mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-03-03 07:29:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Make unveil() improvements (#493)

Browse source 
- Merge the multiple masks to just one.
- Add documentation to for sys_unveil.
- Inline the chomp function in the unveil tool.
This commit is contained in:
Stephen Gregoratto 2022-07-19 01:26:40 +10:00 committed by GitHub
parent e81edf7b04
commit 6598940d8a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 89 additions and 45 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

115
libc/mem/unveil.c
View file

@ -36,43 +36,44 @@
#include "libc/sysv/consts/s.h"
#include "libc/sysv/errfuns.h"
#define UNVEIL_READ \
(LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | \
LANDLOCK_ACCESS_FS_REFER)
#define UNVEIL_WRITE (LANDLOCK_ACCESS_FS_WRITE_FILE)
#define UNVEIL_EXEC (LANDLOCK_ACCESS_FS_EXECUTE)
#define UNVEIL_CREATE \
(LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | \
LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | \
LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
LANDLOCK_ACCESS_FS_MAKE_SYM)
#define FILE_BITS \
(LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE | \
LANDLOCK_ACCESS_FS_EXECUTE)
/*
/**
* Long living state for landlock calls.
* The bits are set at runtime to handle future API additions.
* fs_mask is set to use all the access rights from the latest landlock ABI.
* On init, the current supported abi is checked and unavailable rights are
* masked off.
*
* As of 5.19, the latest abi is v2.
*
* TODO:
* - Documentation for sys_unveil.
* - Integrate with pledge and remove the file access?
* - Stuff state into the .protected section?
*/
_Thread_local static struct {
int abi;
uint64_t fs_mask;
int fd;
uint64_t read;
uint64_t write;
uint64_t exec;
uint64_t create;
} State = {
.abi = 2,
.read = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
LANDLOCK_ACCESS_FS_REFER,
.write = LANDLOCK_ACCESS_FS_WRITE_FILE,
.exec = LANDLOCK_ACCESS_FS_EXECUTE,
.create = LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR |
LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG |
LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO |
LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM,
.fs_mask = UNVEIL_READ | UNVEIL_WRITE | UNVEIL_EXEC | UNVEIL_CREATE,
.fd = 0,
};
static int unveil_final(void) {
int rc;
if (State.fd == -1) return 0;
assert(State.fd > 0);
if (State.fd == -1) return eperm();
if ((rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) != -1 &&
(rc = landlock_restrict_self(State.fd, 0)) != -1 &&
(rc = sys_close(State.fd)) != -1)
@ -89,12 +90,13 @@ static int err_close(int rc, int fd) {
static int unveil_init(void) {
int rc, fd;
if ((rc = landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION)) < 0)
if ((rc = landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION)) < 0) {
if (errno == EOPNOTSUPP) errno = ENOSYS;
return -1;
State.abi = rc;
if (State.abi < 2) State.read &= ~LANDLOCK_ACCESS_FS_REFER;
}
if (rc < 2) State.fs_mask &= ~LANDLOCK_ACCESS_FS_REFER;
const struct landlock_ruleset_attr attr = {
.handled_access_fs = State.read | State.write | State.exec | State.create,
.handled_access_fs = State.fs_mask,
};
if ((rc = landlock_create_ruleset(&attr, sizeof(attr), 0)) < 0) return -1;
// grant file descriptor a higher number that's less likely to interfere
@ -107,26 +109,21 @@ static int unveil_init(void) {
static int sys_unveil_linux(const char *path, const char *permissions) {
int rc;
if (!State.fd && (rc = unveil_init()) == -1) return rc;
if ((path && !permissions) || (!path && permissions)) return einval();
if (!path && !permissions) return unveil_final();
struct landlock_path_beneath_attr pb = {0};
for (const char *c = permissions; *c != '\0'; c++) {
switch (*c) {
case 'r':
pb.allowed_access |= State.read;
break;
case 'w':
pb.allowed_access |= State.write;
break;
case 'x':
pb.allowed_access |= State.exec;
break;
case 'c':
pb.allowed_access |= State.create;
break;
default:
return einval();
// clang-format off
case 'r': pb.allowed_access |= UNVEIL_READ; break;
case 'w': pb.allowed_access |= UNVEIL_WRITE; break;
case 'x': pb.allowed_access |= UNVEIL_EXEC; break;
case 'c': pb.allowed_access |= UNVEIL_CREATE; break;
default: return einval();
// clang-format on
}
}
pb.allowed_access &= State.fs_mask;
if ((rc = sys_open(path, O_PATH | O_CLOEXEC, 0)) == -1) return rc;
pb.parent_fd = rc;
struct stat st;
@ -142,7 +139,49 @@ static int sys_unveil_linux(const char *path, const char *permissions) {
}
/**
* Unveil parts of a restricted filesystem view.
* Restricts filesystem operations, e.g.
*
* unveil("/etc", "r");
*
* Unveiling restricts the visibility of the filesystem to a set of allowed
* paths with specific operations. This system call is supported natively on
* OpenBSD and polyfilled on Linux using the Landlock LSM[1].
*
* On OpenBSD, accessing paths outside of the allowed set raises ENOENT, and
* accessing ones with incorrect permissions raises EACCES. On Linux, both these
* cases raise EACCES.
*
* Using unveil is irreversible. On OpenBSD, the first call immediately enforces
* the filesystem visibilty, and existing paths can only be updated with equal
* or lesser permissions. Filesystem operations that try to access invisible
* paths will raise ENOENT, and operations without the correct permissions raise
* EACCES. Unveiling can be disabled by either passing two NULL arguments or by
* calling pledge() without the "unveil" promise.
*
* Landlock is more permissive than OpenBSD's unveil. Filesystem visibility is
* only enforced after disabling, and path permissions can be increased at any
* time. Finally, both accessing invisible paths or ones with incorrect
* permissions will raise EACCES.
*
* `permissions` is a string consisting of zero or more of the following
* characters:
*
* - 'r' makes `path` available for read-only path operations, corresponding to
* the pledge promise "rpath".
* - `w` makes `path` available for write operations, corresponding to the
* pledge promise "wpath".
* - `x` makes `path` available for execute operations, corresponding to the
* pledge promises "exec" and "execnative".
* - `c` allows `path` to be created and removed, corresponding to the pledge
* promise "cpath".
*
* [1] https://docs.kernel.org/userspace-api/landlock.html
*
* @return 0 on success, or -1 w/ errno
* @raise ENOSYS if host os isn't Linux or OpenBSD
* @raise ENOSYS if Landlock isn't supported on this kernel
* @raise EINVAL if one argument is set and the other is not
* @raise EINVAL if an invalid character in `permissions` was found
*/
int unveil(const char *path, const char *permissions) {
int rc;

