ftpz/seccompsandbox.c

/*
 * Part of Very Secure FTPd
 * Licence: GPL v2
 * Author: Chris Evans
 * seccompsandbox.c
 *
 * Code to lock down the accessible kernel API in a Linux seccomp filter
 * sandbox. Works in Ubuntu 11.10 and newer.
 */

#include "seccompsandbox.h"

#if defined(__linux__) && defined(__x86_64__)

#include "session.h"
#include "sysutil.h"
#include "tunables.h"
#include "utility.h"

#include <errno.h>

#include <netinet/in.h>
#include <netinet/tcp.h>

#include <sys/fcntl.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/types.h>

#include <linux/filter.h>

#include <asm/unistd.h>

/* #define DEBUG_SIGSYS 1 */

#ifndef PR_SET_SECCOMP
  #define PR_SET_SECCOMP 22
#endif

#ifndef PR_SET_NO_NEW_PRIVS
  #define PR_SET_NO_NEW_PRIVS 38
#endif

#ifndef __NR_openat
  #define __NR_openat 257
#endif

#ifndef O_LARGEFILE
  #define O_LARGEFILE 00100000
#endif

#ifndef O_DIRECTORY
  #define O_DIRECTORY 00200000
#endif

#ifndef O_CLOEXEC
  #define O_CLOEXEC 002000000
#endif

#define kMaxSyscalls 100

#ifdef DEBUG_SIGSYS

#include <signal.h>
#include <string.h>

void
handle_sigsys(int sig)
{
  (void) sig;
}
#endif

static const int kOpenFlags =
    O_CREAT|O_EXCL|O_APPEND|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_LARGEFILE;

static size_t s_syscall_index;
static size_t s_1_arg_validations;
static size_t s_2_arg_validations;
static size_t s_3_arg_validations;
static int s_syscalls[kMaxSyscalls];
static int s_errnos[kMaxSyscalls];
static int s_args_1[kMaxSyscalls];
static int s_vals_1[kMaxSyscalls];
static int s_args_2[kMaxSyscalls];
static int s_vals_2[kMaxSyscalls];
static int s_args_3[kMaxSyscalls];
static int s_vals_3[kMaxSyscalls];

static void
allow_nr(int nr)
{
  if (s_syscall_index >= kMaxSyscalls)
  {
    bug("out of syscall space");
  }
  if (nr < 0)
  {
    bug("negative syscall");
  }
  s_errnos[s_syscall_index] = 0;
  s_syscalls[s_syscall_index++] = nr;
}

static void
reject_nr(int nr, int errcode)
{
  if (s_syscall_index >= kMaxSyscalls)
  {
    bug("out of syscall space");
  }
  if (nr < 0)
  {
    bug("negative syscall");
  }
  if (errcode < 0 || errcode > 255)
  {
    bug("bad errcode");
  }
  s_errnos[s_syscall_index] = errcode;
  s_syscalls[s_syscall_index++] = nr;
}

static void
allow_nr_1_arg_match(int nr, int arg, int val)
{
  if (s_syscall_index >= kMaxSyscalls)
  {
    bug("out of syscall space");
  }
  if (nr < 0)
  {
    bug("negative syscall");
  }
  if (arg < 1 || arg > 6)
  {
    bug("arg out of range");
  }
  s_args_1[s_syscall_index] = arg;
  s_vals_1[s_syscall_index] = val;
  s_errnos[s_syscall_index] = 0;
  s_syscalls[s_syscall_index++] = nr;
  s_1_arg_validations++;
}

static void
allow_nr_1_arg_mask(int nr, int arg, int val)
{
  if (s_syscall_index >= kMaxSyscalls)
  {
    bug("out of syscall space");
  }
  if (nr < 0)
  {
    bug("negative syscall");
  }
  if (arg < 1 || arg > 6)
  {
    bug("arg out of range");
  }
  s_args_1[s_syscall_index] = 100 + arg;
  s_vals_1[s_syscall_index] = val;
  s_errnos[s_syscall_index] = 0;
  s_syscalls[s_syscall_index++] = nr;
  s_1_arg_validations++;
}

