Openwrt-EcoNet/TP-Link_Archer-XR500v
Archived
1
0
Fork 0
Code
This repository has been archived on 2024-07-22. You can view files and clone it, but cannot push or open issues or pull requests.
main
TP-Link_Archer-XR500v/BBA1.5_platform/apps/public/vsftpd-2.3.2/ptracesandbox.c
Matheus Sampaio Queiroga aaca98136a
Add gpl
2024-07-22 01:58:46 -03:00

1542 lines
32 KiB
C
Raw Permalink Blame History

/*
* Part of Very Secure FTPd
* Licence: GPL v2
* Author: Chris Evans
* ptracesandbox.c
*
* Generic routines to setup and run a process under a restrictive ptrace()
* based sandbox.
* Note that the style in this file is to not go via the helper functions in
* sysutil.c, but instead hit the system APIs directly. This is because I may
* very well release just this file to the public domain, and do not want
* dependencies on other parts of vsftpd.
*/
#include "ptracesandbox.h"
#if defined(__linux__) && defined(__i386__)
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
/* For AF_MAX (NPROTO is defined to this) */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <asm/unistd.h>
#ifndef __NR_sendfile64
#define __NR_sendfile64 239
#endif
#ifndef __NR_exit_group
#define __NR_exit_group 252
#endif
#ifndef __NR_utimes
#define __NR_utimes 271
#endif
/* For the socketcall() multiplex args. */
#include <linux/net.h>
#ifndef PTRACE_SETOPTIONS
#define PTRACE_SETOPTIONS 0x4200
#endif
#ifndef PTRACE_O_TRACESYSGOOD
#define PTRACE_O_TRACESYSGOOD 1
#endif
#ifndef PTRACE_O_TRACEFORK
#define PTRACE_O_TRACEFORK 2
#endif
#ifndef PTRACE_O_TRACEVFORK
#define PTRACE_O_TRACEVFORK 4
#endif
#ifndef PTRACE_O_TRACECLONE
#define PTRACE_O_TRACECLONE 8
#endif
#ifndef O_DIRECT
#define O_DIRECT 040000
#endif
static void sanitize_child();
static int get_action(struct pt_sandbox* p_sandbox);
static int validate_mmap2(struct pt_sandbox* p_sandbox, void* p_arg);
static int validate_open_default(struct pt_sandbox* p_sandbox, void* p_arg);
static int validate_open_readonly(struct pt_sandbox* p_sandbox, void* p_arg);
static int validate_fcntl(struct pt_sandbox* p_sandbox, void* p_arg);
static int validate_socketcall(struct pt_sandbox* p_sandbox, void* p_arg);
static void install_socketcall(struct pt_sandbox* p_sandbox);
#define MAX_SYSCALL 300
struct pt_sandbox
{
int read_event_fd;
int write_event_fd;
pid_t pid;
int is_allowed[MAX_SYSCALL];
ptrace_sandbox_validator_t validator[MAX_SYSCALL];
void* validator_arg[MAX_SYSCALL];
int is_exit;
struct user_regs_struct regs;
int is_socketcall_allowed[NPROTO];
ptrace_sandbox_validator_t socketcall_validator[NPROTO];
void* socketcall_validator_arg[NPROTO];
};
static int s_sigchld_fd = -1;
void
handle_sigchld(int sig)
{
int ret;
if (sig != SIGCHLD)
{
_exit(1);
}
if (s_sigchld_fd != -1)
{
do
{
static const char zero = '\0';
ret = write(s_sigchld_fd, &zero, sizeof(zero));
} while (ret == -1 && errno == EINTR);
if (ret != 1)
{
_exit(2);
}
}
}
struct pt_sandbox*
ptrace_sandbox_alloc()
{
int i;
struct sigaction sigact;
struct pt_sandbox* ret = malloc(sizeof(struct pt_sandbox));
if (ret == NULL)
{
return NULL;
}
ret->pid = -1;
ret->read_event_fd = -1;
ret->write_event_fd = -1;
ret->is_exit = 0;
memset(&ret->regs, '\0', sizeof(ret->regs));
for (i = 0; i < MAX_SYSCALL; ++i)
{
ret->is_allowed[i] = 0;
ret->validator[i] = 0;
ret->validator_arg[i] = 0;
}
for (i = 0; i < NPROTO; ++i)
{
ret->is_socketcall_allowed[i] = 0;
ret->socketcall_validator[i] = 0;
ret->socketcall_validator_arg[i] = 0;
}
memset((void*) &sigact, '\0', sizeof(sigact));
sigact.sa_handler = handle_sigchld;
if (sigaction(SIGCHLD, &sigact, NULL) != 0)
{
goto err_out;
}
return ret;
err_out:
ptrace_sandbox_free(ret);
return NULL;
}
void
ptrace_sandbox_free(struct pt_sandbox* p_sandbox)
{
if (p_sandbox->pid != -1)
{
warnx("bug: pid active in ptrace_sandbox_free");
/* We'll kill it for you so it doesn't escape the sandbox totally, but
* we won't reap the zombie.
