phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-01-10 11:57:28 -03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add syscall sandboxing (seccomp-bpf)

Browse source
This commit is contained in:
practicalswift 2021-10-01 13:53:59 +00:00
parent e69cbac628
commit 4747da3a5b
27 changed files with 1125 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
ci/test/00_setup_env_i686_multiprocess.sh
View file

@ -14,4 +14,5 @@ export DEP_OPTS="DEBUG=1 MULTIPROCESS=1"
export GOAL="install"
export BITCOIN_CONFIG="--enable-debug CC='clang -m32' CXX='clang++ -m32' LDFLAGS='--rtlib=compiler-rt -lgcc_s'"
export TEST_RUNNER_ENV="BITCOIND=bitcoin-node"
export TEST_RUNNER_EXTRA="--nosandbox"
export PIP_PACKAGES="lief"

37
configure.ac
View file

@ -71,6 +71,12 @@ case $host in
;;
esac
AC_ARG_WITH([seccomp],
[AS_HELP_STRING([--with-seccomp],
[enable experimental syscall sandbox feature (-sandbox), default is yes if seccomp-bpf is detected under Linux x86_64])],
[seccomp_found=$withval],
[seccomp_found=auto])
dnl Require C++17 compiler (no GNU extensions)
AX_CXX_COMPILE_STDCXX([17], [noext], [mandatory])
@ -1443,6 +1449,36 @@ if test "x$use_external_signer" != xno; then
fi
AM_CONDITIONAL([ENABLE_EXTERNAL_SIGNER], [test "x$use_external_signer" = "xyes"])
dnl Do not compile with syscall sandbox support when compiling under the sanitizers.
dnl The sanitizers introduce use of syscalls that are not typically used in bitcoind
dnl (such as execve when the sanitizers execute llvm-symbolizer).
if test x$use_sanitizers != x; then
AC_MSG_WARN(Specifying --with-sanitizers forces --without-seccomp since the sanitizers introduce use of syscalls not allowed by the bitcoind syscall sandbox (-sandbox=<mode>).)
seccomp_found=no
fi
if test "x$seccomp_found" != "xno"; then
AC_MSG_CHECKING([for seccomp-bpf (Linux x86-64)])
AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[
@%:@include <linux/seccomp.h>
]], [[
#if !defined(__x86_64__)
# error Syscall sandbox is an experimental feature currently available only under Linux x86-64.
#endif
]])],[
AC_MSG_RESULT(yes)
seccomp_found="yes"
AC_DEFINE(USE_SYSCALL_SANDBOX, 1, [Define this symbol to build with syscall sandbox support.])
],[
AC_MSG_RESULT(no)
seccomp_found="no"
])
fi
dnl Currently only enable -sandbox=<mode> feature if seccomp is found.
dnl In the future, sandboxing could be also be supported with other
dnl sandboxing mechanisms besides seccomp.
use_syscall_sandbox=$seccomp_found
AM_CONDITIONAL([ENABLE_SYSCALL_SANDBOX], [test "x$use_syscall_sandbox" != "xno"])
dnl Check for reduced exports
if test x$use_reduce_exports = xyes; then
AX_CHECK_COMPILE_FLAG([-fvisibility=hidden],[CXXFLAGS="$CXXFLAGS -fvisibility=hidden"],
@ -1933,6 +1969,7 @@ echo
echo "Options used to compile and link:"
echo " external signer = $use_external_signer"
echo " multiprocess = $build_multiprocess"
echo " with experimental syscall sandbox support = $use_syscall_sandbox"
echo " with libs = $build_bitcoin_libs"
echo " with wallet = $enable_wallet"
if test "x$enable_wallet" != "xno"; then

2
src/Makefile.am
View file

@ -261,6 +261,7 @@ BITCOIN_CORE_H = \
util/sock.h \
util/spanparsing.h \
util/string.h \
util/syscall_sandbox.h \
util/system.h \
util/thread.h \
util/threadnames.h \
@ -611,6 +612,7 @@ libbitcoin_util_a_SOURCES = \
util/spanparsing.cpp \
util/strencodings.cpp \
util/string.cpp \
util/syscall_sandbox.cpp \
util/time.cpp \
util/tokenpipe.cpp \
$(BITCOIN_CORE_H)

2
src/bitcoind.cpp
View file

@ -19,6 +19,7 @@
#include <shutdown.h>
#include <util/check.h>
#include <util/strencodings.h>
#include <util/syscall_sandbox.h>
#include <util/system.h>
#include <util/threadnames.h>
#include <util/tokenpipe.h>
@ -238,6 +239,7 @@ static bool AppInit(NodeContext& node, int argc, char* argv[])
daemon_ep.Close();
}
#endif
SetSyscallSandboxPolicy(SyscallSandboxPolicy::SHUTOFF);
if (fRet) {
WaitForShutdown();
}

2
src/checkqueue.h
View file

@ -7,6 +7,7 @@
#include <sync.h>
#include <tinyformat.h>
#include <util/syscall_sandbox.h>
#include <util/threadnames.h>
#include <algorithm>
@ -151,6 +152,7 @@ public:
for (int n = 0; n < threads_num; ++n) {
m_worker_threads.emplace_back([this, n]() {
util::ThreadRename(strprintf("scriptch.%i", n));
SetSyscallSandboxPolicy(SyscallSandboxPolicy::VALIDATION_SCRIPT_CHECK);
Loop(false /* worker thread */);
});
}

3
src/httpserver.cpp
View file

@ -12,6 +12,7 @@
#include <shutdown.h>
#include <sync.h>
#include <util/strencodings.h>
#include <util/syscall_sandbox.h>
#include <util/system.h>
#include <util/threadnames.h>
#include <util/translation.h>
@ -279,6 +280,7 @@ static void http_reject_request_cb(struct evhttp_request* req, void*)
static bool ThreadHTTP(struct event_base* base)
{
util::ThreadRename("http");
SetSyscallSandboxPolicy(SyscallSandboxPolicy::NET_HTTP_SERVER);
LogPrint(BCLog::HTTP, "Entering http event loop\n");
event_base_dispatch(base);
// Event loop will be interrupted by InterruptHTTPServer()
@ -332,6 +334,7 @@ static bool HTTPBindAddresses(struct evhttp* http)
static void HTTPWorkQueueRun(WorkQueue<HTTPClosure>* queue, int worker_num)
{
util::ThreadRename(strprintf("httpworker.%i", worker_num));
SetSyscallSandboxPolicy(SyscallSandboxPolicy::NET_HTTP_SERVER_WORKER);
queue->Run();
}

2
src/index/base.cpp
View file

@ -8,6 +8,7 @@
#include <node/ui_interface.h>
#include <shutdown.h>
#include <tinyformat.h>
#include <util/syscall_sandbox.h>
#include <util/thread.h>
#include <util/translation.h>
#include <validation.h> // For g_chainman
@ -123,6 +124,7 @@ static const CBlockIndex* NextSyncBlock(const CBlockIndex* pindex_prev, CChain&
void BaseIndex::ThreadSync()
{
SetSyscallSandboxPolicy(SyscallSandboxPolicy::TX_INDEX);
const CBlockIndex* pindex = m_best_block_index.load();
if (!m_synced) {
auto& consensus_params = Params().GetConsensus();

