sandbox: First version using qssb.h
This commit is contained in:
parent
0792d8890f
commit
a79450b68b
@ -96,8 +96,6 @@ int main(int argc, char **argv)
|
|||||||
Config config = configreader.readConfig();
|
Config config = configreader.readConfig();
|
||||||
|
|
||||||
//TODO: config.connectiontring only works as long as we only support sqlite of course
|
//TODO: config.connectiontring only works as long as we only support sqlite of course
|
||||||
|
|
||||||
|
|
||||||
if(!sandbox->enablePreWorker({
|
if(!sandbox->enablePreWorker({
|
||||||
config.configVarResolver.getConfig("cache_fs_dir"),
|
config.configVarResolver.getConfig("cache_fs_dir"),
|
||||||
config.templatepath,
|
config.templatepath,
|
||||||
|
@ -1,5 +1,3 @@
|
|||||||
#include <sys/prctl.h>
|
|
||||||
#include <seccomp.h>
|
|
||||||
#include <vector>
|
#include <vector>
|
||||||
#include <initializer_list>
|
#include <initializer_list>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
@ -14,6 +12,7 @@
|
|||||||
#include <filesystem>
|
#include <filesystem>
|
||||||
#include <sys/mount.h>
|
#include <sys/mount.h>
|
||||||
#include <sys/capability.h>
|
#include <sys/capability.h>
|
||||||
|
#include <qssb.h>
|
||||||
#include "../logger.h"
|
#include "../logger.h"
|
||||||
#include "../utils.h"
|
#include "../utils.h"
|
||||||
#include "../random.h"
|
#include "../random.h"
|
||||||
@ -24,178 +23,50 @@
|
|||||||
* obvious systemcalls. To whitelist, we need to analyse our
|
* obvious systemcalls. To whitelist, we need to analyse our
|
||||||
* dependencies (http library, sqlite wrapper, sqlite lib etc.) */
|
* dependencies (http library, sqlite wrapper, sqlite lib etc.) */
|
||||||
|
|
||||||
/* TODO: cleanup our sandboxing directory (unmount and delete folders) after exit */
|
|
||||||
bool SandboxLinux::seccomp_blacklist(std::initializer_list<int> syscalls)
|
|
||||||
{
|
|
||||||
scmp_filter_ctx ctx;
|
|
||||||
ctx = seccomp_init(SCMP_ACT_ALLOW);
|
|
||||||
if(ctx == NULL)
|
|
||||||
{
|
|
||||||
Logger::error() << "failed to init seccomp_init";
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
for(auto sc : syscalls)
|
|
||||||
{
|
|
||||||
if(seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, sc, 0) < 0)
|
|
||||||
{
|
|
||||||
Logger::error() << "Failed to add a seccomp rule";
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
bool success = seccomp_load(ctx) == 0;
|
|
||||||
if(!success)
|
|
||||||
{
|
|
||||||
Logger::error() << "Failed to load seccomp filter";
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
seccomp_release(ctx);
|
|
||||||
return success;
|
|
||||||
}
|
|
||||||
|
|
||||||
bool SandboxLinux::bindMountPaths(std::string target_root, const std::vector<std::string> &paths)
|
|
||||||
{
|
|
||||||
for(const std::string &path : paths)
|
|
||||||
{
|
|
||||||
std::string chroot_target_path = target_root + path;
|
|
||||||
if(std::filesystem::exists(chroot_target_path))
|
|
||||||
{
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
if(std::filesystem::is_regular_file(path))
|
|
||||||
{
|
|
||||||
std::fstream f1;
|
|
||||||
f1.open(chroot_target_path, std::ios::out);
|
|
||||||
f1.close();
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
std::error_code ec;
|
|
||||||
//TODO: fails if the stuff already exists, but it shouldn't according to doc?