* Killing it like this is a risk: if it's stopped in syscall entry,
* that syscall will execute before the pending kill takes effect.
* If that pending syscall were to be a fork(), there could be trouble.
*/
(void) kill(p_sandbox->pid, SIGKILL);
}
if (p_sandbox->read_event_fd != -1)
{
s_sigchld_fd = -1;
close(p_sandbox->read_event_fd);
close(p_sandbox->write_event_fd);
}
free(p_sandbox);
}
void
ptrace_sandbox_attach_point()
{
long pt_ret;
int ret;
pid_t pid = getpid();
if (pid <= 1)
{
warnx("weird pid");
_exit(1);
}
/* You don't have to use PTRACE_TRACEME, but if you don't, a rogue SIGCONT
* might wake you up from the STOP below before the tracer has attached.
*/
pt_ret = ptrace(PTRACE_TRACEME, 0, 0, 0);
if (pt_ret != 0)
{
warn("PTRACE_TRACEME failed");
_exit(2);
}
ret = kill(pid, SIGSTOP);
if (ret != 0)
{
warn("kill SIGSTOP failed");
_exit(3);
}
}
int
ptrace_sandbox_launch_process(struct pt_sandbox* p_sandbox,
void (*p_func)(void*),
void* p_arg)
{
long pt_ret;
pid_t ret;
int status;
if (p_sandbox->pid != -1)
{
warnx("bug: process already active");
return -1;
}
ret = fork();
if (ret < 0)
{
return -1;
}
else if (ret == 0)
{
/* Child context. */
sanitize_child();
(*p_func)(p_arg);
_exit(0);
}
/* Parent context */
p_sandbox->pid = ret;
do
{
ret = waitpid(p_sandbox->pid, &status, 0);
} while (ret == -1 && errno == EINTR);
if (ret == -1)
{
warn("waitpid failed");
goto kill_out;
}
else if (ret != p_sandbox->pid)
{
warnx("unknown pid %d", ret);
goto kill_out;
}
if (!WIFSTOPPED(status))
{
warnx("not stopped status %d\n", status);
goto kill_out;
}
if (WSTOPSIG(status) != SIGSTOP)
{
warnx("not SIGSTOP status %d\n", status);
goto kill_out;
}
/* The fork, etc. tracing options are worth a bit of explanation. We don't
* permit process launching syscalls at all as they are dangerous. But
* there's a small race if the untrusted process attempts a denied fork()
* and then takes a rouge SIGKILL before the supervisor gets a chance to
* clear the orig_eax register. In this case the syscall will still execute.
* (Policies may not include signal sending capabilities, thus mitigating this
* direct attack, however a rogue SIGKILL may come from a non-malicious
* source). Therefore, we'd rather any fork()ed process starts off traced,
* just in case this tiny race condition triggers.