36
src/init.cpp
View file

@ -60,6 +60,7 @@
#include <util/check.h>
#include <util/moneystr.h>
#include <util/string.h>
#include <util/syscall_sandbox.h>
#include <util/system.h>
#include <util/thread.h>
#include <util/threadnames.h>
@ -562,6 +563,10 @@ void SetupServerArgs(ArgsManager& argsman)
hidden_args.emplace_back("-daemonwait");
#endif
#if defined(USE_SYSCALL_SANDBOX)
argsman.AddArg("-sandbox=<mode>", "Use the experimental syscall sandbox in the specified mode (-sandbox=log-and-abort or -sandbox=abort). Allow only expected syscalls to be used by bitcoind. Note that this is an experimental new feature that may cause bitcoind to exit or crash unexpectedly: use with caution. In the \"log-and-abort\" mode the invocation of an unexpected syscall results in a debug handler being invoked which will log the incident and terminate the program (without executing the unexpected syscall). In the \"abort\" mode the invocation of an unexpected syscall results in the entire process being killed immediately by the kernel without executing the unexpected syscall.", ArgsManager::ALLOW_ANY, OptionsCategory::OPTIONS);
#endif // USE_SYSCALL_SANDBOX
// Add the hidden options
argsman.AddHiddenArgs(hidden_args);
}
@ -1018,6 +1023,37 @@ bool AppInitParameterInteraction(const ArgsManager& args)
return InitError(_("No proxy server specified. Use -proxy=<ip> or -proxy=<ip:port>."));
}
#if defined(USE_SYSCALL_SANDBOX)
if (args.IsArgSet("-sandbox") && !args.IsArgNegated("-sandbox")) {
const std::string sandbox_arg{args.GetArg("-sandbox", "")};
bool log_syscall_violation_before_terminating{false};
if (sandbox_arg == "log-and-abort") {
log_syscall_violation_before_terminating = true;
} else if (sandbox_arg == "abort") {
// log_syscall_violation_before_terminating is false by default.
} else {
return InitError(Untranslated("Unknown syscall sandbox mode (-sandbox=<mode>). Available modes are \"log-and-abort\" and \"abort\"."));
}
// execve(...) is not allowed by the syscall sandbox.
const std::vector<std::string> features_using_execve{
"-alertnotify",
"-blocknotify",
"-signer",
"-startupnotify",
"-walletnotify",
};
for (const std::string& feature_using_execve : features_using_execve) {
if (!args.GetArg(feature_using_execve, "").empty()) {
return InitError(Untranslated(strprintf("The experimental syscall sandbox feature (-sandbox=<mode>) is incompatible with %s (which uses execve).", feature_using_execve)));
}
}
if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {
return InitError(Untranslated("Installation of the syscall sandbox failed."));
}
LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);
}
#endif // USE_SYSCALL_SANDBOX
return true;
}

1
src/logging.cpp
View file

@ -160,6 +160,7 @@ const CLogCategoryDesc LogCategories[] =
{BCLog::I2P, "i2p"},
{BCLog::IPC, "ipc"},
{BCLog::LOCK, "lock"},
{BCLog::UTIL, "util"},
{BCLog::ALL, "1"},
{BCLog::ALL, "all"},
};

1
src/logging.h
View file

@ -60,6 +60,7 @@ namespace BCLog {
I2P = (1 << 22),
IPC = (1 << 23),
LOCK = (1 << 24),
UTIL = (1 << 25),
ALL = ~(uint32_t)0,
};

2
src/mapport.cpp
View file

@ -14,6 +14,7 @@
#include <netaddress.h>
#include <netbase.h>
#include <threadinterrupt.h>
#include <util/syscall_sandbox.h>
#include <util/system.h>
#include <util/thread.h>
@ -222,6 +223,7 @@ static bool ProcessUpnp()
static void ThreadMapPort()
{
SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION_MAP_PORT);
bool ok;
do {
ok = false;

6
src/net.cpp
View file

@ -25,6 +25,7 @@
#include <scheduler.h>
#include <util/sock.h>
#include <util/strencodings.h>
#include <util/syscall_sandbox.h>
#include <util/system.h>
#include <util/thread.h>
#include <util/trace.h>
@ -1615,6 +1616,7 @@ void CConnman::SocketHandler()
void CConnman::ThreadSocketHandler()
{
SetSyscallSandboxPolicy(SyscallSandboxPolicy::NET);
while (!interruptNet)
{
DisconnectNodes();
@ -1634,6 +1636,7 @@ void CConnman::WakeMessageHandler()
void CConnman::ThreadDNSAddressSeed()
{
SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION_DNS_SEED);
FastRandomContext rng;
std::vector<std::string> seeds = Params().DNSSeeds();
Shuffle(seeds.begin(), seeds.end(), rng);
@ -1816,6 +1819,7 @@ int CConnman::GetExtraBlockRelayCount() const
void CConnman::ThreadOpenConnections(const std::vector<std::string> connect)
{
SetSyscallSandboxPolicy(SyscallSandboxPolicy::NET_OPEN_CONNECTION);
// Connect to specific addresses
if (!connect.empty())
{
@ -2155,6 +2159,7 @@ std::vector<AddedNodeInfo> CConnman::GetAddedNodeInfo() const
void CConnman::ThreadOpenAddedConnections()
{
SetSyscallSandboxPolicy(SyscallSandboxPolicy::NET_ADD_CONNECTION);
while (true)
{
CSemaphoreGrant grant(*semAddnode);
@ -2218,6 +2223,7 @@ void CConnman::OpenNetworkConnection(const CAddress& addrConnect, bool fCountFai
void CConnman::ThreadMessageHandler()
{
SetSyscallSandboxPolicy(SyscallSandboxPolicy::MESSAGE_HANDLER);
FastRandomContext rng;
while (!flagInterruptMsgProc)
{

2
src/node/blockstorage.cpp
View file

@ -16,6 +16,7 @@
#include <signet.h>
#include <streams.h>
#include <undo.h>
#include <util/syscall_sandbox.h>
#include <util/system.h>
#include <validation.h>
@ -489,6 +490,7 @@ struct CImportingNow {
void ThreadImport(ChainstateManager& chainman, std::vector<fs::path> vImportFiles, const ArgsManager& args)
{
SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION_LOAD_BLOCKS);
ScheduleBatchPriority();
{

25
src/rpc/misc.cpp
View file

@ -22,6 +22,7 @@
#include <util/check.h>
#include <util/message.h> // For MessageSign(), MessageVerify()
#include <util/strencodings.h>
#include <util/syscall_sandbox.h>
#include <util/system.h>
#include <optional>
@ -417,6 +418,27 @@ static RPCHelpMan setmocktime()
};
}
#if defined(USE_SYSCALL_SANDBOX)
static RPCHelpMan invokedisallowedsyscall()
{
return RPCHelpMan{
"invokedisallowedsyscall",
"\nInvoke a disallowed syscall to trigger a syscall sandbox violation. Used for testing purposes.\n",
{},
RPCResult{RPCResult::Type::NONE, "", ""},
RPCExamples{
HelpExampleCli("invokedisallowedsyscall", "") + HelpExampleRpc("invokedisallowedsyscall", "")},
[&](const RPCHelpMan& self, const JSONRPCRequest& request) -> UniValue {
if (!Params().IsTestChain()) {
throw std::runtime_error("invokedisallowedsyscall is used for testing only.");
}
TestDisallowedSandboxCall();
return NullUniValue;
},
};
}
#endif // USE_SYSCALL_SANDBOX
static RPCHelpMan mockscheduler()
{
return RPCHelpMan{"mockscheduler",
@ -777,6 +799,9 @@ static const CRPCCommand commands[] =
{ "hidden", &echo, },
{ "hidden", &echojson, },
{ "hidden", &echoipc, },
#if defined(USE_SYSCALL_SANDBOX)
{ "hidden", &invokedisallowedsyscall, },
#endif // USE_SYSCALL_SANDBOX
};
// clang-format on
for (const auto& c : commands) {

2
src/scheduler.cpp
View file

@ -5,6 +5,7 @@
#include <scheduler.h>
#include <random.h>
#include <util/syscall_sandbox.h>
#include <util/time.h>
#include <assert.h>
@ -24,6 +25,7 @@ CScheduler::~CScheduler()
void CScheduler::serviceQueue()
{
SetSyscallSandboxPolicy(SyscallSandboxPolicy::SCHEDULER);
WAIT_LOCK(newTaskMutex, lock);
++nThreadsServicingQueue;

2
src/torcontrol.cpp
View file

@ -14,6 +14,7 @@
#include <netbase.h>
#include <util/readwritefile.h>
#include <util/strencodings.h>
#include <util/syscall_sandbox.h>
#include <util/system.h>
#include <util/thread.h>
#include <util/time.h>
@ -585,6 +586,7 @@ static std::thread torControlThread;
static void TorControlThread(CService onion_service_target)
{
SetSyscallSandboxPolicy(SyscallSandboxPolicy::TOR_CONTROL);
TorController ctrl(gBase, gArgs.GetArg("-torcontrol", DEFAULT_TOR_CONTROL), onion_service_target);
event_base_dispatch(gBase);

