Merge pull request 'Port sandboxing to linux via landlock' (#226) from shtrophic/snac2:master into master

Reviewed-on: https://codeberg.org/grunfink/snac2/pulls/226
author: grunfink 2025-01-05 12:16:27 +0000
committer: grunfink 2025-01-05 12:16:27 +0000
commit: fced3aa3abae94c97d71ed60bd617c3de47a835d (patch)
tree: 204900c59f112272a759858e9b7641750f97c330
parent: Moved post language setting to msg_note(), where it really belongs. (diff)
parent: update landloc.h (diff)
download: snac2-fced3aa3abae94c97d71ed60bd617c3de47a835d.tar.gz
snac2-fced3aa3abae94c97d71ed60bd617c3de47a835d.tar.xz
snac2-fced3aa3abae94c97d71ed60bd617c3de47a835d.zip
5 files changed, 358 insertions, 39 deletions
diff --git a/Makefile b/Makefile
index 05e65f5..2977cd4 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ CFLAGS?=-g -Wall -Wextra -pedantic
 all: snac
-snac: snac.o main.o data.o http.o httpd.o webfinger.o \
+snac: snac.o main.o sandbox.o data.o http.o httpd.o webfinger.o \
    activitypub.o html.o utils.o format.o upgrade.o mastoapi.o
        $(CC) $(CFLAGS) -L$(PREFIX)/lib *.o -lcurl -lcrypto $(LDFLAGS) -pthread -o $@
@@ -36,6 +36,9 @@ uninstall:
 activitypub.o: activitypub.c xs.h xs_json.h xs_curl.h xs_mime.h \
 xs_openssl.h xs_regex.h xs_time.h xs_set.h xs_match.h snac.h \
 http_codes.h
+sandbox.o: sandbox.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h \
+ xs_glob.h xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h \
+ landloc.h snac.h
 data.o: data.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h xs_glob.h \
 xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h xs_random.h snac.h \
 http_codes.h
diff --git a/data.c b/data.c
index e5d7258..0fd3528 100644
--- a/data.c
+++ b/data.c
@@ -115,44 +115,7 @@ int srv_open(const char *basedir, int auto_upgrade)
 #define st_mtim st_mtimespec
 #endif
-#ifdef __OpenBSD__
+    sbox_enter(srv_basedir);
-    if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
-        srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
-    }
-    else {
-        int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
-        const char *address = xs_dict_get(srv_config, "address");
-        srv_debug(1, xs_fmt("Calling unveil()"));
-        unveil(basedir,                "rwc");
-        unveil("/tmp",                 "rwc");
-        unveil("/etc/resolv.conf",     "r");
-        unveil("/etc/hosts",           "r");
-        unveil("/etc/ssl/openssl.cnf", "r");
-        unveil("/etc/ssl/cert.pem",    "r");
-        unveil("/usr/share/zoneinfo",  "r");
-        if (smail)
-            unveil("/usr/sbin/sendmail",   "x");
-        if (*address == '/')
-            unveil(address, "rwc");
-        unveil(NULL,                   NULL);
-        srv_debug(1, xs_fmt("Calling pledge()"));
-        xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
-        if (smail)
-            p = xs_str_cat(p, " exec");
-        if (*address == '/')
-            p = xs_str_cat(p, " unix");
-        pledge(p, NULL);
-    }
-#endif /* __OpenBSD__ */
    /* read (and drop) emojis.json, possibly creating it */
    xs_free(emojis());
diff --git a/landloc.h b/landloc.h
new file mode 100644
index 0000000..1e717c9
--- /dev/null
+++ b/landloc.h
@@ -0,0 +1,238 @@
+/**
+ *  Zero-Clause BSD
+ *  ===============
+ *
+ *  Copyright 2024 shtrophic <christoph@liebender.dev>
+ *
+ *  Permission to use, copy, modify, and/or distribute this software for
+ *  any purpose with or without fee is hereby granted.
+ *
+ *  THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
+ *  WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ *  OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
+ *  FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
+ *  DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+ *  AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ *  OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ */
+/**
+ * Repository: https://git.sr.ht/~shtrophic/landloc.h
+ */
+/**
+ * Usage:
+ *
+ * Define a sandboxing function using the LL_BEGIN(...) and LL_END macros.
+ * the arguments of LL_BEGIN are the function's signature.
+ * Between those macros, implement your sandbox using LL_PATH() and LL_PORT() macros.
+ * Calling LL_PATH() and LL_PORT() anywhere else will not work.
+ * You may prepend `static` before LL_BEGIN to make the function static.