*/
pt_ret = ptrace(PTRACE_SETOPTIONS,
p_sandbox->pid,
0,
PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK |
PTRACE_O_TRACEVFORK | PTRACE_O_TRACECLONE);
if (pt_ret != 0)
{
warn("PTRACE_SETOPTIONS failure");
goto kill_out;
}
return p_sandbox->pid;
kill_out:
(void) kill(p_sandbox->pid, SIGKILL);
p_sandbox->pid = -1;
return -1;
}
int
ptrace_sandbox_continue_process(struct pt_sandbox* p_sandbox, int sig)
{
long pt_ret = ptrace(PTRACE_SYSCALL, p_sandbox->pid, 0, sig);
if (pt_ret != 0)
{
warn("PTRACE_SYSCALL failure");
if (errno == ESRCH)
{
return PTRACE_SANDBOX_ERR_DEAD;
}
return PTRACE_SANDBOX_ERR_PTRACE;
}
return 0;
}
int
ptrace_sandbox_get_event_fd(struct pt_sandbox* p_sandbox)
{
/* TODO: allocate pipe fds */
(void) p_sandbox;
return -1;
}
int
ptrace_sandbox_get_event(struct pt_sandbox* p_sandbox, int* status, int block)
{
pid_t pid;
int options = 0;
if (!block)
{
options = WNOHANG;
}
do
{
pid = waitpid(p_sandbox->pid, status, options);
} while (pid == -1 && errno == EINTR);
if (pid == -1)
{
warn("waitpid failure");
if (errno == ECHILD)
{
return PTRACE_SANDBOX_ERR_DEAD;
}
return PTRACE_SANDBOX_ERR_WAITPID;
}
return pid;
}
int
ptrace_sandbox_handle_event(struct pt_sandbox* p_sandbox, int status)
{
int sig;
int action;
if (WIFEXITED(status) || WIFSIGNALED(status))
{
p_sandbox->pid = -1;
return 1;
}
if (!WIFSTOPPED(status))
{
warnx("weird status: %d\n", status);
return PTRACE_SANDBOX_ERR_WAIT_STATUS;
}
sig = WSTOPSIG(status);
if (sig >= 0 && sig < 0x80)
{
/* It's a normal signal; deliver it right on. SIGSTOP / SIGCONT handling
* are buggy in the kernel and I'm not sure it's safe to pass either on,
* so the signal becomes a little more... robust :)
*/
if (sig == SIGSTOP || sig == SIGCONT)
{
sig = SIGKILL;
}
return ptrace_sandbox_continue_process(p_sandbox, sig);
}
if (!(sig & 0x80))
{
warnx("weird status: %d\n", status);
return PTRACE_SANDBOX_ERR_WAIT_STATUS;
}
/* Syscall trap. */
if (p_sandbox->is_exit)
{
p_sandbox->is_exit = 0;
}
else
{
p_sandbox->is_exit = 1;
action = get_action(p_sandbox);
if (action != 0)
{
return action;
}
}
return ptrace_sandbox_continue_process(p_sandbox, 0);
}
int
ptrace_sandbox_run_processes(struct pt_sandbox* p_sandbox)
{
if (ptrace_sandbox_continue_process(p_sandbox, 0) != 0)
{
goto kill_out;
}
while (1)
{
int status;
int ret = ptrace_sandbox_get_event(p_sandbox, &status, 1);
if (ret <= 0)
{
goto kill_out;
}
ret = ptrace_sandbox_handle_event(p_sandbox, status);
if (ret < 0)
{
warnx("couldn't handle sandbox event");
goto kill_out;
}
if (ret == 1)
{
return 0;
}
}
kill_out:
ptrace_sandbox_kill_processes(p_sandbox);
return -1;
}
void
ptrace_sandbox_kill_processes(struct pt_sandbox* p_sandbox)
{
long pt_ret;
struct user_regs_struct regs;
pid_t pid = p_sandbox->pid;
if (pid == -1)
{
return;
}
p_sandbox->pid = -1;
pt_ret = ptrace(PTRACE_GETREGS, pid, 0, &regs);
if (pt_ret != 0)
{
warn("PTRACE_GETREGS failure");
/* This API is supposed to be called with the process stopped; but if it
* is still running, we can at least help a bit. See security related
* comment in ptrace_sandbox_free(), though.
*/
(void) kill(pid, SIGKILL);
return;
}
/* Kind of nasty, but the only way of stopping a started syscall from
* executing is to rewrite the registers to execute a different syscall.
