Commit | Line | Data |
---|---|---|
ba84b0bf MS |
1 | // SPDX-License-Identifier: BSD-3-Clause |
2 | /* | |
3 | * Simple Landlock sandbox manager able to launch a process restricted by a | |
4 | * user-defined filesystem access control policy. | |
5 | * | |
6 | * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> | |
7 | * Copyright © 2020 ANSSI | |
8 | */ | |
9 | ||
10 | #define _GNU_SOURCE | |
11 | #include <errno.h> | |
12 | #include <fcntl.h> | |
13 | #include <linux/landlock.h> | |
14 | #include <linux/prctl.h> | |
15 | #include <stddef.h> | |
16 | #include <stdio.h> | |
17 | #include <stdlib.h> | |
18 | #include <string.h> | |
19 | #include <sys/prctl.h> | |
20 | #include <sys/stat.h> | |
21 | #include <sys/syscall.h> | |
22 | #include <unistd.h> | |
23 | ||
24 | #ifndef landlock_create_ruleset | |
81709f3d MS |
25 | static inline int |
26 | landlock_create_ruleset(const struct landlock_ruleset_attr *const attr, | |
27 | const size_t size, const __u32 flags) | |
ba84b0bf MS |
28 | { |
29 | return syscall(__NR_landlock_create_ruleset, attr, size, flags); | |
30 | } | |
31 | #endif | |
32 | ||
33 | #ifndef landlock_add_rule | |
34 | static inline int landlock_add_rule(const int ruleset_fd, | |
81709f3d MS |
35 | const enum landlock_rule_type rule_type, |
36 | const void *const rule_attr, | |
37 | const __u32 flags) | |
ba84b0bf | 38 | { |
81709f3d MS |
39 | return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, |
40 | flags); | |
ba84b0bf MS |
41 | } |
42 | #endif | |
43 | ||
44 | #ifndef landlock_restrict_self | |
45 | static inline int landlock_restrict_self(const int ruleset_fd, | |
81709f3d | 46 | const __u32 flags) |
ba84b0bf MS |
47 | { |
48 | return syscall(__NR_landlock_restrict_self, ruleset_fd, flags); | |
49 | } | |
50 | #endif | |
51 | ||
52 | #define ENV_FS_RO_NAME "LL_FS_RO" | |
53 | #define ENV_FS_RW_NAME "LL_FS_RW" | |
54 | #define ENV_PATH_TOKEN ":" | |
55 | ||
56 | static int parse_path(char *env_path, const char ***const path_list) | |
57 | { | |
58 | int i, num_paths = 0; | |
59 | ||
60 | if (env_path) { | |
61 | num_paths++; | |
62 | for (i = 0; env_path[i]; i++) { | |
63 | if (env_path[i] == ENV_PATH_TOKEN[0]) | |
64 | num_paths++; | |
65 | } | |
66 | } | |
67 | *path_list = malloc(num_paths * sizeof(**path_list)); | |
68 | for (i = 0; i < num_paths; i++) | |
69 | (*path_list)[i] = strsep(&env_path, ENV_PATH_TOKEN); | |
70 | ||
71 | return num_paths; | |
72 | } | |
73 | ||
9805a722 MS |
74 | /* clang-format off */ |
75 | ||
ba84b0bf MS |
76 | #define ACCESS_FILE ( \ |
77 | LANDLOCK_ACCESS_FS_EXECUTE | \ | |
78 | LANDLOCK_ACCESS_FS_WRITE_FILE | \ | |
79 | LANDLOCK_ACCESS_FS_READ_FILE) | |
80 | ||
9805a722 MS |
81 | /* clang-format on */ |
82 | ||
81709f3d MS |
83 | static int populate_ruleset(const char *const env_var, const int ruleset_fd, |
84 | const __u64 allowed_access) | |
ba84b0bf MS |
85 | { |
86 | int num_paths, i, ret = 1; | |
87 | char *env_path_name; | |
88 | const char **path_list = NULL; | |
89 | struct landlock_path_beneath_attr path_beneath = { | |
90 | .parent_fd = -1, | |
91 | }; | |
92 | ||
93 | env_path_name = getenv(env_var); | |
94 | if (!env_path_name) { | |
95 | /* Prevents users to forget a setting. */ | |
96 | fprintf(stderr, "Missing environment variable %s\n", env_var); | |
97 | return 1; | |