19
tool/build/unveil.c
View file

@ -38,9 +38,7 @@ https://justine.lol/pledge/\n\
https://github.com/jart\n\
\n\
this program lets you launch linux commands in a filesystem sandbox\n\
inspired by the design of openbsd's unveil() system call. Visit\n\
the https://justine.lol/pledge/ page for online documentation.\n\
\n\
inspired by the design of openbsd's unveil() system call.\n\
"
wontreturn void usage(void) {
@ -61,7 +59,6 @@ int main(int argc, char *argv[]) {
if (!(IsLinux() || IsOpenbsd()))
errx(1, "this program is only intended for Linux and OpenBSD");
// parse flags
while ((opt = getopt(argc, argv, "h")) != -1) {
switch (opt) {
case 'h':
@ -79,7 +76,13 @@ int main(int argc, char *argv[]) {
while ((len = getline(&line, &size, stdin)) != -1) {
count++;
_chomp(line);
bool chomped = false;
while (!chomped)
if (line[len-1] == '\r' || line[len-1] == '\n')
line[--len] = '\0';
else
chomped = true;
char *tok = line;
const char *p;
@ -98,9 +101,11 @@ int main(int argc, char *argv[]) {
err(1, "unveil(%s, %s)", fields[0], fields[1]);
}
free(line);
if (ferror(stdin)) err(1, "getline");
if (ferror(stdin))
err(1, "getline");
if (unveil(NULL, NULL) == -1) err(1, "unveil disable");
if (unveil(NULL, NULL) == -1)
err(1, "unveil(NULL, NULL)");
__sys_execve(prog, argv + optind, environ);
err(127, "execve");