*/
regs.orig_eax = __NR_exit_group;
regs.eip = 0xffffffff;
pt_ret = ptrace(PTRACE_SETREGS, pid, 0, &regs);
if (pt_ret != 0)
{
warn("PTRACE_SETREGS failure");
/* Deliberate fall-thru. */
}
pt_ret = ptrace(PTRACE_KILL, pid, 0, 0);
if (pt_ret != 0)
{
warn("PTRACE_KILL failure");
/* Deliberate fall-thru. */
}
/* Just to make ourselves clear. */
(void) kill(pid, SIGKILL);
/* So the GETREGS succeeded, so the process definitely _was_ there. We can
* safely wait for it to reap the zombie.
*/
(void) waitpid(pid, NULL, 0);
}
int
ptrace_sandbox_get_arg(struct pt_sandbox* p_sandbox,
int arg,
unsigned long* p_out)
{
long ret = 0;
struct user_regs_struct* p_regs = &p_sandbox->regs;
if (p_regs->orig_eax == 0)
{
return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
}
if (arg < 0 || arg > 5)
{
return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
}
switch (arg)
{
case 0:
ret = p_regs->ebx;
break;
case 1:
ret = p_regs->ecx;
break;
case 2:
ret = p_regs->edx;
break;
case 3:
ret = p_regs->esi;
break;
case 4:
ret = p_regs->edi;
break;
case 5:
ret = p_regs->ebp;
break;
}
*p_out = ret;
return 0;
}
int
ptrace_sandbox_get_socketcall_arg(struct pt_sandbox* p_sandbox,
int arg,
unsigned long* p_out)
{
unsigned long ptr;
int ret;
struct user_regs_struct* p_regs = &p_sandbox->regs;
if (p_regs->orig_eax == 0)
{
return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
}
if (arg < 0 || arg > 2)
{
return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
}
ret = ptrace_sandbox_get_arg(p_sandbox, 1, &ptr);
if (ret != 0)
{
return ret;
}
ptr += (arg * 4);
ret = ptrace_sandbox_get_long(p_sandbox, ptr, p_out);
return ret;
}
int
ptrace_sandbox_get_long(struct pt_sandbox* p_sandbox,
unsigned long ptr,
unsigned long* p_out)
{
return ptrace_sandbox_get_buf(p_sandbox, ptr, sizeof(long), (void*) p_out);
}
int
ptrace_sandbox_get_buf(struct pt_sandbox* p_sandbox,
unsigned long ptr,
unsigned long len,
void* p_buf)
{
long pt_ret;
char* p_out = (char*) p_buf;
for (; len > 0; len -= sizeof(long))
{
errno = 0;
pt_ret = ptrace(PTRACE_PEEKDATA, p_sandbox->pid, (void*) ptr, 0);
if (pt_ret == -1 && errno != 0)
{
warn("PTRACE_GETREGS failure");
if (errno == ESRCH)
{
return PTRACE_SANDBOX_ERR_DEAD;
}
return PTRACE_SANDBOX_ERR_PTRACE;
}
if (len >= sizeof(long))
{
memcpy(p_out, &pt_ret, sizeof(long));
}
else
{
memcpy(p_out, &pt_ret, len);
}
p_out += sizeof(long);
ptr += sizeof(long);
}
return 0;
}
static void
sanitize_child()
{
/* Ensure that if our sandbox supervisor goes down, so do we. */
int ret = prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
if (ret != 0)
{
_exit(3);
}
}
static int
get_action(struct pt_sandbox* p_sandbox)
{
int ret;
int call;
int cs;
long pt_ret = ptrace(PTRACE_GETREGS, p_sandbox->pid, 0, &(p_sandbox->regs));
if (pt_ret != 0)
{
warn("PTRACE_GETREGS failure");
if (errno == ESRCH)
{
return PTRACE_SANDBOX_ERR_DEAD;
}
return PTRACE_SANDBOX_ERR_PTRACE;
}
/* We need to be sure that the child is attempting a syscall against the
* 32-bit syscall table, otherwise they can bypass the policy by abusing the
* fact that e.g. syscall 200 is getgid32() on 32-bit but tkill() on 64-bit.
* If the syscall instruct was int80 or sysenter, is it guaranteed to hit
* the 32-bit table. If it is syscall, the current CS selector determines
* the table. Therefore, we can check the current CS selector references a
* known system-only selector that is guaranteed 32-bit (not long mode).
