mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-01-31 11:37:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
cosmopolitan/tool/build/jail.c
Justine Tunney c39d6111f2 Improve redbean ctrl-c handling
2022-04-21 15:24:44 -07:00

218 lines
9.3 KiB
C
Raw Blame History

/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi│
╞══════════════════════════════════════════════════════════════════════════════╡
│ Copyright 2022 Justine Alexandra Roberts Tunney │
│ │
│ Permission to use, copy, modify, and/or distribute this software for │
│ any purpose with or without fee is hereby granted, provided that the │
│ above copyright notice and this permission notice appear in all copies. │
│ │
│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │
│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │
│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │
│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │
│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │
│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │
│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │
│ PERFORMANCE OF THIS SOFTWARE. │
╚─────────────────────────────────────────────────────────────────────────────*/
#include "libc/calls/calls.h"
#include "libc/calls/sigbits.h"
#include "libc/calls/struct/filter.h"
#include "libc/calls/struct/sigaction.h"
#include "libc/calls/struct/siginfo.h"
#include "libc/calls/struct/sigset.h"
#include "libc/calls/struct/user_regs_struct.h"
#include "libc/calls/ucontext.h"
#include "libc/dce.h"
#include "libc/errno.h"
#include "libc/intrin/kprintf.h"
#include "libc/log/check.h"
#include "libc/log/log.h"
#include "libc/runtime/runtime.h"
#include "libc/sysv/consts/pr.h"
#include "libc/sysv/consts/ptrace.h"
#include "libc/sysv/consts/sa.h"
#include "libc/sysv/consts/sig.h"
#include "tool/net/sandbox.h"
#define __WALL 0x40000000
static const struct sock_filter kSandboxFilter[] = {
_SECCOMP_MACHINE(AUDIT_ARCH_X86_64), //
_SECCOMP_LOAD_SYSCALL_NR(), //
_SECCOMP_ALLOW_SYSCALL(0x000), // read
_SECCOMP_ALLOW_SYSCALL(0x001), // write
_SECCOMP_ALLOW_SYSCALL(0x013), // readv
_SECCOMP_ALLOW_SYSCALL(0x014), // writev
_SECCOMP_ALLOW_SYSCALL(0x005), // fstat
_SECCOMP_ALLOW_SYSCALL(0x007), // poll
_SECCOMP_ALLOW_SYSCALL(0x008), // lseek
_SECCOMP_ALLOW_SYSCALL(0x009), // mmap
_SECCOMP_ALLOW_SYSCALL(0x00b), // munmap
_SECCOMP_ALLOW_SYSCALL(0x04f), // getcwd
_SECCOMP_ALLOW_SYSCALL(0x003), // close
_SECCOMP_ALLOW_SYSCALL(0x010), // ioctl todo
_SECCOMP_ALLOW_SYSCALL(0x016), // pipe
_SECCOMP_ALLOW_SYSCALL(0x125), // pipe2
_SECCOMP_ALLOW_SYSCALL(0x035), // socketpair
_SECCOMP_ALLOW_SYSCALL(0x020), // dup