static void
allow_nr_2_arg_match(int nr, int arg1, int val1, int arg2, int val2)
{
  if (s_syscall_index >= kMaxSyscalls)
  {
    bug("out of syscall space");
  }
  if (nr < 0)
  {
    bug("negative syscall");
  }
  if (arg1 < 1 || arg1 > 6)
  {
    bug("arg1 out of range");
  }
  if (arg2 < 1 || arg2 > 6)
  {
    bug("arg2 out of range");
  }
  s_args_1[s_syscall_index] = arg1;
  s_vals_1[s_syscall_index] = val1;
  s_args_2[s_syscall_index] = arg2;
  s_vals_2[s_syscall_index] = val2;
  s_errnos[s_syscall_index] = 0;
  s_syscalls[s_syscall_index++] = nr;
  s_2_arg_validations++;
}

static void
allow_nr_2_arg_mask_match(int nr, int arg1, int val1, int arg2, int val2)
{
  if (s_syscall_index >= kMaxSyscalls)
  {
    bug("out of syscall space");
  }
  if (nr < 0)
  {
    bug("negative syscall");
  }
  if (arg1 < 1 || arg1 > 6)
  {
    bug("arg1 out of range");
  }
  if (arg2 < 1 || arg2 > 6)
  {
    bug("arg2 out of range");
  }
  s_args_1[s_syscall_index] = 100 + arg1;
  s_vals_1[s_syscall_index] = val1;
  s_args_2[s_syscall_index] = arg2;
  s_vals_2[s_syscall_index] = val2;
  s_errnos[s_syscall_index] = 0;
  s_syscalls[s_syscall_index++] = nr;
  s_2_arg_validations++;
}

static void
allow_nr_3_arg_match(int nr, int arg1, int val1, int arg2, int val2, int arg3,
                     int val3)
{
  if (s_syscall_index >= kMaxSyscalls)
  {
    bug("out of syscall space");
  }
  if (nr < 0)
  {
    bug("negative syscall");
  }
  if (arg1 < 1 || arg1 > 6)
  {
    bug("arg1 out of range");
  }
  if (arg2 < 1 || arg2 > 6)
  {
    bug("arg2 out of range");
  }
  if (arg3 < 1 || arg3 > 6)
  {
    bug("arg3 out of range");
  }
  s_args_1[s_syscall_index] = arg1;
  s_vals_1[s_syscall_index] = val1;
  s_args_2[s_syscall_index] = arg2;
  s_vals_2[s_syscall_index] = val2;
  s_args_3[s_syscall_index] = arg3;
  s_vals_3[s_syscall_index] = val3;
  s_errnos[s_syscall_index] = 0;
  s_syscalls[s_syscall_index++] = nr;
  s_3_arg_validations++;
}

static void
seccomp_sandbox_setup_data_connections()
{
  allow_nr_3_arg_match(__NR_socket, 1, PF_INET, 2, SOCK_STREAM, 3, IPPROTO_TCP);
  allow_nr_3_arg_match(__NR_socket,
                       1, PF_INET6,
                       2, SOCK_STREAM,
                       3, IPPROTO_TCP);
  allow_nr(__NR_bind);
  allow_nr(__NR_select);
  if (tunable_port_enable)
  {
    allow_nr(__NR_connect);
    allow_nr_2_arg_match(__NR_getsockopt, 2, SOL_SOCKET, 3, SO_ERROR);
    allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_SOCKET, 3, SO_REUSEADDR);
    allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
    allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR|O_NONBLOCK);
    allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);
  }
  if (tunable_pasv_enable)
  {
    allow_nr(__NR_listen);
    allow_nr(__NR_accept);
  }
}

static void
seccomp_sandbox_setup_base()
{
  /* Simple reads and writes on existing descriptors. */
  allow_nr(__NR_read);
  allow_nr(__NR_write);

