From 75f76f58ebd71e2251d1c50cc87a63672e651a11 Mon Sep 17 00:00:00 2001 From: Albert S Date: Sat, 26 Sep 2020 17:03:26 +0200 Subject: [PATCH] sandbox: First version using qssb.h --- qswiki.cpp | 1 - sandbox/sandbox-linux.cpp | 247 ++++++++------------------------------ sandbox/sandbox-linux.h | 5 - submodules/qssb.h | 2 +- 4 files changed, 48 insertions(+), 207 deletions(-) diff --git a/qswiki.cpp b/qswiki.cpp index c83c5af..46143cb 100644 --- a/qswiki.cpp +++ b/qswiki.cpp @@ -95,7 +95,6 @@ int main(int argc, char **argv) Config config = configreader.readConfig(); // TODO: config.connectiontring only works as long as we only support sqlite of course - if(!sandbox->enablePreWorker({ config.configVarResolver.getConfig("cache_fs_dir"), config.templatepath, diff --git a/sandbox/sandbox-linux.cpp b/sandbox/sandbox-linux.cpp index 09d34b0..5b3e43d 100644 --- a/sandbox/sandbox-linux.cpp +++ b/sandbox/sandbox-linux.cpp @@ -1,5 +1,3 @@ -#include -#include #include #include #include @@ -14,6 +12,7 @@ #include #include #include +#include #include "../logger.h" #include "../utils.h" #include "../random.h" @@ -24,172 +23,49 @@ * obvious systemcalls. To whitelist, we need to analyse our * dependencies (http library, sqlite wrapper, sqlite lib etc.) */ -/* TODO: cleanup our sandboxing directory (unmount and delete folders) after exit */ -bool SandboxLinux::seccomp_blacklist(std::initializer_list syscalls) -{ - scmp_filter_ctx ctx; - ctx = seccomp_init(SCMP_ACT_ALLOW); - if(ctx == NULL) - { - Logger::error() << "failed to init seccomp_init"; - return false; - } - - for(auto sc : syscalls) - { - if(seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, sc, 0) < 0) - { - Logger::error() << "Failed to add a seccomp rule"; - return false; - } - } - - bool success = seccomp_load(ctx) == 0; - if(!success) - { - Logger::error() << "Failed to load seccomp filter"; - return false; - } - seccomp_release(ctx); - return success; -} - -bool SandboxLinux::bindMountPaths(std::string target_root, const std::vector &paths) -{ - for(const std::string &path : paths) - { - std::string chroot_target_path = target_root + path; - if(std::filesystem::exists(chroot_target_path)) - { - continue; - } - if(std::filesystem::is_regular_file(path)) - { - std::fstream f1; - f1.open(chroot_target_path, std::ios::out); - f1.close(); - } - else - { - std::error_code ec; - // TODO: fails if the stuff already exists, but it shouldn't according to doc? - if(!std::filesystem::create_directories(chroot_target_path, ec)) - { - Logger::error() << "Error while trying to duplicate structure for sandbox. Dir creation failed. Path: " - << chroot_target_path << " Error: " << ec.message(); - return false; - } - - if(mount(path.c_str(), chroot_target_path.c_str(), NULL, MS_BIND, NULL) == -1) - { - Logger::error() << "Bind mount for " << path << " -> " << chroot_target_path << " failed! " - << strerror(errno); - return false; - } - } - } - return true; -} - -bool SandboxLinux::isolateNamespaces(std::vector fsPaths) -{ - std::sort(fsPaths.begin(), fsPaths.end(), - [](const std::string &a, const std::string &b) { return a.length() < b.length(); }); - - auto current_uid = getuid(); - auto current_gid = getgid(); - if(unshare(CLONE_NEWUSER) == -1) - { - Logger::error() << "Failed to unshare user namespace: " << strerror(errno); - return false; - } - - std::fstream setgroups; - setgroups.open("/proc/self/setgroups", std::ios::out | std::ios::app); - setgroups << "deny"; - setgroups.flush(); - setgroups.close(); - - std::fstream uid_map; - uid_map.open("/proc/self/uid_map", std::ios::out | std::ios::app); - uid_map << "0 " << current_uid << " 1\n"; - uid_map.flush(); - uid_map.close(); - - std::fstream gid_map; - gid_map.open("/proc/self/gid_map", std::ios::out); - uid_map << "0 " << current_gid << " 1\n"; - gid_map.flush(); - gid_map.close(); - - if(unshare(CLONE_NEWNS) == -1) - { - Logger::error() << "Failed to unshare mount namespace: " << strerror(errno); - return false; - } - - /* - * TODO: breaks server. - * TODO: fork? - * if(unshare(CLONE_NEWPID) == -1) - { - Logger::error() << "Failed to unshare pid namespace: " << strerror(errno); - return false; - }*/ - - // The purpose is to start with a clean sandbox dir. - // We maybe could work with mkdirat, and check whether it exists alrady, to avoid - // some attacks where an attacker gueses the dir, but in that case the system is already compromised - // TODO: still, check, whether this is something we must consider here or not... - Random random; - std::string rootpath = "/tmp/qswiki_sandbox_" + random.getRandomHexString(10) + "/"; - if(!std::filesystem::create_directory(rootpath)) - { - Logger::error() << "Failed to create chroot directory for sandbox"; - return false; - } - - if(!bindMountPaths(rootpath, fsPaths)) - { - Logger::error() << "Bind mounting