_SECCOMP_ALLOW_SYSCALL(0x021), // dup2
_SECCOMP_ALLOW_SYSCALL(0x124), // dup3
_SECCOMP_ALLOW_SYSCALL(0x039), // fork
_SECCOMP_ALLOW_SYSCALL(0x03a), // vfork
_SECCOMP_ALLOW_SYSCALL(0x011), // pread
_SECCOMP_ALLOW_SYSCALL(0x012), // pwrite
_SECCOMP_ALLOW_SYSCALL(0x127), // preadv
_SECCOMP_ALLOW_SYSCALL(0x128), // pwritev
_SECCOMP_ALLOW_SYSCALL(0x0d9), // getdents
_SECCOMP_ALLOW_SYSCALL(0x027), // getpid
_SECCOMP_ALLOW_SYSCALL(0x066), // getuid
_SECCOMP_ALLOW_SYSCALL(0x068), // getgid
_SECCOMP_ALLOW_SYSCALL(0x06e), // getppid
_SECCOMP_ALLOW_SYSCALL(0x06f), // getpgrp
_SECCOMP_ALLOW_SYSCALL(0x07c), // getsid
_SECCOMP_ALLOW_SYSCALL(0x06b), // geteuid
_SECCOMP_ALLOW_SYSCALL(0x06c), // getegid
_SECCOMP_ALLOW_SYSCALL(0x061), // getrlimit
_SECCOMP_ALLOW_SYSCALL(0x028), // sendfile
_SECCOMP_ALLOW_SYSCALL(0x02d), // recvfrom
_SECCOMP_ALLOW_SYSCALL(0x033), // getsockname
_SECCOMP_ALLOW_SYSCALL(0x034), // getpeername
_SECCOMP_ALLOW_SYSCALL(0x00f), // rt_sigreturn
_SECCOMP_ALLOW_SYSCALL(0x082), // rt_sigsuspend
_SECCOMP_ALLOW_SYSCALL(0x0e4), // clock_gettime
_SECCOMP_ALLOW_SYSCALL(0x060), // gettimeofday
_SECCOMP_ALLOW_SYSCALL(0x03f), // uname
_SECCOMP_ALLOW_SYSCALL(0x03c), // exit
_SECCOMP_ALLOW_SYSCALL(0x0e7), // exit_group
_SECCOMP_TRACE_SYSCALL(0x03e, 0), // kill
_SECCOMP_TRACE_SYSCALL(0x101, 0), // openat
_SECCOMP_TRACE_SYSCALL(0x106, 0), // newfstatat
_SECCOMP_TRACE_SYSCALL(0x029, 0), // socket
_SECCOMP_TRACE_SYSCALL(0x031, 0), // bind
_SECCOMP_TRACE_SYSCALL(0x02a, 0), // connect
_SECCOMP_TRACE_SYSCALL(0x02c, 0), // sendto
_SECCOMP_TRACE_SYSCALL(0x036, 0), // setsockopt
_SECCOMP_TRACE_SYSCALL(0x048, 0), // fcntl
_SECCOMP_TRACE_SYSCALL(0x03b, 0), // execve
_SECCOMP_TRACE_SYSCALL(0x102, 0), // mkdirat
_SECCOMP_TRACE_SYSCALL(0x104, 0), // chownat
_SECCOMP_TRACE_SYSCALL(0x107, 0), // unlinkat
_SECCOMP_TRACE_SYSCALL(0x108, 0), // renameat
_SECCOMP_TRACE_SYSCALL(0x109, 0), // linkat
_SECCOMP_TRACE_SYSCALL(0x10a, 0), // symlinkat
_SECCOMP_TRACE_SYSCALL(0x10b, 0), // readlinkat
_SECCOMP_TRACE_SYSCALL(0x10c, 0), // fchmodat
_SECCOMP_TRACE_SYSCALL(0x10d, 0), // faccessat
_SECCOMP_TRACE_SYSCALL(0x0eb, 0), // utimes
_SECCOMP_TRACE_SYSCALL(0x105, 0), // futimesat
_SECCOMP_TRACE_SYSCALL(0x118, 0), // utimensat
_SECCOMP_LOG_AND_RETURN_ERRNO(1), // EPERM
};
static const struct sock_fprog kSandbox = {
.len = ARRAYLEN(kSandboxFilter),
.filter = kSandboxFilter,
};
void OnSys(int sig, siginfo_t *si, ucontext_t *ctx) {
kprintf("Got SIGSYS%n");
}
int main(int argc, char *argv[]) {
sigset_t mask, origmask;
struct user_regs_struct regs;
int child, evpid, signal, wstatus;
if (!IsLinux()) {
