1 files changed, 191 insertions, 0 deletions
diff --git a/sandbox.c b/sandbox.c
new file mode 100644
index 0000000..7f26d0a
--- /dev/null
+++ b/sandbox.c
@@ -0,0 +1,191 @@
+#include "xs.h"
+#include "snac.h"
+#include <unistd.h>
+#if defined (__linux__)
+#   define __USE_GNU
+#   include <linux/landlock.h>
+#   include <sys/syscall.h>
+#   include <sys/prctl.h>
+#   include <stdint.h>
+#   include <fcntl.h>
+#endif
+void sbox_enter(const char *basedir)
+{
+    if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
+        srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
+        return;
+    }
+    if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
+        srv_debug(0, xs_dup("Sandbox disabled by admin"));
+        return;
+    }
+    const char *address = xs_dict_get(srv_config, "address");
+    int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
+#if defined (__OpenBSD__)
+    srv_debug(1, xs_fmt("Calling unveil()"));
+    unveil(basedir,                "rwc");
+    unveil("/tmp",                 "rwc");
+    unveil("/etc/resolv.conf",     "r");
+    unveil("/etc/hosts",           "r");
+    unveil("/etc/ssl/openssl.cnf", "r");
+    unveil("/etc/ssl/cert.pem",    "r");
+    unveil("/usr/share/zoneinfo",  "r");
+    if (smail)
+        unveil("/usr/sbin/sendmail",   "x");
+    if (*address == '/')
+        unveil(address, "rwc");
+    unveil(NULL,                   NULL);
+    srv_debug(1, xs_fmt("Calling pledge()"));
+    xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
+    if (smail)
+        p = xs_str_cat(p, " exec");
+    if (*address == '/')
+        p = xs_str_cat(p, " unix");
+    pledge(p, NULL);
+    xs_free(p);
+#elif defined (__linux__)
+    int error, ruleset_fd, abi;
+    struct landlock_ruleset_attr      rules = {0};
+    struct landlock_path_beneath_attr path  = {0};
+    struct landlock_net_port_attr     net   = {0};
+    rules.handled_access_fs =
+        LANDLOCK_ACCESS_FS_EXECUTE     |
+        LANDLOCK_ACCESS_FS_WRITE_FILE  |
+        LANDLOCK_ACCESS_FS_READ_FILE   |
+        LANDLOCK_ACCESS_FS_REMOVE_DIR  |
+        LANDLOCK_ACCESS_FS_REMOVE_FILE |
+        LANDLOCK_ACCESS_FS_MAKE_CHAR   |
+        LANDLOCK_ACCESS_FS_MAKE_DIR    |
+        LANDLOCK_ACCESS_FS_MAKE_REG    |
+        LANDLOCK_ACCESS_FS_MAKE_SOCK   |
+        LANDLOCK_ACCESS_FS_MAKE_FIFO   |
+        LANDLOCK_ACCESS_FS_MAKE_BLOCK  |
+        LANDLOCK_ACCESS_FS_MAKE_SYM    |
+        LANDLOCK_ACCESS_FS_REFER       |
+        LANDLOCK_ACCESS_FS_TRUNCATE    |
+        LANDLOCK_ACCESS_FS_IOCTL_DEV;
+    rules.handled_access_net =
+        LANDLOCK_ACCESS_NET_BIND_TCP |
+        LANDLOCK_ACCESS_NET_CONNECT_TCP;
+    abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+    switch (abi) {
+    case -1:
+        srv_debug(0, xs_dup("Kernel without landlock support"));
+        return;
+    case 1:
+        rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_REFER;
+        __attribute__((fallthrough));
+    case 2:
+        rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
+        __attribute__((fallthrough));
+    case 3:
+        rules.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP);
+        __attribute__((fallthrough));
+    case 4:
+        rules.handled_access_fs  &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
+    }
+    srv_debug(1, xs_fmt("lanlock abi: %d", abi));
+    ruleset_fd = syscall(SYS_landlock_create_ruleset, &rules, sizeof(struct landlock_ruleset_attr), 0);
+    if (ruleset_fd == -1) {
+        srv_debug(0, xs_fmt("landlock_create_ruleset failed: %s", strerror(errno)));
+        return;
+    }
+#define LL_R LANDLOCK_ACCESS_FS_READ_FILE
+#define LL_X LANDLOCK_ACCESS_FS_EXECUTE
+#define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REFER)
+#define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR)
+#define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK)
+#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP
+#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP
+#define LANDLOCK_PATH(p, r) do {\
+    path.allowed_access = r;\
+    if (abi < 2)\