*/
cs = p_sandbox->regs.xcs;
if (cs != 0x73 && cs != 0x23)
{
warnx("bad CS %d", cs);
ret = PTRACE_SANDBOX_ERR_BAD_SYSCALL;
goto out;
}
call = (int) p_sandbox->regs.orig_eax;
if (call < 0 || call >= MAX_SYSCALL)
{
warnx("syscall %d out of bounds", call);
ret = PTRACE_SANDBOX_ERR_BAD_SYSCALL;
goto out;
}
if (p_sandbox->is_allowed[call] != 1)
{
syslog(LOG_LOCAL0 | LOG_DEBUG, "syscall not permitted: %d", call);
warnx("syscall not permitted: %d", call);
ret = PTRACE_SANDBOX_ERR_POLICY_SYSCALL;
goto out;
}
if (p_sandbox->validator[call])
{
ptrace_sandbox_validator_t p_validate = p_sandbox->validator[call];
int validate_ret = (*p_validate)(p_sandbox, p_sandbox->validator_arg[call]);
if (validate_ret != 0)
{
syslog(LOG_LOCAL0 | LOG_DEBUG,
"syscall validate fail: %d (%d)",
call,
validate_ret);
warnx("syscall validate failed: %d (%d)", call, validate_ret);
ret = PTRACE_SANDBOX_ERR_POLICY_ARGS;
goto out;
}
}
ret = 0;
out:
memset(&p_sandbox->regs, '\0', sizeof(&p_sandbox->regs));
return ret;
}
void
ptrace_sandbox_permit_exit(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_exit] = 1;
p_sandbox->is_allowed[__NR_exit_group] = 1;
}
void
ptrace_sandbox_permit_read(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_read] = 1;
}
void
ptrace_sandbox_permit_write(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_write] = 1;
}
void
ptrace_sandbox_permit_sigaction(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_sigaction] = 1;
p_sandbox->is_allowed[__NR_rt_sigaction] = 1;
}
void
ptrace_sandbox_permit_alarm(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_alarm] = 1;
}
void
ptrace_sandbox_permit_query_time(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_gettimeofday] = 1;
p_sandbox->is_allowed[__NR_time] = 1;
}
void
ptrace_sandbox_permit_mmap(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_mmap2] = 1;
p_sandbox->validator[__NR_mmap2] = validate_mmap2;
}
static int
validate_mmap2(struct pt_sandbox* p_sandbox, void* p_arg)
{
unsigned long arg4;
int ret = ptrace_sandbox_get_arg(p_sandbox, 3, &arg4);
(void) p_arg;
if (ret != 0)
{
return ret;
}
if (arg4 & MAP_SHARED)
{
return -1;
}
return 0;
}
void
ptrace_sandbox_permit_mprotect(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_mprotect] = 1;
}
void
ptrace_sandbox_permit_file_stats(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_stat] = 1;
p_sandbox->is_allowed[__NR_stat64] = 1;
p_sandbox->is_allowed[__NR_lstat] = 1;
p_sandbox->is_allowed[__NR_lstat64] = 1;
}
void
ptrace_sandbox_permit_fd_stats(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_fstat] = 1;
p_sandbox->is_allowed[__NR_fstat64] = 1;
}
void
ptrace_sandbox_permit_getcwd(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_getcwd] = 1;
}
void
ptrace_sandbox_permit_chdir(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_chdir] = 1;
}
void
ptrace_sandbox_permit_umask(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_umask] = 1;
}
void
ptrace_sandbox_permit_open(struct pt_sandbox* p_sandbox, int writeable)
{
p_sandbox->is_allowed[__NR_open] = 1;
if (writeable == 1)
{
p_sandbox->validator[__NR_open] = validate_open_default;
}
else
{
p_sandbox->validator[__NR_open] = validate_open_readonly;
}
}
static int
validate_open_default(struct pt_sandbox* p_sandbox, void* p_arg)
{
unsigned long arg2;
int ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2);
(void) p_arg;
if (ret != 0)
{
return ret;
}
if (arg2 & (O_ASYNC | O_DIRECT | O_SYNC))
{
return -1;
}
return 0;
}
static int
validate_open_readonly(struct pt_sandbox* p_sandbox, void* p_arg)
{
unsigned long arg2;
int ret = validate_open_default(p_sandbox, p_arg);
if (ret != 0)
{
return ret;
}
ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2);
if (ret != 0)
{
return ret;
}
if ((arg2 & O_ACCMODE) != O_RDONLY)
{
return -1;
}
return 0;
}
void
ptrace_sandbox_permit_close(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_close] = 1;