  /* Needed for memory management. */
  allow_nr_2_arg_match(__NR_mmap,
                       3, PROT_READ|PROT_WRITE,
                       4, MAP_PRIVATE|MAP_ANON);
  allow_nr_1_arg_mask(__NR_mprotect, 3, PROT_READ);
  allow_nr(__NR_munmap);
  allow_nr(__NR_brk);
  /* glibc falls back gracefully if mremap() fails during realloc(). */
  reject_nr(__NR_mremap, ENOSYS);

  /* Misc simple low-risk calls. */
  allow_nr(__NR_gettimeofday); /* Used by logging. */
  allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
  allow_nr(__NR_restart_syscall);
  allow_nr(__NR_close);

  /* Always need to be able to exit ! */
  allow_nr(__NR_exit_group);
}

void
seccomp_sandbox_init()
{
  if (s_syscall_index != 0)
  {
    bug("bad state in seccomp_sandbox_init");
  }
}

void
seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
{
  (void) p_sess;

  seccomp_sandbox_setup_base();

  /* Peeking FTP commands from the network. */
  allow_nr_1_arg_match(__NR_recvfrom, 4, MSG_PEEK);

  /* Misc simple low-risk calls */
  allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
  allow_nr(__NR_getpid); /* Used by logging. */
  allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
  allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
  /* It's safe to allow O_RDWR in fcntl because these flags cannot be changed.
   * Also, sockets are O_RDWR.
   */
  allow_nr_2_arg_mask_match(__NR_fcntl, 3, kOpenFlags|O_ACCMODE, 2, F_SETFL);

  /* Config-dependent items follow. */
  if (tunable_idle_session_timeout > 0)
  {
    allow_nr(__NR_rt_sigaction);
    allow_nr(__NR_alarm);
  }
  if (tunable_xferlog_enable || tunable_dual_log_enable)
  {
    /* For file locking. */
    allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLKW);
    allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLK);
  }
  if (tunable_ssl_enable)
  {
    allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
    allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
  }
  if (tunable_syslog_enable)
  {
    reject_nr(__NR_socket, EACCES);
  }
}

void
seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
{
  int is_anon = p_sess->is_anonymous;
  int open_flag = kOpenFlags;
  if (tunable_write_enable)
  {
    open_flag |= O_ACCMODE;
  }

  /* Put lstat() first because it is a very hot syscall for large directory
   * listings. And the current BPF only allows a linear scan of allowed
   * syscalls.
   */
  allow_nr(__NR_lstat);

  /* Allow all the simple pre-login things and then expand upon them. */
  seccomp_sandbox_setup_prelogin(p_sess);

  /* Simple file descriptor-based operations. */
  if (tunable_xferlog_enable || tunable_dual_log_enable ||
      tunable_lock_upload_files)
  {
    allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLKW);
    allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLK);
  }
  if (tunable_async_abor_enable)
  {
    allow_nr_2_arg_match(__NR_fcntl, 2, F_SETOWN, 3, vsf_sysutil_getpid());
  }
  allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_SOCKET, 3, SO_KEEPALIVE);
  allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_SOCKET, 3, SO_LINGER);
  allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_IP, 3, IP_TOS);
  allow_nr(__NR_fstat);
  allow_nr(__NR_lseek);
  /* Since we use chroot() to restrict filesystem access, we can just blanket
   * allow open().
   */
  allow_nr_1_arg_mask(__NR_open, 2, open_flag);
  allow_nr_1_arg_mask(__NR_openat, 3, open_flag);
  /* Other pathname-based metadata queries. */
  allow_nr(__NR_stat);
  allow_nr(__NR_readlink);
  /* Directory handling: query, change, read. */
  allow_nr(__NR_getcwd);
  allow_nr(__NR_chdir);
  allow_nr(__NR_getdents);
  /* Misc */
  allow_nr(__NR_umask);

