commit 8aa40ffd5ce26b58d4c47d1b625ca1451c22acb8 Author: Yawning Angel yawning@schwanenlied.me Date: Sun Dec 4 23:18:29 2016 +0000
Remove the old gosecco glue code. --- data/blacklist-extras-i386.seccomp | 5 - data/blacklist.seccomp | 95 ----------- data/tor-obfs4-whitelist.seccomp | 147 ----------------- data/tor-whitelist-extras-i386.seccomp | 29 ---- data/tor-whitelist.seccomp | 122 --------------- ...rbrowser-launcher-whitelist-extras-i386.seccomp | 28 ---- data/torbrowser-launcher-whitelist.seccomp | 173 --------------------- .../internal/sandbox/seccomp.go | 12 -- .../internal/sandbox/seccomp_386.go | 125 --------------- .../internal/sandbox/seccomp_amd64.go | 103 ------------ 10 files changed, 839 deletions(-)
diff --git a/data/blacklist-extras-i386.seccomp b/data/blacklist-extras-i386.seccomp
deleted file mode 100644
index dc74400..0000000
--- a/data/blacklist-extras-i386.seccomp
+++ /dev/null
@@ -1,5 +0,0 @@
-# Seccomp blacklist i386 specific rules that will be installed in adition to
-# blacklist.seccomp.
-
-vm86: 1
-vm86old: 1
diff --git a/data/blacklist.seccomp b/data/blacklist.seccomp
deleted file mode 100644
index ccc508b..0000000
--- a/data/blacklist.seccomp
+++ /dev/null
@@ -1,95 +0,0 @@
-# Basic standard seccomp blacklist rules, based off a few sources.
-
-#
-# linux-user-chroot (v0 profile)
-#
-
-# Block dmesg
-syslog: 1
-# Useless old syscall
-uselib: 1
-# Don't allow you to switch to bsd emulation or whatnot
-personality: 1
-# Don't allow disabling accounting
-acct: 1
-# 16-bit code is unnecessary in the sandbox, and modify_ldt is a historic source of interesting information leaks.
-modify_ldt: 1
-# Don't allow reading current quota use
-quotactl: 1
-
-# Scary VM/NUMA ops:
-move_pages: 1
-mbind: 1
-get_mempolicy: 1
-set_mempolicy: 1
-migrate_pages: 1
-
-# Don't allow subnamespace setups:
-# XXX/yawning: The clone restriction breaks bwrap. c'est la vie. It
-# looks like Mozilla is considering using user namespaces for the
-# content process sandboxing efforts, so this may need to be enabled.
-unshare: 1
-mount: 1
-pivot_root: 1
-# {SCMP_SYS(clone), &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, // Breaks bwrap.
-
-# Profiling operations; we expect these to be done by tools from
-# outside the sandbox. In particular perf has been the source of many
-# CVEs.
-perf_event_open: 1
-ptrace: 1
-
-#
-# firejail seccomp_filter_64()
-#
-
-# mount
-umount2: 1
-kexec_load: 1
-# ptrace
-open_by_handle_at: 1
-name_to_handle_at: 1
-create_module: 1
-init_module: 1
-finit_module: 1
-delete_module: 1
-iopl: 1
-ioperm: 1
-ioprio_set: 1
-swapon: 1
-swapoff: 1
-# syslog
-process_vm_readv: 1
-process_vm_writev: 1
-sysfs: 1
-_sysctl: 1
-adjtimex: 1
-clock_adjtime: 1
-lookup_dcookie: 1
-# perf_event_open
-fanotify_init: 1
-kcmp: 1
-add_key: 1
-request_key: 1
-keyctl: 1
-# uselib
-# acct
-# modify_ldt
-# pivot_root
-io_setup: 1
-io_destroy: 1
-io_getevents: 1
-io_submit: 1
-io_cancel: 1
-remap_file_pages: 1
-# mbind
-# get_mempolicy
-# set_mempolicy
-# migrate_pages
-# move_pages
-vmsplice: 1
-chroot: 1
-tuxcall: 1
-reboot: 1
-nfsservctl: 1
-get_kernel_syms: 1
diff --git a/data/tor-obfs4-whitelist.seccomp b/data/tor-obfs4-whitelist.seccomp
deleted file mode 100644
index 773c5b7..0000000
--- a/data/tor-obfs4-whitelist.seccomp
+++ /dev/null
@@ -1,147 +0,0 @@
-# tor +obfs4proxy binary seccomp rules based off the tor sandbox and the
-# subgraph tor-browser-launcher rules, along with some quality time with
-# strace.