+ * You need (should) wrap your sandboxing code in another set of braces:
+ *
+LL_BEGIN(my_sandbox_function, const char *rw_path) {
+    LL_PATH(rw_path, LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_EXECUTE);
+    LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP);
+} LL_END
+ *
+ * Then, call it in your application's code.
+ *
+int main(void) {
+    int status = my_sandbox_function("some/path");
+    if (status != 0) {
+        // error
+    }
+}
+ *
+ * You may define LL_PRINTERR(fmt, ...) before including this header to enable debug output:
+ *
+#define LL_PRINTERR(fmt, ...) fprintf(stderr, fmt "\n", __VA_ARGS__)
+#include "landloc.h"
+ */
+#ifndef __LANDLOC_H__
+#define __LANDLOC_H__
+#ifndef __linux__
+#   error "no landlock without linux"
+#endif
+#include <linux/version.h>
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 13, 0)
+#   error "no landlock on kernels older than 5.13.0"
+#endif
+#include <unistd.h>
+#include <linux/landlock.h>
+#include <sys/syscall.h>
+#include <sys/prctl.h>
+#include <fcntl.h>
+#ifndef O_PATH
+#   define O_PATH               010000000
+#endif
+#ifndef LL_PRINTERR
+#   define LL_PRINTERR(fmt, ...) (void)fmt;
+#else
+#   include <string.h>
+#   include <errno.h>
+#endif
+#ifdef LANDLOCK_ACCESS_FS_REFER
+#   define LANDLOCK_ACCESS_FS_REFER_COMPAT LANDLOCK_ACCESS_FS_REFER
+#   define __LL_SWITCH_FS_REFER __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER_COMPAT
+#else
+#   define LANDLOCK_ACCESS_FS_REFER_COMPAT 0
+#   define __LL_SWITCH_FS_REFER (void)0
+#endif
+#ifdef LANDLOCK_ACCESS_FS_TRUNCATE
+#   define LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT LANDLOCK_ACCESS_FS_TRUNCATE
+#   define __LL_SWITCH_FS_TRUNCATE __rattr.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT
+#else
+#   define LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT 0
+#   define __LL_SWITCH_FS_TRUNCATE (void)0
+#endif
+#ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV
+#   define LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT LANDLOCK_ACCESS_FS_IOCTL_DEV
+#   define __LL_SWITCH_FS_IOCTL_DEV __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT
+#else
+#   define LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT 0
+#   define __LL_SWITCH_FS_IOCTL_DEV (void)0
+#endif
+#define LL_FS_ALL                           (\
+    LANDLOCK_ACCESS_FS_EXECUTE              |\
+    LANDLOCK_ACCESS_FS_WRITE_FILE           |\
+    LANDLOCK_ACCESS_FS_READ_FILE            |\
+    LANDLOCK_ACCESS_FS_READ_DIR             |\
+    LANDLOCK_ACCESS_FS_REMOVE_DIR           |\
+    LANDLOCK_ACCESS_FS_REMOVE_FILE          |\
+    LANDLOCK_ACCESS_FS_MAKE_CHAR            |\
+    LANDLOCK_ACCESS_FS_MAKE_DIR             |\
+    LANDLOCK_ACCESS_FS_MAKE_REG             |\
+    LANDLOCK_ACCESS_FS_MAKE_SOCK            |\
+    LANDLOCK_ACCESS_FS_MAKE_FIFO            |\
+    LANDLOCK_ACCESS_FS_MAKE_BLOCK           |\
+    LANDLOCK_ACCESS_FS_MAKE_SYM             |\
+    LANDLOCK_ACCESS_FS_REFER_COMPAT         |\
+    LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT      |\
+    LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT     )
+#if defined(LANDLOCK_ACCESS_NET_BIND_TCP) && defined(LANDLOCK_ACCESS_NET_CONNECT_TCP)
+#   define LL_HAVE_NET 1
+#   define LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT LANDLOCK_ACCESS_NET_BIND_TCP
+#   define LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT LANDLOCK_ACCESS_NET_CONNECT_TCP
+#   define LL_NET_ALL (LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT | LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT)
+#   define __LL_DECLARE_NET struct landlock_net_port_attr __nattr = {0}
+#   define __LL_INIT_NET __rattr.handled_access_net = LL_NET_ALL
+#   define __LL_SWITCH_NET do { __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); } while (0)
+#else
+#   define LL_HAVE_NET 0
+#   define LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT 0