98 | } | |
99 | env_path_name = strdup(env_path_name); | |
100 | unsetenv(env_var); | |
101 | num_paths = parse_path(env_path_name, &path_list); | |
102 | if (num_paths == 1 && path_list[0][0] == '\0') { | |
103 | /* | |
104 | * Allows to not use all possible restrictions (e.g. use | |
105 | * LL_FS_RO without LL_FS_RW). | |
106 | */ | |
107 | ret = 0; | |
108 | goto out_free_name; | |
109 | } | |
110 | ||
111 | for (i = 0; i < num_paths; i++) { | |
112 | struct stat statbuf; | |
113 | ||
81709f3d | 114 | path_beneath.parent_fd = open(path_list[i], O_PATH | O_CLOEXEC); |
ba84b0bf MS |
115 | if (path_beneath.parent_fd < 0) { |
116 | fprintf(stderr, "Failed to open \"%s\": %s\n", | |
81709f3d | 117 | path_list[i], strerror(errno)); |
ba84b0bf MS |
118 | goto out_free_name; |
119 | } | |
120 | if (fstat(path_beneath.parent_fd, &statbuf)) { | |
121 | close(path_beneath.parent_fd); | |
122 | goto out_free_name; | |
123 | } | |
124 | path_beneath.allowed_access = allowed_access; | |
125 | if (!S_ISDIR(statbuf.st_mode)) | |
126 | path_beneath.allowed_access &= ACCESS_FILE; | |
127 | if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, | |
81709f3d MS |
128 | &path_beneath, 0)) { |
129 | fprintf(stderr, | |
130 | "Failed to update the ruleset with \"%s\": %s\n", | |
131 | path_list[i], strerror(errno)); | |
ba84b0bf MS |
132 | close(path_beneath.parent_fd); |
133 | goto out_free_name; | |
134 | } | |
135 | close(path_beneath.parent_fd); | |
136 | } | |
137 | ret = 0; | |
138 | ||
139 | out_free_name: | |
66b513b7 | 140 | free(path_list); |
ba84b0bf MS |
141 | free(env_path_name); |
142 | return ret; | |
143 | } | |
144 | ||
9805a722 MS |
145 | /* clang-format off */ |
146 | ||
ba84b0bf MS |
147 | #define ACCESS_FS_ROUGHLY_READ ( \ |
148 | LANDLOCK_ACCESS_FS_EXECUTE | \ | |
149 | LANDLOCK_ACCESS_FS_READ_FILE | \ | |
150 | LANDLOCK_ACCESS_FS_READ_DIR) | |
151 | ||
152 | #define ACCESS_FS_ROUGHLY_WRITE ( \ | |
153 | LANDLOCK_ACCESS_FS_WRITE_FILE | \ | |
154 | LANDLOCK_ACCESS_FS_REMOVE_DIR | \ | |
155 | LANDLOCK_ACCESS_FS_REMOVE_FILE | \ | |
156 | LANDLOCK_ACCESS_FS_MAKE_CHAR | \ | |
157 | LANDLOCK_ACCESS_FS_MAKE_DIR | \ | |
158 | LANDLOCK_ACCESS_FS_MAKE_REG | \ | |
159 | LANDLOCK_ACCESS_FS_MAKE_SOCK | \ | |
160 | LANDLOCK_ACCESS_FS_MAKE_FIFO | \ | |
161 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ | |
76b902f8 MS |
162 | LANDLOCK_ACCESS_FS_MAKE_SYM | \ |
163 | LANDLOCK_ACCESS_FS_REFER) | |
164 | ||
165 | #define ACCESS_ABI_2 ( \ | |
166 | LANDLOCK_ACCESS_FS_REFER) | |
ba84b0bf | 167 | |
9805a722 MS |
168 | /* clang-format on */ |
169 | ||
ba84b0bf MS |
170 | int main(const int argc, char *const argv[], char *const *const envp) |
171 | { | |
172 | const char *cmd_path; | |
173 | char *const *cmd_argv; | |
76b902f8 MS |
174 | int ruleset_fd, abi; |
175 | __u64 access_fs_ro = ACCESS_FS_ROUGHLY_READ, | |
176 | access_fs_rw = ACCESS_FS_ROUGHLY_READ | ACCESS_FS_ROUGHLY_WRITE; | |
ba84b0bf | 177 | struct landlock_ruleset_attr ruleset_attr = { |
76b902f8 | 178 | .handled_access_fs = access_fs_rw, |
ba84b0bf MS |
179 | }; |
180 | ||
181 | if (argc < 2) { | |
81709f3d MS |
182 | fprintf(stderr, |
183 | "usage: %s=\"...\" %s=\"...\" %s <cmd> [args]...\n\n", | |
184 | ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]); | |
185 | fprintf(stderr, | |