  /* Config-dependent items follow. */
  if (tunable_use_sendfile)
  {
    allow_nr(__NR_sendfile);
  }
  if (tunable_idle_session_timeout > 0 ||
      tunable_data_connection_timeout > 0 ||
      tunable_async_abor_enable)
  {
    allow_nr(__NR_rt_sigaction);
  }
  if (tunable_idle_session_timeout > 0 || tunable_data_connection_timeout > 0)
  {
    allow_nr(__NR_alarm);
  }

  if (tunable_one_process_model)
  {
    seccomp_sandbox_setup_data_connections();
    if (is_anon && tunable_chown_uploads)
    {
      allow_nr(__NR_fchmod);
      allow_nr(__NR_fchown);
    }
  }
  else
  {
    /* Need to receieve file descriptors from privileged broker. */
    allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
    if ((is_anon && tunable_chown_uploads) || tunable_ssl_enable)
    {
      /* Need to send file descriptors to privileged broker. */
      allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
    }
  }

  if (tunable_syslog_enable)
  {
    /* The ability to pass an address spec isn't needed so disable it. We ensure
     * the 6th arg (socklen) is 0. We could have checked the 5th arg (sockptr)
     * but I don't know if 64-bit compares work in the kernel filter, so we're
     * happy to check the socklen arg, which is 32 bits.
     */
    allow_nr_1_arg_match(__NR_sendto, 6, 0);
  }

  if (tunable_text_userdb_names)
  {
    reject_nr(__NR_socket, EACCES);
    allow_nr_2_arg_match(__NR_mmap, 3, PROT_READ, 4, MAP_SHARED);
  }

  if (tunable_write_enable)
  {
    if (!is_anon || tunable_anon_mkdir_write_enable)
    {
      allow_nr(__NR_mkdir);
    }
    if (!is_anon ||
        tunable_anon_other_write_enable ||
        tunable_delete_failed_uploads)
    {
      allow_nr(__NR_unlink);
    }
    if (!is_anon || tunable_anon_other_write_enable)
    {
      allow_nr(__NR_rmdir);
      allow_nr(__NR_rename);
      allow_nr(__NR_ftruncate);
      if (tunable_mdtm_write)
      {
        allow_nr(__NR_utime);
        allow_nr(__NR_utimes);
      }
    }
    if (!is_anon && tunable_chmod_enable)
    {
      allow_nr(__NR_chmod);
    }
  }
}

void
seccomp_sandbox_setup_postlogin_broker()
{
  seccomp_sandbox_setup_base();
  seccomp_sandbox_setup_data_connections();
  allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
}

void
seccomp_sandbox_lockdown()
{
  size_t len = (s_syscall_index * 2) +
               (s_1_arg_validations * 3) +
               (s_2_arg_validations * 5) +
               (s_3_arg_validations * 7) +
               5;
  struct sock_filter filters[len];
  struct sock_filter* p_filter = filters;
  struct sock_fprog prog;
  size_t i;
  int ret;

  prog.len = len;
  prog.filter = filters;
  /* Validate the syscall architecture. */
  p_filter->code = BPF_LD+BPF_W+BPF_ABS;
  p_filter->jt = 0;
  p_filter->jf = 0;
  /* Offset 4 for syscall architecture. */
  p_filter->k = 4;
  p_filter++;
  p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
  p_filter->jt = 1;
  p_filter->jf = 0;
  /* AUDIT_ARCH_X86_64 */
  p_filter->k = 0xc000003e;
  p_filter++;
  p_filter->code = BPF_RET+BPF_K;
  p_filter->jt = 0;
  p_filter->jf = 0;
  /* SECCOMP_RET_KILL */
  p_filter->k = 0;
  p_filter++;

  /* Load the syscall number. */
  p_filter->code = BPF_LD+BPF_W+BPF_ABS;
  p_filter->jt = 0;
  p_filter->jf = 0;
  /* Offset 0 for syscall number. */
  p_filter->k = 0;
  p_filter++;

