd;
int not_dumpable;
int no_new_privs;
int no_fs;
int no_new_fds;
int keep_fds_open;
int namespace_options;
int disable_syscall_filter;
/* Bind mounts all paths in path_policies into the chroot and applies
non-landlock policies */
int mount_path_policies_to_chroot;
char chroot_target_path[PATH_MAX];
const char *chdir_path;
uint64_t vow_promises;
uid_t namespace_uid;
gid_t namespace_gid;
/* Do not manually add policies here, use exile_append_path_policies() */
struct exile_path_policy *path_policies;
struct exile_path_policy **path_policies_tail;
/* Do not manually add policies here, use exile_append_syscall_policy() */
struct exile_syscall_policy *syscall_policies;
struct exile_syscall_policy **syscall_policies_tail;
uint32_t exile_flags;
};
/* Converts the whitespace separated vows strings to vows flags
*
* This mainly helps readability, as lots of flags ORed together is not
* very readable.
*
* If an unkown string is found, abort() is called.
*/
uint64_t exile_vows_from_str(const char *str);
/*
* If we can use landlock, return 1, otherwise 0
*/
int exile_landlock_is_available();
int exile_append_syscall_policy(struct exile_policy *exile_policy, long syscall, unsigned int syscall_policy, struct sock_filter *argfilters, size_t n);
int exile_append_syscall_default_policy(struct exile_policy *exile_policy, unsigned int default_policy);
struct exile_syscall_filter
{
uint64_t vowmask; /* Apply filter if this mask is set. 0 = ignore mask, apply always */
struct sock_filter filter;
int whenset; /* 1 = Filter should be added if vowmask is contained in pledge mask, otherwise won't be added. */
};
#define COUNT_EXILE_SYSCALL_FILTER(f) \
sizeof(f)/sizeof(f[0])
#define EXILE_SYSCALL_FILTER_LOAD_ARG(val) \
{ 0, EXILE_BPF_LOAD_SECCOMP_ARG(val), 0}
/* Returns, for the specific syscall, the correct sock_filter struct for the provided vow_promises
*
* Returns: 0 if none copied, otherwise the number of entries in "filter".
*/
int get_vow_argfilter(long syscall, uint64_t vow_promises, struct sock_filter *filter , int *policy);
int exile_append_vow_promises(struct exile_policy *policy, uint64_t vow_promises);
/* Creates an empty policy struct without opinionated defaults.
*
* Must be freed using exile_free_policy()
* @returns: empty policy
*/
struct exile_policy *exile_create_policy();
/* Creates the default policy
* Must be freed using exile_free_policy()
*
* @returns: default policy
*/
struct exile_policy *exile_init_policy();
/* Appends path policies to the exile_policy object
* The last paramater must be NULL
*
* This function does not copy parameters. All passed paths
* MUST NOT be freed until exile_enable_policy() is called!
*
* @returns: 0 on success, -1 on failure */
int exile_append_path_policies(struct exile_policy *exile_policy, unsigned int path_policy, ...);
#define exile_append_path_policies(e, p, ...) exile_append_path_policies(e, p, __VA_ARGS__, NULL)
int path_policy_needs_landlock(struct exile_path_policy *path_policy);
/*
* Frees the memory taken by a exile_policy object
*/
void exile_free_policy(struct exile_policy *ctxt);
/*
* Enables the seccomp policy
*
* policy: exile policy object
*
* @returns: 0 on success, -1 on error
*/
int exile_enable_syscall_policy(struct exile_policy *policy);
int exile_enable_policy(struct exile_policy *policy);
/* Convenience wrapper for the vow-related subset of exile.h
*
* Only installs seccomp filters for the specified vow promises.
*
* Useful if only vow is required from exile.h, but nothing else
*
* Comparable with OpenBSD's pledge(), subsequent calls can only reduce allowed syscalls.
*
* Here, adding more promises than a previous call set may return success, but
* won't be allowed during execution.
*
* Due to the nature of seccomp, it's furthermore required the EXILE_SYSCALL_VOW_SECCOMP_INSTALL promise
* is set if further calls are expected. Generally, it's reasonable for the last call to
* exile_vow() a program makes to not set EXILE_SYSCALL_VOW_SECCOMP_INSTALL.
*
* There are no seperate exec_promises. All children of the process inherit the filter.
* .
* Return value: 0 on success, any other value on failure.
*/
int exile_vow(uint64_t promises);
struct exile_launch_params
{
struct exile_policy *policy; /* Policy to activate before jumping to func */
int (*func)(void *); /* Function to be sandboxed */
void *funcarg; /* Arg to be passed */
int child_read_pipe[2];
int child_write_pipe[2];
};
struct exile_launch_result
{
int tid;
int read_fd;
int write_fd;
};
int exile_clone_handle(void *arg);
/* Helper to easily execute a single function sandboxed.
*
* Creates a child-process, then activates the policy contained in launch_params,
* and jumps to the specified function, passing the specified argument to it.
* Returns a fd connected to stdout in the child process, as well as a fd allowing to write
* to the child.
*
* if cloneflags is 0, the default ones are passed to clone(), otherwise the value of cloneflags
*
* Return value: Negative on error, otherwise the file descriptor to read from*/
int exile_launch(struct exile_launch_params *launch_params, struct exile_launch_result *launch_result);
/* Helper for exile_launch, to easily read all output from a function
* This function will read all output from a sandboxed function. It's up to the caller to ensure
* that enough memory will be available.
*
* The result is \0 terminated. The "n" parameter contains the size of the result, not including the \0.
*
* Return value: All data written by the function. The result should be passed to free() once not needed. NULL will
* be returned on error.
*/
char *exile_launch_get(struct exile_launch_params *launch_params, size_t *n);
#ifdef __cplusplus
}
#endif
#endif
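Review bot: the `#if LANDLOCK_CREATE_RULESET_VERSION != (1U << 0)` / `#error` block does not check what it claims to. `LANDLOCK_CREATE_RULESET_VERSION` is the flag you pass to `landlock_create_ruleset()` to ask for the ABI version, and the header defines it as `(1U << 0)` regardless of how many ABI versions the kernel side has grown, so the check compiles cleanly against any header and can never detect a newer or older ABI. The ABI that matters is the running kernel's, which the `/* TODO: ... runtime checks */` comment above already concedes: drop the `#error` and have `exile_landlock_is_available()` call `landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)`, which returns the supported ABI version (or -1 with `ENOSYS`/`EOPNOTSUPP`), then mask the `handled_access_fs` rights down to what that version knows before creating the ruleset. Separately, `EXILE_UNSHARE_NETWORK 1<<1` through `EXILE_MOUNT_NOT_REC 1<<5` and `EXILE_SYSCALL_MATCH_ALL -1` are unparenthesized, unlike `EXILE_FS_ALLOW_ALL_WRITE (1<<1)` right next to them; `~EXILE_FS_ALLOW_EXEC` expands to `(~1)<<2`, not the intended mask, so wrap each as `(1<<2)` etc.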

201
exile.hpp Normal file

@ -0,0 +1,201 @@
#include "exile.h"
#include <functional>
#include <iostream>
#include <string>
#include <tuple>
#include <memory>
#include <sys/wait.h>
#ifndef EXILE_MMAP_SIZE
#define EXILE_MMAP_SIZE 128 * 1024 * 1024 //128MB
#endif
template<typename T, typename U, typename ... Args>
class launch_arg
{
static_assert(std::is_trivially_copyable_v<T>);
static_assert(!std::is_pointer_v<T>);
public:
struct exile_policy *policy;
T *result_shm;
U fn;
std::tuple<Args...> args;
launch_arg(struct exile_policy *policy, T *result_shm, U fn, Args && ... args) : policy(policy),
result_shm(result_shm), fn(fn), args(std::forward<Args>(args)...) {}
};
template<typename T, typename U, typename ... Args>
class launch_arg_serializer
{
static_assert(std::is_copy_constructible_v<T>);
public:
struct exile_policy *policy;
char *serialize_buffer;
size_t n;
U fn;
std::tuple<Args...> args;
const std::function<size_t (const T &, char *, size_t n)> &serializer;
const std::function<T(const char * buf, size_t n)> &deserializer;
launch_arg_serializer(struct exile_policy *policy, char *serialize_buffer, size_t n, const std::function<size_t (const T &, char *, size_t)> &serializer, const std::function<T(const char *, size_t)> &deserializer, U fn, Args && ... args) : policy(policy), serialize_buffer(serialize_buffer), n(n), fn(fn), args(std::forward<Args>(args)...), serializer(serializer), deserializer(deserializer) {}
};
template<typename T, typename U, typename ... Args>
int exile_clone_handle_trivial(void * arg)
{
static_assert(std::is_trivially_copyable_v<T>);
static_assert(!std::is_pointer_v<T>);
launch_arg<T, U, Args...> *launchargs = (launch_arg<T, U, Args...> *) arg;
int ret = exile_enable_policy(launchargs->policy);
if(ret != 0)
{
EXILE_LOG_ERROR("exile_enable_policy() failed: %s\n", strerror(errno));
return 1;
}
T result = std::apply(launchargs->fn, launchargs->args);
std::cout << result;
memcpy(launchargs->result_shm, &result, sizeof(T));
return 0;
}
template<typename T, typename U, typename ... Args>
int exile_clone_handle_serializer(void * arg)
{
static_assert(std::is_copy_constructible_v<T>);
launch_arg_serializer<T, U, Args...> *launchargs = (launch_arg_serializer<T, U, Args...> *) arg;
int ret = exile_enable_policy(launchargs->policy);
if(ret != 0)
{
EXILE_LOG_ERROR("exile_enable_policy() failed: %s\n", strerror(errno));
return 1;
}
T result = std::apply(launchargs->fn, launchargs->args);
/* TODO: exception handling */
/* TODO: ugly :S */
char *target = launchargs->serialize_buffer + sizeof(size_t);
size_t n = launchargs->n - sizeof(size_t);
size_t size = launchargs->serializer(result, target, n);
memcpy(launchargs->serialize_buffer, &size, sizeof(size_t));
return 0;
}
inline int do_clone(int (*clonefn)(void *), void *launcharg)
{
struct rlimit rlimit;
int ret = getrlimit(RLIMIT_STACK, &rlimit);
if(ret != 0)
{
EXILE_LOG_ERROR("Failed to get stack size: %s\n", strerror(errno));
return ret;
}
size_t size = rlimit.rlim_cur;
char *stack = (char *) calloc(1, size);
char *stackbegin = stack;
if(stack == NULL)
{
EXILE_LOG_ERROR("Failed to allocate stack memory for child\n");
return 1;
}
stack += size;
ret = clone(clonefn, stack, 17 /* SIGCHLD */, launcharg);
int status = 0;
waitpid(ret, &status, __WALL);
free(stackbegin);
if(WIFEXITED(status))
{
return WEXITSTATUS(status);
}
/* TODO: exception or what? */
return 23;
}
template<typename T, typename U, typename ... Args>
typename std::enable_if_t<std::is_trivially_copyable_v<T> && !std::is_pointer_v<T>, T> exile_launch(struct exile_policy *policy, U fn, Args && ... args)
{
size_t mapsize = sizeof(T);
T * sharedbuf = (T *) mmap(NULL, mapsize , PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
if(sharedbuf == NULL)
{
throw std::runtime_error(std::string("mmap failed: ") + strerror(errno));
}
std::shared_ptr<void> deleter(nullptr, [sharedbuf, mapsize](...){ munmap(sharedbuf, mapsize); });
launch_arg<T, U, Args...> launcharg(policy, sharedbuf, fn, std::forward<Args>(args)...);
int (*clonefn)(void *) = &exile_clone_handle_trivial<T, U, Args...>;
/* TODO: exception or what? */
int ret = do_clone(clonefn, &launcharg);
if(ret == 0)
{
return *sharedbuf;
}
throw std::runtime_error(std::string("clone() failed: " + std::to_string(ret)));
return T();
}
template<typename T, typename U, typename ... Args>
typename std::enable_if_t<std::is_pointer_v<T> || (!std::is_trivially_copyable_v<T> && std::is_copy_constructible_v<T>), T>
exile_launch(struct exile_policy *policy, const std::function<size_t (const T &, char *, size_t)> &serializer, const std::function<T(const char *, size_t)> &deserializer, U fn, Args && ... args)
{
size_t mapsize = EXILE_MMAP_SIZE;
char *sharedbuf = (char *) mmap(NULL, mapsize , PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
if(sharedbuf == NULL)
{
throw std::runtime_error(std::string("mmap failed: ") + strerror(errno));
}
std::shared_ptr<void> deleter(nullptr, [sharedbuf, mapsize](...){ munmap(sharedbuf, mapsize); });
launch_arg_serializer<T, U, Args...> launcharg(policy, sharedbuf, mapsize, serializer, deserializer, fn, std::forward<Args>(args)...);
int (*clonefn)(void *) = &exile_clone_handle_serializer<T, U, Args...>;
/* TODO: exception or what? */
int ret = do_clone(clonefn, &launcharg);
if(ret == 0)
{
size_t size = 0;
memcpy(&size, sharedbuf, sizeof(size));
return deserializer(sharedbuf + sizeof(size_t), size);
}
throw std::runtime_error(std::string("clone() failed: " + std::to_string(ret)));
return T();
}
template<class T>
std::basic_string<typename T::value_type> deserialize_stdstring(const char *buf, size_t n)
{
return std::basic_string<typename T::value_type> { buf, n };
}
template<class T>
size_t serialize_stdstring(const std::basic_string<typename T::value_type> &t, char *buf, size_t n)
{
if(n < t.size())
{
return 0;
}
memcpy(buf, t.data(), t.size());
return t.size();
}
template<typename T, typename U, typename ... Args>
std::basic_string<typename T::value_type> exile_launch(struct exile_policy *policy, U fn, Args && ... args)
{
return exile_launch<T, U, Args...>(policy, &serialize_stdstring<T>, &deserialize_stdstring<T>, fn, std::forward<Args>(args) ...);
}
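Review bot: both `exile_launch` overloads test `if(sharedbuf == NULL)` after `mmap()`, but `mmap()` signals failure with `MAP_FAILED` (`(void *) -1`), never `NULL`, so a failed mapping passes the check and the child then writes its result through an invalid pointer; compare against `MAP_FAILED`. In `do_clone()`, `clone(clonefn, stack, 17 /* SIGCHLD */, launcharg)` hardcodes the signal number instead of using `SIGCHLD`, which is not 17 on every architecture, and the return value is not checked before `waitpid(ret, &status, __WALL)`: a `-1` from `clone()` turns that into a wait for any child. `waitpid()` itself is unchecked as well, so `status` may be inspected uninitialised. Finally, `exile_clone_handle_trivial` does `std::cout << result;` before the `memcpy` into shared memory, which looks like leftover debugging and prints the result on the child's stdout for every caller.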

1092
qssb.h

File diff suppressed because it is too large

837
test.c

@ -1,74 +1,414 @@
#include "qssb.h"
#include "exile.h"
#include <stdbool.h>
#include <sys/types.h>
#include <dirent.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
int test_default_main(int argc, char *argv[])
#define LOG(...) do { fprintf(stdout, "%s(): ", __func__); fprintf(stdout, __VA_ARGS__); } while(0)
int xexile_enable_policy(struct exile_policy *policy)
{
struct qssb_policy *policy = qssb_init_policy();
int ret = qssb_enable_policy(policy);
return ret;
}
int test_both_syscalls(int argc, char *argv[])
{
struct qssb_policy *policy = qssb_init_policy();
int syscalls[] = {1,2,3};
qssb_append_denied_syscalls(policy, syscalls, 3);
qssb_append_allowed_syscalls(policy, syscalls, 3);
int ret = qssb_enable_policy(policy);
int ret = exile_enable_policy(policy);
if(ret != 0)
{
return 0;
LOG("failed: %i\n", ret);
exit(EXIT_FAILURE);
}
return 1;
}
int test_seccomp_blacklisted(int argc, char *argv[])
{
struct qssb_policy *policy = qssb_init_policy();
qssb_append_denied_syscall(policy, QSSB_SYS(getuid));
int ret = qssb_enable_policy(policy);
uid_t pid = geteuid();
pid = getuid();
return 0;
}
int test_seccomp_blacklisted_call_permitted(int argc, char *argv[])
int test_default_main()
{
struct qssb_policy *policy = qssb_init_policy();
struct exile_policy *policy = exile_init_policy();
return xexile_enable_policy(policy);
}
qssb_append_denied_syscall(policy, QSSB_SYS(getuid));
static int test_expected_kill(int (*f)())
{
pid_t pid = fork();
if(pid == 0)
{
return f();
}
int status = 0;
waitpid(pid, &status, 0);
int ret = qssb_enable_policy(policy);
if(WIFSIGNALED(status))
{
int c = WTERMSIG(status);
if(c == SIGSYS)
{
LOG("Got expected signal\n");
return 0;
}
LOG("Unexpected status code: %i\n", c);
return 1;
}
else
{
int c = WEXITSTATUS(status);
LOG("Process was not killed, test fails. Status code of exit: %i\n", c);
return 1;
}
return 0;
}
static int test_successful_exit(int (*f)())
{
pid_t pid = fork();
if(pid == 0)
{
return f();
}
int status = 0;
waitpid(pid, &status, 0);
if(WIFSIGNALED(status))
{
int c = WTERMSIG(status);
LOG("Received signal, which was not expected. Signal was: %i\n", c);
return 1;
}
else
{
int c = WEXITSTATUS(status);
if(c != 0)
{
LOG("Process failed to exit properly. Status code is: %i\n", c);
}
return c;
}
LOG("Process exited sucessfully as expected");
return 0;
}
static int do_test_seccomp_blacklisted()
{
struct exile_policy *policy = exile_init_policy();
exile_append_syscall_policy(policy,EXILE_SYS(getuid), EXILE_SYSCALL_DENY_KILL_PROCESS, NULL, 0);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
uid_t pid = syscall(EXILE_SYS(geteuid));
pid = syscall(EXILE_SYS(getuid));
return 0;
}
int test_seccomp_blacklisted()
{
return test_expected_kill(&do_test_seccomp_blacklisted);
}
static int do_test_seccomp_blacklisted_call_permitted()
{
struct exile_policy *policy = exile_init_policy();
exile_append_syscall_policy(policy, EXILE_SYS(getuid), EXILE_SYSCALL_DENY_KILL_PROCESS, NULL, 0);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
//geteuid is not blacklisted, so must succeed
uid_t pid = geteuid();
uid_t pid = syscall(EXILE_SYS(geteuid));
return 0;
}
int test_seccomp_x32_kill(int argc, char *argv[])
int test_seccomp_blacklisted_call_permitted()
{
struct qssb_policy *policy = qssb_init_policy();
return test_successful_exit(&do_test_seccomp_blacklisted_call_permitted);
}
qssb_append_denied_syscall(policy, QSSB_SYS(getuid));
static int do_test_seccomp_x32_kill()
{
struct exile_policy *policy = exile_init_policy();
int ret = qssb_enable_policy(policy);
exile_append_syscall_policy(policy, EXILE_SYS(getuid), EXILE_SYSCALL_DENY_KILL_PROCESS, NULL, 0);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
/* Attempt to bypass by falling back to x32 should be blocked */
syscall(QSSB_SYS(getuid)+__X32_SYSCALL_BIT);
syscall(EXILE_SYS(getuid)+__X32_SYSCALL_BIT);
return 0;
}
int test_landlock(int argc, char *argv[])
int test_seccomp_x32_kill()
{
struct qssb_policy *policy = qssb_init_policy();
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/proc/self/fd");
int ret = qssb_enable_policy(policy);
return test_expected_kill(&do_test_seccomp_x32_kill);
}
/* Tests whether seccomp rules end with a policy matching all syscalls */
int test_seccomp_require_last_matchall()
{
struct exile_policy *policy = exile_init_policy();
exile_append_syscall_policy(policy, EXILE_SYS(getuid), EXILE_SYSCALL_DENY_KILL_PROCESS, NULL, 0);
int status = exile_enable_policy(policy);
if(status == 0)
{
LOG("Failed. Should not have been enabled!");
return 1;
}
return 0;
}
static int do_test_seccomp_errno()
{
struct exile_policy *policy = exile_init_policy();
exile_append_syscall_policy(policy, EXILE_SYS(close),EXILE_SYSCALL_DENY_RET_ERROR, NULL, 0);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
uid_t id = syscall(EXILE_SYS(getuid));
int fd = syscall(EXILE_SYS(close), 0);
LOG("close() return code: %i, errno: %s\n", fd, strerror(errno));
return fd == -1 ? 0 : 1;
}
int test_seccomp_errno()
{
return test_successful_exit(&do_test_seccomp_errno);
}
int test_seccomp_argfilter_allowed()
{
struct exile_policy *policy = exile_init_policy();
struct sock_filter argfilter[2] =
{
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
};
exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR, argfilter, 2);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
char *t = "/dev/random";
int ret = (int) syscall(EXILE_SYS(open),t, O_RDONLY);
if(ret == -1)
{
printf("Failed: open was expected to succeed, but returned %i\n", ret);
return 1;
}
return 0;
}
int test_seccomp_argfilter_filtered()
{
struct exile_policy *policy = exile_init_policy();
struct sock_filter argfilter[2] =
{
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
};
exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR, argfilter, 2);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
char *t = "/dev/random";
int ret = (int) syscall(EXILE_SYS(open),t, O_WRONLY);
if(ret != -1)
{
printf("Failed: open was expected to fail, but returned %i\n", ret);
return 1;
}
return 0;
}
int test_seccomp_argfilter_mixed()
{
struct exile_policy *policy = exile_init_policy();
struct sock_filter argfilter[2] =
{
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
};
exile_append_syscall_policy(policy, EXILE_SYS(stat),EXILE_SYSCALL_DENY_RET_ERROR, NULL,0);
exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR, argfilter, 2);
exile_append_syscall_policy(policy, EXILE_SYS(getpid),EXILE_SYSCALL_DENY_RET_ERROR, NULL, 0);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
struct stat statbuf;
int s = (int) syscall(EXILE_SYS(stat), "/dev/urandom", &statbuf);
if(s != -1)
{
LOG("Failed: stat was expected to fail, but returned %i\n", s);
return 1;
}
pid_t p = (pid_t) syscall(EXILE_SYS(getpid));
if(p != -1)
{
LOG("Failed: getpid was expected to fail, but returned %i\n", p);
return 1;
}
char *t = "/dev/random";
int ret = (int) syscall(EXILE_SYS(open),t, O_WRONLY);
if(ret != -1)
{
LOG("Failed: open was expected to fail, but returned %i\n", ret);
return 1;
}
ret = (int) syscall(EXILE_SYS(open), t, O_RDONLY);
if(ret == -1)
{
LOG("Failed: open with O_RDONLY was expected to succeed, but returned %i\n", ret);
return 1;
}
return 0;
}
int do_test_seccomp_vow_socket()
{
struct exile_policy *policy = exile_init_policy();
policy->vow_promises = EXILE_SYSCALL_VOW_STDIO | EXILE_SYSCALL_VOW_INET | EXILE_SYSCALL_VOW_DENY_ERROR;
xexile_enable_policy(policy);
int s = socket(AF_INET, SOCK_STREAM, 0);
if(s == -1)
{
LOG("Failed: socket was expected to succeed, but returned %i\n", s);
return 1;
}
s = socket(AF_UNIX, SOCK_DGRAM, 0);
if(s != -1)
{
LOG("Failed: socket was expected to fail, but returned %i\n", s);
return 1;
}
return 0;
}
int do_test_seccomp_vow_open()
{
struct exile_policy *policy = exile_init_policy();
policy->vow_promises = EXILE_SYSCALL_VOW_STDIO | EXILE_SYSCALL_VOW_RPATH | EXILE_SYSCALL_VOW_DENY_ERROR;
xexile_enable_policy(policy);
int ret = open("/dev/urandom", O_WRONLY | O_APPEND);
if(ret != -1)
{
LOG("Failed: open was expected to fail, but returned %i\n", ret);
return 1;
}
ret = open("/dev/urandom", O_RDWR);
if(ret != -1)
{
LOG("Failed: open O_RDWR was expected to fail, but returned %i\n", ret);
return 1;
}
ret = open("/dev/urandom", O_RDONLY);
if(ret == -1)
{
LOG("Failed: open was expected to succceed, but returned %i\n", ret);
return 1;
}
return 0;
}
int test_seccomp_vow()
{
int ret = test_successful_exit(&do_test_seccomp_vow_open);
if(ret != 0)
{
LOG("Failed: do_test_seccomp_vow_open()\n");
return 1;
}
ret = test_successful_exit(&do_test_seccomp_vow_socket);
if(ret != 0)
{
LOG("Failed: do_test_seccomp_vow_socket()\n");
return 1;
}
return 0;
}
int test_seccomp_exile_vow_multiple()
{
int ret = exile_vow(EXILE_SYSCALL_VOW_STDIO | EXILE_SYSCALL_VOW_UNIX | EXILE_SYSCALL_VOW_SECCOMP_INSTALL | EXILE_SYSCALL_VOW_DENY_ERROR);
if(ret != 0)
{
LOG("Failed: exile_vow() call 1 failed\n");
return 1;
}
int s = socket(AF_UNIX, SOCK_STREAM, 0);
if(s == -1)
{
LOG("Failed: socket was expected to succeed, but returned %i\n", s);
return 1;
}
/* Let's take away unix sockets, so it should not be possible anymore */
ret = exile_vow(EXILE_SYSCALL_VOW_STDIO | EXILE_SYSCALL_VOW_SECCOMP_INSTALL | EXILE_SYSCALL_VOW_DENY_ERROR);
if(ret != 0)
{
LOG("Failed: exile_vow() call 2 failed\n");
return 1;
}
s = socket(AF_UNIX, SOCK_STREAM, 0);
if(s != -1)
{
LOG("Failed: socket was expected to fail, but returned %i\n", s);
return 1;
}
/* Let's try to regain unix sockets again */
ret = exile_vow(EXILE_SYSCALL_VOW_STDIO | EXILE_SYSCALL_VOW_UNIX | EXILE_SYSCALL_VOW_SECCOMP_INSTALL | EXILE_SYSCALL_VOW_DENY_ERROR);
if(ret != 0)
{
LOG("Failed: exile_vow() call 3 failed\n");
return 1;
}
s = socket(AF_UNIX, SOCK_STREAM, 0);
if(s != -1)
{
LOG("Failed: socket was still expected to fail, but returned %i\n", s);
return 1;
}
return 0;
}
#if HAVE_LANDLOCK == 1
int test_landlock()
{
if(!exile_landlock_is_available())
{
LOG("landlock not available, so cannot test\n");
return 1;
}
struct exile_policy *policy = exile_init_policy();
exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, "/proc/self/fd");
xexile_enable_policy(policy);
int fd = open("/", O_RDONLY | O_CLOEXEC);
if(fd < 0)
{
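Review bot: in `test_expected_kill()` and `test_successful_exit()` the forked child does `return f();`, so whenever `f()` returns rather than being killed, the child unwinds into the caller and carries on running the rest of the harness as a second process instead of terminating with the test's status; use `exit(f());` in the `pid == 0` branch and handle `pid == -1`. In `test_successful_exit()` the closing `LOG("Process exited sucessfully as expected");` sits after both branches have returned, so it is unreachable (and misspelled, and lacks a `\n`). `test_landlock()` returns `1` when `exile_landlock_is_available()` is false, which the runner will count as a failure, while the `#else` fallbacks further down return `2`; return `2` here too so an unsupported kernel is a skip. Minor: `uid_t id = syscall(EXILE_SYS(getuid));` in `do_test_seccomp_errno()` is unused, and the comment "geteuid is not blacklisted, so must succeed" in `do_test_seccomp_blacklisted_call_permitted()` is not backed by a check on the value returned.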
@ -77,11 +417,12 @@ int test_landlock(int argc, char *argv[])
return 1;
}
int test_landlock_deny_write(int argc, char *argv[])
int test_landlock_deny_write()
{
struct qssb_policy *policy = qssb_init_policy();
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/tmp/");
int ret = qssb_enable_policy(policy);
struct exile_policy *policy = exile_init_policy();
exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, "/tmp/");
xexile_enable_policy(policy);
int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);
if(fd < 0)
{
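Review bot: `test_landlock_deny_write()` opens `/tmp/a` with `O_WRONLY | O_CLOEXEC` and takes `fd < 0` as proof that the write was denied, but without `O_CREAT` the call also fails with `ENOENT` whenever `/tmp/a` simply does not exist, so the test passes on a kernel that enforces nothing. Create the file before enabling the policy and check `errno == EACCES` inside the `fd < 0` branch. Unlike `test_landlock()`, this test also never consults `exile_landlock_is_available()`, so without Landlock the read-only path policy is not what ends up being exercised.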
@ -89,59 +430,58 @@ int test_landlock_deny_write(int argc, char *argv[])
}
return 1;
}
int test_nofs(int argc, char *argv[])
#else
int test_landlock()
{
struct qssb_policy *policy = qssb_init_policy();
policy->no_fs = 1;
return 2;
}
int ret = qssb_enable_policy(policy);
if(ret != 0)
{
fprintf(stderr, "Failed to activate nofs sandbox\n");
return -1;
}
int test_landlock_deny_write()
{
return 2;
}
#endif
int test_nofs()
{
struct exile_policy *policy = exile_init_policy();
policy->no_fs = 1;
xexile_enable_policy(policy);
int s = socket(AF_INET,SOCK_STREAM,0);
if(s == -1)
{
fprintf(stderr, "Failed to open socket but this was not requested by policy\n");
return 0;
LOG("Failed to open socket but this was not requested by policy\n");
return 1;
}
/* Expect seccomp to take care of this */
if(open("/test", O_CREAT | O_WRONLY) >= 0)
{
fprintf(stderr, "Failed: Do not expect write access\n");
return -1;
LOG("Failed: We do not expect write access\n");
return 1;
}
return 0;
}
int test_no_new_fds(int argc, char *argv[])
int test_no_new_fds()
{
struct qssb_policy *policy = qssb_init_policy();
struct exile_policy *policy = exile_init_policy();
policy->no_new_fds = 1;
int ret = qssb_enable_policy(policy);
if(ret != 0)
{
fprintf(stderr, "Failed to activate no_new_fd sandbox\n");
return -1;
}
xexile_enable_policy(policy);
if(open("/tmp/test", O_CREAT | O_WRONLY) >= 0)
{
fprintf(stderr, "Failed: Could open new file descriptor\n");
LOG("Failed: Could open new file descriptor\n");
return -1;
}
int s = socket(AF_INET,SOCK_STREAM,0);
if(s >= 0)
{
fprintf(stderr, "Failed: socket got opened but policy denied\n");
LOG("Failed: socket got opened but policy denied\n");
return -1;
}
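Review bot: `open("/test", O_CREAT | O_WRONLY)` in `test_nofs()` and `open("/tmp/test", O_CREAT | O_WRONLY)` in `test_no_new_fds()` pass `O_CREAT` without the required `mode` argument, so whatever happens to be in the variadic slot becomes the file mode; add a mode such as `0600`. `test_nofs()` is also vacuous for a non-root user: creating `/test` fails with `EACCES` with or without the sandbox, so the `open(...) >= 0` check cannot tell enforcement apart from an ordinary permission error; use a path the process could otherwise write (as `test_no_new_fds()` does with `/tmp/test`) or assert on the expected `errno`. Style: `test_no_new_fds()` returns `-1` on failure where the rest of the file returns `1`, and the `#else` stubs for `test_landlock()`/`test_landlock_deny_write()` return `2` with nothing documenting that value as "skipped"; a short comment or a named constant would help whoever maintains the runner.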
@ -149,27 +489,354 @@ int test_no_new_fds(int argc, char *argv[])
}
extern int mkpath(const char *p, mode_t mode, int baseisfile);
int test_mkpath()
{
system("rm -rf /tmp/.exile.h/");
const char *filepath = "/tmp/.exile.h/test_mkpath/some/sub/dir/file";
const char *dirpath = "/tmp/.exile.h/test_mkpath/some/other/sub/dir";
int ret = mkpath(filepath, 0700, 1);
if(ret != 0)
{
LOG("Failed: mkpath(file) returned: %i\n", ret);
return 1;
}
ret = mkpath(dirpath, 0700, 0);
if(ret != 0)
{
LOG("Failed: mkpath(dirpath) returned: %i\n", ret);
return 1;
}
struct stat statbuf;
ret = stat(filepath, &statbuf);
if(ret != 0)
{
LOG("Failed: stat on filepath returned: %i\n", ret);
return 1;
}
if(!S_ISREG(statbuf.st_mode))
{
LOG("Failed: mkpath did not create a file: %i\n", ret);
return 1;
}
ret = stat(dirpath, &statbuf);
if(ret != 0)
{
LOG("Failed: stat on dirpath returned: %i\n", ret);
return 1;
}
if(!S_ISDIR(statbuf.st_mode))
{
LOG("Failed: mkpath did not create a directory: %i\n", ret);
return 1;
}
system("rm -rf /tmp/.exile.h/");
return 0;
}
int test_fail_flags()
{
struct exile_policy *policy = exile_init_policy();
exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, "/nosuchpathexists");
int ret = exile_enable_policy(policy);
if(ret == 0)
{
fprintf(stderr, "Failed: A path that does not exist should have set the error flag %i\n", ret);
return 1;
}
return 0;
}
static int *read_pipe = NULL;
int do_launch_test(void *arg)
{
int num = *(int *)(arg);
num += 1;
char buffer[512] = { 0 };
read(*read_pipe, buffer, sizeof(buffer)-1);
printf("Sandboxed +1: %i\n", num);
printf("Echoing: %s\n", buffer);
fflush(stdout);
return 0;
}
int test_launch()
{
struct exile_policy *policy = exile_init_policy();
struct exile_launch_params params = { 0 };
struct exile_launch_result res = {0};
int num = 22;
params.func = &do_launch_test;
params.funcarg = &num;
params.policy = policy;
read_pipe = &params.child_write_pipe[0];
int launchfd = exile_launch(&params, &res);
if(launchfd < 0)
{
LOG("Failed to launch\n");
return 1;
}
char buffer[4096] = { 0 };
write(res.write_fd, "1234", 4);
int s = read(res.read_fd, buffer, sizeof(buffer)-1);
write(1, buffer, s);
LOG("Before wait, got: %i\n", s);
fflush(stdout);
if(strstr(buffer, "Echoing: 1234") == NULL)
{
LOG("Failed: Did not get back what we wrote\n");
}
int status = 0;
waitpid(res.tid, &status, __WALL);
if(WIFEXITED(status))
{
status = WEXITSTATUS(status);
return status;
}
return 1;
}
#define LAUNCH_GET_TEST_STR "Control yourself. Take only what you need from it.\n"
int do_launch_get_test(void *a)
{
fprintf(stdout, LAUNCH_GET_TEST_STR);
return 0;
}
int test_launch_get()
{
struct exile_policy *policy = exile_init_policy();
struct exile_launch_params params = { 0 };
params.func = &do_launch_get_test;
params.funcarg = NULL;
params.policy = policy;
size_t n = 0;
char *content = exile_launch_get(&params, &n);
unsigned int len = strlen(LAUNCH_GET_TEST_STR);
if(n != len)
{
LOG("Lenght does not match: %lu vs %u\n", n, len);
return 1;
}
if(strcmp(content, LAUNCH_GET_TEST_STR) != 0)
{
LOG("Received content differs\n");
return 1;
}
return 0;
}
int test_vows_from_str()
{
uint64_t expected = EXILE_SYSCALL_VOW_CHOWN | EXILE_SYSCALL_VOW_WPATH | EXILE_SYSCALL_VOW_INET | EXILE_SYSCALL_VOW_DENY_ERROR;
uint64_t actual = exile_vows_from_str("chown wpath inet error");
if(expected != actual)
{
LOG("Masks don't match: %lu vs %lu\n", expected, actual);
return 1;
}
return 0;
}
int test_clone3_nosys()
{
struct exile_policy *policy = exile_init_policy();
policy->vow_promises = exile_vows_from_str("stdio rpath wpath cpath thread error");
exile_enable_policy(policy);
/* While args are invalid, it should never reach clone3 syscall handler, so it's irrelevant for
our test*/
long ret = syscall(__NR_clone3, NULL, 0);
if(ret == -1 && errno != ENOSYS)
{
LOG("clone3() was not allowed but did not return ENOSYS. It returned: %li, errno: %i\n", ret, errno);
return 1;
}
return 0;
}
int do_test_nsuidmap(const char *path, const char *firstfield, const char *secondfield, const char *thirdfield)
{
char *line = NULL;
size_t n = 0;
FILE *fp = fopen(path, "r");
int ret = getdelim(&line, &n, ' ', fp);
while(ret != -1 && strlen(line) == 1 && *line == ' ')
ret = getdelim(&line, &n, ' ', fp);
if(ret == -1)
{
LOG("getdelim() failed to read a line from %s\n", path);
return 1;
}
line[ret-1] = '\0';
if(strcmp(line, firstfield) != 0)
{
LOG("Invalid value for first entry in map: Expected: %s, was: %s\n", firstfield, line);
return 1;
}
ret = getdelim(&line, &n, ' ', fp);
while(ret != -1 && strlen(line) == 1 && *line == ' ')
ret = getdelim(&line, &n, ' ', fp);
if(ret == -1)
{
LOG("getdelim() failed to read a line from map\n");
return 1;
}
line[ret-1] = '\0';
if(strcmp(line, secondfield) != 0)
{
LOG("Invalid value for second entry in map: Expected: %s, was: %s\n", secondfield, line);
return 1;
}
ret = getdelim(&line, &n, ' ', fp);
while(ret != -1 && strlen(line) == 1 && *line == ' ')
ret = getdelim(&line, &n, ' ', fp);
if(ret == -1)
{
LOG("getdelim() failed to read a line from uid_map\n");
return 1;
}
line[ret-1] = '\0';
if(strcmp(line, thirdfield) != 0)
{
LOG("Invalid value for second entry in map: Expected: %s, was: %s\n", thirdfield, line);
return 1;
}
fclose(fp);
return 0;
}
int test_unshare_user()
{
char uidstr[64];
snprintf(uidstr, sizeof(uidstr), "%u", getuid());
char gidstr[64];
snprintf(gidstr, sizeof(gidstr), "%u", getgid());
struct exile_policy *policy = exile_init_policy();
policy->namespace_options = EXILE_UNSHARE_USER;
xexile_enable_policy(policy);
if(do_test_nsuidmap("/proc/self/uid_map", "0", uidstr, "1") != 0)
{
LOG("/proc/self/uid_map failed\n");
return 1;
}
if(do_test_nsuidmap("/proc/self/gid_map", "0", gidstr, "1") != 0)
{
LOG("/proc/self/gid_map failed\n");
return 1;
}
FILE *fp = fopen("/proc/self/setgroups", "r");
char buffer[4096] = { 0 };
fread(buffer, sizeof(buffer), 1, fp);
fclose(fp);
if(strcmp(buffer, "deny\n") != 0)
{
LOG("/proc/self/setgroups does not contain 'deny'\n");
return 1;
}
return 0;
}
int test_unshare_user_own_uid()
{
uid_t uid = getuid();
gid_t gid = getgid();
char uidstr[64];
snprintf(uidstr, sizeof(uidstr), "%u", uid);
char gidstr[64];
snprintf(gidstr, sizeof(gidstr), "%u", gid);
struct exile_policy *policy = exile_init_policy();
policy->namespace_options = EXILE_UNSHARE_USER;
policy->namespace_gid = gid;
policy->namespace_uid = uid;
xexile_enable_policy(policy);
if(do_test_nsuidmap("/proc/self/uid_map", uidstr, uidstr, "1") != 0)
{
LOG("/proc/self/uid_map failed\n");
return 1;
}
if(do_test_nsuidmap("/proc/self/gid_map", gidstr, gidstr, "1") != 0)
{
LOG("/proc/self/gid_map failed\n");
return 1;
}
FILE *fp = fopen("/proc/self/setgroups", "r");
char buffer[4096] = { 0 };
fread(buffer, sizeof(buffer), 1, fp);
fclose(fp);
if(strcmp(buffer, "deny\n") != 0)
{
LOG("/proc/self/setgroups does not contain 'deny'\n");
return 1;
}
return 0;
}
struct dispatcher
{
char *name;
int (*f)(int, char **);
bool must_exit_zero;
int (*f)();
};
struct dispatcher dispatchers[] = {
{ "default", &test_default_main, true },
{ "seccomp-blacklisted", &test_seccomp_blacklisted, false },
{ "seccomp-blacklisted-permitted", &test_seccomp_blacklisted_call_permitted, true },
{ "seccomp-x32-kill", &test_seccomp_x32_kill, false},
{ "landlock", &test_landlock, true },
{ "landlock-deny-write", &test_landlock_deny_write, true },
{ "no_fs", &test_nofs, false},
{ "no_new_fds", &test_no_new_fds, true}
{ "default", &test_default_main },
{ "seccomp-blacklisted", &test_seccomp_blacklisted},
{ "seccomp-blacklisted-permitted", &test_seccomp_blacklisted_call_permitted},
{ "seccomp-x32-kill", &test_seccomp_x32_kill},
{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
{ "seccomp-errno", &test_seccomp_errno},
{ "seccomp-argfilter-allowed", &test_seccomp_argfilter_allowed},
{ "seccomp-argfilter-filtered", &test_seccomp_argfilter_filtered},
{ "seccomp-argfilter-mixed", &test_seccomp_argfilter_mixed},
{ "seccomp-vow", &test_seccomp_vow},
{ "seccomp-vow-exile_vow-multi", &test_seccomp_exile_vow_multiple},
{ "landlock", &test_landlock},
{ "landlock-deny-write", &test_landlock_deny_write },
{ "no_fs", &test_nofs},
{ "no_new_fds", &test_no_new_fds},
{ "mkpath", &test_mkpath},
{ "failflags", &test_fail_flags},
{ "launch", &test_launch},
{ "launch-get", &test_launch_get},
{ "vow_from_str", &test_vows_from_str},
{ "clone3_nosys", &test_clone3_nosys},
{ "unshare-user", &test_unshare_user},
{ "unshare-user-own-uid", &test_unshare_user_own_uid},
};
int main(int argc, char *argv[])
{
if(argc < 2)
{
fprintf(stderr, "Usage: %s [testname]\n", argv[0]);
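Review bot: test_launch logs "Did not get back what we wrote" when `strstr(buffer, "Echoing: 1234")` finds nothing, but then falls through to waitpid and returns the child's exit status, so an echo mismatch never fails the test; add `return 1;` after that LOG, and check `s` from read() before passing it to `write(1, buffer, s)`. In do_test_nsuidmap the `fopen()` result is passed to getdelim() without a NULL check, `line` is leaked on every early return, and the last error message says "second entry" where it means the third. In test_unshare_user and test_unshare_user_own_uid, `fread(buffer, sizeof(buffer), 1, fp)` requests one 4096-byte element, which a short file like /proc/self/setgroups never satisfies, so fread returns 0 and the contents of the partial element are not guaranteed; use `fread(buffer, 1, sizeof(buffer) - 1, fp)` and check the count. Minor: "Lenght" in test_launch_get, and `content` from exile_launch_get is neither NULL-checked before strcmp nor freed.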
@ -180,7 +847,7 @@ int main(int argc, char *argv[])
{
for(unsigned int i = 0; i < sizeof(dispatchers)/sizeof(dispatchers[0]); i++)
{
printf("%s:%i\n", dispatchers[i].name, dispatchers[i].must_exit_zero ? 1 : 0);
printf("%s\n", dispatchers[i].name);
}
return EXIT_SUCCESS;
}
@ -190,7 +857,7 @@ int main(int argc, char *argv[])
struct dispatcher *current = &dispatchers[i];
if(strcmp(current->name, test) == 0)
{
return current->f(argc, argv);
return current->f();
}
}
fprintf(stderr, "Unknown test\n");
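Review bot: `return current->f();` goes through the member `int (*f)();`, a non-prototype declaration, so assigning a function with a different signature into dispatchers[] would not be diagnosed; declare it `int (*f)(void);` (and the test functions as `int test_xxx(void)`) so the table is type-checked.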

test.cpp Normal file

@ -0,0 +1,92 @@
#include "exile.hpp"
#include "assert.h"
#include <map>
std::string sandboxed_reverse(std::string str)
{
std::reverse(str.begin(), str.end());
return str;
}
size_t stdstrlen(const std::string &str)
{
return str.size();
}
int incrementer(int arg)
{
return ++arg;
}
int test_exile_launch_trivial()
{
int u = 22;
int result = exile_launch<int>(exile_init_policy(), &incrementer, u);
assert(result == 23);
return 0;
}
int test_exile_launch_stdstring()
{
std::string str = "abc123";
std::string reversed = exile_launch<std::string>(exile_init_policy(), &sandboxed_reverse, str);
assert(reversed == "321cba");
return 0;
}
struct not_trivially_copyable
{
public:
std::string somecontent;
};
int test_exile_launch_serializer()
{
static_assert(! std::is_trivially_copyable_v<not_trivially_copyable>);
auto serializer = [](const not_trivially_copyable &obj, char *buf, size_t n){
serialize_stdstring<std::string>(obj.somecontent, buf, n);
return obj.somecontent.size();
};
auto deserializer = [](const char *buffer, size_t n) {
not_trivially_copyable obj;
obj.somecontent = deserialize_stdstring<std::string>(buffer, n);
return obj;
};
not_trivially_copyable result = exile_launch<not_trivially_copyable>(exile_init_policy(), serializer, deserializer, []() {not_trivially_copyable obj; obj.somecontent = "Just something"; return obj;});
assert(result.somecontent == "Just something");
return 0;
}
int main(int argc, char *argv[])
{
if(argc < 2)
{
std::cerr << "Missing test" << std::endl;
return 1;
}
std::map<std::string, int (*)()> map = {
{ "launch-trivial-cpp", &test_exile_launch_trivial} ,
{ "launch-stdstring-cpp", &test_exile_launch_stdstring },
{ "launch-serializer-cpp", &test_exile_launch_serializer },
};
std::string test = argv[1];
if(test == "--dumptests")
{
for(auto &entry : map)
{
std::cout << entry.first << std::endl;
}
return 0;
}
int (*fn)() = map[test];
if(fn != nullptr)
{
return fn();
}
std::cerr << "Unknown test" << std::endl;
return 1;
}
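Review bot: The three test functions verify their results only with `assert()`, so a build with NDEBUG defined turns each of them into an unconditional `return 0` and test.sh reports them as passing; compare the result explicitly and `return 1` on mismatch, keeping assert at most as a supplement. `#include "assert.h"` should be `<cassert>`, and unless exile.hpp already pulls them in, `<algorithm>` (std::reverse), `<iostream>` (std::cerr, std::cout), `<string>` and `<type_traits>` (std::is_trivially_copyable_v) are missing. `int (*fn)() = map[test];` uses operator[], which inserts a null entry for an unknown name; use `map.find(test)` instead. The serializer lambda returns `obj.somecontent.size()` regardless of `n`; if serialize_stdstring truncates to `n`, the returned length should reflect that.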

test.sh

@ -1,65 +1,72 @@
#!/bin/sh
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'
COUNT_SUCCEEDED=0
COUNT_FAILED=0
COUNT_SKIPPED=0
function print_fail()
print_fail()
{
echo -e "${RED}$@${NC}" 1>&2
printf "${RED}$@${NC}\n" 1>&2
}
function print_success()
print_success()
{
echo -e "${GREEN}$@${NC}"
printf "${GREEN}$@${NC}\n"
}
function runtest_fail()
print_skipped()
{
printf "${YELLOW}$@${NC}\n"
}
runtest_fail()
{
print_fail "failed"
COUNT_FAILED=$(($COUNT_FAILED+1))
}
function runtest_success()
runtest_success()
{
print_success "ok"
COUNT_SUCCEEDED=$((COUNT_SUCCEEDED+1))
}
function runtest()
runtest_skipped()
{
testname="$1"
must_exit_zero="$2"
print_skipped "skipped"
COUNT_SKIPPED=$((COUNT_SKIPPED+1))
}
runtest()
{
testbin="$1"
testname="$2"
test_log_file="$3"
echo "Running: $testname. Date: $(date)" > "${test_log_file}"
echo -n "Running $1... "
#exit 1 to suppress shell message like "./test.sh: line 18: pid Bad system call"
(./test $1 || exit 1) &>> "${test_log_file}"
echo -n "Running $testname... "
#exit $? to suppress shell message like "./test.sh: line 18: pid Bad system call"
(./$testbin "$testname" || exit $?) >> "${test_log_file}" 2>&1
ret=$?
SUCCESS=0
if [ $must_exit_zero -eq 1 ] ; then
if [ $ret -eq 0 ] ; then
runtest_success
SUCCESS=1
else
runtest_fail
fi
SUCCESS="no"
if [ $ret -eq 0 ] ; then
runtest_success
SUCCESS="yes"
elif [ $ret -eq 2 ] ; then
runtest_skipped
SUCCESS="skipped"
else
if [ $ret -eq 0 ] ; then
runtest_fail
else
runtest_success
SUCCESS=1
fi
runtest_fail
fi
echo "Finished: ${testname}. Date: $(date). Success: $SUCCESS" >> "${test_log_file}"
echo "Finished: ${testname} (${testbin}). Date: $(date). Success: $SUCCESS" >> "${test_log_file}"
}
GIT_ID=$( git log --pretty="format:%h" -n1 )
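Review bot: print_fail, print_success and print_skipped pass the message as printf's format string (`printf "${RED}$@${NC}\n"`), so a message containing `%` or a backslash sequence is interpreted rather than printed, and unquoted `$@` inside a double-quoted string behaves like `$*`; write `printf '%b%s%b\n' "$RED" "$*" "$NC"` so the escapes in the colour variables are still expanded while the message is printed verbatim. The `(./$testbin "$testname" || exit $?) >> "${test_log_file}" 2>&1` form is a correct POSIX replacement for `&>>`; quote `$testbin` the same way as `$testname`. Minor: `$(($COUNT_FAILED+1))` and `$((COUNT_SUCCEEDED+1))` differ in style.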
@ -69,19 +76,23 @@ if [ -z "$LOG_OUTPUT_DIR" ] ; then
LOG_OUTPUT_DIR="./logs/"
fi
LOG_OUTPUT_DIR_PATH="${LOG_OUTPUT_DIR}/qssb_test_${GIT_ID}_${TIMESTAMP}"
LOG_OUTPUT_DIR_PATH="${LOG_OUTPUT_DIR}/exile_test_${GIT_ID}_${TIMESTAMP}"
[ -d "$LOG_OUTPUT_DIR_PATH" ] || mkdir -p "$LOG_OUTPUT_DIR_PATH"
for test in $( ./test --dumptests ) ; do
testname=$( echo $test | cut -d":" -f1 )
must_exit_zero=$( echo "$test" | cut -d":" -f2 )
runtest "$testname" $must_exit_zero "${LOG_OUTPUT_DIR_PATH}/log.${testname}"
testname=$( echo $test )
runtest test "$testname" "${LOG_OUTPUT_DIR_PATH}/log.${testname}"
done
for test in $( ./testcpp --dumptests ) ; do
testname=$( echo $test )
runtest testcpp "$testname" "${LOG_OUTPUT_DIR_PATH}/log.${testname}"
done
echo
echo "Tests finished. Logs in $(realpath ${LOG_OUTPUT_DIR_PATH})"
echo "Succeeded: $COUNT_SUCCEEDED"
echo "Failed: $COUNT_FAILED"
echo "Skipped: $COUNT_SKIPPED"
if [ $COUNT_FAILED -gt 0 ] ; then
exit 1
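Review bot: `testname=$( echo $test )` is a no-op subshell that only word-splits the name again; `testname=$test` is enough now that `--dumptests` no longer emits the `name:must_exit_zero` pair. Both loops write to `${LOG_OUTPUT_DIR_PATH}/log.${testname}`, so a C and a C++ test sharing a name would overwrite each other's log; include `$testbin` in the log filename, as runtest already does in its Finished line. `realpath` is not specified by POSIX, which matters given that the rest of the patch moves the script to `#!/bin/sh` and drops the `function` keyword and `&>>`.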