-
-#
-# WARNING: This is a stopgap. In an ideal world, tor and obfs4proxy will
-# have separate containers, with their own seccomp rules.
-#
-
-# Constants used for argument comparisons.
-SIG_BLOCK=1
-SIG_SETMASK=2
-MREMAP_MAYMOVE=1
-PF_LOCAL=AF_LOCAL
-POLLIN=1
-
-# The tor stage 1 set.
-access: 1
-brk: 1
-clock_gettime: 1
-close: 1
-clone: 1
-epoll_create: 1
-epoll_wait: 1
-eventfd2: 1
-pipe2: 1
-pipe: 1
-fcntl: 1
-fstat: 1
-# fstat64: 1
-getdents: 1
-getdents64: 1
-getegid: 1
-# getegid32: 1
-geteuid: 1
-# geteuid32: 1
-getgid: 1
-# getgid32: 1
-getrlimit: 1
-gettimeofday: 1
-gettid: 1
-getuid: 1
-# getuid32: 1
-lseek: 1
-#_llseek: 1
-mkdir: 1
-munmap: 1
-prlimit64: 1
-read: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sched_yield: 1
-sendmsg: 1
-set_robust_list: 1
-setrlimit: 1
-sigaltstack: 1
-# sigreturn: 1
-stat: 1
-uname: 1
-wait4: 1
-write: 1
-writev: 1
-exit_group: 1
-exit: 1
-madvise: arg2 == 8
-getrandom: 1
-sysinfo: 1
-bind: 1
-listen: 1
-connect: 1
-getsockname: 1
-recvmsg: 1
-recvfrom: 1
-sendto: 1
-unlink: 1
-
-# System calls that tor restricts by argument.
-rt_sigprocmask: arg0 == SIG_BLOCK || arg0 == SIG_SETMASK
-time: arg0 == 0
-epoll_ctl: arg1 == EPOLL_CTL_ADD || arg1 == EPOLL_CTL_MOD || arg1 == EPOLL_CTL_DEL
-prctl: (arg0 == PR_SET_DUMPABLE && arg1 == 0) || arg0 == PR_SET_PDEATHSIG
-mprotect: arg2 == PROT_READ || arg2 == PROT_NONE || arg2 == PROT_READ | PROT_WRITE
-flock: arg1 == (LOCK_EX | LOCK_NB) || arg1 == LOCK_UN
-# FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || FUTEX_WAKE_PRIVATE || FUTEX_WAIT_PRIVATE
-futex: arg1 == 393 || arg1 == 128 || arg1 == 129 || arg1 == 1 || arg1 == 0
-mremap: arg3 == MREMAP_MAYMOVE
-poll: arg1 == POLLIN && arg2 == 10
-socket: arg0 == AF_UNIX || arg0 == AF_INET || arg0 == AF_INET6 || arg0 == AF_NETLINK
-setsockopt: (arg1 == SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_SNDBUF || arg2 == SO_RCVBUF || arg2 == SO_BROADCAST)) || (arg1 == SOL_TCP && arg2 == TCP_NODELAY) || (arg1 == SOL_IPV6 && arg2 == IPV6_V6ONLY)
-getsockopt: arg1 == SOL_SOCKET && arg2 == SO_ERROR
-# XXX: src/common/compat.c:tor_socketpair looks like it uses SOCK_CLOEXEC,
-# but according to strace, fcntl is used to actually set the flag (6.0.6).
-socketpair: arg0 == PF_LOCAL && (arg1 == SOCK_STREAM || arg1 == SOCK_STREAM | SOCK_CLOEXEC)
-# XXX/yawning: Tor doesn't have filters for this, but does for mmap2, but mmap2
-# is an x86-ism, so can't filter args.
