Sandbox: Remove multiple stages

While interesitng in theory, there is nothing to be gained here,
because we don't really have user input at those early stages.

As we are also not a privileged process, those early stage
sandboxes in the end are not worth it, since they increase
complexity while there is no benefit in practise.

So, reduce those 3 stages to a single one (enable()), which we
activate after CLI server has launched.
This commit is contained in:
Albert S. 2021-10-03 23:46:40 +02:00
parent 257675485d
commit c4072a7e95
5 changed files with 30 additions and 110 deletions

View File

@ -123,29 +123,12 @@ int main(int argc, char **argv)
return 1;
}
std::string configpath = std::filesystem::absolute(configfilepath).string();
if(!sandbox->enableForInit())
{
Logger::error() << "Sandboxing for init mode could not be activated.";
exit(EXIT_FAILURE);
}
try
{
ConfigReader configreader(configpath);
Config config = configreader.readConfig();
// TODO: config.connectiontring only works as long as we only support sqlite of course
if(!sandbox->enablePreWorker({
config.configVarResolver.getConfig("cache_fs_dir"),
config.templatepath,
std::filesystem::path(config.logfile).parent_path(),
std::filesystem::path(config.connectionstring).parent_path(),
}))
{
Logger::error() << "Sandboxing for pre worker stage could not be activated.";
exit(EXIT_FAILURE);
}
setup_signal_handlers();
std::fstream logstream;
@ -162,6 +145,19 @@ int main(int argc, char **argv)
console.startInteractive();
return 0;
}
// TODO: config.connectiontring only works as long as we only support sqlite of course
if(!sandbox->enable({
config.configVarResolver.getConfig("cache_fs_dir"),
config.templatepath,
std::filesystem::path(config.logfile).parent_path(),
std::filesystem::path(config.connectionstring).parent_path(),
}))
{
Logger::error() << "Sandboxing for worker could not be enabled!";
exit(EXIT_FAILURE);
}
CLIServer cliServer{cliHandler};
if(!cliServer.detachServer(socketPath))
{
@ -195,11 +191,6 @@ int main(int argc, char **argv)
auto interface = createGateway(config);
if(!sandbox->enableForWorker())
{
Logger::error() << "Sandboxing for worker could not be enabled!";
exit(EXIT_FAILURE);
}
interface->work(requestWorker);
}
catch(const std::exception &e)

View File

@ -23,68 +23,6 @@
* obvious systemcalls. To whitelist, we need to analyse our
* dependencies (http library, sqlite wrapper, sqlite lib etc.) */
bool SandboxLinux::enableForInit()
{
umask(0027);
struct qssb_policy *policy = qssb_init_policy();
if(policy == NULL)
{
Logger::error() << "Failed to init sandboxing policy (init)";
return false;
}
policy->namespace_options = QSSB_UNSHARE_USER;
policy->drop_caps = 0;
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execveat));
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execve));
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
int result = qssb_enable_policy(policy);
if(result != 0)
{
Logger::error() << "Failed to enable sandboxing policy (init): " << result;
qssb_free_policy(policy);
return false;
}
qssb_free_policy(policy);
return true;
}
bool SandboxLinux::enablePreWorker(std::vector<std::string> fsPaths)
{
std::sort(fsPaths.begin(), fsPaths.end(),
[](const std::string &a, const std::string &b) { return a.length() < b.length(); });
struct qssb_policy *policy = qssb_init_policy();
if(policy == NULL)
{
Logger::error() << "Failed to init sandboxing policy (pre)";
return false;
}
for(unsigned int i = 0; i < fsPaths.size(); i++)
{
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_WRITE, fsPaths[i].c_str());
}
policy->namespace_options = QSSB_UNSHARE_MOUNT;
policy->drop_caps = 0;
policy->mount_path_policies_to_chroot = 1;
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execveat));
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execve));
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
int result = qssb_enable_policy(policy);
if(result != 0)
{
Logger::error() << "Failed to install sandboxing policy (preworker): %i" << result;
qssb_free_policy(policy);
return false;
}
qssb_free_policy(policy);
return true;
}
bool SandboxLinux::supported()
{
std::fstream stream;
@ -102,27 +40,33 @@ bool SandboxLinux::supported()
}
return true;
}
bool SandboxLinux::enableForWorker()
bool SandboxLinux::enable(std::vector<std::string> fsPaths)
{
std::sort(fsPaths.begin(), fsPaths.end(),
[](const std::string &a, const std::string &b) { return a.length() < b.length(); });
struct qssb_policy *policy = qssb_init_policy();
if(policy == NULL)
{
Logger::error() << "Failed to init sandboxing policy (worker) ";
return false;
}
for(unsigned int i = 0; i < fsPaths.size(); i++)
{
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_WRITE, fsPaths[i].c_str());
}
policy->drop_caps = 1;
policy->not_dumpable = 1;
policy->no_new_privs = 1;
policy->namespace_options = 0;
policy->mount_path_policies_to_chroot = 1;
/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
* sense that more could be listed here and some critical ones are probably missing */
/* TODO: use qssb groups */
long blacklisted_syscalls[] = {QSSB_SYS(setuid), QSSB_SYS(connect), QSSB_SYS(chroot), QSSB_SYS(pivot_root),
QSSB_SYS(mount), QSSB_SYS(setns), QSSB_SYS(unshare), QSSB_SYS(ptrace),
QSSB_SYS(personality), QSSB_SYS(prctl)};
QSSB_SYS(personality), QSSB_SYS(prctl), QSSB_SYS(execveat), QSSB_SYS(execve),
QSSB_SYS(fork)};
qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, blacklisted_syscalls,
sizeof(blacklisted_syscalls) / sizeof(blacklisted_syscalls[0]));
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);

View File

@ -8,8 +8,6 @@ class SandboxLinux : public Sandbox
public:
using Sandbox::Sandbox;
bool supported() override;
bool enableForInit() override;
bool enablePreWorker(std::vector<std::string> fsPaths) override;
bool enableForWorker() override;
bool enable(std::vector<std::string> fsPaths) override;
};
#endif

View File

@ -6,10 +6,6 @@ class SandboxOpenBSD : public Sandbox
{
public:
bool supported() override;
bool enableForInit() override;
bool enableForWorker() override;
private:
bool seccomp_blacklist(std::vector<int> syscalls);
bool enable(std::vector<std::string> fsPaths) override;
};
#endif

View File

@ -10,16 +10,7 @@ class Sandbox
/* Whether the platform has everything required to active all sandbnox modes */
virtual bool supported() = 0;
/* Activated early. At this point, we need more system calls
* than later on */
virtual bool enableForInit() = 0;
/* Activated after config has been read. Now we now which paths we need access to */
virtual bool enablePreWorker(std::vector<std::string> fsPaths) = 0;
/* Activated after we have acquired resources (bound to ports etc.)
*
* This should allow us to further restrcit the process */
virtual bool enableForWorker() = 0;
/* Activated after we have acquired resources (bound to ports etc.)*/
virtual bool enable(std::vector<std::string> fsPaths) = 0;
};
#endif