|
|
||||||
if(!std::filesystem::create_directories(chroot_target_path, ec))
|
|
||||||
{
|
|
||||||
Logger::error() << "Error while trying to duplicate structure for sandbox. Dir creation failed. Path: " << chroot_target_path << " Error: " << ec.message();
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(mount(path.c_str(), chroot_target_path.c_str(), NULL, MS_BIND, NULL) == -1)
|
|
||||||
{
|
|
||||||
Logger::error() << "Bind mount for " << path << " -> " << chroot_target_path << " failed! " << strerror(errno);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
bool SandboxLinux::isolateNamespaces(std::vector<std::string> fsPaths)
|
|
||||||
{
|
|
||||||
std::sort(fsPaths.begin(), fsPaths.end(), [](const std::string &a, const std::string &b){ return a.length() < b.length(); });
|
|
||||||
|
|
||||||
auto current_uid = getuid();
|
|
||||||
auto current_gid = getgid();
|
|
||||||
if(unshare(CLONE_NEWUSER) == -1)
|
|
||||||
{
|
|
||||||
Logger::error() << "Failed to unshare user namespace: " << strerror(errno);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
std::fstream setgroups;
|
|
||||||
setgroups.open("/proc/self/setgroups", std::ios::out | std::ios::app);
|
|
||||||
setgroups << "deny";
|
|
||||||
setgroups.flush();
|
|
||||||
setgroups.close();
|
|
||||||
|
|
||||||
std::fstream uid_map;
|
|
||||||
uid_map.open("/proc/self/uid_map", std::ios::out | std::ios::app);
|
|
||||||
uid_map << "0 " << current_uid << " 1\n";
|
|
||||||
uid_map.flush();
|
|
||||||
uid_map.close();
|
|
||||||
|
|
||||||
std::fstream gid_map;
|
|
||||||
gid_map.open("/proc/self/gid_map", std::ios::out);
|
|
||||||
uid_map << "0 " << current_gid << " 1\n";
|
|
||||||
gid_map.flush();
|
|
||||||
gid_map.close();
|
|
||||||
|
|
||||||
if(unshare(CLONE_NEWNS) == -1)
|
|
||||||
{
|
|
||||||
Logger::error() << "Failed to unshare mount namespace: " << strerror(errno);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* TODO: breaks server.
|
|
||||||
* TODO: fork?
|
|
||||||
* if(unshare(CLONE_NEWPID) == -1)
|
|
||||||
{
|
|
||||||
Logger::error() << "Failed to unshare pid namespace: " << strerror(errno);
|
|
||||||
return false;
|
|
||||||
}*/
|
|
||||||
|
|
||||||
|
|
||||||
//The purpose is to start with a clean sandbox dir.
|
|
||||||
//We maybe could work with mkdirat, and check whether it exists alrady, to avoid
|
|
||||||
//some attacks where an attacker gueses the dir, but in that case the system is already compromised
|
|
||||||
//TODO: still, check, whether this is something we must consider here or not...
|
|
||||||
Random random;
|
|
||||||
std::string rootpath = "/tmp/qswiki_sandbox_" + random.getRandomHexString(10) + "/";
|
|
||||||
if(!std::filesystem::create_directory(rootpath))
|
|
||||||
{
|
|
||||||
Logger::error() << "Failed to create chroot directory for sandbox";
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
if(!bindMountPaths(rootpath, fsPaths ))
|
|
||||||
{
|
|
||||||
Logger::error() << "Bind mounting paths failed!";
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if(chroot(rootpath.c_str()) == -1)
|
|
||||||
{
|
|
||||||
Logger::error() << "chroot to sandbox failed!";
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
if(chdir("/") == -1)
|
|
||||||
{
|
|
||||||
Logger::error() << "chdir to sandbox failed!";
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
bool SandboxLinux::enableForInit()
|
bool SandboxLinux::enableForInit()
|
||||||
{
|
{
|
||||||
umask(0027);
|
umask(0027);
|
||||||
|
struct qssb_policy policy = {0};
|
||||||
//TODO. there is execv for SPARC. Sigh...