paths failed!"; - return false; - } - - if(chroot(rootpath.c_str()) == -1) - { - Logger::error() << "chroot to sandbox failed!"; - return false; - } - if(chdir("/") == -1) - { - Logger::error() << "chdir to sandbox failed!"; - return false; - } - - return true; -} - bool SandboxLinux::enableForInit() { umask(0027); - - // TODO. there is execv for SPARC. Sigh... - if(!seccomp_blacklist({SCMP_SYS(execveat), SCMP_SYS(execve)})) + struct qssb_policy policy = {0}; + int blacklisted_syscalls[] = {QSSB_SYS(execveat), QSSB_SYS(execve), -1}; + policy.blacklisted_syscalls = blacklisted_syscalls; + policy.no_new_privs = 1; + int result = qssb_enable_policy(&policy); + if(result != 0) { - Logger::error() << "Failed to install blacklisting seccomp filter"; + Logger::error() << "Failed to install sandboxing policy (init): " << result; return false; } - return true; } bool SandboxLinux::enablePreWorker(std::vector fsPaths) { - if(!isolateNamespaces(fsPaths)) + std::sort(fsPaths.begin(), fsPaths.end(), + [](const std::string &a, const std::string &b) { return a.length() < b.length(); }); + + struct qssb_path_policy *policies = new qssb_path_policy[fsPaths.size()]; + for(unsigned int i = 0; i < fsPaths.size(); i++) { - Logger::error() << "Failed to isolate namespaces"; + policies[i].next = policies + (i + 1); + policies[i].mountpoint = fsPaths[i].c_str(); + policies[i].policy = QSSB_MOUNT_ALLOW_READ | QSSB_MOUNT_ALLOW_WRITE; + } + policies[fsPaths.size() - 1].next = NULL; + + struct qssb_policy policy = {0}; + policy.path_policies = policies; + policy.namespace_options |= QSSB_UNSHARE_MOUNT; + policy.namespace_options |= QSSB_UNSHARE_USER; + int blacklisted_syscalls[] = {QSSB_SYS(execveat), QSSB_SYS(execve), -1}; + policy.blacklisted_syscalls = blacklisted_syscalls; + int result = qssb_enable_policy(&policy); + if(result != 0) + { + Logger::error() << "Failed to install sandboxing policy (preworker): %i" << result; return false; } + delete[] policies; return true; } @@ -212,55 +88,26 @@ bool SandboxLinux::supported() } bool SandboxLinux::enableForWorker() { - int cap = 0; - int res = 0; - while((res = prctl(PR_CAPBSET_DROP, cap++, 0, 0, 0)) == 0) - ; - if(res == -1 && errno != EINVAL) - { - Logger::error() << "Failed to drop the capability bounding set!"; - return false; - } - - __user_cap_header_struct h = {0}; - h.pid = 0; - h.version = _LINUX_CAPABILITY_VERSION_3; - __user_cap_data_struct drop[2]; - drop[0].effective = 0; - drop[0].permitted = 0; - drop[0].inheritable = 0; - drop[1].effective = 0; - drop[1].permitted = 0; - drop[1].inheritable = 0; - if(capset(&h, drop) == -1) - { - Logger::error() << "Failed to drop capabilities: " << strerror(errno); - return false; - } + struct qssb_policy policy = {0}; + policy.drop_caps = 1; + policy.not_dumpable = 1; + policy.no_new_privs = 1; /* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the * sense that more could be listed here and some critical ones are probably missing */ - if(!seccomp_blacklist({SCMP_SYS(setuid), SCMP_SYS(setuid32), SCMP_SYS(connect), SCMP_SYS(chroot), - SCMP_SYS(pivot_root), SCMP_SYS(mount), SCMP_SYS(setns), SCMP_SYS(unshare), SCMP_SYS(ptrace), - SCMP_SYS(personality) - - })) - { - Logger::error() << "Sandbox: Activation of seccomp blacklist failed!"; - return false; - } - if(prctl(PR_SET_DUMPABLE, 0) == -1) - { - Logger::error() << "prctl: PR_SET_DUMPABLE failed"; - return false; - } - if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) - { - Logger::error() << "prctl: PR_SET_NO_NEW_PRIVS failed: " << strerror(errno); - return false; - } - - if(!seccomp_blacklist({SCMP_SYS(prctl)})) + int blacklisted_syscalls[] = {QSSB_SYS(setuid), + QSSB_SYS(connect), + QSSB_SYS(chroot), + QSSB_SYS(pivot_root), + QSSB_SYS(mount), + QSSB_SYS(setns), + QSSB_SYS(unshare), + QSSB_SYS(ptrace), + QSSB_SYS(personality), + QSSB_SYS(prctl), + -1}; + policy.blacklisted_syscalls = blacklisted_syscalls; + if(qssb_enable_policy(&policy) != 0) { Logger::error() << "Sandbox: Activation of seccomp blacklist failed!"; return false; diff --git a/sandbox/sandbox-linux.h b/sandbox/sandbox-linux.h index b97657e..dbd22b7 100644 --- a/sandbox/sandbox-linux.h +++ b/sandbox/sandbox-linux.h @@ -11,10 +11,5 @@ class SandboxLinux : public Sandbox bool enableForInit() override; bool enablePreWorker(std::vector fsPaths) override; bool enableForWorker() override; - - private: - bool isolateNamespaces(std::vector fsPaths); - bool seccomp_blacklist(std::initializer_list syscalls); - bool bindMountPaths(std::string target_root, const std::vector &paths); }; #endif diff --git a/submodules/qssb.h b/submodules/qssb.h index dbdb35d..763c65c 160000 --- a/submodules/qssb.h +++ b/submodules/qssb.h @@ -1 +1 @@ -Subproject commit dbdb35db371b79bb6a35cfbb9ef3815cdd5beff6 +Subproject commit 763c65c3fee87c500b149fab321d0d12eeccedde