mirror of
https://github.com/yrutschle/sslh.git
synced 2025-04-04 19:30:04 +03:00
187 lines
5.1 KiB
C
187 lines
5.1 KiB
C
/*
|
|
* Setup a sandbox using the Landlock LSM, if available.
|
|
|
|
# Copyright (C) 2023 Yves Rutschle
|
|
#
|
|
# This program is free software; you can redistribute it
|
|
# and/or modify it under the terms of the GNU General Public
|
|
# License as published by the Free Software Foundation; either
|
|
# version 2 of the License, or (at your option) any later
|
|
# version.
|
|
#
|
|
# This program is distributed in the hope that it will be
|
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
# PURPOSE. See the GNU General Public License for more
|
|
# details.
|
|
#
|
|
# The full text for the General Public License is here:
|
|
# http://www.gnu.org/licenses/gpl.html
|
|
#
|
|
*/
|
|
|
|
#include "config.h"
|
|
#include "log.h"
|
|
|
|
#ifdef HAVE_LANDLOCK
|
|
|
|
#define _GNU_SOURCE
|
|
#include <linux/landlock.h>
|
|
#include <sys/prctl.h>
|
|
#include <sys/syscall.h>
|
|
|
|
/* Ubuntu 22.04 does not have this symbol */
|
|
#ifndef LANDLOCK_ACCESS_FS_REFER
|
|
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
|
|
#endif
|
|
|
|
#ifndef landlock_create_ruleset
|
|
static inline int
|
|
landlock_create_ruleset(const struct landlock_ruleset_attr *const attr,
|
|
const size_t size, const __u32 flags)
|
|
{
|
|
return syscall(__NR_landlock_create_ruleset, attr, size, flags);
|
|
}
|
|
#endif
|
|
|
|
#ifndef landlock_add_rule
|
|
static inline int landlock_add_rule(const int ruleset_fd,
|
|
const enum landlock_rule_type rule_type,
|
|
const void *const rule_attr,
|
|
const __u32 flags)
|
|
{
|
|
return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr,
|
|
flags);
|
|
}
|
|
#endif
|
|
|
|
#ifndef landlock_restrict_self
|
|
static inline int landlock_restrict_self(const int ruleset_fd,
|
|
const __u32 flags)
|
|
{
|
|
return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
|
|
}
|
|
#endif
|
|
|
|
typedef enum {
|
|
LL_TREE,
|
|
LL_FILE
|
|
} ll_obj_type;
|
|
|
|
static int add_path_ro(int ruleset_fd, ll_obj_type otype, const char* path)
|
|
{
|
|
int fd = open(path, O_PATH | O_CLOEXEC);
|
|
if (fd < 0) {
|
|
print_message(msg_config_error, "Landlock: Failed to open %s: %s\n", path, strerror(errno));
|
|
return -1;
|
|
}
|
|
|
|
struct landlock_path_beneath_attr path_beneath = {
|
|
.allowed_access = (otype == LL_TREE ? LANDLOCK_ACCESS_FS_READ_DIR : 0 ) |
|
|
LANDLOCK_ACCESS_FS_READ_FILE,
|
|
.parent_fd = fd,
|
|
};
|
|
|
|
int res = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0);
|
|
if (res) {
|
|
print_message(msg_config_error, "Landlock: Failed to update the ruleset with \"%s\": %s\n",
|
|
path, strerror(errno));
|
|
close(path_beneath.parent_fd);
|
|
return -1;
|
|
}
|
|
|
|
// close helper handle
|
|
close(fd);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int add_libs(int ruleset_fd)
|
|
{
|
|
/* Access to libraries, to be able to fork */
|
|
add_path_ro(ruleset_fd, LL_TREE, "/lib");
|
|
add_path_ro(ruleset_fd, LL_TREE, "/usr/lib");
|
|
add_path_ro(ruleset_fd, LL_FILE, "/etc/ld.so.cache"); /* To avoid searching all libs... */
|
|
return 0;
|
|
}
|
|
|
|
static int add_resolv(int ruleset_fd)
|
|
{
|
|
/* Files to resolve names (required when dynamic resolution is used) */
|
|
add_path_ro(ruleset_fd, LL_FILE, "/etc/hosts");
|
|
add_path_ro(ruleset_fd, LL_FILE, "/etc/resolv.conf");
|
|
add_path_ro(ruleset_fd, LL_FILE, "/etc/nsswitch.conf");
|
|
return 0;
|
|
}
|
|
|
|
static int add_libwrap(int ruleset_fd)
|
|
{
|
|
/* Files for libwrap */
|
|
#ifdef LIBWRAP
|
|
add_path_ro(ruleset_fd, LL_FILE, "/etc/hosts.allow");
|
|
add_path_ro(ruleset_fd, LL_FILE, "/etc/hosts.deny");
|
|
#endif
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
|
|
void setup_landlock(void)
|
|
{
|
|
__u64 restrict_rules =
|
|
LANDLOCK_ACCESS_FS_EXECUTE |
|
|
LANDLOCK_ACCESS_FS_READ_FILE |
|
|
LANDLOCK_ACCESS_FS_READ_DIR |
|
|
LANDLOCK_ACCESS_FS_WRITE_FILE |
|
|
LANDLOCK_ACCESS_FS_REMOVE_DIR |
|
|
LANDLOCK_ACCESS_FS_REMOVE_FILE |
|
|
LANDLOCK_ACCESS_FS_MAKE_CHAR |
|
|
LANDLOCK_ACCESS_FS_MAKE_DIR |
|
|
LANDLOCK_ACCESS_FS_MAKE_REG |
|
|
LANDLOCK_ACCESS_FS_MAKE_SOCK |
|
|
LANDLOCK_ACCESS_FS_MAKE_FIFO |
|
|
LANDLOCK_ACCESS_FS_MAKE_BLOCK |
|
|
LANDLOCK_ACCESS_FS_MAKE_SYM |
|
|
LANDLOCK_ACCESS_FS_REFER;
|
|
|
|
struct landlock_ruleset_attr ruleset_attr = {
|
|
.handled_access_fs = restrict_rules
|
|
};
|
|
|
|
/* ruleset_addr.handled_access_fs contains all rights that will be restricted
|
|
* unless explicitly added */
|
|
int ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
|
|
if (ruleset_fd < 0) {
|
|
print_message(msg_config_error, "Landlock: Failed to create a ruleset");
|
|
return;
|
|
}
|
|
|
|
|
|
/* Add all the paths we need */
|
|
add_libs(ruleset_fd);
|
|
add_resolv(ruleset_fd);
|
|
add_libwrap(ruleset_fd);
|
|
|
|
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
|
|
print_message(msg_config_error, "Landlock: Failed to restrict privileges");
|
|
return;
|
|
}
|
|
if (landlock_restrict_self(ruleset_fd, 0)) {
|
|
print_message(msg_config_error, "Landlock: Failed to enforce ruleset");
|
|
return;
|
|
}
|
|
close(ruleset_fd);
|
|
|
|
print_message(msg_config, "Landlock: all restricted\n");
|
|
}
|
|
|
|
#else /* HAVE_LANDLOCK */
|
|
void setup_landlock(void)
|
|
{
|
|
print_message(msg_config, "Landlock: not built in\n");
|
|
return;
|
|
}
|
|
#endif /* HAVE_LANDLOCK */
|