882
src/util/syscall_sandbox.cpp Normal file
View file

@ -0,0 +1,882 @@
// Copyright (c) 2020 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#if defined(HAVE_CONFIG_H)
#include <config/bitcoin-config.h>
#endif // defined(HAVE_CONFIG_H)
#include <util/syscall_sandbox.h>
#if defined(USE_SYSCALL_SANDBOX)
#include <array>
#include <cassert>
#include <cstdint>
#include <exception>
#include <map>
#include <new>
#include <set>
#include <string>
#include <vector>
#include <logging.h>
#include <tinyformat.h>
#include <util/threadnames.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <signal.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>
namespace {
bool g_syscall_sandbox_enabled{false};
bool g_syscall_sandbox_log_violation_before_terminating{false};
#if !defined(__x86_64__)
#error Syscall sandbox is an experimental feature currently available only under Linux x86-64.
#endif // defined(__x86_64__)
// This list of syscalls in LINUX_SYSCALLS is only used to map syscall numbers to syscall names in
// order to be able to print user friendly error messages which include the syscall name in addition
// to the syscall number.
//
// Example output in case of a syscall violation where the syscall is present in LINUX_SYSCALLS:
//
// ```
// 2021-06-09T12:34:56Z ERROR: The syscall "execve" (syscall number 59) is not allowed by the syscall sandbox in thread "msghand". Please report.
// ```
//
// Example output in case of a syscall violation where the syscall is not present in LINUX_SYSCALLS:
//
// ```
// 2021-06-09T12:34:56Z ERROR: The syscall "*unknown*" (syscall number 314) is not allowed by the syscall sandbox in thread "msghand". Please report.
// ``
//
// LINUX_SYSCALLS contains two types of syscalls:
// 1.) Syscalls that are present under all architectures or relevant Linux kernel versions for which
// we support the syscall sandbox feature (currently only Linux x86-64). Examples include read,
// write, open, close, etc.
// 2.) Syscalls that are present under a subset of architectures or relevant Linux kernel versions
// for which we support the syscall sandbox feature. This type of syscalls should be added to
// LINUX_SYSCALLS conditional on availability like in the following example:
// ...
// #if defined(__NR_arch_dependent_syscall)
// {__NR_arch_dependent_syscall, "arch_dependent_syscall"},
// #endif // defined(__NR_arch_dependent_syscall)
// ...
const std::map<uint32_t, std::string> LINUX_SYSCALLS{
{__NR_accept, "accept"},
{__NR_accept4, "accept4"},
{__NR_access, "access"},
{__NR_acct, "acct"},
{__NR_add_key, "add_key"},
{__NR_adjtimex, "adjtimex"},
{__NR_afs_syscall, "afs_syscall"},
{__NR_alarm, "alarm"},
{__NR_arch_prctl, "arch_prctl"},
{__NR_bind, "bind"},
{__NR_bpf, "bpf"},
{__NR_brk, "brk"},
{__NR_capget, "capget"},
{__NR_capset, "capset"},
{__NR_chdir, "chdir"},
{__NR_chmod, "chmod"},
{__NR_chown, "chown"},
{__NR_chroot, "chroot"},
{__NR_clock_adjtime, "clock_adjtime"},
{__NR_clock_getres, "clock_getres"},
{__NR_clock_gettime, "clock_gettime"},
{__NR_clock_nanosleep, "clock_nanosleep"},
{__NR_clock_settime, "clock_settime"},
{__NR_clone, "clone"},
{__NR_close, "close"},
{__NR_connect, "connect"},
{__NR_copy_file_range, "copy_file_range"},
{__NR_creat, "creat"},
{__NR_create_module, "create_module"},
{__NR_delete_module, "delete_module"},
{__NR_dup, "dup"},
{__NR_dup2, "dup2"},
{__NR_dup3, "dup3"},
{__NR_epoll_create, "epoll_create"},
{__NR_epoll_create1, "epoll_create1"},
{__NR_epoll_ctl, "epoll_ctl"},
{__NR_epoll_ctl_old, "epoll_ctl_old"},
{__NR_epoll_pwait, "epoll_pwait"},
{__NR_epoll_wait, "epoll_wait"},
{__NR_epoll_wait_old, "epoll_wait_old"},
{__NR_eventfd, "eventfd"},
{__NR_eventfd2, "eventfd2"},
{__NR_execve, "execve"},
{__NR_execveat, "execveat"},
{__NR_exit, "exit"},
{__NR_exit_group, "exit_group"},
{__NR_faccessat, "faccessat"},
{__NR_fadvise64, "fadvise64"},
{__NR_fallocate, "fallocate"},
{__NR_fanotify_init, "fanotify_init"},
{__NR_fanotify_mark, "fanotify_mark"},
{__NR_fchdir, "fchdir"},
{__NR_fchmod, "fchmod"},
{__NR_fchmodat, "fchmodat"},
{__NR_fchown, "fchown"},
{__NR_fchownat, "fchownat"},
{__NR_fcntl, "fcntl"},
{__NR_fdatasync, "fdatasync"},
{__NR_fgetxattr, "fgetxattr"},
{__NR_finit_module, "finit_module"},
{__NR_flistxattr, "flistxattr"},
{__NR_flock, "flock"},
{__NR_fork, "fork"},
{__NR_fremovexattr, "fremovexattr"},
{__NR_fsetxattr, "fsetxattr"},
{__NR_fstat, "fstat"},
{__NR_fstatfs, "fstatfs"},
{__NR_fsync, "fsync"},
{__NR_ftruncate, "ftruncate"},
{__NR_futex, "futex"},
{__NR_futimesat, "futimesat"},
{__NR_getcpu, "getcpu"},
{__NR_getcwd, "getcwd"},
{__NR_getdents, "getdents"},
{__NR_getdents64, "getdents64"},
{__NR_getegid, "getegid"},
{__NR_geteuid, "geteuid"},
{__NR_getgid, "getgid"},
{__NR_getgroups, "getgroups"},
{__NR_getitimer, "getitimer"},
{__NR_get_kernel_syms, "get_kernel_syms"},
{__NR_get_mempolicy, "get_mempolicy"},
{__NR_getpeername, "getpeername"},
{__NR_getpgid, "getpgid"},
{__NR_getpgrp, "getpgrp"},
{__NR_getpid, "getpid"},
{__NR_getpmsg, "getpmsg"},
{__NR_getppid, "getppid"},
{__NR_getpriority, "getpriority"},
#if defined(__NR_getrandom)
{__NR_getrandom, "getrandom"},
#endif // defined(__NR_getrandom)
{__NR_getresgid, "getresgid"},
{__NR_getresuid, "getresuid"},
{__NR_getrlimit, "getrlimit"},
{__NR_get_robust_list, "get_robust_list"},
{__NR_getrusage, "getrusage"},
{__NR_getsid, "getsid"},
{__NR_getsockname, "getsockname"},
{__NR_getsockopt, "getsockopt"},
{__NR_get_thread_area, "get_thread_area"},
{__NR_gettid, "gettid"},
{__NR_gettimeofday, "gettimeofday"},
{__NR_getuid, "getuid"},
{__NR_getxattr, "getxattr"},
{__NR_init_module, "init_module"},
{__NR_inotify_add_watch, "inotify_add_watch"},
{__NR_inotify_init, "inotify_init"},
{__NR_inotify_init1, "inotify_init1"},
{__NR_inotify_rm_watch, "inotify_rm_watch"},
{__NR_io_cancel, "io_cancel"},
{__NR_ioctl, "ioctl"},
{__NR_io_destroy, "io_destroy"},
{__NR_io_getevents, "io_getevents"},
{__NR_ioperm, "ioperm"},
{__NR_iopl, "iopl"},
{__NR_ioprio_get, "ioprio_get"},
{__NR_ioprio_set, "ioprio_set"},
{__NR_io_setup, "io_setup"},
{__NR_io_submit, "io_submit"},
{__NR_kcmp, "kcmp"},
{__NR_kexec_file_load, "kexec_file_load"},
{__NR_kexec_load, "kexec_load"},
{__NR_keyctl, "keyctl"},
{__NR_kill, "kill"},
{__NR_lchown, "lchown"},
{__NR_lgetxattr, "lgetxattr"},
{__NR_link, "link"},
{__NR_linkat, "linkat"},
{__NR_listen, "listen"},
{__NR_listxattr, "listxattr"},
{__NR_llistxattr, "llistxattr"},
{__NR_lookup_dcookie, "lookup_dcookie"},