+        path.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;\
+    if (abi < 3)\
+        path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\
+    path.parent_fd = open(p, O_PATH | O_CLOEXEC);\
+    if (path.parent_fd == -1) {\
+        srv_debug(2, xs_fmt("open %s: %s", p, strerror(errno)));\
+        goto close;\
+    }\
+    error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path, 0); \
+    if (error) {\
+        srv_debug(0, xs_fmt("LANDLOCK_PATH(%s): %s", p, strerror(errno)));\
+        goto close;\
+    }\
+} while (0)
+#define LANDLOCK_PORT(p, r) do {\
+    uint16_t _p = p;\
+    net.port = _p;\
+    net.allowed_access = r;\
+    error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_NET_PORT, &net, 0);\
+    if (error) {\
+        srv_debug(0, xs_fmt("LANDLOCK_PORT(%d): %s", _p, strerror(errno)));\
+        goto close;\
+    }\
+} while (0)
+    LANDLOCK_PATH(basedir,                LL_RWCD);
+    LANDLOCK_PATH("/tmp",                 LL_RWCD);
+#ifndef WITHOUT_SHM
+    LANDLOCK_PATH("/dev/shm",             LL_RWCF);
+#endif
+    LANDLOCK_PATH("/etc/resolv.conf",     LL_R  );
+    LANDLOCK_PATH("/etc/hosts",           LL_R  );
+    LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R  );
+    LANDLOCK_PATH("/etc/ssl/cert.pem",    LL_R  );
+    LANDLOCK_PATH("/usr/share/zoneinfo",  LL_R  );
+    if (*address == '/')
+        LANDLOCK_PATH(address, LL_UNIX);
+    if (smail)
+        LANDLOCK_PATH("/usr/sbin/sendmail", LL_X);
+    if (abi > 3) {
+        if (*address != '/') {
+            LANDLOCK_PORT(
+                (uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND);
+        }
+        LANDLOCK_PORT(80,  LL_CONN);
+        LANDLOCK_PORT(443, LL_CONN);
+    }
+    
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        srv_debug(0, xs_fmt("prctl SET_NO_NEW_PRIVS: %s", strerror(errno)));
+        goto close;
+    }
+    if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0))
+        srv_debug(0, xs_fmt("landlock_restrict_self: %s", strerror(errno)));
+    srv_log(xs_dup("landlocked"));
+close:
+    close(ruleset_fd);
+#endif
+}

diff --git a/sandbox.c b/sandbox.c new file mode 100644 index 0000000..7f26d0a --- /dev/null +++ b/sandbox.c
@@ -0,0 +1,191 @@
	1	#include "xs.h"
	2
	3	#include "snac.h"
	4
	5	#include <unistd.h>
	6
	7	#if defined (__linux__)
	8	# define __USE_GNU
	9	# include <linux/landlock.h>
	10	# include <sys/syscall.h>
	11	# include <sys/prctl.h>
	12	# include <stdint.h>
	13	# include <fcntl.h>
	14	#endif
	15
	16	void sbox_enter(const char *basedir)
	17	{
	18	if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
	19	srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead."));
	20	return;
	21	}
	22	if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) {
	23	srv_debug(0, xs_dup("Sandbox disabled by admin"));
	24	return;
	25	}
	26
	27	const char *address = xs_dict_get(srv_config, "address");
	28
	29	int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
	30
	31	#if defined (__OpenBSD__)
	32	srv_debug(1, xs_fmt("Calling unveil()"));
	33	unveil(basedir, "rwc");
	34	unveil("/tmp", "rwc");
	35	unveil("/etc/resolv.conf", "r");
	36	unveil("/etc/hosts", "r");
	37	unveil("/etc/ssl/openssl.cnf", "r");
	38	unveil("/etc/ssl/cert.pem", "r");
	39	unveil("/usr/share/zoneinfo", "r");
	40
	41	if (smail)
	42	unveil("/usr/sbin/sendmail", "x");
	43
	44	if (*address == '/')
	45	unveil(address, "rwc");
	46
	47	unveil(NULL, NULL);
	48
	49	srv_debug(1, xs_fmt("Calling pledge()"));
	50
	51	xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
	52
	53	if (smail)
	54	p = xs_str_cat(p, " exec");
	55
	56	if (*address == '/')
	57	p = xs_str_cat(p, " unix");
	58
	59	pledge(p, NULL);
	60
	61	xs_free(p);
	62	#elif defined (__linux__)
	63	int error, ruleset_fd, abi;
	64	struct landlock_ruleset_attr rules = {0};
	65	struct landlock_path_beneath_attr path = {0};
	66	struct landlock_net_port_attr net = {0};
	67
	68	rules.handled_access_fs =
	69	LANDLOCK_ACCESS_FS_EXECUTE \|
	70	LANDLOCK_ACCESS_FS_WRITE_FILE \|
	71	LANDLOCK_ACCESS_FS_READ_FILE \|
	72	LANDLOCK_ACCESS_FS_REMOVE_DIR \|
	73	LANDLOCK_ACCESS_FS_REMOVE_FILE \|