-#
-# (PROT_READ|PROT_EXEC, MAP_PRIVATE | MAP_DENYWRITE) is needed for ld-linux.so
-mmap: (arg2 == PROT_READ && arg3 == MAP_PRIVATE) || (arg2 == PROT_NONE && (arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE || arg3 == MAP_PRIVATE | MAP_ANONYMOUS || arg3 == MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS)) || (arg2 == PROT_READ | PROT_WRITE && ((arg3 == MAP_PRIVATE | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_DENYWRITE) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_DENYWRITE))) || (arg2 == PROT_READ | PROT_EXEC && arg3 == MAP_PRIVATE | MAP_DENYWRITE)
-
-# System calls that tor has filters for, that we do not due to:
-# * Yawning being too dumb/lazy to convert the rules (accept4, mmap2,
-# rt_sigaction).
-rt_sigaction: 1
-accept4: 1
-# mmap2: 1
-# fcntl64: 1
-
-# System calls that tor restricts by argument, but that need to be done by the
-# tor binary, because the restriction is by pointer.
-chown: 1
-chmod: 1
-open: 1
-openat: 1
-rename: 1
-# stat64: 1
-
-# System calls that tor needs, but doesn't know it needs, because they are made
-# prior to Tor's sandbox enforcement, either by tor, it's dependencies, or even
-# by bubblewrap.
-arch_prctl: 1
-unshare: 1
-getpid: 1
-kill: 1
-execve: 1
-restart_syscall: 1
-set_tid_address: 1
-chdir: 1
-umask: arg0 == 022
-
-# obfs4proxy requires the following:
-#
-# Note that it also requires additional things to be allowed in the various
-# arg filters, which are made at the pre-existing locations.
-# `mprotect` -> `arg2 == PROT_READ | PROT_WRITE`
-# `futex` -> `arg1 == 1 || arg1 == 0` (FUTEX_WAKE, FUTEX_WAIT)
-# `setsockopt` -> `arg1 == SOL_TCP && arg2 == TCP_NODELAY`
-# `arg1 == SOL_SOCKET && arg2 == SO_BROADCAST`
-# `arg1 == SOL_IPV6 && arg2 == IPV6_V6ONLY`
-# `mmap` -> `arg2 == PROT_NONE && (arg3 == MAP_PRIVATE|MAP_ANONYMOUS || arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)`
-mincore: 1
-dup2: 1
-select: 1
-mkdirat: 1
-fsync: 1
-epoll_create1: arg0 == EPOLL_CLOEXEC
-getpeername: 1
-getppid: 1
diff --git a/data/tor-whitelist-extras-i386.seccomp b/data/tor-whitelist-extras-i386.seccomp
deleted file mode 100644
index 2c33759..0000000
--- a/data/tor-whitelist-extras-i386.seccomp
+++ /dev/null
@@ -1,29 +0,0 @@
-# tor binary i386 specific seccomp rules that will be installed in addition to
-# tor-whitelist-seccomp.
-
-# 32 bit system specific system calls relocated from tor-whitelist.seccomp
-fstat64: 1
-getegid32: 1
-geteuid32: 1
-getgid32: 1
-getuid32: 1
-_llseek: 1
-sigreturn: 1
-mmap2: 1
-fcntl64: 1
-stat64: 1
-
-ugetrlimit: 1
-newselect: 1
-
-# tor's sandbox code claims that these calls are required on x86 but not on
-# x86_64. tor's sandbox attempts to filter socketcall's arguments as well
-# when it adds a rule, but seccomp on x86 does not support argument filtering,
-# and I suspect that the arg filter is incorrect.
-recv: 1
-send: 1
-socketcall: 1
-prlimit: 1
-
-# This appears to be required on x86 to initialize TLS.
-set_thread_area: 1
diff --git a/data/tor-whitelist.seccomp b/data/tor-whitelist.seccomp
deleted file mode 100644
index 8433e3f..0000000
--- a/data/tor-whitelist.seccomp
+++ /dev/null
@@ -1,122 +0,0 @@
-# tor binary seccomp rules based off the tor sandbox and the subgraph
-# tor-browser-launcher rules.
-
-# Constants used for argument comparisons.
-SIG_BLOCK=1
-SIG_SETMASK=2
-MREMAP_MAYMOVE=1
-PF_LOCAL=AF_LOCAL
-POLLIN=1
-
-# The tor stage 1 set.