+#   define LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT 0
+#   define LL_NET_ALL 0
+#   define __LL_DECLARE_NET (void)0
+#   define __LL_INIT_NET (void)0
+#   define __LL_SWITCH_NET (void)0
+#endif
+#define LL_BEGIN(function, ...) int function(__VA_ARGS__) {\
+    int ll_rule_fd, ll_abi;\
+    struct landlock_ruleset_attr      __rattr = {0};\
+    struct landlock_path_beneath_attr __pattr = {0};\
+    __LL_DECLARE_NET;\
+    int __err = 0;\
+    __rattr.handled_access_fs  = LL_FS_ALL;\
+    __LL_INIT_NET;\
+    ll_abi = (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);\
+    switch (ll_abi) {\
+    case -1: return -1;\
+    case  1: __LL_SWITCH_FS_REFER; __attribute__((fallthrough));\
+    case  2: __LL_SWITCH_FS_TRUNCATE; __attribute__((fallthrough));\
+    case  3: __LL_SWITCH_NET; __attribute__((fallthrough));\
+    case  4: __LL_SWITCH_FS_IOCTL_DEV;\
+    default: break;\
+    }\
+    ll_rule_fd = (int)syscall(SYS_landlock_create_ruleset, &__rattr, sizeof(struct landlock_ruleset_attr), 0);\
+    if (-1 == ll_rule_fd) {\
+        LL_PRINTERR("landlock_create_ruleset: %s", strerror(errno));\
+        return -1;\
+    }
+#define LL_END \
+    __err = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);\
+    if (-1 == __err) {\
+        LL_PRINTERR("set_no_new_privs: %s", strerror(errno));\
+        goto __close;\
+    }\
+    __err = (int)syscall(SYS_landlock_restrict_self, ll_rule_fd, 0);\
+    if (__err)\
+        LL_PRINTERR("landlock_restrict_self: %s", strerror(errno));\
+    __close: close(ll_rule_fd);\
+    return __err; }
+#define LL_PATH(p, rules) do {\
+    const char *__path = (p);\
+    __pattr.allowed_access = (rules) & __rattr.handled_access_fs;\
+    if (__pattr.allowed_access != 0) {\
+        __pattr.parent_fd = open(__path, O_PATH | O_CLOEXEC);\
+        if (-1 == __pattr.parent_fd) {\
+            LL_PRINTERR("open(%s): %s", __path, strerror(errno));\
+            __err = -1;\
+            goto __close;\
+        }\
+        __err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_PATH_BENEATH, &__pattr, 0);\
+        if (__err) {\
+            LL_PRINTERR("landlock_add_rule(%s): %s", __path, strerror(errno));\
+            goto __close;\
+        }\
+        close(__pattr.parent_fd);\
+    }\
+} while (0)
+#if LL_HAVE_NET
+#define LL_PORT(p, rules) do {\
+    unsigned short __port = (p);\
+    __nattr.allowed_access = (rules);\
+    if (ll_abi > 3 && __nattr.allowed_access != 0) {\
+        __nattr.port = __port;\
+        __err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_NET_PORT, &__nattr, 0);\
+        if (__err) {\
+            LL_PRINTERR("landlock_add_rule(%u): %s", __port, strerror(errno));\
+            goto __close;\
+        }\
+    }\
+} while (0)
+#else
+#define LL_PORT(p, rules) do {\
+    unsigned short __port = (p);\
+    __u64 __rules = (rules);\
+    (void)__port;\
+    (void)__rules;\
+} while (0)
+#endif /* LL_HAVE_NET */
+#endif /* __LANDLOC_H__ */
diff --git a/sandbox.c b/sandbox.c
new file mode 100644
index 0000000..f417e86
--- /dev/null
+++ b/sandbox.c
@@ -0,0 +1,113 @@
+#include "xs.h"
+#include "snac.h"
+#include <unistd.h>
+#if defined (__linux__)
+#define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__))
+#include "landloc.h"
+static
+LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) {
+    const unsigned long long
+        rd = LANDLOCK_ACCESS_FS_READ_DIR,
+        rf = LANDLOCK_ACCESS_FS_READ_FILE,
+        w  = LANDLOCK_ACCESS_FS_WRITE_FILE      |
+             LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT,
+        c  = LANDLOCK_ACCESS_FS_MAKE_DIR        |
+             LANDLOCK_ACCESS_FS_MAKE_REG        |
+             LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT |
+             LANDLOCK_ACCESS_FS_MAKE_SYM        |
+             LANDLOCK_ACCESS_FS_REMOVE_DIR      |
+             LANDLOCK_ACCESS_FS_REMOVE_FILE     |
+             LANDLOCK_ACCESS_FS_REFER_COMPAT,