|
int blacklisted_syscalls[] = {QSSB_SYS(execveat), QSSB_SYS(execve), -1};
|
||||||
if(!seccomp_blacklist({ SCMP_SYS(execveat), SCMP_SYS(execve) }))
|
policy.blacklisted_syscalls = blacklisted_syscalls;
|
||||||
|
policy.no_new_privs = 1;
|
||||||
|
int result = qssb_enable_policy(&policy);
|
||||||
|
if(result != 0)
|
||||||
{
|
{
|
||||||
Logger::error() << "Failed to install blacklisting seccomp filter";
|
Logger::error() << "Failed to install sandboxing policy (init): " << result;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
bool SandboxLinux::enablePreWorker(std::vector<std::string> fsPaths)
|
bool SandboxLinux::enablePreWorker(std::vector<std::string> fsPaths)
|
||||||
{
|
{
|
||||||
if(!isolateNamespaces(fsPaths))
|
std::sort(fsPaths.begin(), fsPaths.end(),
|
||||||
|
[](const std::string &a, const std::string &b) { return a.length() < b.length(); });
|
||||||
|
|
||||||
|
struct qssb_path_policy *policies = new qssb_path_policy[fsPaths.size()];
|
||||||
|
for(unsigned int i = 0; i < fsPaths.size(); i++)
|
||||||
{
|
{
|
||||||
Logger::error() << "Failed to isolate namespaces";
|
policies[i].next = policies + (i + 1);
|
||||||
|
policies[i].mountpoint = fsPaths[i].c_str();
|
||||||
|
policies[i].policy = QSSB_MOUNT_ALLOW_READ | QSSB_MOUNT_ALLOW_WRITE;
|
||||||
|
}
|
||||||
|
policies[fsPaths.size() - 1].next = NULL;
|
||||||
|
|
||||||
|
struct qssb_policy policy = {0};
|
||||||
|
policy.path_policies = policies;
|
||||||
|
policy.namespace_options |= QSSB_UNSHARE_MOUNT;
|
||||||
|
policy.namespace_options |= QSSB_UNSHARE_USER;
|
||||||
|
int blacklisted_syscalls[] = {QSSB_SYS(execveat), QSSB_SYS(execve), -1};
|
||||||
|
policy.blacklisted_syscalls = blacklisted_syscalls;
|
||||||
|
int result = qssb_enable_policy(&policy);
|
||||||
|
if(result != 0)
|
||||||
|
{
|
||||||
|
Logger::error() << "Failed to install sandboxing policy (preworker): %i" << result;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
delete[] policies;
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
bool SandboxLinux::supported()
|
bool SandboxLinux::supported()
|
||||||
@ -208,7 +79,8 @@ bool SandboxLinux::supported()
|
|||||||
stream >> str;
|
stream >> str;
|
||||||
if(str[0] == '0')
|
if(str[0] == '0')
|
||||||
{
|
{
|
||||||
Logger::error() << "Please write '1' to /proc/sys/kernel/unprivileged_userns_clone in order to enable sandboxing support on this system";
|
Logger::error() << "Please write '1' to /proc/sys/kernel/unprivileged_userns_clone in order to enable "
|
||||||
|
"sandboxing support on this system";
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -216,65 +88,26 @@ bool SandboxLinux::supported()
|
|||||||
}
|
}
|
||||||
bool SandboxLinux::enableForWorker()
|
bool SandboxLinux::enableForWorker()
|
||||||
{
|
{
|
||||||
int cap = 0;
|
struct qssb_policy policy = {0};
|
||||||
int res = 0;
|
policy.drop_caps = 1;
|
||||||
while((res = prctl(PR_CAPBSET_DROP, cap++, 0, 0, 0)) == 0);
|
policy.not_dumpable = 1;
|
||||||
if(res == -1 && errno != EINVAL)
|
policy.no_new_privs = 1;
|
||||||
{
|
|
||||||
Logger::error() << "Failed to drop the capability bounding set!";
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
__user_cap_header_struct h = { 0 };
|
|
||||||
h.pid = 0;
|
|
||||||
h.version = _LINUX_CAPABILITY_VERSION_3;
|
|
||||||
__user_cap_data_struct drop[2];
|
|
||||||
drop[0].effective = 0;
|
|
||||||
drop[0].permitted = 0;
|
|
||||||
drop[0].inheritable = 0;
|
|
||||||
drop[1].effective = 0;
|
|
||||||
drop[1].permitted = 0;
|
|
||||||
drop[1].inheritable = 0;
|
|
||||||
if(capset(&h, drop) == -1)
|
|
||||||
{
|
|
||||||