kprintf("error: %s is only supported on linux right now%n", argv[0]);
return 1;
}
if (argc < 2) {
kprintf("Usage: %s PROGRAM [ARGS...]%n", argv[0]);
return 1;
}
/* ShowCrashReports(); */
sigaction(SIGINT, &(struct sigaction){.sa_handler = SIG_IGN}, 0);
sigaction(SIGQUIT, &(struct sigaction){.sa_handler = SIG_IGN}, 0);
sigaction(SIGSYS,
&((struct sigaction){
.sa_sigaction = OnSys,
.sa_flags = SA_SIGINFO,
}),
0);
sigemptyset(&mask);
sigaddset(&mask, SIGCHLD);
sigprocmask(SIG_BLOCK, &mask, &origmask);
CHECK_NE(-1, (child = fork()));
if (!child) {
sigaction(SIGINT, &(struct sigaction){.sa_handler = SIG_DFL}, 0);
sigaction(SIGQUIT, &(struct sigaction){.sa_handler = SIG_DFL}, 0);
kprintf("CHILD ptrace(PTRACE_TRACEME)%n");
if (ptrace(PTRACE_TRACEME) == -1) {
kprintf("CHILD ptrace(PTRACE_TRACEME) failed %m%n");
_Exit(124);
}
kprintf("CHILD prctl(PR_SET_NO_NEW_PRIVS)%n");
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
kprintf("CHILD prctl(PR_SET_NO_NEW_PRIVS) failed %m%n");
_Exit(125);
}
kprintf("CHILD prctl(PR_SET_SECCOMP)%n");
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &kSandbox) == -1) {
kprintf("CHILD prctl(PR_SET_SECCOMP) failed %m%n");
_Exit(126);
}
kprintf("CHILD sigsuspend()%n");
if (sigsuspend(0) == -1) {
kprintf("CHILD sigsuspend() failed %m%n");
}
sigaction(SIGSYS, &(struct sigaction){.sa_handler = SIG_DFL}, 0);
sigprocmask(SIG_SETMASK, &origmask, 0);
execv(argv[1], argv + 1);
kprintf("CHILD execve(%#s) failed %m%n", argv[1]);
_Exit(127);
}
// wait for ptrace(PTRACE_TRACEME) to be called
kprintf("PARENT waitpid(child, &wstatus)%n");
CHECK_EQ(child, waitpid(child, &wstatus, 0));
// configure linux process tracing
kprintf("PARENT ptrace(PTRACE_SETOPTIONS)%n");
CHECK_NE(-1, ptrace(PTRACE_SETOPTIONS, child, 0, PTRACE_O_TRACESECCOMP));
// continue child process
kprintf("PARENT ptrace(PTRACE_CONT)%n");
CHECK_NE(-1, ptrace(PTRACE_CONT, child, 0, 0));
kprintf("PARENT kill(child, SIGSYS)%n");
kill(child, SIGSYS);
for (;;) {
kprintf("PARENT waitpid()%n");
CHECK_NE(-1, (evpid = waitpid(-1, &wstatus, __WALL)));
if (WIFSTOPPED(wstatus)) {
signal = (wstatus >> 8) & 0xffff;
if (signal == SIGTRAP | PTRACE_EVENT_SECCOMP) {
// CHECK_NE(-1, ptrace(PTRACE_GETEVENTMSG, evpid, 0, &msg));
CHECK_NE(-1, ptrace(PTRACE_GETREGS, evpid, 0, regs));
regs.rax = -EPERM;
CHECK_NE(-1, ptrace(PTRACE_GETREGS, evpid, 0, regs));
ptrace(PTRACE_CONT, evpid, 0, 0);
} else {
ptrace(PTRACE_CONT, evpid, 0, signal & 127);
}
} else if (WIFEXITED(wstatus)) {
exit(WEXITSTATUS(wstatus));
} else {
exit(128 + WTERMSIG(wstatus));
}
}
return 0;
}
Reference in a new issue View git blame Copy permalink