+        s  = LANDLOCK_ACCESS_FS_MAKE_SOCK,
+        x  = LANDLOCK_ACCESS_FS_EXECUTE;
+    LL_PATH(basedir,                rf|rd|w|c);
+    LL_PATH("/tmp",                 rf|rd|w|c);
+#ifndef WITHOUT_SHM
+    LL_PATH("/dev/shm",             rf|w|c   );
+#endif
+    LL_PATH("/etc/resolv.conf",     rf       );
+    LL_PATH("/etc/hosts",           rf       );
+    LL_PATH("/etc/ssl/openssl.cnf", rf       );
+    LL_PATH("/etc/ssl/cert.pem",    rf       );
+    LL_PATH("/usr/share/zoneinfo",  rf       );
+    if (*address == '/')
+        LL_PATH(address, s);
+    if (smail)
+        LL_PATH("/usr/sbin/sendmail", x);
+    if (*address != '/') {
+        unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port"));
+        LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT);
+    }
+    LL_PORT(80,  LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
+    LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
+} LL_END
+#endif
+void sbox_enter(const char *basedir)
+{
+    if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
+        srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
+        return;
+    }
+    if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
+        srv_debug(0, xs_dup("Sandbox disabled by admin"));
+        return;
+    }
+    const char *address = xs_dict_get(srv_config, "address");
+    int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
+#if defined (__OpenBSD__)
+    srv_debug(1, xs_fmt("Calling unveil()"));
+    unveil(basedir,                "rwc");
+    unveil("/tmp",                 "rwc");
+    unveil("/etc/resolv.conf",     "r");
+    unveil("/etc/hosts",           "r");
+    unveil("/etc/ssl/openssl.cnf", "r");
+    unveil("/etc/ssl/cert.pem",    "r");
+    unveil("/usr/share/zoneinfo",  "r");
+    if (smail)
+        unveil("/usr/sbin/sendmail",   "x");
+    if (*address == '/')
+        unveil(address, "rwc");
+    unveil(NULL,                   NULL);
+    srv_debug(1, xs_fmt("Calling pledge()"));
+    xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
+    if (smail)
+        p = xs_str_cat(p, " exec");
+    if (*address == '/')
+        p = xs_str_cat(p, " unix");
+    pledge(p, NULL);
+    xs_free(p);
+#elif defined (__linux__)
+    
+    if (sbox_enter_linux_(basedir, address, smail) == 0)
+        srv_log(xs_dup("landlocked"));
+    else
+        srv_log(xs_dup("landlocking failed"));
+#endif
+}
diff --git a/snac.h b/snac.h
index c9ba28b..ec3ee5c 100644
--- a/snac.h
+++ b/snac.h
@@ -75,6 +75,8 @@ void snac_log(snac *user, xs_str *str);
 int srv_open(const char *basedir, int auto_upgrade);
 void srv_free(void);
+void sbox_enter(const char *basedir);
 int user_open(snac *snac, const char *uid);
 void user_free(snac *snac);
 xs_list *user_list(void);
author	grunfink	2025-01-05 12:16:27 +0000
committer	grunfink	2025-01-05 12:16:27 +0000
commit	fced3aa3abae94c97d71ed60bd617c3de47a835d (patch)
tree	204900c59f112272a759858e9b7641750f97c330
parent	Moved post language setting to msg_note(), where it really belongs. (diff)
parent	update landloc.h (diff)
download	snac2-fced3aa3abae94c97d71ed60bd617c3de47a835d.tar.gz snac2-fced3aa3abae94c97d71ed60bd617c3de47a835d.tar.xz snac2-fced3aa3abae94c97d71ed60bd617c3de47a835d.zip

diff --git a/Makefile b/Makefile index 05e65f5..2977cd4 100644 --- a/Makefile +++ b/Makefile
@@ -4,7 +4,7 @@ CFLAGS?=-g -Wall -Wextra -pedantic
4		4
5	all: snac	5	all: snac
6		6
7	snac: snac.o main.o data.o http.o httpd.o webfinger.o \	7	snac: snac.o main.o sandbox.o data.o http.o httpd.o webfinger.o \
8	activitypub.o html.o utils.o format.o upgrade.o mastoapi.o	8	activitypub.o html.o utils.o format.o upgrade.o mastoapi.o
9	$(CC) $(CFLAGS) -L$(PREFIX)/lib *.o -lcurl -lcrypto $(LDFLAGS) -pthread -o $@	9	$(CC) $(CFLAGS) -L$(PREFIX)/lib *.o -lcurl -lcrypto $(LDFLAGS) -pthread -o $@
10		10
@@ -36,6 +36,9 @@ uninstall:
36	activitypub.o: activitypub.c xs.h xs_json.h xs_curl.h xs_mime.h \	36	activitypub.o: activitypub.c xs.h xs_json.h xs_curl.h xs_mime.h \