  for (i = 0; i < s_syscall_index; ++i)
  {
    int block_size = 1;
    if (s_args_3[i])
    {
      block_size = 8;
    }
    else if (s_args_2[i])
    {
      block_size = 6;
    }
    else if (s_args_1[i])
    {
      block_size = 4;
    }
    /* Check for syscall number match. */
    p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
    p_filter->jt = 0;
    p_filter->jf = block_size;
    p_filter->k = s_syscalls[i];
    p_filter++;
    /* Check argument matches if necessary. */
    if (s_args_3[i])
    {
      p_filter->code = BPF_LD+BPF_W+BPF_ABS;
      p_filter->jt = 0;
      p_filter->jf = 0;
      p_filter->k = 16 + ((s_args_3[i] - 1) * 8);
      p_filter++;
      p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
      p_filter->jt = 0;
      p_filter->jf = 5;
      p_filter->k = s_vals_3[i];
      p_filter++;
    }
    if (s_args_2[i])
    {
      p_filter->code = BPF_LD+BPF_W+BPF_ABS;
      p_filter->jt = 0;
      p_filter->jf = 0;
      p_filter->k = 16 + ((s_args_2[i] - 1) * 8);
      p_filter++;
      p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
      p_filter->jt = 0;
      p_filter->jf = 3;
      p_filter->k = s_vals_2[i];
      p_filter++;
    }
    if (s_args_1[i])
    {
      int arg = s_args_1[i];
      int code = BPF_JMP+BPF_JEQ+BPF_K;
      int val = s_vals_1[i];
      int jt = 0;
      int jf = 1;
      if (arg > 100)
      {
        arg -= 100;
        code = BPF_JMP+BPF_JSET+BPF_K;
        val = ~val;
        jt = 1;
        jf = 0;
      }
      p_filter->code = BPF_LD+BPF_W+BPF_ABS;
      p_filter->jt = 0;
      p_filter->jf = 0;
      p_filter->k = 16 + ((arg - 1) * 8);
      p_filter++;
      p_filter->code = code;
      p_filter->jt = jt;
      p_filter->jf = jf;
      p_filter->k = val;
      p_filter++;
    }
    p_filter->code = BPF_RET+BPF_K;
    p_filter->jt = 0;
    p_filter->jf = 0;
    if (!s_errnos[i])
    {
      /* SECCOMP_RET_ALLOW */
      p_filter->k = 0x7fff0000;
    }
    else
    {
      /* SECCOMP_RET_ERRNO */
      p_filter->k = 0x00050000 + s_errnos[i];
    }
    p_filter++;
    if (s_args_1[i])
    {
      /* We trashed the accumulator so put it back. */
      p_filter->code = BPF_LD+BPF_W+BPF_ABS;
      p_filter->jt = 0;
      p_filter->jf = 0;
      p_filter->k = 0;
      p_filter++;
    }
  }
  /* No "allow" matches so kill. */
  p_filter->code = BPF_RET+BPF_K;
  p_filter->jt = 0;
  p_filter->jf = 0;
#ifdef DEBUG_SIGSYS
  /* SECCOMP_RET_TRAP */
  p_filter->k = 0x00030000;
#else
  /* SECCOMP_RET_KILL */
  p_filter->k = 0;
#endif

  ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
  if (ret != 0)
  {
    if (errno == EINVAL)
    {
      /* Kernel isn't good enough. */
      return;
    }
    die("prctl PR_SET_NO_NEW_PRIVS");
  }

  if (!tunable_seccomp_sandbox)
  {
    return;
  }

#ifdef DEBUG_SIGSYS
  {
    struct sigaction sa;
    memset(&sa, '\0', sizeof(sa));
    sa.sa_handler = handle_sigsys;
    sigaction(SIGSYS, &sa, NULL);
  }
#endif

  ret = prctl(PR_SET_SECCOMP, 2, &prog, 0, 0);
  if (ret != 0)
  {
    if (errno == EINVAL)
    {
      /* Kernel isn't good enough. */
      return;
    }
    die("prctl PR_SET_SECCOMP failed");
  }
}

#else /* __linux__ && __x86_64__ */

void
seccomp_sandbox_init()
{
}

void
seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
{
  (void) p_sess;
}

void
seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
{
  (void) p_sess;
}

void
seccomp_sandbox_setup_postlogin_broker()
{
}

void
seccomp_sandbox_lockdown()
{
}

#endif /* __linux__ && __x86_64__ */