	74	LANDLOCK_ACCESS_FS_MAKE_CHAR \|
	75	LANDLOCK_ACCESS_FS_MAKE_DIR \|
	76	LANDLOCK_ACCESS_FS_MAKE_REG \|
	77	LANDLOCK_ACCESS_FS_MAKE_SOCK \|
	78	LANDLOCK_ACCESS_FS_MAKE_FIFO \|
	79	LANDLOCK_ACCESS_FS_MAKE_BLOCK \|
	80	LANDLOCK_ACCESS_FS_MAKE_SYM \|
	81	LANDLOCK_ACCESS_FS_REFER \|
	82	LANDLOCK_ACCESS_FS_TRUNCATE \|
	83	LANDLOCK_ACCESS_FS_IOCTL_DEV;
	84	rules.handled_access_net =
	85	LANDLOCK_ACCESS_NET_BIND_TCP \|
	86	LANDLOCK_ACCESS_NET_CONNECT_TCP;
	87
	88	abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
	89	switch (abi) {
	90	case -1:
	91	srv_debug(0, xs_dup("Kernel without landlock support"));
	92	return;
	93	case 1:
	94	rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
	95	__attribute__((fallthrough));
	96	case 2:
	97	rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
	98	__attribute__((fallthrough));
	99	case 3:
	100	rules.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP \| LANDLOCK_ACCESS_NET_CONNECT_TCP);
	101	__attribute__((fallthrough));
	102	case 4:
	103	rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
	104	}
	105	srv_debug(1, xs_fmt("lanlock abi: %d", abi));
	106
	107	ruleset_fd = syscall(SYS_landlock_create_ruleset, &rules, sizeof(struct landlock_ruleset_attr), 0);
	108	if (ruleset_fd == -1) {
	109	srv_debug(0, xs_fmt("landlock_create_ruleset failed: %s", strerror(errno)));
	110	return;
	111	}
	112
	113	#define LL_R LANDLOCK_ACCESS_FS_READ_FILE
	114	#define LL_X LANDLOCK_ACCESS_FS_EXECUTE
	115	#define LL_RWCF (LL_R \| LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_MAKE_REG \| LANDLOCK_ACCESS_FS_TRUNCATE \| LANDLOCK_ACCESS_FS_REMOVE_FILE \| LANDLOCK_ACCESS_FS_REFER)
	116	#define LL_RWCD (LL_RWCF \| LANDLOCK_ACCESS_FS_MAKE_DIR \| LANDLOCK_ACCESS_FS_REMOVE_DIR)
	117	#define LL_UNIX (LL_R \| LANDLOCK_ACCESS_FS_WRITE_FILE \| LANDLOCK_ACCESS_FS_MAKE_SOCK)
	118	#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP
	119	#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP
	120
	121	#define LANDLOCK_PATH(p, r) do {\
	122	path.allowed_access = r;\
	123	if (abi < 2)\
	124	path.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;\
	125	if (abi < 3)\
	126	path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\
	127	path.parent_fd = open(p, O_PATH \| O_CLOEXEC);\
	128	if (path.parent_fd == -1) {\
	129	srv_debug(2, xs_fmt("open %s: %s", p, strerror(errno)));\
	130	goto close;\
	131	}\
	132	error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path, 0); \
	133	if (error) {\
	134	srv_debug(0, xs_fmt("LANDLOCK_PATH(%s): %s", p, strerror(errno)));\
	135	goto close;\
	136	}\
	137	} while (0)
	138
	139	#define LANDLOCK_PORT(p, r) do {\
	140	uint16_t _p = p;\
	141	net.port = _p;\
	142	net.allowed_access = r;\
	143	error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_NET_PORT, &net, 0);\
	144	if (error) {\
	145	srv_debug(0, xs_fmt("LANDLOCK_PORT(%d): %s", _p, strerror(errno)));\
	146	goto close;\
	147	}\
	148	} while (0)
	149
	150	LANDLOCK_PATH(basedir, LL_RWCD);
	151	LANDLOCK_PATH("/tmp", LL_RWCD);
	152	#ifndef WITHOUT_SHM
	153	LANDLOCK_PATH("/dev/shm", LL_RWCF);
	154	#endif
	155	LANDLOCK_PATH("/etc/resolv.conf", LL_R );
	156	LANDLOCK_PATH("/etc/hosts", LL_R );
	157	LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R );
	158	LANDLOCK_PATH("/etc/ssl/cert.pem", LL_R );
	159	LANDLOCK_PATH("/usr/share/zoneinfo", LL_R );
	160
	161	if (*address == '/')
	162	LANDLOCK_PATH(address, LL_UNIX);
	163
	164	if (smail)
	165	LANDLOCK_PATH("/usr/sbin/sendmail", LL_X);
	166
	167	if (abi > 3) {
	168	if (*address != '/') {
	169	LANDLOCK_PORT(
	170	(uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND);
	171	}
	172
	173	LANDLOCK_PORT(80, LL_CONN);
	174	LANDLOCK_PORT(443, LL_CONN);
	175	}
	176
	177	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
	178	srv_debug(0, xs_fmt("prctl SET_NO_NEW_PRIVS: %s", strerror(errno)));
	179	goto close;
	180	}
	181
	182	if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0))
	183	srv_debug(0, xs_fmt("landlock_restrict_self: %s", strerror(errno)));
	184
	185	srv_log(xs_dup("landlocked"));
	186
	187	close:
	188	close(ruleset_fd);
	189
	190	#endif
	191	}