37	xs_openssl.h xs_regex.h xs_time.h xs_set.h xs_match.h snac.h \	37	xs_openssl.h xs_regex.h xs_time.h xs_set.h xs_match.h snac.h \
38	http_codes.h	38	http_codes.h
		39	sandbox.o: sandbox.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h \
		40	xs_glob.h xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h \
		41	landloc.h snac.h
39	data.o: data.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h xs_glob.h \	42	data.o: data.c xs.h xs_hex.h xs_io.h xs_json.h xs_openssl.h xs_glob.h \
40	xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h xs_random.h snac.h \	43	xs_set.h xs_time.h xs_regex.h xs_match.h xs_unicode.h xs_random.h snac.h \
41	http_codes.h	44	http_codes.h


diff --git a/data.c b/data.c index e5d7258..0fd3528 100644 --- a/data.c +++ b/data.c
@@ -115,44 +115,7 @@ int srv_open(const char *basedir, int auto_upgrade)
115	#define st_mtim st_mtimespec	115	#define st_mtim st_mtimespec
116	#endif	116	#endif
117		117
118	#ifdef __OpenBSD__	118	sbox_enter(srv_basedir);
119	if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
120	srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
121	}
122	else {
123	int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
124	const char *address = xs_dict_get(srv_config, "address");
125
126	srv_debug(1, xs_fmt("Calling unveil()"));
127	unveil(basedir, "rwc");
128	unveil("/tmp", "rwc");
129	unveil("/etc/resolv.conf", "r");
130	unveil("/etc/hosts", "r");
131	unveil("/etc/ssl/openssl.cnf", "r");
132	unveil("/etc/ssl/cert.pem", "r");
133	unveil("/usr/share/zoneinfo", "r");
134
135	if (smail)
136	unveil("/usr/sbin/sendmail", "x");
137
138	if (*address == '/')
139	unveil(address, "rwc");
140
141	unveil(NULL, NULL);
142
143	srv_debug(1, xs_fmt("Calling pledge()"));
144
145	xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
146
147	if (smail)
148	p = xs_str_cat(p, " exec");
149
150	if (*address == '/')
151	p = xs_str_cat(p, " unix");
152
153	pledge(p, NULL);
154	}
155	#endif /* __OpenBSD__ */
156		119
157	/* read (and drop) emojis.json, possibly creating it */	120	/* read (and drop) emojis.json, possibly creating it */
158	xs_free(emojis());	121	xs_free(emojis());


diff --git a/landloc.h b/landloc.h new file mode 100644 index 0000000..1e717c9 --- /dev/null +++ b/landloc.h
@@ -0,0 +1,238 @@
		1	/**
		2	* Zero-Clause BSD
		3	* ===============
		4	*
		5	* Copyright 2024 shtrophic <christoph@liebender.dev>
		6	*
		7	* Permission to use, copy, modify, and/or distribute this software for
		8	* any purpose with or without fee is hereby granted.
		9	*
		10	* THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
		11	* WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
		12	* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
		13	* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
		14	* DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
		15	* AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
		16	* OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		17	*
		18	*/
		19
		20	/**
		21	* Repository: https://git.sr.ht/~shtrophic/landloc.h
		22	*/
		23
		24	/**
		25	* Usage:
		26	*
		27	* Define a sandboxing function using the LL_BEGIN(...) and LL_END macros.
		28	* the arguments of LL_BEGIN are the function's signature.
		29	* Between those macros, implement your sandbox using LL_PATH() and LL_PORT() macros.
		30	* Calling LL_PATH() and LL_PORT() anywhere else will not work.
		31	* You may prepend `static` before LL_BEGIN to make the function static.
		32	* You need (should) wrap your sandboxing code in another set of braces:
		33	*
		34	LL_BEGIN(my_sandbox_function, const char *rw_path) {
		35
		36	LL_PATH(rw_path, LANDLOCK_ACCESS_FS_READ_FILE \| LANDLOCK_ACCESS_FS_READ_DIR \| LANDLOCK_ACCESS_FS_EXECUTE);
		37	LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP);
		38
		39	} LL_END
		40
		41	*
		42	* Then, call it in your application's code.