{__NR_lremovexattr, "lremovexattr"},
{__NR_lseek, "lseek"},
{__NR_lsetxattr, "lsetxattr"},
{__NR_lstat, "lstat"},
{__NR_madvise, "madvise"},
{__NR_mbind, "mbind"},
#if defined(__NR_membarrier)
{__NR_membarrier, "membarrier"},
#endif // defined(__NR_membarrier)
{__NR_memfd_create, "memfd_create"},
{__NR_migrate_pages, "migrate_pages"},
{__NR_mincore, "mincore"},
{__NR_mkdir, "mkdir"},
{__NR_mkdirat, "mkdirat"},
{__NR_mknod, "mknod"},
{__NR_mknodat, "mknodat"},
{__NR_mlock, "mlock"},
{__NR_mlock2, "mlock2"},
{__NR_mlockall, "mlockall"},
{__NR_mmap, "mmap"},
{__NR_modify_ldt, "modify_ldt"},
{__NR_mount, "mount"},
{__NR_move_pages, "move_pages"},
{__NR_mprotect, "mprotect"},
{__NR_mq_getsetattr, "mq_getsetattr"},
{__NR_mq_notify, "mq_notify"},
{__NR_mq_open, "mq_open"},
{__NR_mq_timedreceive, "mq_timedreceive"},
{__NR_mq_timedsend, "mq_timedsend"},
{__NR_mq_unlink, "mq_unlink"},
{__NR_mremap, "mremap"},
{__NR_msgctl, "msgctl"},
{__NR_msgget, "msgget"},
{__NR_msgrcv, "msgrcv"},
{__NR_msgsnd, "msgsnd"},
{__NR_msync, "msync"},
{__NR_munlock, "munlock"},
{__NR_munlockall, "munlockall"},
{__NR_munmap, "munmap"},
{__NR_name_to_handle_at, "name_to_handle_at"},
{__NR_nanosleep, "nanosleep"},
{__NR_newfstatat, "newfstatat"},
{__NR_nfsservctl, "nfsservctl"},
{__NR_open, "open"},
{__NR_openat, "openat"},
{__NR_open_by_handle_at, "open_by_handle_at"},
{__NR_pause, "pause"},
{__NR_perf_event_open, "perf_event_open"},
{__NR_personality, "personality"},
{__NR_pipe, "pipe"},
{__NR_pipe2, "pipe2"},
{__NR_pivot_root, "pivot_root"},
{__NR_pkey_alloc, "pkey_alloc"},
{__NR_pkey_free, "pkey_free"},
{__NR_pkey_mprotect, "pkey_mprotect"},
{__NR_poll, "poll"},
{__NR_ppoll, "ppoll"},
{__NR_prctl, "prctl"},
{__NR_pread64, "pread64"},
{__NR_preadv, "preadv"},
{__NR_preadv2, "preadv2"},
{__NR_prlimit64, "prlimit64"},
{__NR_process_vm_readv, "process_vm_readv"},
{__NR_process_vm_writev, "process_vm_writev"},
{__NR_pselect6, "pselect6"},
{__NR_ptrace, "ptrace"},
{__NR_putpmsg, "putpmsg"},
{__NR_pwrite64, "pwrite64"},
{__NR_pwritev, "pwritev"},
{__NR_pwritev2, "pwritev2"},
{__NR_query_module, "query_module"},
{__NR_quotactl, "quotactl"},
{__NR_read, "read"},
{__NR_readahead, "readahead"},
{__NR_readlink, "readlink"},
{__NR_readlinkat, "readlinkat"},
{__NR_readv, "readv"},
{__NR_reboot, "reboot"},
{__NR_recvfrom, "recvfrom"},
{__NR_recvmmsg, "recvmmsg"},
{__NR_recvmsg, "recvmsg"},
{__NR_remap_file_pages, "remap_file_pages"},
{__NR_removexattr, "removexattr"},
{__NR_rename, "rename"},
{__NR_renameat, "renameat"},
{__NR_renameat2, "renameat2"},
{__NR_request_key, "request_key"},
{__NR_restart_syscall, "restart_syscall"},
{__NR_rmdir, "rmdir"},
{__NR_rt_sigaction, "rt_sigaction"},
{__NR_rt_sigpending, "rt_sigpending"},
{__NR_rt_sigprocmask, "rt_sigprocmask"},
{__NR_rt_sigqueueinfo, "rt_sigqueueinfo"},
{__NR_rt_sigreturn, "rt_sigreturn"},
{__NR_rt_sigsuspend, "rt_sigsuspend"},
{__NR_rt_sigtimedwait, "rt_sigtimedwait"},
{__NR_rt_tgsigqueueinfo, "rt_tgsigqueueinfo"},
{__NR_sched_getaffinity, "sched_getaffinity"},
{__NR_sched_getattr, "sched_getattr"},
{__NR_sched_getparam, "sched_getparam"},
{__NR_sched_get_priority_max, "sched_get_priority_max"},
{__NR_sched_get_priority_min, "sched_get_priority_min"},
{__NR_sched_getscheduler, "sched_getscheduler"},
{__NR_sched_rr_get_interval, "sched_rr_get_interval"},
{__NR_sched_setaffinity, "sched_setaffinity"},
{__NR_sched_setattr, "sched_setattr"},
{__NR_sched_setparam, "sched_setparam"},
{__NR_sched_setscheduler, "sched_setscheduler"},
{__NR_sched_yield, "sched_yield"},
{__NR_seccomp, "seccomp"},
{__NR_security, "security"},
{__NR_select, "select"},
{__NR_semctl, "semctl"},
{__NR_semget, "semget"},
{__NR_semop, "semop"},
{__NR_semtimedop, "semtimedop"},
{__NR_sendfile, "sendfile"},
{__NR_sendmmsg, "sendmmsg"},
{__NR_sendmsg, "sendmsg"},
{__NR_sendto, "sendto"},
{__NR_setdomainname, "setdomainname"},
{__NR_setfsgid, "setfsgid"},
{__NR_setfsuid, "setfsuid"},
{__NR_setgid, "setgid"},
{__NR_setgroups, "setgroups"},
{__NR_sethostname, "sethostname"},
{__NR_setitimer, "setitimer"},
{__NR_set_mempolicy, "set_mempolicy"},
{__NR_setns, "setns"},
{__NR_setpgid, "setpgid"},
{__NR_setpriority, "setpriority"},
{__NR_setregid, "setregid"},
{__NR_setresgid, "setresgid"},
{__NR_setresuid, "setresuid"},
{__NR_setreuid, "setreuid"},
{__NR_setrlimit, "setrlimit"},
{__NR_set_robust_list, "set_robust_list"},
{__NR_setsid, "setsid"},
{__NR_setsockopt, "setsockopt"},
{__NR_set_thread_area, "set_thread_area"},
{__NR_set_tid_address, "set_tid_address"},
{__NR_settimeofday, "settimeofday"},
{__NR_setuid, "setuid"},
{__NR_setxattr, "setxattr"},
{__NR_shmat, "shmat"},
{__NR_shmctl, "shmctl"},
{__NR_shmdt, "shmdt"},
{__NR_shmget, "shmget"},
{__NR_shutdown, "shutdown"},
{__NR_sigaltstack, "sigaltstack"},
{__NR_signalfd, "signalfd"},
{__NR_signalfd4, "signalfd4"},
{__NR_socket, "socket"},
{__NR_socketpair, "socketpair"},
{__NR_splice, "splice"},
{__NR_stat, "stat"},
{__NR_statfs, "statfs"},
{__NR_statx, "statx"},
{__NR_swapoff, "swapoff"},
{__NR_swapon, "swapon"},
{__NR_symlink, "symlink"},
{__NR_symlinkat, "symlinkat"},
{__NR_sync, "sync"},
{__NR_sync_file_range, "sync_file_range"},
{__NR_syncfs, "syncfs"},
{__NR__sysctl, "_sysctl"},
{__NR_sysfs, "sysfs"},
{__NR_sysinfo, "sysinfo"},
{__NR_syslog, "syslog"},
{__NR_tee, "tee"},
{__NR_tgkill, "tgkill"},
{__NR_time, "time"},
{__NR_timer_create, "timer_create"},
{__NR_timer_delete, "timer_delete"},
{__NR_timerfd_create, "timerfd_create"},
{__NR_timerfd_gettime, "timerfd_gettime"},
{__NR_timerfd_settime, "timerfd_settime"},
{__NR_timer_getoverrun, "timer_getoverrun"},
{__NR_timer_gettime, "timer_gettime"},
{__NR_timer_settime, "timer_settime"},
{__NR_times, "times"},
{__NR_tkill, "tkill"},
{__NR_truncate, "truncate"},
{__NR_tuxcall, "tuxcall"},
{__NR_umask, "umask"},
{__NR_umount2, "umount2"},
{__NR_uname, "uname"},
{__NR_unlink, "unlink"},
{__NR_unlinkat, "unlinkat"},
{__NR_unshare, "unshare"},
{__NR_uselib, "uselib"},
{__NR_userfaultfd, "userfaultfd"},
{__NR_ustat, "ustat"},
{__NR_utime, "utime"},
{__NR_utimensat, "utimensat"},
{__NR_utimes, "utimes"},
{__NR_vfork, "vfork"},
{__NR_vhangup, "vhangup"},
{__NR_vmsplice, "vmsplice"},
{__NR_vserver, "vserver"},
{__NR_wait4, "wait4"},
{__NR_waitid, "waitid"},
{__NR_write, "write"},
{__NR_writev, "writev"},
};
std::string GetLinuxSyscallName(uint32_t syscall_number)
{
const auto element = LINUX_SYSCALLS.find(syscall_number);