}
void
ptrace_sandbox_permit_getdents(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_getdents] = 1;
p_sandbox->is_allowed[__NR_getdents64] = 1;
}
void
ptrace_sandbox_permit_fcntl(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_fcntl] = 1;
p_sandbox->validator[__NR_fcntl] = validate_fcntl;
p_sandbox->is_allowed[__NR_fcntl64] = 1;
p_sandbox->validator[__NR_fcntl64] = validate_fcntl;
}
static int
validate_fcntl(struct pt_sandbox* p_sandbox, void* p_arg)
{
unsigned long arg2;
unsigned long arg3;
int ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2);
(void) p_arg;
if (ret != 0)
{
return ret;
}
ret = ptrace_sandbox_get_arg(p_sandbox, 2, &arg3);
if (ret != 0)
{
return ret;
}
if (arg2 != F_GETFL &&
arg2 != F_SETFL &&
arg2 != F_SETOWN &&
arg2 != F_SETLK &&
arg2 != F_SETLKW &&
arg2 != F_SETLK64 &&
arg2 != F_SETLKW64 &&
arg2 != F_SETFD &&
arg2 != F_GETFD)
{
syslog(LOG_LOCAL0 | LOG_DEBUG, "fcntl not permitted: %ld", arg2);
warnx("fcntl not permitted: %ld", arg2);
return -1;
}
if (arg2 == F_SETFL && (arg3 & (O_ASYNC | O_DIRECT)))
{
return -2;
}
if (arg2 == F_SETOWN && (int) arg3 != p_sandbox->pid)
{
return -3;
}
return 0;
}
void
ptrace_sandbox_permit_sendfile(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_sendfile] = 1;
p_sandbox->is_allowed[__NR_sendfile64] = 1;
}
void
ptrace_sandbox_permit_seek(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_lseek] = 1;
p_sandbox->is_allowed[__NR__llseek] = 1;
}
void
ptrace_sandbox_permit_select(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_select] = 1;
p_sandbox->is_allowed[__NR__newselect] = 1;
}
void
ptrace_sandbox_permit_unlink(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_unlink] = 1;
}
void
ptrace_sandbox_permit_mkdir(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_mkdir] = 1;
}
void
ptrace_sandbox_permit_rmdir(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_rmdir] = 1;
}
void
ptrace_sandbox_permit_rename(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_rename] = 1;
}
void
ptrace_sandbox_permit_utime(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_utime] = 1;
p_sandbox->is_allowed[__NR_utimes] = 1;
}
void
ptrace_sandbox_permit_sigreturn(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_sigreturn] = 1;
}
void
ptrace_sandbox_permit_recv(struct pt_sandbox* p_sandbox)
{
install_socketcall(p_sandbox);
p_sandbox->is_socketcall_allowed[SYS_RECV] = 1;
}
static void
install_socketcall(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_socketcall] = 1;
p_sandbox->validator[__NR_socketcall] = validate_socketcall;
}
static int
validate_socketcall(struct pt_sandbox* p_sandbox, void* p_arg)
{
unsigned long arg1;
int ret = ptrace_sandbox_get_arg(p_sandbox, 0, &arg1);
(void) p_arg;
if (ret != 0)
{
return ret;
}
if (arg1 < 1 || arg1 >= NPROTO)
{
return -1;
}
if (p_sandbox->is_socketcall_allowed[arg1] != 1)
{
syslog(LOG_LOCAL0 | LOG_DEBUG, "socketcall not permitted: %ld", arg1);
warnx("socketcall not permitted: %ld", arg1);
return -2;
}
if (p_sandbox->socketcall_validator[arg1])
{
ptrace_sandbox_validator_t p_val = p_sandbox->socketcall_validator[arg1];
ret = (*p_val)(p_sandbox, p_sandbox->socketcall_validator_arg[arg1]);
if (ret != 0)
{
syslog(LOG_LOCAL0 | LOG_DEBUG,
"socketcall validate fail: %ld (%d)",
arg1,
ret);
warnx("socketcall validate fail: %ld (%d)", arg1, ret);
return -3;
}
}
return 0;
}
void
ptrace_sandbox_permit_readlink(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_readlink] = 1;
}
void
ptrace_sandbox_permit_brk(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_brk] = 1;
}
void
ptrace_sandbox_permit_sleep(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_nanosleep] = 1;
}
void
ptrace_sandbox_permit_fchmod(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_fchmod] = 1;
}
void
ptrace_sandbox_permit_chmod(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_chmod] = 1;
