init: Disable syscall sandbox in the bitcoin-qt process

2025-01-25 18:53:23 -03:00 · 2022-04-04 14:38:56 +02:00 · 2022-04-04 14:38:56 +02:00 · fa0c2aa826
commit fa0c2aa826
parent 24c6b20c14
5 changed files with 6 additions and 7 deletions
--- a/src/init.cpp
+++ b/src/init.cpp
@ -792,7 +792,7 @@ bool AppInitBasicSetup(const ArgsManager& args)
    return true;
 }

-bool AppInitParameterInteraction(const ArgsManager& args)
+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox)
 {
    const CChainParams& chainparams = Params();
    // ********************************************************* Step 2: parameter interactions
@ -1058,6 +1058,9 @@ bool AppInitParameterInteraction(const ArgsManager& args)
        if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {
            return InitError(Untranslated("Installation of the syscall sandbox failed."));
        }
+        if (use_syscall_sandbox) {
+            SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
+        }
        LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);
    }
 #endif // USE_SYSCALL_SANDBOX
--- a/src/init.h
+++ b/src/init.h
@ -41,7 +41,7 @@ bool AppInitBasicSetup(const ArgsManager& args);
 * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
 * @pre Parameters should be parsed and config file should be read, AppInitBasicSetup should have been called.
 */
-bool AppInitParameterInteraction(const ArgsManager& args);
+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox = true);
 /**
 * Initialization sanity checks: ecc init, sanity checks, dir lock.
 * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
--- a/src/node/interfaces.cpp
+++ b/src/node/interfaces.cpp
@ -90,7 +90,7 @@ public:
    uint32_t getLogCategories() override { return LogInstance().GetCategoryMask(); }
    bool baseInitialize() override
    {
-        return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs) && AppInitSanityChecks() &&
+        return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs, /*use_syscall_sandbox=*/false) && AppInitSanityChecks() &&
               AppInitLockDataDirectory() && AppInitInterfaces(*m_context);
    }
    bool appInitMain(interfaces::BlockAndHeaderTipInfo* tip_info) override
--- a/src/util/syscall_sandbox.cpp
+++ b/src/util/syscall_sandbox.cpp
@ -823,7 +823,6 @@ bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating)
            return false;
        }
    }
-    SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
    return true;
 }

--- a/src/util/syscall_sandbox.h
+++ b/src/util/syscall_sandbox.h
@ -45,9 +45,6 @@ void SetSyscallSandboxPolicy(SyscallSandboxPolicy syscall_policy);

 #if defined(USE_SYSCALL_SANDBOX)
 //! Setup and enable the experimental syscall sandbox for the running process.
-//!
-//! SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION) is called as part of
-//! SetupSyscallSandbox(...).
 [[nodiscard]] bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating);

 //! Invoke a disallowed syscall. Use for testing purposes.