if (element != LINUX_SYSCALLS.end()) {
return element->second;
}
return "*unknown*";
}
// See Linux kernel developer Kees Cook's seccomp guide at <https://outflux.net/teach-seccomp/> for
// an accessible introduction to using seccomp.
//
// This function largely follows <https://outflux.net/teach-seccomp/step-3/syscall-reporter.c> and
// <https://outflux.net/teach-seccomp/step-3/seccomp-bpf.h>.
//
// Seccomp BPF resources:
// * Seccomp BPF documentation: <https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html>
// * seccomp(2) manual page: <https://www.kernel.org/doc/man-pages/online/pages/man2/seccomp.2.html>
// * Seccomp BPF demo code samples: <https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/samples/seccomp>
void SyscallSandboxDebugSignalHandler(int, siginfo_t* signal_info, void* void_signal_context)
{
// The si_code field inside the siginfo_t argument that is passed to a SA_SIGINFO signal handler
// is a value indicating why the signal was sent.
//
// The following value can be placed in si_code for a SIGSYS signal:
// * SYS_SECCOMP (since Linux 3.5): Triggered by a seccomp(2) filter rule.
constexpr int32_t SYS_SECCOMP_SI_CODE{1};
assert(signal_info->si_code == SYS_SECCOMP_SI_CODE);
// The ucontext_t structure contains signal context information that was saved on the user-space
// stack by the kernel.
const ucontext_t* signal_context = static_cast<ucontext_t*>(void_signal_context);
assert(signal_context != nullptr);
std::set_new_handler(std::terminate);
// Portability note: REG_RAX is Linux x86_64 specific.
const uint32_t syscall_number = static_cast<uint32_t>(signal_context->uc_mcontext.gregs[REG_RAX]);
const std::string syscall_name = GetLinuxSyscallName(syscall_number);
const std::string thread_name = !util::ThreadGetInternalName().empty() ? util::ThreadGetInternalName() : "*unnamed*";
const std::string error_message = strprintf("ERROR: The syscall \"%s\" (syscall number %d) is not allowed by the syscall sandbox in thread \"%s\". Please report.", syscall_name, syscall_number, thread_name);
tfm::format(std::cerr, "%s\n", error_message);
LogPrintf("%s\n", error_message);
std::terminate();
}
// This function largely follows install_syscall_reporter from Kees Cook's seccomp guide:
// <https://outflux.net/teach-seccomp/step-3/syscall-reporter.c>
bool SetupSyscallSandboxDebugHandler()
{
struct sigaction action = {};
sigset_t mask;
sigemptyset(&mask);
sigaddset(&mask, SIGSYS);
action.sa_sigaction = &SyscallSandboxDebugSignalHandler;
action.sa_flags = SA_SIGINFO;
if (sigaction(SIGSYS, &action, nullptr) < 0) {
return false;
}
if (sigprocmask(SIG_UNBLOCK, &mask, nullptr)) {
return false;
}
return true;
}
enum class SyscallSandboxAction {
KILL_PROCESS,
INVOKE_SIGNAL_HANDLER,
};
class SeccompPolicyBuilder
{
std::set<uint32_t> allowed_syscalls;
public:
SeccompPolicyBuilder()
{
// Allowed by default.
AllowAddressSpaceAccess();
AllowEpoll();
AllowEventFd();
AllowFutex();
AllowGeneralIo();
AllowGetRandom();
AllowGetSimpleId();
AllowGetTime();
AllowGlobalProcessEnvironment();
AllowGlobalSystemStatus();
AllowKernelInternalApi();
AllowNetworkSocketInformation();
AllowOperationOnExistingFileDescriptor();
AllowPipe();
AllowPrctl();
AllowProcessStartOrDeath();
AllowScheduling();
AllowSignalHandling();
AllowSleep();
AllowUmask();
}
void AllowAddressSpaceAccess()
{
allowed_syscalls.insert(__NR_brk); // change data segment size
allowed_syscalls.insert(__NR_madvise); // give advice about use of memory
#if defined(__NR_membarrier)
allowed_syscalls.insert(__NR_membarrier); // issue memory barriers on a set of threads
#endif // defined(__NR_membarrier)
allowed_syscalls.insert(__NR_mlock); // lock memory
allowed_syscalls.insert(__NR_mmap); // map files or devices into memory
allowed_syscalls.insert(__NR_mprotect); // set protection on a region of memory
allowed_syscalls.insert(__NR_munlock); // unlock memory
allowed_syscalls.insert(__NR_munmap); // unmap files or devices into memory
}
void AllowEpoll()
{
allowed_syscalls.insert(__NR_epoll_create1); // open an epoll file descriptor
allowed_syscalls.insert(__NR_epoll_ctl); // control interface for an epoll file descriptor
allowed_syscalls.insert(__NR_epoll_pwait); // wait for an I/O event on an epoll file descriptor
allowed_syscalls.insert(__NR_epoll_wait); // wait for an I/O event on an epoll file descriptor
}
void AllowEventFd()
{
allowed_syscalls.insert(__NR_eventfd2); // create a file descriptor for event notification
}
void AllowFileSystem()
{
allowed_syscalls.insert(__NR_access); // check user's permissions for a file
allowed_syscalls.insert(__NR_chdir); // change working directory
allowed_syscalls.insert(__NR_chmod); // change permissions of a file
allowed_syscalls.insert(__NR_fallocate); // manipulate file space
allowed_syscalls.insert(__NR_fchmod); // change permissions of a file
allowed_syscalls.insert(__NR_fchown); // change ownership of a file
allowed_syscalls.insert(__NR_fdatasync); // synchronize a file's in-core state with storage device
allowed_syscalls.insert(__NR_flock); // apply or remove an advisory lock on an open file
allowed_syscalls.insert(__NR_fstat); // get file status
allowed_syscalls.insert(__NR_fsync); // synchronize a file's in-core state with storage device
allowed_syscalls.insert(__NR_ftruncate); // truncate a file to a specified length
allowed_syscalls.insert(__NR_getcwd); // get current working directory
allowed_syscalls.insert(__NR_getdents); // get directory entries
allowed_syscalls.insert(__NR_getdents64); // get directory entries
allowed_syscalls.insert(__NR_lstat); // get file status
allowed_syscalls.insert(__NR_mkdir); // create a directory
allowed_syscalls.insert(__NR_open); // open and possibly create a file
allowed_syscalls.insert(__NR_openat); // open and possibly create a file
allowed_syscalls.insert(__NR_readlink); // read value of a symbolic link
allowed_syscalls.insert(__NR_rename); // change the name or location of a file
allowed_syscalls.insert(__NR_rmdir); // delete a directory
allowed_syscalls.insert(__NR_stat); // get file status
allowed_syscalls.insert(__NR_statfs); // get filesystem statistics
allowed_syscalls.insert(__NR_statx); // get file status (extended)
allowed_syscalls.insert(__NR_unlink); // delete a name and possibly the file it refers to
}
void AllowFutex()
{
allowed_syscalls.insert(__NR_futex); // fast user-space locking
allowed_syscalls.insert(__NR_set_robust_list); // set list of robust futexes
}