		43	*
		44
		45	int main(void) {
		46
		47	int status = my_sandbox_function("some/path");
		48
		49	if (status != 0) {
		50	// error
		51	}
		52
		53	}
		54
		55	*
		56	* You may define LL_PRINTERR(fmt, ...) before including this header to enable debug output:
		57	*
		58
		59	#define LL_PRINTERR(fmt, ...) fprintf(stderr, fmt "\n", __VA_ARGS__)
		60	#include "landloc.h"
		61
		62	*/
		63
		64	#ifndef __LANDLOC_H__
		65	#define __LANDLOC_H__
		66
		67	#ifndef __linux__
		68	# error "no landlock without linux"
		69	#endif
		70
		71	#include <linux/version.h>
		72
		73	#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 13, 0)
		74	# error "no landlock on kernels older than 5.13.0"
		75	#endif
		76
		77	#include <unistd.h>
		78	#include <linux/landlock.h>
		79	#include <sys/syscall.h>
		80	#include <sys/prctl.h>
		81	#include <fcntl.h>
		82
		83	#ifndef O_PATH
		84	# define O_PATH 010000000
		85	#endif
		86
		87	#ifndef LL_PRINTERR
		88	# define LL_PRINTERR(fmt, ...) (void)fmt;
		89	#else
		90	# include <string.h>
		91	# include <errno.h>
		92	#endif
		93
		94	#ifdef LANDLOCK_ACCESS_FS_REFER
		95	# define LANDLOCK_ACCESS_FS_REFER_COMPAT LANDLOCK_ACCESS_FS_REFER
		96	# define __LL_SWITCH_FS_REFER __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER_COMPAT
		97	#else
		98	# define LANDLOCK_ACCESS_FS_REFER_COMPAT 0
		99	# define __LL_SWITCH_FS_REFER (void)0
		100	#endif
		101
		102	#ifdef LANDLOCK_ACCESS_FS_TRUNCATE
		103	# define LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT LANDLOCK_ACCESS_FS_TRUNCATE
		104	# define __LL_SWITCH_FS_TRUNCATE __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT
		105	#else
		106	# define LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT 0
		107	# define __LL_SWITCH_FS_TRUNCATE (void)0
		108	#endif
		109
		110	#ifdef LANDLOCK_ACCESS_FS_IOCTL_DEV
		111	# define LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT LANDLOCK_ACCESS_FS_IOCTL_DEV
		112	# define __LL_SWITCH_FS_IOCTL_DEV __rattr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT
		113	#else
		114	# define LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT 0
		115	# define __LL_SWITCH_FS_IOCTL_DEV (void)0
		116	#endif
		117
		118	#define LL_FS_ALL (\
		119	LANDLOCK_ACCESS_FS_EXECUTE \|\
		120	LANDLOCK_ACCESS_FS_WRITE_FILE \|\
		121	LANDLOCK_ACCESS_FS_READ_FILE \|\
		122	LANDLOCK_ACCESS_FS_READ_DIR \|\
		123	LANDLOCK_ACCESS_FS_REMOVE_DIR \|\
		124	LANDLOCK_ACCESS_FS_REMOVE_FILE \|\
		125	LANDLOCK_ACCESS_FS_MAKE_CHAR \|\
		126	LANDLOCK_ACCESS_FS_MAKE_DIR \|\
		127	LANDLOCK_ACCESS_FS_MAKE_REG \|\
		128	LANDLOCK_ACCESS_FS_MAKE_SOCK \|\
		129	LANDLOCK_ACCESS_FS_MAKE_FIFO \|\
		130	LANDLOCK_ACCESS_FS_MAKE_BLOCK \|\
		131	LANDLOCK_ACCESS_FS_MAKE_SYM \|\
		132	LANDLOCK_ACCESS_FS_REFER_COMPAT \|\
		133	LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT \|\
		134	LANDLOCK_ACCESS_FS_IOCTL_DEV_COMPAT )
		135
		136	#if defined(LANDLOCK_ACCESS_NET_BIND_TCP) && defined(LANDLOCK_ACCESS_NET_CONNECT_TCP)
		137	# define LL_HAVE_NET 1
		138
		139	# define LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT LANDLOCK_ACCESS_NET_BIND_TCP
		140	# define LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT LANDLOCK_ACCESS_NET_CONNECT_TCP
		141
		142	# define LL_NET_ALL (LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT \| LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT)
		143	# define __LL_DECLARE_NET struct landlock_net_port_attr __nattr = {0}
		144	# define __LL_INIT_NET __rattr.handled_access_net = LL_NET_ALL
