diff --git a/changes/bug24198 b/changes/bug24198 new file mode 100644 index 0000000000..6790706872 --- /dev/null +++ b/changes/bug24198 @@ -0,0 +1,4 @@ + o Minor bugfixes (controller, linux seccomp2 sandbox): + - Avoid a crash when attempting to use the seccomp2 sandbox + together with the OwningControllerProcess feature. + Fixes bug 24198; bugfix on 0.2.5.1-alpha. diff --git a/changes/ticket24315 b/changes/ticket24315 new file mode 100644 index 0000000000..df34dbf412 --- /dev/null +++ b/changes/ticket24315 @@ -0,0 +1,3 @@ + o Major features (linux seccomp2 sandbox): + - Update the sandbox rules so that they should now work correctly with + Glibc 2.26. Closes ticket 24315. diff --git a/configure.ac b/configure.ac index 93b18a326a..6b0e04e7fc 100644 --- a/configure.ac +++ b/configure.ac @@ -498,6 +498,7 @@ AC_CHECK_FUNCS( getrlimit \ gettimeofday \ gmtime_r \ + gnu_get_libc_version \ htonll \ inet_aton \ ioctl \ @@ -1216,6 +1217,7 @@ AC_CHECK_HEADERS([assert.h \ arpa/inet.h \ crt_externs.h \ execinfo.h \ + gnu/libc-version.h \ grp.h \ ifaddrs.h \ inttypes.h \ diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 8cb78bd28e..92fdd60221 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -62,6 +62,9 @@ #include #include +#ifdef HAVE_GNU_LIBC_VERSION_H +#include +#endif #ifdef HAVE_LINUX_NETFILTER_IPV4_H #include #endif @@ -133,6 +136,9 @@ static int filter_nopar_gen[] = { SCMP_SYS(clone), SCMP_SYS(epoll_create), SCMP_SYS(epoll_wait), +#ifdef __NR_epoll_pwait + SCMP_SYS(epoll_pwait), +#endif #ifdef HAVE_EVENTFD SCMP_SYS(eventfd2), #endif @@ -397,6 +403,52 @@ sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } #endif /* defined(__NR_mmap2) */ +#ifdef HAVE_GNU_LIBC_VERSION_H +#ifdef HAVE_GNU_GET_LIBC_VERSION +#define CHECK_LIBC_VERSION +#endif +#endif + +/* Return true if we think we're running with a libc that always uses + * openat on linux. */ +static int +libc_uses_openat_for_everything(void) +{ +#ifdef CHECK_LIBC_VERSION + const char *version = gnu_get_libc_version(); + if (version == NULL) + return 0; + + int major = -1; + int minor = -1; + + tor_sscanf(version, "%d.%d", &major, &minor); + if (major >= 3) + return 1; + else if (major == 2 && minor >= 26) + return 1; + else + return 0; +#else + return 0; +#endif +} + +/** Allow a single file to be opened. If use_openat is true, + * we're using a libc that remaps all the opens into openats. */ +static int +allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file) +{ + if (use_openat) { + return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), + SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD), + SCMP_CMP_STR(1, SCMP_CMP_EQ, file)); + } else { + return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), + SCMP_CMP_STR(0, SCMP_CMP_EQ, file)); + } +} + /** * Function responsible for setting up the open syscall for * the seccomp filter sandbox. @@ -407,14 +459,15 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) int rc; sandbox_cfg_t *elem = NULL; + int use_openat = libc_uses_openat_for_everything(); + // for each dynamic parameter filters for (elem = filter; elem != NULL; elem = elem->next) { smp_param_t *param = elem->param; if (param != NULL && param->prot == 1 && param->syscall == SCMP_SYS(open)) { - rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), - SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value)); + rc = allow_file_open(ctx, use_openat, param->value); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add open syscall, received " "libseccomp error %d", rc); @@ -432,6 +485,15 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return rc; } + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat), + SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW, + O_RDONLY)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received " + "libseccomp error %d", rc); + return rc; + } + return 0; } @@ -621,7 +683,7 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter) rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK), - SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW), + SCMP_CMP_MASKED(1, SOCK_CLOEXEC, SOCK_RAW), SCMP_CMP(2, SCMP_CMP_EQ, 0)); if (rc) return rc; @@ -1054,6 +1116,19 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } #endif /* defined(__NR_stat64) */ +static int +sb_kill(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +{ + (void) filter; +#ifdef __NR_kill + /* Allow killing anything with signal 0 -- it isn't really a kill. */ + return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(kill), + SCMP_CMP(1, SCMP_CMP_EQ, 0)); +#else + return 0; +#endif +} + /** * Array of function pointers responsible for filtering different syscalls at * a parameter level. @@ -1090,10 +1165,10 @@ static sandbox_filter_func_t filter_func[] = { sb_setsockopt, sb_getsockopt, sb_socketpair, - #ifdef HAVE_KIST_SUPPORT sb_ioctl, #endif + sb_kill }; const char * @@ -1601,7 +1676,8 @@ add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) // function pointer for (i = 0; i < ARRAY_LENGTH(filter_func); i++) { - if ((filter_func[i])(ctx, cfg)) { + rc = filter_func[i](ctx, cfg); + if (rc) { log_err(LD_BUG,"(Sandbox) failed to add syscall %d, received libseccomp " "error %d", i, rc); return rc;