void AllowGeneralIo()
{
allowed_syscalls.insert(__NR_ioctl); // control device
allowed_syscalls.insert(__NR_lseek); // reposition read/write file offset
allowed_syscalls.insert(__NR_poll); // wait for some event on a file descriptor
allowed_syscalls.insert(__NR_ppoll); // wait for some event on a file descriptor
allowed_syscalls.insert(__NR_pread64); // read from a file descriptor at a given offset
allowed_syscalls.insert(__NR_pwrite64); // write to a file descriptor at a given offset
allowed_syscalls.insert(__NR_read); // read from a file descriptor
allowed_syscalls.insert(__NR_readv); // read data into multiple buffers
allowed_syscalls.insert(__NR_recvfrom); // receive a message from a socket
allowed_syscalls.insert(__NR_recvmsg); // receive a message from a socket
allowed_syscalls.insert(__NR_select); // synchronous I/O multiplexing
allowed_syscalls.insert(__NR_sendmmsg); // send multiple messages on a socket
allowed_syscalls.insert(__NR_sendmsg); // send a message on a socket
allowed_syscalls.insert(__NR_sendto); // send a message on a socket
allowed_syscalls.insert(__NR_write); // write to a file descriptor
allowed_syscalls.insert(__NR_writev); // write data into multiple buffers
}
void AllowGetRandom()
{
#if defined(__NR_getrandom)
allowed_syscalls.insert(__NR_getrandom); // obtain a series of random bytes
#endif // defined(__NR_getrandom)
}
void AllowGetSimpleId()
{
allowed_syscalls.insert(__NR_getegid); // get group identity
allowed_syscalls.insert(__NR_geteuid); // get user identity
allowed_syscalls.insert(__NR_getgid); // get group identity
allowed_syscalls.insert(__NR_getpgid); // get process group
allowed_syscalls.insert(__NR_getpid); // get process identification
allowed_syscalls.insert(__NR_getppid); // get process identification
allowed_syscalls.insert(__NR_getresgid); // get real, effective and saved group IDs
allowed_syscalls.insert(__NR_getresuid); // get real, effective and saved user IDs
allowed_syscalls.insert(__NR_getsid); // get session ID
allowed_syscalls.insert(__NR_gettid); // get thread identification
allowed_syscalls.insert(__NR_getuid); // get user identity
}
void AllowGetTime()
{
allowed_syscalls.insert(__NR_clock_getres); // find the resolution (precision) of the specified clock
allowed_syscalls.insert(__NR_clock_gettime); // retrieve the time of the specified clock
}
void AllowGlobalProcessEnvironment()
{
allowed_syscalls.insert(__NR_getrlimit); // get resource limits
allowed_syscalls.insert(__NR_getrusage); // get resource usage
allowed_syscalls.insert(__NR_prlimit64); // get/set resource limits
}
void AllowGlobalSystemStatus()
{
allowed_syscalls.insert(__NR_sysinfo); // return system information
allowed_syscalls.insert(__NR_uname); // get name and information about current kernel
}
void AllowKernelInternalApi()
{
allowed_syscalls.insert(__NR_restart_syscall); // restart a system call after interruption by a stop signal
}
void AllowNetwork()
{
allowed_syscalls.insert(__NR_accept); // accept a connection on a socket
allowed_syscalls.insert(__NR_accept4); // accept a connection on a socket
allowed_syscalls.insert(__NR_bind); // bind a name to a socket
allowed_syscalls.insert(__NR_connect); // initiate a connection on a socket
allowed_syscalls.insert(__NR_listen); // listen for connections on a socket
allowed_syscalls.insert(__NR_setsockopt); // set options on sockets
allowed_syscalls.insert(__NR_socket); // create an endpoint for communication
allowed_syscalls.insert(__NR_socketpair); // create a pair of connected sockets
}
void AllowNetworkSocketInformation()
{
allowed_syscalls.insert(__NR_getpeername); // get name of connected peer socket
allowed_syscalls.insert(__NR_getsockname); // get socket name
allowed_syscalls.insert(__NR_getsockopt); // get options on sockets
}
void AllowOperationOnExistingFileDescriptor()
{
allowed_syscalls.insert(__NR_close); // close a file descriptor
allowed_syscalls.insert(__NR_dup); // duplicate a file descriptor
allowed_syscalls.insert(__NR_dup2); // duplicate a file descriptor
allowed_syscalls.insert(__NR_fcntl); // manipulate file descriptor
allowed_syscalls.insert(__NR_shutdown); // shut down part of a full-duplex connection
}
void AllowPipe()
{
allowed_syscalls.insert(__NR_pipe); // create pipe
allowed_syscalls.insert(__NR_pipe2); // create pipe
}
void AllowPrctl()
{
allowed_syscalls.insert(__NR_arch_prctl); // set architecture-specific thread state
allowed_syscalls.insert(__NR_prctl); // operations on a process
}
void AllowProcessStartOrDeath()
{
allowed_syscalls.insert(__NR_clone); // create a child process
allowed_syscalls.insert(__NR_exit); // terminate the calling process
allowed_syscalls.insert(__NR_exit_group); // exit all threads in a process
allowed_syscalls.insert(__NR_fork); // create a child process
allowed_syscalls.insert(__NR_tgkill); // send a signal to a thread
allowed_syscalls.insert(__NR_wait4); // wait for process to change state, BSD style
}
void AllowScheduling()
{
allowed_syscalls.insert(__NR_sched_getaffinity); // set a thread's CPU affinity mask
allowed_syscalls.insert(__NR_sched_getparam); // get scheduling parameters
allowed_syscalls.insert(__NR_sched_getscheduler); // get scheduling policy/parameters
allowed_syscalls.insert(__NR_sched_setscheduler); // set scheduling policy/parameters
allowed_syscalls.insert(__NR_sched_yield); // yield the processor
}
void AllowSignalHandling()
{
allowed_syscalls.insert(__NR_rt_sigaction); // examine and change a signal action
allowed_syscalls.insert(__NR_rt_sigprocmask); // examine and change blocked signals
allowed_syscalls.insert(__NR_rt_sigreturn); // return from signal handler and cleanup stack frame
allowed_syscalls.insert(__NR_sigaltstack); // set and/or get signal stack context
}
void AllowSleep()
{
allowed_syscalls.insert(__NR_clock_nanosleep); // high-resolution sleep with specifiable clock
allowed_syscalls.insert(__NR_nanosleep); // high-resolution sleep
}
void AllowUmask()
{
allowed_syscalls.insert(__NR_umask); // set file mode creation mask
}
// See Linux kernel developer Kees Cook's seccomp guide at <https://outflux.net/teach-seccomp/>
// for an accessible introduction to using seccomp.
//
// This function largely follows <https://outflux.net/teach-seccomp/step-3/seccomp-bpf.h>.
std::vector<sock_filter> BuildFilter(SyscallSandboxAction default_action)
{
std::vector<sock_filter> bpf_policy;
// See VALIDATE_ARCHITECTURE in seccomp-bpf.h referenced above.