186 | "Launch a command in a restricted environment.\n\n"); | |
ba84b0bf MS |
187 | fprintf(stderr, "Environment variables containing paths, " |
188 | "each separated by a colon:\n"); | |
81709f3d MS |
189 | fprintf(stderr, |
190 | "* %s: list of paths allowed to be used in a read-only way.\n", | |
191 | ENV_FS_RO_NAME); | |
192 | fprintf(stderr, | |
193 | "* %s: list of paths allowed to be used in a read-write way.\n", | |
194 | ENV_FS_RW_NAME); | |
195 | fprintf(stderr, | |
196 | "\nexample:\n" | |
197 | "%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" " | |
198 | "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" " | |
199 | "%s bash -i\n", | |
200 | ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]); | |
ba84b0bf MS |
201 | return 1; |
202 | } | |
203 | ||
76b902f8 MS |
204 | abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); |
205 | if (abi < 0) { | |
ba84b0bf MS |
206 | const int err = errno; |
207 | ||
76b902f8 | 208 | perror("Failed to check Landlock compatibility"); |
ba84b0bf MS |
209 | switch (err) { |
210 | case ENOSYS: | |
81709f3d MS |
211 | fprintf(stderr, |
212 | "Hint: Landlock is not supported by the current kernel. " | |
213 | "To support it, build the kernel with " | |
214 | "CONFIG_SECURITY_LANDLOCK=y and prepend " | |
215 | "\"landlock,\" to the content of CONFIG_LSM.\n"); | |
ba84b0bf MS |
216 | break; |
217 | case EOPNOTSUPP: | |
81709f3d MS |
218 | fprintf(stderr, |
219 | "Hint: Landlock is currently disabled. " | |
220 | "It can be enabled in the kernel configuration by " | |
221 | "prepending \"landlock,\" to the content of CONFIG_LSM, " | |
222 | "or at boot time by setting the same content to the " | |
223 | "\"lsm\" kernel parameter.\n"); | |
ba84b0bf MS |
224 | break; |
225 | } | |
226 | return 1; | |
227 | } | |
76b902f8 MS |
228 | /* Best-effort security. */ |
229 | if (abi < 2) { | |
230 | ruleset_attr.handled_access_fs &= ~ACCESS_ABI_2; | |
231 | access_fs_ro &= ~ACCESS_ABI_2; | |
232 | access_fs_rw &= ~ACCESS_ABI_2; | |
233 | } | |
234 | ||
235 | ruleset_fd = | |
236 | landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); | |
237 | if (ruleset_fd < 0) { | |
238 | perror("Failed to create a ruleset"); | |
239 | return 1; | |
240 | } | |
241 | if (populate_ruleset(ENV_FS_RO_NAME, ruleset_fd, access_fs_ro)) { | |
ba84b0bf MS |
242 | goto err_close_ruleset; |
243 | } | |
76b902f8 | 244 | if (populate_ruleset(ENV_FS_RW_NAME, ruleset_fd, access_fs_rw)) { |
ba84b0bf MS |
245 | goto err_close_ruleset; |
246 | } | |
247 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | |
248 | perror("Failed to restrict privileges"); | |
249 | goto err_close_ruleset; | |
250 | } | |
251 | if (landlock_restrict_self(ruleset_fd, 0)) { | |
252 | perror("Failed to enforce ruleset"); | |
253 | goto err_close_ruleset; | |
254 | } | |
255 | close(ruleset_fd); | |
256 | ||
257 | cmd_path = argv[1]; | |
258 | cmd_argv = argv + 1; | |
259 | execvpe(cmd_path, cmd_argv, envp); | |
260 | fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path, | |
81709f3d | 261 | strerror(errno)); |
ba84b0bf MS |
262 | fprintf(stderr, "Hint: access to the binary, the interpreter or " |
263 | "shared libraries may be denied.\n"); | |
264 | return 1; | |
265 | ||
266 | err_close_ruleset: | |
267 | close(ruleset_fd); | |
268 | return 1; | |
269 | } |