#include <sys/types.h>
#include <unistd.h>
-#if USE_KAFEL
-#include <kafel.h>
-#endif
-
#include "log.h"
#include "util.h"
("Jail parameters: hostname:'%s', chroot:'%s', process:'%s', bind:[%s]:%d, "
"max_conns_per_ip:%u, uid:(ns:%u, global:%u), gid:(ns:%u, global:%u), time_limit:%ld, personality:%#lx, daemonize:%s, "
"clone_newnet:%s, clone_newuser:%s, clone_newns:%s, clone_newpid:%s, "
- "clone_newipc:%s, clonew_newuts:%s, clone_newcgroup:%s, apply_sandbox:%s, keep_caps:%s, "
+ "clone_newipc:%s, clonew_newuts:%s, clone_newcgroup:%s, keep_caps:%s, "
"tmpfs_size:%zu, disable_no_new_privs:%s, pivot_root_only:%s",
nsjconf->hostname, nsjconf->chroot, nsjconf->argv[0], nsjconf->bindhost, nsjconf->port,
nsjconf->max_conns_per_ip, nsjconf->inside_uid, nsjconf->outside_uid,
logYesNo(nsjconf->clone_newuser), logYesNo(nsjconf->clone_newns),
logYesNo(nsjconf->clone_newpid), logYesNo(nsjconf->clone_newipc),
logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->clone_newcgroup),
- logYesNo(nsjconf->apply_sandbox), logYesNo(nsjconf->keep_caps), nsjconf->tmpfs_size,
+ logYesNo(nsjconf->keep_caps), nsjconf->tmpfs_size,
logYesNo(nsjconf->disable_no_new_privs), logYesNo(nsjconf->pivot_root_only));
{
.bindhost = "::",
.daemonize = false,
.tlimit = 0,
- .apply_sandbox = true,
.pivot_root_only = false,
.verbose = false,
.keep_caps = false,
.cgroup_mem_mount = "/sys/fs/cgroup/memory",
.cgroup_mem_parent = "NSJAIL",
.cgroup_mem_max = (size_t)0,
- .seccomp_fprog = {0, NULL},
.iface_no_lo = false,
.iface = NULL,
.iface_vs_ip = "0.0.0.0",
{{"env", required_argument, NULL, 'E'}, "Environment variable (can be used multiple times)"},
{{"keep_caps", no_argument, NULL, 0x0501}, "Don't drop capabilities (DANGEROUS)"},
{{"silent", no_argument, NULL, 0x0502}, "Redirect child's fd:0/1/2 to /dev/null"},
- {{"disable_sandbox", no_argument, NULL, 0x0503}, "Don't enable the seccomp-bpf sandboxing"},
{{"skip_setsid", no_argument, NULL, 0x0504}, "Don't call setsid(), allows for terminal signal handling in the sandboxed process"},
{{"pass_fd", required_argument, NULL, 0x0505}, "Don't close this FD before executing child (can be specified multiple times), by default: 0/1/2 are kept open"},
{{"pivot_root_only", no_argument, NULL, 0x0506}, "Only perform pivot_root, no chroot. This will enable nested namespaces"},
case 0x0502:
nsjconf->is_silent = true;
break;
- case 0x0503:
- nsjconf->apply_sandbox = false;
- break;
case 0x0504:
nsjconf->skip_setsid = true;
break;
break;
#if USE_KAFEL
case 0x901:
- {
- FILE *f = fopen(optarg, "r");
- if (f == NULL) {
- LOG_E("Could not open policy file `%s'", optarg);
- return false;
- }
- kafel_ctxt_t ctxt = kafel_ctxt_create();
- kafel_set_input_file(ctxt, f);
- if (kafel_compile(ctxt, &nsjconf->seccomp_fprog) != 0) {
- fclose(f);
- LOG_E("Could not compile policy: %s",
- kafel_error_msg(ctxt));
- kafel_ctxt_destroy(&ctxt);
- return false;
- }
- fclose(f);
- kafel_ctxt_destroy(&ctxt);
+ if ((nsjconf->kafel_file = fopen(optarg, "r")) == NULL) {
+ PLOG_F("Couldn't open '%s'", optarg);
}
break;
#endif
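Review bot: The new `case 0x901` only opens the policy file and stores the `FILE *` in `nsjconf->kafel_file`, so a policy that fails to compile is no longer rejected at option-parsing time the way the removed `kafel_compile()` call did; the error now surfaces only when a sandboxed child is being set up. The stream is also kept open across the lifetime of the parent, and if it is inherited by several forked children sharing one open file description, the second child would start reading where the first left off and could compile a different (possibly empty) policy than the first. Consider compiling once here into `nsjconf->seccomp_fprog` as before, or at least documenting the deferred compile with a comment such as `/* Policy is compiled per-child in sandboxPrepareAndCommit(); keep the stream open */` and calling `rewind(nsjconf->kafel_file);` before each compile. The `fopen()` failure path is a hard `PLOG_F`, which is a stricter behaviour than the earlier `return false` — fine, but worth a one-line comment so it is not read as accidental.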
#include "sandbox.h"
-#include <errno.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
#include <sys/prctl.h>
-/* TBREMOVED */
-#include <signal.h>
-#include <unistd.h>
-
#include "common.h"
#include "log.h"
-#include "seccomp/bpf-helper.h"
+#if defined(USE_KAFEL)
+#include "kafel.h"
+#endif // defined(USE_KAFEL)
-/*
- * A demo policy, it disallows syslog and ptrace syscalls, both in 32 and 64
- * modes
- */
-static bool sandboxPrepareAndCommit(struct nsjconf_t *nsjconf)
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS 38
+#endif /* PR_SET_NO_NEW_PRIVS */
+
+static bool sandboxPrepareAndCommit(struct nsjconf_t *nsjconf __attribute__ ((unused)))
{
-#if defined(__x86_64__) || defined(__i386__)
- if (nsjconf->seccomp_fprog.filter == NULL) {
- struct bpf_labels l = {.count = 0 };
- struct sock_filter filter[] = {
- LOAD_ARCH,
- JEQ32(AUDIT_ARCH_I386, JUMP(&l, label_i386)),
- JEQ32(AUDIT_ARCH_X86_64, JUMP(&l, label_x86_64)),
+#if defined(USE_KAFEL)
+ if (nsjconf->kafel_file == NULL) {
+ return true;
+ }
- /* I386 */
- LABEL(&l, label_i386),
- LOAD_SYSCALL_NR,
-#define __NR_syslog_32 103
-#define __NR_uselib_32 86
- JEQ32(__NR_syslog_32, ERRNO(ENOENT)),
- JEQ32(__NR_uselib_32, KILL),
- ALLOW,
+ struct sock_fprog seccomp_fprog;
+ kafel_ctxt_t ctxt = kafel_ctxt_create();
+ kafel_set_input_file(ctxt, nsjconf->kafel_file);
+ if (kafel_compile(ctxt, &seccomp_fprog) != 0) {
+ LOG_E("Could not compile policy: %s", kafel_error_msg(ctxt));
+ kafel_ctxt_destroy(&ctxt);
+ return false;
+ }
+ kafel_ctxt_destroy(&ctxt);
- /* X86_64 */
- LABEL(&l, label_x86_64),
- LOAD_SYSCALL_NR,
-#define __NR_syslog_64 103
-#define __NR_uselib_64 134
- JEQ32(__NR_syslog_64, ERRNO(ENOENT)),
- JEQ32(__NR_uselib_64, KILL),
- ALLOW,
- };
- /* *INDENT-OFF* */
- nsjconf->seccomp_fprog = (struct sock_fprog) {
- .filter = filter,
- .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
- };
- /* *INDENT-ON* */
- if (bpf_resolve_jumps(&l, filter, sizeof(filter) / sizeof(*filter)) != 0) {
- LOG_W("bpf_resolve_jumps() failed");
- return false;
- }
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+ PLOG_W("prctl(PR_SET_NO_NEW_PRIVS, 1) failed");
+ return false;
}
-#endif /* defined(__x86_64__) || defined(__i386__) */
- if (nsjconf->seccomp_fprog.filter != NULL) {
-#ifndef PR_SET_NO_NEW_PRIVS
-#define PR_SET_NO_NEW_PRIVS 38
-#endif /* PR_SET_NO_NEW_PRIVS */
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
- PLOG_W("prctl(PR_SET_NO_NEW_PRIVS, 1) failed");
- return false;
- }
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &nsjconf->seccomp_fprog, 0, 0)) {
- PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed");
- return false;
- }
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &seccomp_fprog, 0, 0)) {
+ PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed");
+ return false;
}
+#endif /* defined(USE_KAFEL) */
return true;
}
bool sandboxApply(struct nsjconf_t * nsjconf)
{
- if (nsjconf->apply_sandbox == false) {
- return true;
- }
if (sandboxPrepareAndCommit(nsjconf) == false) {
return false;
}
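Review bot: In the new `sandboxPrepareAndCommit()` the built-in x86 default filter is gone and both `prctl(PR_SET_NO_NEW_PRIVS, 1, ...)` and `prctl(PR_SET_SECCOMP, ...)` sit inside `#if defined(USE_KAFEL)` behind the `nsjconf->kafel_file == NULL` early return, so a build without `USE_KAFEL`, or a run without a policy file, now returns `true` with no seccomp filter applied and no error or log, and `sandboxApply()` no longer has any guard of its own. Operators relying on the previous default policy should at least be told: `LOG_W("No seccomp policy file provided, seccomp-bpf filtering is disabled");` in the `kafel_file == NULL` branch, with a matching message in an `#else` branch for builds without kafel. Separately, `seccomp_fprog.filter` is filled in by `kafel_compile()` and, if kafel allocates it (its API appears to leave ownership with the caller), it is never released even though `PR_SET_SECCOMP` copies the program into the kernel; `free(seccomp_fprog.filter);` after the `PR_SET_SECCOMP` prctl and on the two failure returns that follow `kafel_compile()` would close that. `sandboxApply()` continues past the end of the hunk.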