bpf_policy.push_back(BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, arch)));
// Portability note: AUDIT_ARCH_X86_64 is Linux x86_64 specific.
bpf_policy.push_back(BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, AUDIT_ARCH_X86_64, 1, 0));
bpf_policy.push_back(BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_KILL_PROCESS));
// See EXAMINE_SYSCALL in seccomp-bpf.h referenced above.
bpf_policy.push_back(BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr)));
for (const uint32_t allowed_syscall : allowed_syscalls) {
// See ALLOW_SYSCALL in seccomp-bpf.h referenced above.
bpf_policy.push_back(BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, allowed_syscall, 0, 1));
bpf_policy.push_back(BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW));
}
switch (default_action) {
case SyscallSandboxAction::KILL_PROCESS:
// Disallow syscall and kill the process.
//
// See KILL_PROCESS in seccomp-bpf.h referenced above.
//
// Note that we're using SECCOMP_RET_KILL_PROCESS (kill the process) instead
// of SECCOMP_RET_KILL_THREAD (kill the thread). The SECCOMP_RET_KILL_PROCESS
// action was introduced in Linux 4.14.
//
// SECCOMP_RET_KILL_PROCESS: Results in the entire process exiting immediately without
// executing the system call.
//
// SECCOMP_RET_KILL_PROCESS documentation:
// <https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html>
bpf_policy.push_back(BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_KILL_PROCESS));
break;
case SyscallSandboxAction::INVOKE_SIGNAL_HANDLER:
// Disallow syscall and force a SIGSYS to trigger syscall debug reporter.
//
// SECCOMP_RET_TRAP: Results in the kernel sending a SIGSYS signal to the triggering
// task without executing the system call.
//
// SECCOMP_RET_TRAP documentation:
// <https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html>
bpf_policy.push_back(BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_TRAP));
break;
}
return bpf_policy;
}
};
} // namespace
bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating)
{
assert(!g_syscall_sandbox_enabled && "SetupSyscallSandbox(...) should only be called once.");
g_syscall_sandbox_enabled = true;
g_syscall_sandbox_log_violation_before_terminating = log_syscall_violation_before_terminating;
if (log_syscall_violation_before_terminating) {
if (!SetupSyscallSandboxDebugHandler()) {
return false;
}
}
SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
return true;
}
void TestDisallowedSandboxCall()
{
// The getgroups syscall is assumed NOT to be allowed by the syscall sandbox policy.
std::array<gid_t, 1> groups;
[[maybe_unused]] int32_t ignored = getgroups(groups.size(), groups.data());
}
#endif // defined(USE_SYSCALL_SANDBOX)
void SetSyscallSandboxPolicy(SyscallSandboxPolicy syscall_policy)
{
#if defined(USE_SYSCALL_SANDBOX)
if (!g_syscall_sandbox_enabled) {
return;
}
SeccompPolicyBuilder seccomp_policy_builder;
switch (syscall_policy) {
case SyscallSandboxPolicy::INITIALIZATION: // Thread: main thread (state: init)
// SyscallSandboxPolicy::INITIALIZATION is the first policy loaded.
//
// Subsequently loaded policies can reduce the abilities further, but
// abilities can never be regained.
//
// SyscallSandboxPolicy::INITIALIZATION must thus be a superset of all
// other policies.
seccomp_policy_builder.AllowFileSystem();
seccomp_policy_builder.AllowNetwork();
break;
case SyscallSandboxPolicy::INITIALIZATION_DNS_SEED: // Thread: dnsseed
seccomp_policy_builder.AllowFileSystem();
seccomp_policy_builder.AllowNetwork();
break;
case SyscallSandboxPolicy::INITIALIZATION_LOAD_BLOCKS: // Thread: loadblk
seccomp_policy_builder.AllowFileSystem();
break;
case SyscallSandboxPolicy::INITIALIZATION_MAP_PORT: // Thread: mapport
seccomp_policy_builder.AllowFileSystem();
seccomp_policy_builder.AllowNetwork();
break;
case SyscallSandboxPolicy::MESSAGE_HANDLER: // Thread: msghand
seccomp_policy_builder.AllowFileSystem();
break;
case SyscallSandboxPolicy::NET: // Thread: net
seccomp_policy_builder.AllowFileSystem();
seccomp_policy_builder.AllowNetwork();
break;
case SyscallSandboxPolicy::NET_ADD_CONNECTION: // Thread: addcon
seccomp_policy_builder.AllowFileSystem();
seccomp_policy_builder.AllowNetwork();
break;
case SyscallSandboxPolicy::NET_HTTP_SERVER: // Thread: http
seccomp_policy_builder.AllowFileSystem();
seccomp_policy_builder.AllowNetwork();
break;
case SyscallSandboxPolicy::NET_HTTP_SERVER_WORKER: // Thread: httpworker.<N>
seccomp_policy_builder.AllowFileSystem();
seccomp_policy_builder.AllowNetwork();
break;
case SyscallSandboxPolicy::NET_OPEN_CONNECTION: // Thread: opencon
seccomp_policy_builder.AllowFileSystem();
seccomp_policy_builder.AllowNetwork();
break;
case SyscallSandboxPolicy::SCHEDULER: // Thread: scheduler
seccomp_policy_builder.AllowFileSystem();
break;
case SyscallSandboxPolicy::TOR_CONTROL: // Thread: torcontrol
seccomp_policy_builder.AllowFileSystem();
seccomp_policy_builder.AllowNetwork();
break;
case SyscallSandboxPolicy::TX_INDEX: // Thread: txindex
seccomp_policy_builder.AllowFileSystem();
break;
case SyscallSandboxPolicy::VALIDATION_SCRIPT_CHECK: // Thread: scriptch.<N>
break;
case SyscallSandboxPolicy::SHUTOFF: // Thread: main thread (state: shutoff)
seccomp_policy_builder.AllowFileSystem();
break;
}
const SyscallSandboxAction default_action = g_syscall_sandbox_log_violation_before_terminating ? SyscallSandboxAction::INVOKE_SIGNAL_HANDLER : SyscallSandboxAction::KILL_PROCESS;
std::vector<sock_filter> filter = seccomp_policy_builder.BuildFilter(default_action);
const sock_fprog prog = {
.len = static_cast<uint16_t>(filter.size()),
.filter = filter.data(),
};
// Do not allow abilities to be regained after being dropped.
//
// PR_SET_NO_NEW_PRIVS documentation: <https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html>
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
throw std::runtime_error("Syscall sandbox enforcement failed: prctl(PR_SET_NO_NEW_PRIVS)");
}
// Install seccomp-bpf syscall filter.
//
// PR_SET_SECCOMP documentation: <https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html>
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
throw std::runtime_error("Syscall sandbox enforcement failed: prctl(PR_SET_SECCOMP)");
}
const std::string thread_name = !util::ThreadGetInternalName().empty() ? util::ThreadGetInternalName() : "*unnamed*";
LogPrint(BCLog::UTIL, "Syscall filter installed for thread \"%s\"\n", thread_name);
#endif // defined(USE_SYSCALL_SANDBOX)
}