}
void
ptrace_sandbox_permit_fchown(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_fchown] = 1;
p_sandbox->is_allowed[__NR_fchown32] = 1;
}
void
ptrace_sandbox_permit_mremap(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_mremap] = 1;
}
void
ptrace_sandbox_permit_ftruncate(struct pt_sandbox* p_sandbox)
{
p_sandbox->is_allowed[__NR_ftruncate] = 1;
p_sandbox->is_allowed[__NR_ftruncate64] = 1;
}
void
ptrace_sandbox_permit_socket(struct pt_sandbox* p_sandbox)
{
install_socketcall(p_sandbox);
p_sandbox->is_socketcall_allowed[SYS_SOCKET] = 1;
}
void
ptrace_sandbox_set_socket_validator(struct pt_sandbox* p_sandbox,
ptrace_sandbox_validator_t val,
void* p_arg)
{
p_sandbox->socketcall_validator[SYS_SOCKET] = val;
p_sandbox->socketcall_validator_arg[SYS_SOCKET] = p_arg;
}
void
ptrace_sandbox_permit_bind(struct pt_sandbox* p_sandbox)
{
install_socketcall(p_sandbox);
p_sandbox->is_socketcall_allowed[SYS_BIND] = 1;
}
void
ptrace_sandbox_set_bind_validator(struct pt_sandbox* p_sandbox,
ptrace_sandbox_validator_t val,
void* p_arg)
{
p_sandbox->socketcall_validator[SYS_BIND] = val;
p_sandbox->socketcall_validator_arg[SYS_BIND] = p_arg;
}
void
ptrace_sandbox_permit_connect(struct pt_sandbox* p_sandbox)
{
install_socketcall(p_sandbox);
p_sandbox->is_socketcall_allowed[SYS_CONNECT] = 1;
}
void
ptrace_sandbox_set_connect_validator(struct pt_sandbox* p_sandbox,
ptrace_sandbox_validator_t val,
void* p_arg)
{
p_sandbox->socketcall_validator[SYS_CONNECT] = val;
p_sandbox->socketcall_validator_arg[SYS_CONNECT] = p_arg;
}
void
ptrace_sandbox_permit_listen(struct pt_sandbox* p_sandbox)
{
install_socketcall(p_sandbox);
p_sandbox->is_socketcall_allowed[SYS_LISTEN] = 1;
}
void
ptrace_sandbox_permit_accept(struct pt_sandbox* p_sandbox)
{
install_socketcall(p_sandbox);
p_sandbox->is_socketcall_allowed[SYS_ACCEPT] = 1;
}
void
ptrace_sandbox_permit_setsockopt(struct pt_sandbox* p_sandbox)
{
install_socketcall(p_sandbox);
p_sandbox->is_socketcall_allowed[SYS_SETSOCKOPT] = 1;
}
void
ptrace_sandbox_set_setsockopt_validator(struct pt_sandbox* p_sandbox,
ptrace_sandbox_validator_t val,
void* p_arg)
{
p_sandbox->socketcall_validator[SYS_SETSOCKOPT] = val;
p_sandbox->socketcall_validator_arg[SYS_SETSOCKOPT] = p_arg;
}
void
ptrace_sandbox_permit_getsockopt(struct pt_sandbox* p_sandbox)
{
install_socketcall(p_sandbox);
p_sandbox->is_socketcall_allowed[SYS_GETSOCKOPT] = 1;
}
void
ptrace_sandbox_set_getsockopt_validator(struct pt_sandbox* p_sandbox,
ptrace_sandbox_validator_t val,
void* p_arg)
{
p_sandbox->socketcall_validator[SYS_GETSOCKOPT] = val;
p_sandbox->socketcall_validator_arg[SYS_GETSOCKOPT] = p_arg;
}
void
ptrace_sandbox_permit_shutdown(struct pt_sandbox* p_sandbox)
{
install_socketcall(p_sandbox);
p_sandbox->is_socketcall_allowed[SYS_SHUTDOWN] = 1;
}
#else /* __linux__ && __i386__ */
struct pt_sandbox*
ptrace_sandbox_alloc()
{
return 0;
}
void
ptrace_sandbox_free(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
int
ptrace_sandbox_launch_process(struct pt_sandbox* p_sandbox,
void (*p_func)(void*),
void* p_arg)
{
(void) p_sandbox;
(void) p_func;
(void) p_arg;
return -1;
}
int
ptrace_sandbox_run_processes(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
return -1;
}
void
ptrace_sandbox_attach_point(void)
{
}
void
ptrace_sandbox_permit_exit(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_read(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_write(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_sigaction(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_alarm(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_query_time(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_mmap(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_mprotect(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_file_stats(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_fd_stats(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_getcwd(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_chdir(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_umask(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_open(struct pt_sandbox* p_sandbox, int writeable)
