Add pledge.com for launching commands in a sandbox
parent
12d9f7ade6
commit
1d490fcb94
8 changed files with 308 additions and 297 deletions
|
@ -1,217 +0,0 @@
|
|||
/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
|
||||
│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi│
|
||||
╞══════════════════════════════════════════════════════════════════════════════╡
|
||||
│ Copyright 2022 Justine Alexandra Roberts Tunney │
|
||||
│ │
|
||||
│ Permission to use, copy, modify, and/or distribute this software for │
|
||||
│ any purpose with or without fee is hereby granted, provided that the │
|
||||
│ above copyright notice and this permission notice appear in all copies. │
|
||||
│ │
|
||||
│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │
|
||||
│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │
|
||||
│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │
|
||||
│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │
|
||||
│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │
|
||||
│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │
|
||||
│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │
|
||||
│ PERFORMANCE OF THIS SOFTWARE. │
|
||||
╚─────────────────────────────────────────────────────────────────────────────*/
|
||||
#include "libc/calls/calls.h"
|
||||
#include "libc/calls/struct/filter.h"
|
||||
#include "libc/calls/struct/sigaction.h"
|
||||
#include "libc/calls/struct/siginfo.h"
|
||||
#include "libc/calls/struct/sigset.h"
|
||||
#include "libc/calls/struct/user_regs_struct.h"
|
||||
#include "libc/calls/ucontext.h"
|
||||
#include "libc/dce.h"
|
||||
#include "libc/errno.h"
|
||||
#include "libc/intrin/kprintf.h"
|
||||
#include "libc/log/check.h"
|
||||
#include "libc/log/log.h"
|
||||
#include "libc/runtime/runtime.h"
|
||||
#include "libc/sysv/consts/pr.h"
|
||||
#include "libc/sysv/consts/ptrace.h"
|
||||
#include "libc/sysv/consts/sa.h"
|
||||
#include "libc/sysv/consts/sig.h"
|
||||
#include "tool/net/sandbox.h"
|
||||
|
||||
#define __WALL 0x40000000
|
||||
|
||||
static const struct sock_filter kSandboxFilter[] = {
|
||||
_SECCOMP_MACHINE(AUDIT_ARCH_X86_64), //
|
||||
_SECCOMP_LOAD_SYSCALL_NR(), //
|
||||
_SECCOMP_ALLOW_SYSCALL(0x000), // read
|
||||
_SECCOMP_ALLOW_SYSCALL(0x001), // write
|
||||
_SECCOMP_ALLOW_SYSCALL(0x013), // readv
|
||||
_SECCOMP_ALLOW_SYSCALL(0x014), // writev
|
||||
_SECCOMP_ALLOW_SYSCALL(0x005), // fstat
|
||||
_SECCOMP_ALLOW_SYSCALL(0x007), // poll
|
||||
_SECCOMP_ALLOW_SYSCALL(0x008), // lseek
|
||||
_SECCOMP_ALLOW_SYSCALL(0x009), // mmap
|
||||
_SECCOMP_ALLOW_SYSCALL(0x00b), // munmap
|
||||
_SECCOMP_ALLOW_SYSCALL(0x04f), // getcwd
|
||||
_SECCOMP_ALLOW_SYSCALL(0x003), // close
|
||||
_SECCOMP_ALLOW_SYSCALL(0x010), // ioctl todo
|
||||
_SECCOMP_ALLOW_SYSCALL(0x016), // pipe
|
||||
_SECCOMP_ALLOW_SYSCALL(0x125), // pipe2
|
||||
_SECCOMP_ALLOW_SYSCALL(0x035), // socketpair
|
||||
_SECCOMP_ALLOW_SYSCALL(0x020), // dup
|
||||
_SECCOMP_ALLOW_SYSCALL(0x021), // dup2
|
||||
_SECCOMP_ALLOW_SYSCALL(0x124), // dup3
|
||||
_SECCOMP_ALLOW_SYSCALL(0x039), // fork
|
||||
_SECCOMP_ALLOW_SYSCALL(0x03a), // vfork
|
||||
_SECCOMP_ALLOW_SYSCALL(0x011), // pread
|
||||
_SECCOMP_ALLOW_SYSCALL(0x012), // pwrite
|
||||
_SECCOMP_ALLOW_SYSCALL(0x127), // preadv
|
||||
_SECCOMP_ALLOW_SYSCALL(0x128), // pwritev
|
||||
_SECCOMP_ALLOW_SYSCALL(0x0d9), // getdents
|
||||
_SECCOMP_ALLOW_SYSCALL(0x027), // getpid
|
||||
_SECCOMP_ALLOW_SYSCALL(0x066), // getuid
|
||||
_SECCOMP_ALLOW_SYSCALL(0x068), // getgid
|
||||
_SECCOMP_ALLOW_SYSCALL(0x06e), // getppid
|
||||
_SECCOMP_ALLOW_SYSCALL(0x06f), // getpgrp
|
||||
_SECCOMP_ALLOW_SYSCALL(0x07c), // getsid
|
||||
_SECCOMP_ALLOW_SYSCALL(0x06b), // geteuid
|
||||
_SECCOMP_ALLOW_SYSCALL(0x06c), // getegid
|
||||
_SECCOMP_ALLOW_SYSCALL(0x061), // getrlimit
|
||||
_SECCOMP_ALLOW_SYSCALL(0x028), // sendfile
|
||||
_SECCOMP_ALLOW_SYSCALL(0x02d), // recvfrom
|
||||
_SECCOMP_ALLOW_SYSCALL(0x033), // getsockname
|
||||
_SECCOMP_ALLOW_SYSCALL(0x034), // getpeername
|
||||
_SECCOMP_ALLOW_SYSCALL(0x00f), // rt_sigreturn
|
||||
_SECCOMP_ALLOW_SYSCALL(0x082), // rt_sigsuspend
|
||||
_SECCOMP_ALLOW_SYSCALL(0x0e4), // clock_gettime
|
||||
_SECCOMP_ALLOW_SYSCALL(0x060), // gettimeofday
|
||||
_SECCOMP_ALLOW_SYSCALL(0x03f), // uname
|
||||
_SECCOMP_ALLOW_SYSCALL(0x03c), // exit
|
||||
_SECCOMP_ALLOW_SYSCALL(0x0e7), // exit_group
|
||||
_SECCOMP_TRACE_SYSCALL(0x03e, 0), // kill
|
||||
_SECCOMP_TRACE_SYSCALL(0x101, 0), // openat
|
||||
_SECCOMP_TRACE_SYSCALL(0x106, 0), // newfstatat
|
||||
_SECCOMP_TRACE_SYSCALL(0x029, 0), // socket
|
||||
_SECCOMP_TRACE_SYSCALL(0x031, 0), // bind
|
||||
_SECCOMP_TRACE_SYSCALL(0x02a, 0), // connect
|
||||
_SECCOMP_TRACE_SYSCALL(0x02c, 0), // sendto
|
||||
_SECCOMP_TRACE_SYSCALL(0x036, 0), // setsockopt
|
||||
_SECCOMP_TRACE_SYSCALL(0x048, 0), // fcntl
|
||||
_SECCOMP_TRACE_SYSCALL(0x03b, 0), // execve
|
||||
_SECCOMP_TRACE_SYSCALL(0x102, 0), // mkdirat
|
||||
_SECCOMP_TRACE_SYSCALL(0x104, 0), // chownat
|
||||
_SECCOMP_TRACE_SYSCALL(0x107, 0), // unlinkat
|
||||
_SECCOMP_TRACE_SYSCALL(0x108, 0), // renameat
|
||||
_SECCOMP_TRACE_SYSCALL(0x109, 0), // linkat
|
||||
_SECCOMP_TRACE_SYSCALL(0x10a, 0), // symlinkat
|
||||
_SECCOMP_TRACE_SYSCALL(0x10b, 0), // readlinkat
|
||||
_SECCOMP_TRACE_SYSCALL(0x10c, 0), // fchmodat
|
||||
_SECCOMP_TRACE_SYSCALL(0x10d, 0), // faccessat
|
||||
_SECCOMP_TRACE_SYSCALL(0x0eb, 0), // utimes
|
||||
_SECCOMP_TRACE_SYSCALL(0x105, 0), // futimesat
|
||||
_SECCOMP_TRACE_SYSCALL(0x118, 0), // utimensat
|
||||
_SECCOMP_LOG_AND_RETURN_ERRNO(1), // EPERM
|
||||
};
|
||||
|
||||
static const struct sock_fprog kSandbox = {
|
||||
.len = ARRAYLEN(kSandboxFilter),
|
||||
.filter = kSandboxFilter,
|
||||
};
|
||||
|
||||
void OnSys(int sig, siginfo_t *si, ucontext_t *ctx) {
|
||||
kprintf("Got SIGSYS%n");
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
sigset_t mask, origmask;
|
||||
struct user_regs_struct regs;
|
||||
int child, evpid, signal, wstatus;
|
||||
|
||||
if (!IsLinux()) {
|
||||
kprintf("error: %s is only supported on linux right now%n", argv[0]);
|
||||
return 1;
|
||||
}
|
||||
if (argc < 2) {
|
||||
kprintf("Usage: %s PROGRAM [ARGS...]%n", argv[0]);
|
||||
return 1;
|
||||
}
|
||||
/* ShowCrashReports(); */
|
||||
|
||||
sigaction(SIGINT, &(struct sigaction){.sa_handler = SIG_IGN}, 0);
|
||||
sigaction(SIGQUIT, &(struct sigaction){.sa_handler = SIG_IGN}, 0);
|
||||
sigaction(SIGSYS,
|
||||
&((struct sigaction){
|
||||
.sa_sigaction = OnSys,
|
||||
.sa_flags = SA_SIGINFO,
|
||||
}),
|
||||
0);
|
||||
|
||||
sigemptyset(&mask);
|
||||
sigaddset(&mask, SIGCHLD);
|
||||
sigprocmask(SIG_BLOCK, &mask, &origmask);
|
||||
|
||||
CHECK_NE(-1, (child = fork()));
|
||||
if (!child) {
|
||||
sigaction(SIGINT, &(struct sigaction){.sa_handler = SIG_DFL}, 0);
|
||||
sigaction(SIGQUIT, &(struct sigaction){.sa_handler = SIG_DFL}, 0);
|
||||
kprintf("CHILD ptrace(PTRACE_TRACEME)%n");
|
||||
if (ptrace(PTRACE_TRACEME) == -1) {
|
||||
kprintf("CHILD ptrace(PTRACE_TRACEME) failed %m%n");
|
||||
_Exit(124);
|
||||
}
|
||||
kprintf("CHILD prctl(PR_SET_NO_NEW_PRIVS)%n");
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
|
||||
kprintf("CHILD prctl(PR_SET_NO_NEW_PRIVS) failed %m%n");
|
||||
_Exit(125);
|
||||
}
|
||||
kprintf("CHILD prctl(PR_SET_SECCOMP)%n");
|
||||
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &kSandbox) == -1) {
|
||||
kprintf("CHILD prctl(PR_SET_SECCOMP) failed %m%n");
|
||||
_Exit(126);
|
||||
}
|
||||
kprintf("CHILD sigsuspend()%n");
|
||||
if (sigsuspend(0) == -1) {
|
||||
kprintf("CHILD sigsuspend() failed %m%n");
|
||||
}
|
||||
sigaction(SIGSYS, &(struct sigaction){.sa_handler = SIG_DFL}, 0);
|
||||
sigprocmask(SIG_SETMASK, &origmask, 0);
|
||||
execv(argv[1], argv + 1);
|
||||
kprintf("CHILD execve(%#s) failed %m%n", argv[1]);
|
||||
_Exit(127);
|
||||
}
|
||||
|
||||
// wait for ptrace(PTRACE_TRACEME) to be called
|
||||
kprintf("PARENT waitpid(child, &wstatus)%n");
|
||||
CHECK_EQ(child, waitpid(child, &wstatus, 0));
|
||||
|
||||
// configure linux process tracing
|
||||
kprintf("PARENT ptrace(PTRACE_SETOPTIONS)%n");
|
||||
CHECK_NE(-1, ptrace(PTRACE_SETOPTIONS, child, 0, PTRACE_O_TRACESECCOMP));
|
||||
|
||||
// continue child process
|
||||
kprintf("PARENT ptrace(PTRACE_CONT)%n");
|
||||
CHECK_NE(-1, ptrace(PTRACE_CONT, child, 0, 0));
|
||||
|
||||
kprintf("PARENT kill(child, SIGSYS)%n");
|
||||
kill(child, SIGSYS);
|
||||
|
||||
for (;;) {
|
||||
kprintf("PARENT waitpid()%n");
|
||||
CHECK_NE(-1, (evpid = waitpid(-1, &wstatus, __WALL)));
|
||||
if (WIFSTOPPED(wstatus)) {
|
||||
signal = (wstatus >> 8) & 0xffff;
|
||||
if (signal == SIGTRAP | PTRACE_EVENT_SECCOMP) {
|
||||
// CHECK_NE(-1, ptrace(PTRACE_GETEVENTMSG, evpid, 0, &msg));
|
||||
CHECK_NE(-1, ptrace(PTRACE_GETREGS, evpid, 0, regs));
|
||||
regs.rax = -EPERM;
|
||||
CHECK_NE(-1, ptrace(PTRACE_GETREGS, evpid, 0, regs));
|
||||
ptrace(PTRACE_CONT, evpid, 0, 0);
|
||||
} else {
|
||||
ptrace(PTRACE_CONT, evpid, 0, signal & 127);
|
||||
}
|
||||
} else if (WIFEXITED(wstatus)) {
|
||||
exit(WEXITSTATUS(wstatus));
|
||||
} else {
|
||||
exit(128 + WTERMSIG(wstatus));
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
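--- a/tool/build/pledge.c
+++ b/tool/build/pledge.c
@@ -0,0 +1,136 @@
+/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
+│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi│
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ Copyright 2022 Justine Alexandra Roberts Tunney │
+│ │
+│ Permission to use, copy, modify, and/or distribute this software for │
+│ any purpose with or without fee is hereby granted, provided that the │
+│ above copyright notice and this permission notice appear in all copies. │
+│ │
+│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │
+│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │
+│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │
+│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │
+│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │
+│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │
+│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │
+│ PERFORMANCE OF THIS SOFTWARE. │
+╚─────────────────────────────────────────────────────────────────────────────*/
+#include "libc/calls/calls.h"
+#include "libc/errno.h"
+#include "libc/fmt/conv.h"
+#include "libc/intrin/kprintf.h"
+#include "libc/runtime/runtime.h"
+#include "libc/stdio/stdio.h"
+#include "libc/str/str.h"
+#include "third_party/getopt/getopt.h"
+
+// options used: hpugc
+// letters not used: ABCDEFGHIJKLMNOPQRSTUVWXYZabdefijklmnoqrstvwxyz
+// digits not used: 0123456789
+// puncts not used: !"#$%&'()*+,-./;<=>@[\]^_`{|}~
+// letters duplicated: none
+#define GETOPTS "hp:u:g:c:"
+
+#define USAGE \
+"\
+usage: pledge.com [-h] PROG ARGS...\n\
+-h show help\n\
+-g GID call setgid()\n\
+-u UID call setuid()\n\
+-c PATH call chroot()\n\
+-p PLEDGE may contain any of following separated by spaces\n\
+- stdio: allow stdio and benign system calls\n\
+- rpath: read-only path ops\n\
+- wpath: write path ops\n\
+- cpath: create path ops\n\
+- dpath: create special files\n\
+- flock: file locks\n\
+- tty: terminal ioctls\n\
+- recvfd: allow SCM_RIGHTS\n\
+- fattr: allow changing some struct stat bits\n\
+- inet: allow IPv4 and IPv6\n\
+- unix: allow local sockets\n\
+- dns: allow dns\n\
+- proc: allow fork, clone and friends\n\
+- thread: allow clone\n\
+- id: allow setuid and friends\n\
+- exec: allow executing ape binaries\n\
+"
+
+int g_gflag;
+int g_uflag;
+int g_hflag;
+const char *g_pflag;
+const char *g_cflag;
+
+static void GetOpts(int argc, char *argv[]) {
+int opt;
+g_pflag = "";
+while ((opt = getopt(argc, argv, GETOPTS)) != -1) {
+switch (opt) {
+case 'p':
+g_pflag = optarg;
+break;
+case 'c':
+g_cflag = optarg;
+break;
+case 'g':
+g_gflag = atoi(optarg);
+break;
+case 'u':
+g_uflag = atoi(optarg);
+break;
+case 'h':
+case '?':
+write(1, USAGE, sizeof(USAGE) - 1);
+exit(0);
+default:
+write(2, USAGE, sizeof(USAGE) - 1);
+exit(64);
+}
+}
+}
+
+const char *prog;
+char pledges[1024];
+char pathbuf[PATH_MAX];
+
+int main(int argc, char *argv[]) {
+GetOpts(argc, argv);
+if (optind == argc) {
+kprintf("error: too few args\n", g_pflag);
+write(2, USAGE, sizeof(USAGE) - 1);
+exit(64);
+}
+if (g_cflag) {
+if (chroot(g_cflag) == -1) {
+kprintf("error: chroot(%`'s) failed: %s\n", g_cflag, strerror(errno));
+return 1;
+}
+}
+if (!(prog = commandv(argv[optind], pathbuf, sizeof(pathbuf)))) {
+kprintf("error: command not found: %s\n", argv[optind]);
+return 2;
+}
+if (g_gflag) {
+if (setgid(g_gflag) == -1) {
+kprintf("error: setgid(%d) failed: %s\n", g_gflag, strerror(errno));
+return 3;
+}
+}
+if (g_uflag) {
+if (setuid(g_uflag) == -1) {
+kprintf("error: setuid(%d) failed: %s\n", g_uflag, strerror(errno));
+return 4;
+}
+}
+ksnprintf(pledges, sizeof(pledges), "%s execnative", g_pflag);
+if (pledge(pledges, 0) == -1) {
+kprintf("error: pledge(%`'s) failed: %s\n", pledges, strerror(errno));
+return 5;
+}
+execv(prog, argv + optind);
+kprintf("error: execve(%`'s) failed: %s\n", prog, strerror(errno));
+return 127;
+}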
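Review bot: The `-c` path in main() calls chroot() but never chdir("/") afterwards, so the process presumably keeps a working directory that lies outside the new root and relative paths (including the PROG lookup done by commandv() right after) can still resolve against the host tree; change the condition to `if (chroot(g_cflag) == -1 || chdir("/") == -1) {` and name both calls in the error message below it. GetOpts() converts `-u` and `-g` with atoi() and main() only applies them when non-zero, so an unparsable value or an explicit `-u 0` silently skips the privilege drop instead of failing; strtol() with end-pointer and errno checking plus a separate "flag was given" boolean would make both cases explicit. `kprintf("error: too few args\n", g_pflag);` passes an argument that the format never consumes; drop `g_pflag` from that call. The order setgid() before setuid() is correct as written, but nothing clears supplementary groups, which is worth a comment if that is intended.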
|
@ -765,7 +765,7 @@ FUNCTIONS
|
|||
|
||||
If the raw length of a table is reported as zero, then we
|
||||
check for the magic element `[0]=false`. If it's present, then
|
||||
your table will be serialized as empty array `[]`. That entry
|
||||
your table will be serialized as empty array `[]`. An entry is
|
||||
inserted by DecodeJson() automatically, only when encountering
|
||||
empty arrays, and it's necessary in order to make empty arrays
|
||||
round-trip. If raw length is zero and `[0]=false` is absent,
|
||||
|
|