57
src/util/syscall_sandbox.h Normal file
View file

@ -0,0 +1,57 @@
// Copyright (c) 2020 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#ifndef BITCOIN_UTIL_SYSCALL_SANDBOX_H
#define BITCOIN_UTIL_SYSCALL_SANDBOX_H
enum class SyscallSandboxPolicy {
// 1. Initialization
INITIALIZATION,
INITIALIZATION_DNS_SEED,
INITIALIZATION_LOAD_BLOCKS,
INITIALIZATION_MAP_PORT,
// 2. Steady state (non-initialization, non-shutdown)
MESSAGE_HANDLER,
NET,
NET_ADD_CONNECTION,
NET_HTTP_SERVER,
NET_HTTP_SERVER_WORKER,
NET_OPEN_CONNECTION,
SCHEDULER,
TOR_CONTROL,
TX_INDEX,
VALIDATION_SCRIPT_CHECK,
// 3. Shutdown
SHUTOFF,
};
//! Force the current thread (and threads created from the current thread) into a restricted-service
//! operating mode where only a subset of all syscalls are available.
//!
//! Subsequent calls to this function can reduce the abilities further, but abilities can never be
//! regained.
//!
//! This function is a no-op unless SetupSyscallSandbox(...) has been called.
//!
//! SetupSyscallSandbox(...) is called during bitcoind initialization if Bitcoin Core was compiled
//! with seccomp-bpf support (--with-seccomp) *and* the parameter -sandbox=<mode> was passed to
//! bitcoind.
//!
//! This experimental feature is available under Linux x86_64 only.
void SetSyscallSandboxPolicy(SyscallSandboxPolicy syscall_policy);
#if defined(USE_SYSCALL_SANDBOX)
//! Setup and enable the experimental syscall sandbox for the running process.
//!
//! SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION) is called as part of
//! SetupSyscallSandbox(...).
[[nodiscard]] bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating);
//! Invoke a disallowed syscall. Use for testing purposes.
void TestDisallowedSandboxCall();
#endif // defined(USE_SYSCALL_SANDBOX)
#endif // BITCOIN_UTIL_SYSCALL_SANDBOX_H

1
test/config.ini.in
View file

@ -24,3 +24,4 @@ RPCAUTH=@abs_top_srcdir@/share/rpcauth/rpcauth.py
@ENABLE_FUZZ_TRUE@ENABLE_FUZZ=true
@ENABLE_ZMQ_TRUE@ENABLE_ZMQ=true
@ENABLE_EXTERNAL_SIGNER_TRUE@ENABLE_EXTERNAL_SIGNER=true
@ENABLE_SYSCALL_SANDBOX_TRUE@ENABLE_SYSCALL_SANDBOX=true

3
test/functional/feature_notifications.py
View file

@ -27,6 +27,9 @@ class NotificationsTest(BitcoinTestFramework):
def set_test_params(self):
self.num_nodes = 2
self.setup_clean_chain = True
# The experimental syscall sandbox feature (-sandbox) is not compatible with -alertnotify,
# -blocknotify or -walletnotify (which all invoke execve).
self.disable_syscall_sandbox = True
def setup_network(self):
self.wallet = ''.join(chr(i) for i in range(FILE_CHAR_START, FILE_CHAR_END) if chr(i) not in FILE_CHARS_DISALLOWED)

34
test/functional/feature_syscall_sandbox.py Executable file
View file

@ -0,0 +1,34 @@
#!/usr/bin/env python3
# Copyright (c) 2021 The Bitcoin Core developers
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
"""Test bitcoind aborts if a disallowed syscall is used when compiled with the syscall sandbox."""
from test_framework.test_framework import BitcoinTestFramework, SkipTest
class SyscallSandboxTest(BitcoinTestFramework):
def set_test_params(self):
self.num_nodes = 1
def skip_test_if_missing_module(self):
if not self.is_syscall_sandbox_compiled():
raise SkipTest("bitcoind has not been built with syscall sandbox enabled.")
if self.options.nosandbox:
raise SkipTest("--nosandbox passed to test runner.")
def run_test(self):
disallowed_syscall_terminated_bitcoind = False
expected_log_entry = 'ERROR: The syscall "getgroups" (syscall number 115) is not allowed by the syscall sandbox'
with self.nodes[0].assert_debug_log([expected_log_entry]):
self.log.info("Invoking disallowed syscall")
try:
self.nodes[0].invokedisallowedsyscall()
except ConnectionError:
disallowed_syscall_terminated_bitcoind = True
assert disallowed_syscall_terminated_bitcoind
self.nodes = []
if __name__ == "__main__":
SyscallSandboxTest().main()

3
test/functional/feature_versionbits_warning.py
View file

@ -28,6 +28,9 @@ class VersionBitsWarningTest(BitcoinTestFramework):
def set_test_params(self):
self.setup_clean_chain = True
self.num_nodes = 1
# The experimental syscall sandbox feature (-sandbox) is not compatible with -alertnotify
# (which invokes execve).
self.disable_syscall_sandbox = True
def setup_network(self):
self.alert_filename = os.path.join(self.options.tmpdir, "alert.txt")

2
test/functional/rpc_misc.py
View file

@ -57,7 +57,7 @@ class RpcMiscTest(BitcoinTestFramework):
self.log.info("test logging rpc and help")
# Test logging RPC returns the expected number of logging categories.
assert_equal(len(node.logging()), 25)
assert_equal(len(node.logging()), 26)
# Test toggling a logging category on/off/on with the logging RPC.
assert_equal(node.logging()['qt'], True)

3
test/functional/rpc_signer.py
View file

@ -27,6 +27,9 @@ class RPCSignerTest(BitcoinTestFramework):
def set_test_params(self):
self.num_nodes = 4
# The experimental syscall sandbox feature (-sandbox) is not compatible with -signer (which
# invokes execve).
self.disable_syscall_sandbox = True
self.extra_args = [
[],

11
test/functional/test_framework/test_framework.py
View file

@ -101,6 +101,7 @@ class BitcoinTestFramework(metaclass=BitcoinTestMetaClass):
self.supports_cli = True
self.bind_to_localhost_only = True
self.parse_args()
self.disable_syscall_sandbox = self.options.nosandbox
self.default_wallet_name = "default_wallet" if self.options.descriptors else ""
self.wallet_data_filename = "wallet.dat"
# Optional list of wallet names that can be set in set_test_params to
@ -159,6 +160,8 @@ class BitcoinTestFramework(metaclass=BitcoinTestMetaClass):
parser = argparse.ArgumentParser(usage="%(prog)s [options]")
parser.add_argument("--nocleanup", dest="nocleanup", default=False, action="store_true",
help="Leave bitcoinds and test.* datadir on exit or error")
parser.add_argument("--nosandbox", dest="nosandbox", default=False, action="store_true",
help="Don't use the syscall sandbox")
parser.add_argument("--noshutdown", dest="noshutdown", default=False, action="store_true",
help="Don't stop bitcoinds after the test execution")
parser.add_argument("--cachedir", dest="cachedir", default=os.path.abspath(os.path.dirname(os.path.realpath(__file__)) + "/../../cache"),
@ -468,6 +471,10 @@ class BitcoinTestFramework(metaclass=BitcoinTestMetaClass):
extra_args = [[]] * num_nodes
if versions is None:
versions = [None] * num_nodes
if self.is_syscall_sandbox_compiled() and not self.disable_syscall_sandbox:
for i in range(len(extra_args)):
if versions[i] is None or versions[i] >= 219900:
extra_args[i] = extra_args[i] + ["-sandbox=log-and-abort"]
if binary is None:
binary = [get_bin_from_version(v, 'bitcoind', self.options.bitcoind) for v in versions]
if binary_cli is None:
@ -886,3 +893,7 @@ class BitcoinTestFramework(metaclass=BitcoinTestMetaClass):
def is_bdb_compiled(self):
"""Checks whether the wallet module was compiled with BDB support."""
return self.config["components"].getboolean("USE_BDB")
def is_syscall_sandbox_compiled(self):
"""Checks whether the syscall sandbox was compiled."""
return self.config["components"].getboolean("ENABLE_SYSCALL_SANDBOX")

1
test/functional/test_runner.py
View file

@ -170,6 +170,7 @@ BASE_SCRIPTS = [
'rpc_users.py',
'rpc_whitelist.py',
'feature_proxy.py',
'feature_syscall_sandbox.py',
'rpc_signrawtransaction.py --legacy-wallet',
'rpc_signrawtransaction.py --descriptors',
'rpc_rawtransaction.py --legacy-wallet',

3
test/functional/wallet_signer.py
View file

@ -27,6 +27,9 @@ class WalletSignerTest(BitcoinTestFramework):
def set_test_params(self):
self.num_nodes = 2
# The experimental syscall sandbox feature (-sandbox) is not compatible with -signer (which
# invokes execve).
self.disable_syscall_sandbox = True
self.extra_args = [
[],