-access: 1
-brk: 1
-clock_gettime: 1
-close: 1
-clone: 1
-epoll_create: 1
-epoll_wait: 1
-eventfd2: 1
-pipe2: 1
-pipe: 1
-fcntl: 1
-fstat: 1
-# fstat64: 1
-getdents: 1
-getdents64: 1
-getegid: 1
-# getegid32: 1
-geteuid: 1
-# geteuid32: 1
-getgid: 1
-# getgid32: 1
-getrlimit: 1
-gettimeofday: 1
-gettid: 1
-getuid: 1
-# getuid32: 1
-lseek: 1
-#_llseek: 1
-mkdir: 1
-munmap: 1
-prlimit64: 1
-read: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sched_yield: 1
-sendmsg: 1
-set_robust_list: 1
-setrlimit: 1
-sigaltstack: 1
-# sigreturn: 1
-stat: 1
-uname: 1
-wait4: 1
-write: 1
-writev: 1
-exit_group: 1
-exit: 1
-madvise: arg2 == 8
-getrandom: 1
-sysinfo: 1
-bind: 1
-listen: 1
-connect: 1
-getsockname: 1
-recvmsg: 1
-recvfrom: 1
-sendto: 1
-unlink: 1
-
-# System calls that tor restricts by argument.
-rt_sigprocmask: arg0 == SIG_BLOCK || arg0 == SIG_SETMASK
-time: arg0 == 0
-epoll_ctl: arg1 == EPOLL_CTL_ADD || arg1 == EPOLL_CTL_MOD || arg1 == EPOLL_CTL_DEL
-prctl: (arg0 == PR_SET_DUMPABLE && arg1 == 0) || arg0 == PR_SET_PDEATHSIG
-mprotect: arg2 == PROT_READ || arg2 == PROT_NONE
-flock: arg1 == (LOCK_EX | LOCK_NB) || arg1 == LOCK_UN
-# FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || FUTEX_WAKE_PRIVATE || FUTEX_WAIT_PRIVATE
-futex: arg1 == 393 || arg1 == 128 || arg1 == 129
-mremap: arg3 == MREMAP_MAYMOVE
-poll: arg1 == POLLIN && arg2 == 10
-socket: arg0 == AF_UNIX || arg0 == AF_INET || arg0 == AF_INET6 || arg0 == AF_NETLINK
-setsockopt: arg1 == SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_SNDBUF || arg2 == SO_RCVBUF)
-getsockopt: arg1 == SOL_SOCKET && arg2 == SO_ERROR
-# XXX: src/common/compat.c:tor_socketpair looks like it uses SOCK_CLOEXEC,
-# but according to strace, fcntl is used to actually set the flag (6.0.6).
-socketpair: arg0 == PF_LOCAL && (arg1 == SOCK_STREAM || arg1 == SOCK_STREAM | SOCK_CLOEXEC)
-# XXX/yawning: Tor doesn't have filters for this, but does for mmap2, but mmap2
-# is an x86-ism, so can't filter args.
-#
-# (PROT_READ|PROT_EXEC, MAP_PRIVATE | MAP_DENYWRITE) is needed for ld-linux.so
-mmap: (arg2 == PROT_READ && arg3 == MAP_PRIVATE) || (arg2 == PROT_NONE && arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE) || (arg2 == PROT_READ | PROT_WRITE && ((arg3 == MAP_PRIVATE | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_DENYWRITE) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_DENYWRITE))) || (arg2 == PROT_READ | PROT_EXEC && arg3 == MAP_PRIVATE | MAP_DENYWRITE)
-
-# System calls that tor has filters for, that we do not due to:
-# * Yawning being too dumb/lazy to convert the rules (accept4, mmap2,
-# rt_sigaction).
-rt_sigaction: 1
-accept4: 1
-# mmap2: 1
-# fcntl64: 1
-
-# System calls that tor restricts by argument, but that need to be done by the
-# tor binary, because the restriction is by pointer.
-chown: 1
-chmod: 1
-open: 1
-openat: 1
-rename: 1
-# stat64: 1
-
-# System calls that tor needs, but doesn't know it needs, because they are made
-# prior to Tor's sandbox enforcement, either by tor, it's dependencies, or even
-# by bubblewrap.
-arch_prctl: 1
-unshare: 1
-getpid: 1
-kill: 1
-execve: 1
-restart_syscall: 1
-set_tid_address: 1
-chdir: 1
-umask: arg0 == 022
diff --git a/data/torbrowser-launcher-whitelist-extras-i386.seccomp b/data/torbrowser-launcher-whitelist-extras-i386.seccomp
deleted file mode 100644
index b859f69..0000000
--- a/data/torbrowser-launcher-whitelist-extras-i386.seccomp
+++ /dev/null
@@ -1,28 +0,0 @@
-# Tor Browser i386 specific seccomp rules that will be installed in addition to
-# torbrowser-launcher-whitelist-seccomp.
