Sandbox: Remove multiple stages
While interesitng in theory, there is nothing to be gained here, because we don't really have user input at those early stages. As we are also not a privileged process, those early stage sandboxes in the end are not worth it, since they increase complexity while there is no benefit in practise. So, reduce those 3 stages to a single one (enable()), which we activate after CLI server has launched.
Tá an tiomantas seo le fáil i:
@ -23,68 +23,6 @@
|
||||
* obvious systemcalls. To whitelist, we need to analyse our
|
||||
* dependencies (http library, sqlite wrapper, sqlite lib etc.) */
|
||||
|
||||
bool SandboxLinux::enableForInit()
|
||||
{
|
||||
umask(0027);
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
if(policy == NULL)
|
||||
{
|
||||
Logger::error() << "Failed to init sandboxing policy (init)";
|
||||
return false;
|
||||
}
|
||||
policy->namespace_options = QSSB_UNSHARE_USER;
|
||||
policy->drop_caps = 0;
|
||||
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execveat));
|
||||
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execve));
|
||||
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
|
||||
|
||||
int result = qssb_enable_policy(policy);
|
||||
if(result != 0)
|
||||
{
|
||||
Logger::error() << "Failed to enable sandboxing policy (init): " << result;
|
||||
qssb_free_policy(policy);
|
||||
return false;
|
||||
}
|
||||
qssb_free_policy(policy);
|
||||
return true;
|
||||
}
|
||||
|
||||
bool SandboxLinux::enablePreWorker(std::vector<std::string> fsPaths)
|
||||
{
|
||||
std::sort(fsPaths.begin(), fsPaths.end(),
|
||||
[](const std::string &a, const std::string &b) { return a.length() < b.length(); });
|
||||
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
if(policy == NULL)
|
||||
{
|
||||
Logger::error() << "Failed to init sandboxing policy (pre)";
|
||||
return false;
|
||||
}
|
||||
|
||||
for(unsigned int i = 0; i < fsPaths.size(); i++)
|
||||
{
|
||||
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_WRITE, fsPaths[i].c_str());
|
||||
}
|
||||
|
||||
policy->namespace_options = QSSB_UNSHARE_MOUNT;
|
||||
policy->drop_caps = 0;
|
||||
policy->mount_path_policies_to_chroot = 1;
|
||||
|
||||
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execveat));
|
||||
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execve));
|
||||
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
|
||||
|
||||
int result = qssb_enable_policy(policy);
|
||||
if(result != 0)
|
||||
{
|
||||
Logger::error() << "Failed to install sandboxing policy (preworker): %i" << result;
|
||||
qssb_free_policy(policy);
|
||||
return false;
|
||||
}
|
||||
qssb_free_policy(policy);
|
||||
return true;
|
||||
}
|
||||
|
||||
bool SandboxLinux::supported()
|
||||
{
|
||||
std::fstream stream;
|
||||
@ -102,27 +40,33 @@ bool SandboxLinux::supported()
|
||||
}
|
||||
return true;
|
||||
}
|
||||
bool SandboxLinux::enableForWorker()
|
||||
bool SandboxLinux::enable(std::vector<std::string> fsPaths)
|
||||
{
|
||||
std::sort(fsPaths.begin(), fsPaths.end(),
|
||||
[](const std::string &a, const std::string &b) { return a.length() < b.length(); });
|
||||
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
if(policy == NULL)
|
||||
{
|
||||
Logger::error() << "Failed to init sandboxing policy (worker) ";
|
||||
return false;
|
||||
}
|
||||
for(unsigned int i = 0; i < fsPaths.size(); i++)
|
||||
{
|
||||
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_WRITE, fsPaths[i].c_str());
|
||||
}
|
||||
policy->drop_caps = 1;
|
||||
policy->not_dumpable = 1;
|
||||
policy->no_new_privs = 1;
|
||||
policy->namespace_options = 0;
|
||||
|
||||
policy->mount_path_policies_to_chroot = 1;
|
||||
/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
|
||||
* sense that more could be listed here and some critical ones are probably missing */
|
||||
|
||||
/* TODO: use qssb groups */
|
||||
long blacklisted_syscalls[] = {QSSB_SYS(setuid), QSSB_SYS(connect), QSSB_SYS(chroot), QSSB_SYS(pivot_root),
|
||||
QSSB_SYS(mount), QSSB_SYS(setns), QSSB_SYS(unshare), QSSB_SYS(ptrace),
|
||||
QSSB_SYS(personality), QSSB_SYS(prctl)};
|
||||
|
||||
long blacklisted_syscalls[] = {QSSB_SYS(setuid), QSSB_SYS(connect), QSSB_SYS(chroot), QSSB_SYS(pivot_root),
|
||||
QSSB_SYS(mount), QSSB_SYS(setns), QSSB_SYS(unshare), QSSB_SYS(ptrace),
|
||||
QSSB_SYS(personality), QSSB_SYS(prctl), QSSB_SYS(execveat), QSSB_SYS(execve),
|
||||
QSSB_SYS(fork)};
|
||||
qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, blacklisted_syscalls,
|
||||
sizeof(blacklisted_syscalls) / sizeof(blacklisted_syscalls[0]));
|
||||
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
|
||||
|
||||
Tagairt in Eagrán Nua
Cuir bac ar úsáideoir