{
(void) p_sandbox;
(void) writeable;
}
void
ptrace_sandbox_permit_close(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_getdents(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_fcntl(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_sendfile(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_seek(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_select(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_unlink(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_mkdir(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_rmdir(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_rename(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_utime(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_utimes(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_sigreturn(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_recv(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_kill_processes(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
int
ptrace_sandbox_get_arg(struct pt_sandbox* p_sandbox,
int arg,
unsigned long* p_out)
{
(void) p_sandbox;
(void) arg;
(void) p_out;
return -1;
}
int
ptrace_sandbox_get_socketcall_arg(struct pt_sandbox* p_sandbox,
int arg,
unsigned long* p_out)
{
(void) p_sandbox;
(void) arg;
(void) p_out;
return -1;
}
int
ptrace_sandbox_get_long(struct pt_sandbox* p_sandbox,
unsigned long ptr,
unsigned long* p_out)
{
(void) p_sandbox;
(void) ptr;
(void) p_out;
return -1;
}
int
ptrace_sandbox_get_buf(struct pt_sandbox* p_sandbox,
unsigned long ptr,
unsigned long len,
void* p_buf)
{
(void) p_sandbox;
(void) ptr;
(void) len;
(void) p_buf;
return -1;
}
void
ptrace_sandbox_permit_readlink(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_brk(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_sleep(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_fchmod(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_chmod(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_fchown(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_mremap(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_ftruncate(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_socket(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_set_socket_validator(struct pt_sandbox* p_sandbox,
ptrace_sandbox_validator_t val,
void* p_arg)
{
(void) p_sandbox;
(void) val;
(void) p_arg;
}
void
ptrace_sandbox_permit_bind(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_set_bind_validator(struct pt_sandbox* p_sandbox,
ptrace_sandbox_validator_t val,
void* p_arg)
{
(void) p_sandbox;
(void) val;
(void) p_arg;
}
void
ptrace_sandbox_permit_connect(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_set_connect_validator(struct pt_sandbox* p_sandbox,
ptrace_sandbox_validator_t val,
void* p_arg)
{
(void) p_sandbox;
(void) val;
(void) p_arg;
}
void
ptrace_sandbox_permit_listen(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_accept(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_permit_setsockopt(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_set_setsockopt_validator(struct pt_sandbox* p_sandbox,
ptrace_sandbox_validator_t val,
void* p_arg)
{
(void) p_sandbox;
(void) val;
(void) p_arg;
}
void
ptrace_sandbox_permit_getsockopt(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
void
ptrace_sandbox_set_getsockopt_validator(struct pt_sandbox* p_sandbox,
ptrace_sandbox_validator_t val,
void* p_arg)
{
(void) p_sandbox;
(void) val;
(void) p_arg;
}
void
ptrace_sandbox_permit_shutdown(struct pt_sandbox* p_sandbox)
{
(void) p_sandbox;
}
#endif /* __linux__ && __i386__ */
View Git Blame Copy Permalink