		145	# define __LL_SWITCH_NET do { __rattr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP); } while (0)
		146	#else
		147	# define LL_HAVE_NET 0
		148
		149	# define LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT 0
		150	# define LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT 0
		151
		152	# define LL_NET_ALL 0
		153	# define __LL_DECLARE_NET (void)0
		154	# define __LL_INIT_NET (void)0
		155	# define __LL_SWITCH_NET (void)0
		156	#endif
		157
		158	#define LL_BEGIN(function, ...) int function(__VA_ARGS__) {\
		159	int ll_rule_fd, ll_abi;\
		160	struct landlock_ruleset_attr __rattr = {0};\
		161	struct landlock_path_beneath_attr __pattr = {0};\
		162	__LL_DECLARE_NET;\
		163	int __err = 0;\
		164	__rattr.handled_access_fs = LL_FS_ALL;\
		165	__LL_INIT_NET;\
		166	ll_abi = (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);\
		167	switch (ll_abi) {\
		168	case -1: return -1;\
		169	case 1: __LL_SWITCH_FS_REFER; __attribute__((fallthrough));\
		170	case 2: __LL_SWITCH_FS_TRUNCATE; __attribute__((fallthrough));\
		171	case 3: __LL_SWITCH_NET; __attribute__((fallthrough));\
		172	case 4: __LL_SWITCH_FS_IOCTL_DEV;\
		173	default: break;\
		174	}\
		175	ll_rule_fd = (int)syscall(SYS_landlock_create_ruleset, &__rattr, sizeof(struct landlock_ruleset_attr), 0);\
		176	if (-1 == ll_rule_fd) {\
		177	LL_PRINTERR("landlock_create_ruleset: %s", strerror(errno));\
		178	return -1;\
		179	}
		180
		181	#define LL_END \
		182	__err = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);\
		183	if (-1 == __err) {\
		184	LL_PRINTERR("set_no_new_privs: %s", strerror(errno));\
		185	goto __close;\
		186	}\
		187	__err = (int)syscall(SYS_landlock_restrict_self, ll_rule_fd, 0);\
		188	if (__err)\
		189	LL_PRINTERR("landlock_restrict_self: %s", strerror(errno));\
		190	__close: close(ll_rule_fd);\
		191	return __err; }
		192
		193	#define LL_PATH(p, rules) do {\
		194	const char *__path = (p);\
		195	__pattr.allowed_access = (rules) & __rattr.handled_access_fs;\
		196	if (__pattr.allowed_access != 0) {\
		197	__pattr.parent_fd = open(__path, O_PATH \| O_CLOEXEC);\
		198	if (-1 == __pattr.parent_fd) {\
		199	LL_PRINTERR("open(%s): %s", __path, strerror(errno));\
		200	__err = -1;\
		201	goto __close;\
		202	}\
		203	__err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_PATH_BENEATH, &__pattr, 0);\
		204	if (__err) {\
		205	LL_PRINTERR("landlock_add_rule(%s): %s", __path, strerror(errno));\
		206	goto __close;\
		207	}\
		208	close(__pattr.parent_fd);\
		209	}\
		210	} while (0)
		211
		212	#if LL_HAVE_NET
		213
		214	#define LL_PORT(p, rules) do {\
		215	unsigned short __port = (p);\
		216	__nattr.allowed_access = (rules);\
		217	if (ll_abi > 3 && __nattr.allowed_access != 0) {\
		218	__nattr.port = __port;\
		219	__err = (int)syscall(SYS_landlock_add_rule, ll_rule_fd, LANDLOCK_RULE_NET_PORT, &__nattr, 0);\
		220	if (__err) {\
		221	LL_PRINTERR("landlock_add_rule(%u): %s", __port, strerror(errno));\
		222	goto __close;\
		223	}\
		224	}\
		225	} while (0)
		226
		227	#else
		228
		229	#define LL_PORT(p, rules) do {\
		230	unsigned short __port = (p);\
		231	__u64 __rules = (rules);\
		232	(void)__port;\
		233	(void)__rules;\
		234	} while (0)
		235
		236	#endif /* LL_HAVE_NET */
		237
		238	#endif /* __LANDLOC_H__ */


diff --git a/sandbox.c b/sandbox.c new file mode 100644 index 0000000..f417e86 --- /dev/null +++ b/sandbox.c
@@ -0,0 +1,113 @@
		1	#include "xs.h"
		2
		3	#include "snac.h"
		4
		5	#include <unistd.h>
		6
		7	#if defined (__linux__)
		8
		9	#define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__))
