From 75f615905629f64f40363161281d640010153d64 Mon Sep 17 00:00:00 2001 From: shtrophic Date: Tue, 12 Nov 2024 21:01:09 +0100 Subject: sandboxing port to linux via landlock --- sandbox.c | 184 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 184 insertions(+) create mode 100644 sandbox.c (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c new file mode 100644 index 0000000..f83a947 --- /dev/null +++ b/sandbox.c 
@@ -0,0 +1,184 @@ +#include "xs.h" + +#include "snac.h" + +#include + +#if defined (__linux__) +# define __USE_GNU +# include +# include +# include +# include +# include +# include +#endif + +void sbox_enter(const char *basedir) +{ + if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) { + srv_log(xs_dup("disable_openbsd_security is deprecated. Use disable_sandbox instead.")); + return; + } + if (xs_is_true(xs_dict_get(srv_config, "disable_sandbox"))) { + srv_debug(0, xs_dup("Sandbox disabled by admin")); + return; + } + + const char *address = xs_dict_get(srv_config, "address"); + +#if defined (__OpenBSD__) + int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications")); + + srv_debug(1, xs_fmt("Calling unveil()")); + unveil(basedir, "rwc"); + unveil("/tmp", "rwc"); + unveil("/etc/resolv.conf", "r"); + unveil("/etc/hosts", "r"); + unveil("/etc/ssl/openssl.cnf", "r"); + unveil("/etc/ssl/cert.pem", "r"); + unveil("/usr/share/zoneinfo", "r"); + + if (smail) + unveil("/usr/sbin/sendmail", "x"); + + if (*address == '/') + unveil(address, "rwc"); + + unveil(NULL, NULL); + + srv_debug(1, xs_fmt("Calling pledge()")); + + xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr"); + + if (smail) + p = xs_str_cat(p, " exec"); + + if (*address == '/') + p = xs_str_cat(p, " unix"); + + pledge(p, NULL); + + xs_free(p); +#elif defined (__linux__) + int error, ruleset_fd, abi; + struct landlock_ruleset_attr rules = {0}; + struct landlock_path_beneath_attr path = {0}; + struct landlock_net_port_attr net = {0}; + + rules.handled_access_fs = + LANDLOCK_ACCESS_FS_EXECUTE | + LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_REMOVE_DIR | + LANDLOCK_ACCESS_FS_REMOVE_FILE | + LANDLOCK_ACCESS_FS_MAKE_CHAR | + LANDLOCK_ACCESS_FS_MAKE_DIR | + LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_MAKE_SOCK | + LANDLOCK_ACCESS_FS_MAKE_FIFO | + LANDLOCK_ACCESS_FS_MAKE_BLOCK | + LANDLOCK_ACCESS_FS_MAKE_SYM | + 
LANDLOCK_ACCESS_FS_REFER | + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL_DEV; + rules.handled_access_net = + LANDLOCK_ACCESS_NET_BIND_TCP | + LANDLOCK_ACCESS_NET_CONNECT_TCP; + + abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + switch (abi) { + case -1: + srv_debug(0, xs_dup("Kernel without landlock support")); + return; + case 1: + rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; + __attribute__((fallthrough)); + case 2: + rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + __attribute__((fallthrough)); + case 3: + rules.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); + __attribute__((fallthrough)); + case 4: + rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; + } + srv_debug(1, xs_fmt("lanlock abi: %d", abi)); + + ruleset_fd = syscall(SYS_landlock_create_ruleset, &rules, sizeof(struct landlock_ruleset_attr), 0); + if (ruleset_fd == -1) { + srv_debug(0, xs_fmt("landlock_create_ruleset failed: %s", strerror(errno))); + return; + } + +#define LL_R LANDLOCK_ACCESS_FS_READ_FILE +#define LL_X LANDLOCK_ACCESS_FS_EXECUTE +#define LL_RWC (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE) +#define LL_UNX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK) +#define LL_CON LANDLOCK_ACCESS_NET_CONNECT_TCP +#define LL_BND LANDLOCK_ACCESS_NET_BIND_TCP + +#define LANDLOCK_PATH(p, r) do {\ + path.allowed_access = r;\ + if (abi < 3)\ + path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\ + path.parent_fd = open(p, O_PATH | O_CLOEXEC);\ + if (path.parent_fd == -1) {\ + srv_debug(2, xs_fmt("open %s: %s", p, strerror(errno)));\ + goto close;\ + }\ + error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path, 0); \ + if (error) {\ + srv_debug(0, xs_fmt("LANDLOCK_PATH(%s): %s", p, strerror(errno)));\ + goto close;\ + }\ +} while (0) + +#define LANDLOCK_PORT(p, r) do {\ + uint16_t _p 
= p;\ + net.port = _p;\ + net.allowed_access = r;\ + error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_NET_PORT, &net, 0);\ + if (error) {\ + srv_debug(0, xs_fmt("LANDLOCK_PORT(%d): %s", _p, strerror(errno)));\ + goto close;\ + }\ +} while (0) + + LANDLOCK_PATH(basedir, LL_RWC); + LANDLOCK_PATH("/tmp", LL_RWC); + LANDLOCK_PATH("/dev/shm", LL_RWC); + LANDLOCK_PATH("/etc/resolv.conf", LL_R ); + LANDLOCK_PATH("/etc/hosts", LL_R ); + LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R ); + LANDLOCK_PATH("/etc/ssl/cert.pem", LL_R ); + LANDLOCK_PATH("/usr/share/zoneinfo", LL_R ); + + if (*address == '/') + LANDLOCK_PATH(address, LL_UNX); + + if (abi > 3) { + if (*address != '/') { + LANDLOCK_PORT( + (uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BND); + } + + LANDLOCK_PORT(80, LL_CON); + LANDLOCK_PORT(443, LL_CON); + } + + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + srv_debug(0, xs_fmt("prctl SET_NO_NEW_PRIVS: %s", strerror(errno))); + goto close; + } + + if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0)) + srv_debug(0, xs_fmt("landlock_restrict_self: %s", strerror(errno))); + + srv_log(xs_dup("landlocked")); + +close: + close(ruleset_fd); + +#endif +} -- cgit v1.2.3 From 559f23c8080806e95a43a25f917762121fbbeee2 Mon Sep 17 00:00:00 2001 From: shtrophic Date: Sat, 16 Nov 2024 13:47:26 +0100 Subject: add distinction between RWC with directories and without, include FS_REFER permission --- sandbox.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c index f83a947..c8fbdaf 100644 --- a/sandbox.c +++ b/sandbox.c 
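Review bot: Every expansion of LANDLOCK_PATH leaks the descriptor returned by `open(p, O_PATH | O_CLOEXEC)`: `path.parent_fd` is never closed, and the `close:` label only closes `ruleset_fd`, so the process keeps one extra fd per listed path for its lifetime. The kernel takes its own reference to the path when the rule is added, so the fd can be released right after the `SYS_landlock_add_rule` syscall with `close(path.parent_fd);` (save and restore errno around it so the following strerror() stays accurate). Two further points in the same hunk: a path that fails to open (`/etc/ssl/cert.pem` and `/dev/shm` are distribution-dependent) jumps to `close:` before `landlock_restrict_self`, so the process carries on with no sandbox at all and the only trace is a level-2 debug line — that is fail-open, and it should at least be logged at level 0 or treated as fatal. And `rules.handled_access_fs` omits `LANDLOCK_ACCESS_FS_READ_DIR`, so directory listing stays unrestricted everywhere even though file reads are confined to the listed paths. The log string `"lanlock abi: %d"` also has a typo.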
@@ -113,13 +113,16 @@ void sbox_enter(const char *basedir) #define LL_R LANDLOCK_ACCESS_FS_READ_FILE #define LL_X LANDLOCK_ACCESS_FS_EXECUTE -#define LL_RWC (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE) -#define LL_UNX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK) -#define LL_CON LANDLOCK_ACCESS_NET_CONNECT_TCP -#define LL_BND LANDLOCK_ACCESS_NET_BIND_TCP +#define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REFER) +#define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR) +#define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK) +#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP +#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP #define LANDLOCK_PATH(p, r) do {\ path.allowed_access = r;\ + if (abi < 2)\ + path.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;\ if (abi < 3)\ path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\ path.parent_fd = open(p, O_PATH | O_CLOEXEC);\ @@ -145,9 +148,9 @@ void sbox_enter(const char *basedir) }\ } while (0) - LANDLOCK_PATH(basedir, LL_RWC); - LANDLOCK_PATH("/tmp", LL_RWC); - LANDLOCK_PATH("/dev/shm", LL_RWC); + LANDLOCK_PATH(basedir, LL_RWCD); + LANDLOCK_PATH("/tmp", LL_RWCD); + LANDLOCK_PATH("/dev/shm", LL_RWCF); LANDLOCK_PATH("/etc/resolv.conf", LL_R ); LANDLOCK_PATH("/etc/hosts", LL_R ); LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R ); 
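Review bot: `LL_RWCF` now folds REMOVE_FILE and REFER into every writable rule, but nothing in the file says why, and REFER is the one right whose meaning is not obvious from its name; a comment above the define such as `/* REFER: rename/link across directories (abi >= 2); granted together with RWC so files can be moved between basedir and /tmp — confirm that is the intent */` would carry the commit message into the code. `LL_X` is defined here but not used by any rule in this commit.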
@@ -155,16 +158,16 @@ void sbox_enter(const char *basedir) LANDLOCK_PATH("/usr/share/zoneinfo", LL_R ); if (*address == '/') - LANDLOCK_PATH(address, LL_UNX); + LANDLOCK_PATH(address, LL_UNIX); if (abi > 3) { if (*address != '/') { LANDLOCK_PORT( - (uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BND); + (uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND); } - LANDLOCK_PORT(80, LL_CON); - LANDLOCK_PORT(443, LL_CON); + LANDLOCK_PORT(80, LL_CONN); + LANDLOCK_PORT(443, LL_CONN); } if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { -- cgit v1.2.3 From 017140f5235d5c379402715f2cbbe1fdd037ba16 Mon Sep 17 00:00:00 2001 From: shtrophic Date: Sat, 16 Nov 2024 13:50:16 +0100 Subject: remove unused headers --- sandbox.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c index c8fbdaf..07a3094 100644 --- a/sandbox.c +++ b/sandbox.c @@ -7,11 +7,10 @@ #if defined (__linux__) # define __USE_GNU # include -# include # include # include +# include # include -# include #endif void sbox_enter(const char *basedir) -- cgit v1.2.3 From 972783fcb2d7855847f0ea0832da2abc71aa6b30 Mon Sep 17 00:00:00 2001 From: shtrophic Date: Tue, 19 Nov 2024 20:47:15 +0100 Subject: only rwc /dev/shm when WITHOUT_SHM is undefined --- sandbox.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c index 07a3094..c45587a 100644 --- a/sandbox.c +++ b/sandbox.c @@ -149,7 +149,9 @@ void sbox_enter(const char *basedir) LANDLOCK_PATH(basedir, LL_RWCD); LANDLOCK_PATH("/tmp", LL_RWCD); +#ifndef WITHOUT_SHM LANDLOCK_PATH("/dev/shm", LL_RWCF); +#endif LANDLOCK_PATH("/etc/resolv.conf", LL_R ); LANDLOCK_PATH("/etc/hosts", LL_R ); LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R ); -- cgit v1.2.3 From 80ff16b21c7081165d346ff94b450f432a82ee47 Mon Sep 17 00:00:00 2001 
From: shtrophic Date: Tue, 19 Nov 2024 21:45:21 +0100 Subject: make sendmail executable if configured --- sandbox.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c index c45587a..7f26d0a 100644 --- a/sandbox.c +++ b/sandbox.c @@ -26,9 +26,9 @@ void sbox_enter(const char *basedir) const char *address = xs_dict_get(srv_config, "address"); -#if defined (__OpenBSD__) int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications")); +#if defined (__OpenBSD__) srv_debug(1, xs_fmt("Calling unveil()")); unveil(basedir, "rwc"); unveil("/tmp", "rwc"); @@ -161,6 +161,9 @@ void sbox_enter(const char *basedir) if (*address == '/') LANDLOCK_PATH(address, LL_UNIX); + if (smail) + LANDLOCK_PATH("/usr/sbin/sendmail", LL_X); + if (abi > 3) { if (*address != '/') { LANDLOCK_PORT( -- cgit v1.2.3 From e52b4bf39b7236b2a89e34aaf5c54db2e2b285d8 Mon Sep 17 00:00:00 2001 From: shtrophic Date: Thu, 5 Dec 2024 17:24:04 +0100 Subject: import landloc.h --- sandbox.c | 173 ++++++++++++++++---------------------------------------------- 1 file changed, 44 insertions(+), 129 deletions(-) (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c index 7f26d0a..6dd9360 100644 --- a/sandbox.c +++ b/sandbox.c 
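Review bot: Granting only `LL_X` on `/usr/sbin/sendmail` is unlikely to make notification delivery work: the Landlock domain is inherited across execve, so a dynamically linked sendmail also needs READ_FILE on its shared libraries and configuration under paths this ruleset never lists, and if snac spawns it through a shell, `/bin/sh` needs execute as well. How sendmail is invoked is not visible here, so this should be verified by sending a notification under the sandbox rather than assumed from the OpenBSD `unveil(..., "x")` equivalent. `/usr/sbin/sendmail` is also commonly a symlink; `open(O_PATH)` follows it, so the rule attaches to the real binary — fine, but worth a one-line comment saying so. sbox_enter continues outside the hunk.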
@@ -5,12 +5,49 @@ #include #if defined (__linux__) -# define __USE_GNU -# include -# include -# include -# include -# include + +#define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__)) +#include "landloc.h" + +#define LL_R LANDLOCK_ACCESS_FS_READ_FILE +#define LL_X LANDLOCK_ACCESS_FS_EXECUTE +#define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REFER) +#define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR) +#define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK) +#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP +#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP + +static +LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) { + + LL_PATH(basedir, LL_RWCD); + LL_PATH("/tmp", LL_RWCD); +#ifndef WITHOUT_SHM + LL_PATH("/dev/shm", LL_RWCF); +#endif + LL_PATH("/etc/resolv.conf", LL_R ); + LL_PATH("/etc/hosts", LL_R ); + LL_PATH("/etc/ssl/openssl.cnf", LL_R ); + LL_PATH("/etc/ssl/cert.pem", LL_R ); + LL_PATH("/usr/share/zoneinfo", LL_R ); + + if (*address == '/') + LL_PATH(address, LL_UNIX); + + if (smail) + LL_PATH("/usr/sbin/sendmail", LL_X); + + + if (*address != '/') { + LL_PORT( + (unsigned short)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND); + } + + LL_PORT(80, LL_CONN); + LL_PORT(443, LL_CONN); + +} LL_END + #endif void sbox_enter(const char *basedir) 
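Review bot: `LL_PATH(address, LL_UNIX)` attaches MAKE_SOCK to the socket path itself, but MAKE_SOCK is a directory right: the kernel refuses directory-only rights on a non-directory with EINVAL, and socket creation is checked against the parent directory of the new name anyway, so this rule (present since the first version) cannot have been doing what it says. The rule belongs on the directory containing `address` — a copy of the string cut at its last '/' — and if landloc.h treats the failed add_rule as an error, every unix-socket deployment currently ends up without a sandbox, so this is worth checking first. Separately, `*address` is dereferenced with no NULL check; if `xs_dict_get` returns NULL for a missing "address" key this crashes before any restriction is applied. The function is wrapped in `LL_BEGIN`/`LL_END` from landloc.h, so its return type and error convention are invisible here; a one-line comment above `static` stating what it returns would help readers of sbox_enter, and `const char* basedir` should match the `const char *address` pointer style.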
@@ -60,132 +97,10 @@ void sbox_enter(const char *basedir) xs_free(p); #elif defined (__linux__) - int error, ruleset_fd, abi; - struct landlock_ruleset_attr rules = {0}; - struct landlock_path_beneath_attr path = {0}; - struct landlock_net_port_attr net = {0}; - - rules.handled_access_fs = - LANDLOCK_ACCESS_FS_EXECUTE | - LANDLOCK_ACCESS_FS_WRITE_FILE | - LANDLOCK_ACCESS_FS_READ_FILE | - LANDLOCK_ACCESS_FS_REMOVE_DIR | - LANDLOCK_ACCESS_FS_REMOVE_FILE | - LANDLOCK_ACCESS_FS_MAKE_CHAR | - LANDLOCK_ACCESS_FS_MAKE_DIR | - LANDLOCK_ACCESS_FS_MAKE_REG | - LANDLOCK_ACCESS_FS_MAKE_SOCK | - LANDLOCK_ACCESS_FS_MAKE_FIFO | - LANDLOCK_ACCESS_FS_MAKE_BLOCK | - LANDLOCK_ACCESS_FS_MAKE_SYM | - LANDLOCK_ACCESS_FS_REFER | - LANDLOCK_ACCESS_FS_TRUNCATE | - LANDLOCK_ACCESS_FS_IOCTL_DEV; - rules.handled_access_net = - LANDLOCK_ACCESS_NET_BIND_TCP | - LANDLOCK_ACCESS_NET_CONNECT_TCP; - - abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); - switch (abi) { - case -1: - srv_debug(0, xs_dup("Kernel without landlock support")); - return; - case 1: - rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; - __attribute__((fallthrough)); - case 2: - rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; - __attribute__((fallthrough)); - case 3: - rules.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); - __attribute__((fallthrough)); - case 4: - rules.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; - } - srv_debug(1, xs_fmt("lanlock abi: %d", abi)); - - ruleset_fd = syscall(SYS_landlock_create_ruleset, &rules, sizeof(struct landlock_ruleset_attr), 0); - if (ruleset_fd == -1) { - srv_debug(0, xs_fmt("landlock_create_ruleset failed: %s", strerror(errno))); - return; - } - -#define LL_R LANDLOCK_ACCESS_FS_READ_FILE -#define LL_X LANDLOCK_ACCESS_FS_EXECUTE -#define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | 
LANDLOCK_ACCESS_FS_REFER) -#define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR) -#define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK) -#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP -#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP - -#define LANDLOCK_PATH(p, r) do {\ - path.allowed_access = r;\ - if (abi < 2)\ - path.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;\ - if (abi < 3)\ - path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\ - path.parent_fd = open(p, O_PATH | O_CLOEXEC);\ - if (path.parent_fd == -1) {\ - srv_debug(2, xs_fmt("open %s: %s", p, strerror(errno)));\ - goto close;\ - }\ - error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path, 0); \ - if (error) {\ - srv_debug(0, xs_fmt("LANDLOCK_PATH(%s): %s", p, strerror(errno)));\ - goto close;\ - }\ -} while (0) - -#define LANDLOCK_PORT(p, r) do {\ - uint16_t _p = p;\ - net.port = _p;\ - net.allowed_access = r;\ - error = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_NET_PORT, &net, 0);\ - if (error) {\ - srv_debug(0, xs_fmt("LANDLOCK_PORT(%d): %s", _p, strerror(errno)));\ - goto close;\ - }\ -} while (0) - - LANDLOCK_PATH(basedir, LL_RWCD); - LANDLOCK_PATH("/tmp", LL_RWCD); -#ifndef WITHOUT_SHM - LANDLOCK_PATH("/dev/shm", LL_RWCF); -#endif - LANDLOCK_PATH("/etc/resolv.conf", LL_R ); - LANDLOCK_PATH("/etc/hosts", LL_R ); - LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R ); - LANDLOCK_PATH("/etc/ssl/cert.pem", LL_R ); - LANDLOCK_PATH("/usr/share/zoneinfo", LL_R ); - - if (*address == '/') - LANDLOCK_PATH(address, LL_UNIX); - - if (smail) - LANDLOCK_PATH("/usr/sbin/sendmail", LL_X); - - if (abi > 3) { - if (*address != '/') { - LANDLOCK_PORT( - (uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND); - } - - LANDLOCK_PORT(80, LL_CONN); - LANDLOCK_PORT(443, LL_CONN); - } - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - srv_debug(0, xs_fmt("prctl SET_NO_NEW_PRIVS: %s", strerror(errno))); - goto 
close; - } - - if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0)) - srv_debug(0, xs_fmt("landlock_restrict_self: %s", strerror(errno))); + sbox_enter_linux_(basedir, address, smail); srv_log(xs_dup("landlocked")); -close: - close(ruleset_fd); - #endif } -- cgit v1.2.3 From 7d07d3bffd2994055165d10a57e93327fc86d961 Mon Sep 17 00:00:00 2001 From: shtrophic Date: Sun, 8 Dec 2024 08:48:44 +0100 Subject: cleanup rules --- sandbox.c | 52 +++++++++++++++++++++++++++++----------------------- 1 file changed, 29 insertions(+), 23 deletions(-) (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c index 6dd9360..abced68 100644 --- a/sandbox.c +++ b/sandbox.c 
@@ -9,42 +9,48 @@ #define LL_PRINTERR(fmt, ...) srv_debug(0, xs_fmt(fmt, __VA_ARGS__)) #include "landloc.h" -#define LL_R LANDLOCK_ACCESS_FS_READ_FILE -#define LL_X LANDLOCK_ACCESS_FS_EXECUTE -#define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REFER) -#define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR) -#define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK) -#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP -#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP - static LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) { - LL_PATH(basedir, LL_RWCD); - LL_PATH("/tmp", LL_RWCD); + const unsigned long long + r = LANDLOCK_ACCESS_FS_READ_DIR | + LANDLOCK_ACCESS_FS_READ_FILE, + w = LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_TRUNCATE, + c = LANDLOCK_ACCESS_FS_MAKE_DIR | + LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_MAKE_SYM | + LANDLOCK_ACCESS_FS_REMOVE_DIR | + LANDLOCK_ACCESS_FS_REMOVE_FILE | + LANDLOCK_ACCESS_FS_REFER, + s = LANDLOCK_ACCESS_FS_MAKE_SOCK, + x = LANDLOCK_ACCESS_FS_EXECUTE; + + LL_PATH(basedir, r|w|c); + LL_PATH("/tmp", r|w|c); #ifndef WITHOUT_SHM - LL_PATH("/dev/shm", LL_RWCF); + LL_PATH("/dev/shm", r|w|c); #endif - LL_PATH("/etc/resolv.conf", LL_R ); - LL_PATH("/etc/hosts", LL_R ); - LL_PATH("/etc/ssl/openssl.cnf", LL_R ); - LL_PATH("/etc/ssl/cert.pem", LL_R ); - LL_PATH("/usr/share/zoneinfo", LL_R ); + LL_PATH("/etc/resolv.conf", r ); + LL_PATH("/etc/hosts", r ); + LL_PATH("/etc/ssl/openssl.cnf", r ); + LL_PATH("/etc/ssl/cert.pem", r ); + LL_PATH("/usr/share/zoneinfo", r ); if (*address == '/') - LL_PATH(address, LL_UNIX); + LL_PATH(address, s); if (smail) - LL_PATH("/usr/sbin/sendmail", LL_X); - + LL_PATH("/usr/sbin/sendmail", x); if (*address != '/') { - LL_PORT( - (unsigned 
short)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND); + unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port")); + LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP); } - LL_PORT(80, LL_CONN); - LL_PORT(443, LL_CONN); + LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP); + LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP); } LL_END -- cgit v1.2.3 From fb8145297c45c8fdfbdc3872c8345e51569a4a01 Mon Sep 17 00:00:00 2001 From: shtrophic Date: Sun, 8 Dec 2024 08:54:00 +0100 Subject: make log output specific to landlock status --- sandbox.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c index abced68..3a5ca48 100644 --- a/sandbox.c +++ b/sandbox.c @@ -104,9 +104,10 @@ void sbox_enter(const char *basedir) xs_free(p); #elif defined (__linux__) - sbox_enter_linux_(basedir, address, smail); - - srv_log(xs_dup("landlocked")); + if (sbox_enter_linux_(basedir, address, smail) == 0) + srv_log(xs_dup("landlocked")); + else + srv_log(xs_dup("landlocking failed")); #endif } -- cgit v1.2.3 From f625b7f729c816ea17e69dfa5bf4c09399dece6f Mon Sep 17 00:00:00 2001 From: shtrophic Date: Sun, 8 Dec 2024 09:01:57 +0100 Subject: don't try to make files directory-readable --- sandbox.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c index 3a5ca48..6eafc43 100644 --- a/sandbox.c +++ b/sandbox.c 
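Review bot: `unsigned short listen_port = xs_number_get(...)` narrows the configured port without a range check; the earlier `(uint16_t)` cast suggests xs_number_get returns a floating-point value, and converting a value outside 0..65535 from double to an unsigned integer type is undefined behaviour, while an out-of-range port would at best silently put the bind rule on a port the listener does not use. Read it into a wider type and validate before the call, e.g. `double port = xs_number_get(xs_dict_get(srv_config, "port"));` followed by `if (port < 1 || port > 65535) { LL_PRINTERR("bad port: %g", port); }` on the error path and `LL_PORT((unsigned short)port, LANDLOCK_ACCESS_NET_BIND_TCP);` otherwise — what the error path should return depends on LL_BEGIN's convention in landloc.h, which is not on this page. Also `LANDLOCK_ACCESS_FS_TRUNCATE` is listed in both `w` and `c`, and every rule in the hunk that uses `c` also passes `w`, so the second occurrence is redundant.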
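Review bot: When `sbox_enter_linux_` fails, the new else branch logs "landlocking failed" and sbox_enter returns normally, so the server keeps serving with no sandbox at all and an operator only sees one log line. Given that there is already an explicit `disable_sandbox` switch for admins who want to run unconfined, a failure here means a misconfiguration or an unsupported kernel and could reasonably be fatal; if running on is the intended policy, the message should say so, e.g. `srv_log(xs_dup("landlocking failed, continuing WITHOUT sandbox"));`, and the reason emitted by `LL_PRINTERR` via srv_debug(0, …) should be confirmed to be visible at the default log level.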
@@ -13,30 +13,30 @@ static LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) { const unsigned long long - r = LANDLOCK_ACCESS_FS_READ_DIR | - LANDLOCK_ACCESS_FS_READ_FILE, - w = LANDLOCK_ACCESS_FS_WRITE_FILE | - LANDLOCK_ACCESS_FS_TRUNCATE, - c = LANDLOCK_ACCESS_FS_MAKE_DIR | - LANDLOCK_ACCESS_FS_MAKE_REG | - LANDLOCK_ACCESS_FS_TRUNCATE | - LANDLOCK_ACCESS_FS_MAKE_SYM | - LANDLOCK_ACCESS_FS_REMOVE_DIR | - LANDLOCK_ACCESS_FS_REMOVE_FILE | - LANDLOCK_ACCESS_FS_REFER, - s = LANDLOCK_ACCESS_FS_MAKE_SOCK, - x = LANDLOCK_ACCESS_FS_EXECUTE; - - LL_PATH(basedir, r|w|c); - LL_PATH("/tmp", r|w|c); + rd = LANDLOCK_ACCESS_FS_READ_DIR, + rf = LANDLOCK_ACCESS_FS_READ_FILE, + w = LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_TRUNCATE, + c = LANDLOCK_ACCESS_FS_MAKE_DIR | + LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_MAKE_SYM | + LANDLOCK_ACCESS_FS_REMOVE_DIR | + LANDLOCK_ACCESS_FS_REMOVE_FILE | + LANDLOCK_ACCESS_FS_REFER, + s = LANDLOCK_ACCESS_FS_MAKE_SOCK, + x = LANDLOCK_ACCESS_FS_EXECUTE; + + LL_PATH(basedir, rf|rd|w|c); + LL_PATH("/tmp", rf|rd|w|c); #ifndef WITHOUT_SHM - LL_PATH("/dev/shm", r|w|c); + LL_PATH("/dev/shm", rf|w|c ); #endif - LL_PATH("/etc/resolv.conf", r ); - LL_PATH("/etc/hosts", r ); - LL_PATH("/etc/ssl/openssl.cnf", r ); - LL_PATH("/etc/ssl/cert.pem", r ); - LL_PATH("/usr/share/zoneinfo", r ); + LL_PATH("/etc/resolv.conf", rf ); + LL_PATH("/etc/hosts", rf ); + LL_PATH("/etc/ssl/openssl.cnf", rf ); + LL_PATH("/etc/ssl/cert.pem", rf ); + LL_PATH("/usr/share/zoneinfo", rf ); if (*address == '/') LL_PATH(address, s); -- cgit v1.2.3 From 629a7953f99191ac3b1d74f44ddd5b94e097adee Mon Sep 17 00:00:00 2001 From: shtrophic Date: Thu, 26 Dec 2024 15:53:51 +0100 Subject: use compat macros to compile on kernels without LANDLOCK_ACCESS_NET_* --- sandbox.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'sandbox.c') 
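Review bot: `/dev/shm` now gets `c`, which carries MAKE_DIR, REMOVE_DIR, MAKE_SYM and REFER, yet POSIX shared-memory objects are regular files there, so `rf|w` plus MAKE_REG, REMOVE_FILE and TRUNCATE is all that rule should need. Splitting `c` into a file-creation mask and a directory/link mask would keep the shm rule minimal while basedir and /tmp keep the full set. `/etc/ssl/cert.pem` is the OpenBSD location of the CA bundle; on several Linux distributions OpenSSL's default is a different file or a hashed directory, so a comment next to that rule recording the assumption (and the `rd` a directory would need) would save the next person a TLS-verification failure under the sandbox. The function continues outside the hunk.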
diff --git a/sandbox.c b/sandbox.c index 6eafc43..b7c602e 100644 --- a/sandbox.c +++ b/sandbox.c @@ -46,11 +46,11 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) if (*address != '/') { unsigned short listen_port = xs_number_get(xs_dict_get(srv_config, "port")); - LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP); + LL_PORT(listen_port, LANDLOCK_ACCESS_NET_BIND_TCP_COMPAT); } - LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP); - LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP); + LL_PORT(80, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT); + LL_PORT(443, LANDLOCK_ACCESS_NET_CONNECT_TCP_COMPAT); } LL_END -- cgit v1.2.3 From bbce5e32caeb6ff86eabf08200db701151829884 Mon Sep 17 00:00:00 2001 From: shtrophic Date: Mon, 30 Dec 2024 11:18:08 +0100 Subject: use correct macros for compatibility --- sandbox.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'sandbox.c') diff --git a/sandbox.c b/sandbox.c index b7c602e..f417e86 100644 --- a/sandbox.c +++ b/sandbox.c @@ -15,15 +15,15 @@ LL_BEGIN(sbox_enter_linux_, const char* basedir, const char *address, int smail) const unsigned long long rd = LANDLOCK_ACCESS_FS_READ_DIR, rf = LANDLOCK_ACCESS_FS_READ_FILE, - w = LANDLOCK_ACCESS_FS_WRITE_FILE | - LANDLOCK_ACCESS_FS_TRUNCATE, - c = LANDLOCK_ACCESS_FS_MAKE_DIR | - LANDLOCK_ACCESS_FS_MAKE_REG | - LANDLOCK_ACCESS_FS_TRUNCATE | - LANDLOCK_ACCESS_FS_MAKE_SYM | - LANDLOCK_ACCESS_FS_REMOVE_DIR | - LANDLOCK_ACCESS_FS_REMOVE_FILE | - LANDLOCK_ACCESS_FS_REFER, + w = LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT, + c = LANDLOCK_ACCESS_FS_MAKE_DIR | + LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT | + LANDLOCK_ACCESS_FS_MAKE_SYM | + LANDLOCK_ACCESS_FS_REMOVE_DIR | + LANDLOCK_ACCESS_FS_REMOVE_FILE | + LANDLOCK_ACCESS_FS_REFER_COMPAT, s = LANDLOCK_ACCESS_FS_MAKE_SOCK, x = LANDLOCK_ACCESS_FS_EXECUTE; -- cgit v1.2.3
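Review bot: `LANDLOCK_ACCESS_FS_TRUNCATE_COMPAT` is listed in both `w` and `c`; every rule in the file that passes `c` also passes `w` (visible in the earlier hunks on this page), so the second occurrence is redundant and can be dropped from `c`. The `_COMPAT` names are the whole point of this commit and of the NET one before it, but nothing in sandbox.c says what they do; a comment above the mask block, `/* *_COMPAT macros come from landloc.h and stand in for access bits missing from older kernel headers; see landloc.h for what they expand to there */`, would make that visible — the fallback value itself is not on this page, so confirm it before stating it. The function continues outside the hunk.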