Logger::error() << "Failed to drop capabilities: " << strerror(errno);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
|
/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
|
||||||
* sense that more could be listed here and some critical ones are probably missing */
|
* sense that more could be listed here and some critical ones are probably missing */
|
||||||
if(! seccomp_blacklist({
|
int blacklisted_syscalls[] = {QSSB_SYS(setuid),
|
||||||
SCMP_SYS(setuid),
|
QSSB_SYS(connect),
|
||||||
SCMP_SYS(setuid32),
|
QSSB_SYS(chroot),
|
||||||
SCMP_SYS(connect),
|
QSSB_SYS(pivot_root),
|
||||||
SCMP_SYS(chroot),
|
QSSB_SYS(mount),
|
||||||
SCMP_SYS(pivot_root),
|
QSSB_SYS(setns),
|
||||||
SCMP_SYS(mount),
|
QSSB_SYS(unshare),
|
||||||
SCMP_SYS(setns),
|
QSSB_SYS(ptrace),
|
||||||
SCMP_SYS(unshare),
|
QSSB_SYS(personality),
|
||||||
SCMP_SYS(ptrace),
|
QSSB_SYS(prctl),
|
||||||
SCMP_SYS(personality)
|
-1};
|
||||||
|
policy.blacklisted_syscalls = blacklisted_syscalls;
|
||||||
}))
|
if(qssb_enable_policy(&policy) != 0)
|
||||||
{
|
|
||||||
Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
if(prctl(PR_SET_DUMPABLE, 0) == -1)
|
|
||||||
{
|
|
||||||
Logger::error() << "prctl: PR_SET_DUMPABLE failed";
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
|
|
||||||
{
|
|
||||||
Logger::error() << "prctl: PR_SET_NO_NEW_PRIVS failed: " << strerror(errno);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(! seccomp_blacklist({ SCMP_SYS(prctl) }))
|
|
||||||
{
|
{
|
||||||
Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
|
Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
|
||||||
return false;
|
return false;
|
||||||
@ -282,4 +115,3 @@ bool SandboxLinux::enableForWorker()
|
|||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -11,9 +11,5 @@ public:
|
|||||||
bool enableForInit() override;
|
bool enableForInit() override;
|
||||||
bool enablePreWorker(std::vector<std::string> fsPaths) override;
|
bool enablePreWorker(std::vector<std::string> fsPaths) override;
|
||||||
bool enableForWorker() override;
|
bool enableForWorker() override;
|
||||||
private :
|
|
||||||
bool isolateNamespaces(std::vector<std::string> fsPaths);
|
|
||||||
bool seccomp_blacklist(std::initializer_list<int> syscalls);
|
|
||||||
bool bindMountPaths(std::string target_root, const std::vector<std::string> &paths);
|
|
||||||
};
|
};
|
||||||
#endif
|
#endif
|
||||||
|
@ -6,7 +6,6 @@ class Sandbox
|
|||||||
public:
|
public:
|
||||||
Sandbox()
|
Sandbox()
|
||||||
{
|
{
|
||||||
|
|
||||||
}
|
}
|
||||||
/* Whether the platform has everything required to active all sandbnox modes */
|
/* Whether the platform has everything required to active all sandbnox modes */
|
||||||
virtual bool supported() = 0;
|
virtual bool supported() = 0;
|
||||||
@ -18,7 +17,6 @@ public:
|
|||||||
/* Activated after config has been read. Now we now which paths we need access to */
|
/* Activated after config has been read. Now we now which paths we need access to */
|
||||||
virtual bool enablePreWorker(std::vector<std::string> fsPaths) = 0;
|
virtual bool enablePreWorker(std::vector<std::string> fsPaths) = 0;
|
||||||
|
|
||||||
|
|
||||||
/* Activated after we have acquired resources (bound to ports etc.)
|
/* Activated after we have acquired resources (bound to ports etc.)
|
||||||
*
|
*
|
||||||
* This should allow us to further restrcit the process */
|
* This should allow us to further restrcit the process */
|
||||||
|
@ -1 +1 @@
|
|||||||
Subproject commit 60776be4160fe7e2178b3790cd43a76d412843b6
|
Subproject commit 763c65c3fee87c500b149fab321d0d12eeccedde
|
Loading…
Reference in New Issue
Block a user