		10	#include "landloc.h"
		11
		12	static
		13	LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) {
		14
		15	const unsigned long long
		16	rd = LANDLOCK_ACCESS_FS_READ_DIR,
		17	rf = LANDLOCK_ACCESS_FS_READ_FILE,
		18	w = LANDLOCK_ACCESS_FS_WRITE_FILE \|
		19	LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT,
		20	c = LANDLOCK_ACCESS_FS_MAKE_DIR \|
		21	LANDLOCK_ACCESS_FS_MAKE_REG \|
		22	LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT \|
		23	LANDLOCK_ACCESS_FS_MAKE_SYM \|
		24	LANDLOCK_ACCESS_FS_REMOVE_DIR \|
		25	LANDLOCK_ACCESS_FS_REMOVE_FILE \|
		26	LANDLOCK_ACCESS_FS_REFER_COMPAT,
		27	s = LANDLOCK_ACCESS_FS_MAKE_SOCK,
		28	x = LANDLOCK_ACCESS_FS_EXECUTE;
		29
		30	LL_PATH(basedir, rf\|rd\|w\|c);
		31	LL_PATH("/tmp", rf\|rd\|w\|c);
		32	#ifndef WITHOUT_SHM
		33	LL_PATH("/dev/shm", rf\|w\|c );
		34	#endif
		35	LL_PATH("/etc/resolv.conf", rf );
		36	LL_PATH("/etc/hosts", rf );
		37	LL_PATH("/etc/ssl/openssl.cnf", rf );
		38	LL_PATH("/etc/ssl/cert.pem", rf );
		39	LL_PATH("/usr/share/zoneinfo", rf );
		40
		41	if (*address == '/')
		42	LL_PATH(address, s);
		43
		44	if (smail)
		45	LL_PATH("/usr/sbin/sendmail", x);
		46
		47	if (*address != '/') {
		48	unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port"));
		49	LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT);
		50	}
		51
		52	LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
		53	LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT);
		54
		55	} LL_END
		56
		57	#endif
		58
		59	void sbox_enter(const char *basedir)
		60	{
		61	if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
		62	srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
		63	return;
		64	}
		65	if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
		66	srv_debug(0, xs_dup("Sandbox disabled by admin"));
		67	return;
		68	}
		69
		70	const char *address = xs_dict_get(srv_config, "address");
		71
		72	int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
		73
		74	#if defined (__OpenBSD__)
		75	srv_debug(1, xs_fmt("Calling unveil()"));
		76	unveil(basedir, "rwc");
		77	unveil("/tmp", "rwc");
		78	unveil("/etc/resolv.conf", "r");
		79	unveil("/etc/hosts", "r");
		80	unveil("/etc/ssl/openssl.cnf", "r");
		81	unveil("/etc/ssl/cert.pem", "r");
		82	unveil("/usr/share/zoneinfo", "r");
		83
		84	if (smail)
		85	unveil("/usr/sbin/sendmail", "x");
		86
		87	if (*address == '/')
		88	unveil(address, "rwc");
		89
		90	unveil(NULL, NULL);
		91
		92	srv_debug(1, xs_fmt("Calling pledge()"));
		93
		94	xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
		95
		96	if (smail)
		97	p = xs_str_cat(p, " exec");
		98
		99	if (*address == '/')
		100	p = xs_str_cat(p, " unix");
		101
		102	pledge(p, NULL);
		103
		104	xs_free(p);
		105	#elif defined (__linux__)
		106
		107	if (sbox_enter_linux_(basedir, address, smail) == 0)
		108	srv_log(xs_dup("landlocked"));
		109	else
		110	srv_log(xs_dup("landlocking failed"));
		111
		112	#endif
		113	}


diff --git a/snac.h b/snac.h index c9ba28b..ec3ee5c 100644 --- a/snac.h +++ b/snac.h
@@ -75,6 +75,8 @@ void snac_log(snac user, xs_str str);
75	int srv_open(const char *basedir, int auto_upgrade);	75	int srv_open(const char *basedir, int auto_upgrade);
76	void srv_free(void);	76	void srv_free(void);
77		77
		78	void sbox_enter(const char *basedir);
		79
78	int user_open(snac snac, const char uid);	80	int user_open(snac snac, const char uid);
79	void user_free(snac *snac);	81	void user_free(snac *snac);
80	xs_list *user_list(void);	82	xs_list *user_list(void);