-
-fcntl64:1
-fstat64: 1
-lstat64: 1
-statfs64: 1
-stat64: 1
-prlimit64: 1
-_llseek: 1
-fstatfs64: 1
-ftruncate64: 1
-fadvise64_64: 1
-
-mmap2: 1
-set_thread_area: 1
-getresuid32: 1
-getresgid32: 1
-time: 1
-getuid32: 1
-getgid32: 1
-ugetrlimit: 1
-
-recv: 1
-send: 1
-socketcall: 1
-
-waitpid: 1
diff --git a/data/torbrowser-launcher-whitelist.seccomp b/data/torbrowser-launcher-whitelist.seccomp
deleted file mode 100644
index 7e47052..0000000
--- a/data/torbrowser-launcher-whitelist.seccomp
+++ /dev/null
@@ -1,173 +0,0 @@
-TIOCGPGRP=21519
-
-FUTEX_WAIT=0
-FUTEX_WAKE=1
-FUTEX_FD=2
-FUTEX_REQUEUE=3
-FUTEX_CMP_REQUEUE=3
-FUTEX_WAKE_OP=5
-#FUTEX_LOCK_PI=6
-#FUTEX_UNLOCK_PI=7
-FUTEX_WAIT_BITSET=9
-FUTEX_PRIVATE_FLAG=128
-FUTEX_CLOCK_REALTIME=256
-
-FUTEX_WAIT_PRIVATE=FUTEX_WAIT | FUTEX_PRIVATE_FLAG
-FUTEX_WAKE_PRIVATE=FUTEX_WAKE | FUTEX_PRIVATE_FLAG
-FUTEX_CMP_REQUEUE_PRIVATE=FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG
-FUTEX_WAKE_OP_PRIVATE=FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG
-#FUTEX_LOCK_PI_PRIVATE=FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG
-#FUTEX_UNLOCK_PI_PRIVATE=FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG
-FUTEX_WAIT_BITSET_PRIVATE=FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG
-
-# XXX/yawning: Because we patch PulseAudio's mutex creation, we can omit
-# FUTEX_LOCK_PI_PRIVATE, FUTEX_UNLOCK_PI_PRIVATE, FUTEX_UNLOCK_PI.
-#
-# This is deliberate and aims to avoid rumored scary race conditions in the
-# PI futex code.
-futex: arg1 == FUTEX_CMP_REQUEUE_PRIVATE || arg1 == FUTEX_WAIT || arg1 == FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || arg1 == FUTEX_WAIT_PRIVATE || arg1 == FUTEX_WAKE || arg1 == FUTEX_WAKE_OP_PRIVATE || arg1 == FUTEX_WAKE_PRIVATE || arg1 == FUTEX_WAIT_BITSET_PRIVATE
-
-lseek: 1
-open: 1
-read: 1
-stat: 1
-close: 1
-mmap: 1
-write: 1
-access: 1
-recvmsg: 1
-poll: 1
-madvise: arg2 == 4
-munmap: 1
-mprotect: 1
-lstat: 1
-getdents: 1
-writev: 1
-rt_sigaction: 1
-fcntl: 1
-brk: 1
-# ioctl: FIONREAD || TCGETS
-ioctl: arg1 == 0x541b || arg1 == 21505 || arg1 == TIOCGPGRP
-rt_sigprocmask: 1
-pread64: 1
-seccomp:1
-unshare:1
-gettimeofday:1
-creat:1
-fchdir:1
-utimes:1
-sigaltstack:1
-sched_yield:1
-mincore: 1
-alarm: 1
-nanosleep: 1
-vfork: 1
-mlock: 1
-clock_gettime: 1
-getpgrp: 1
-getppid: 1
-getpid: 1
-fchown: 1
-prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME || arg0 == PR_GET_TIMERSLACK || arg0 == PR_SET_SECCOMP
-epoll_create1: 1
-readlinkat: 1
-getrandom: 1
-accept4: 1
-newfstatat: 1
-select: 1
-memfd_create:1
-execve: 1
-fstat: 1
-set_tid_address: 1
-set_robust_list: 1
-getrusage: 1
-readlink: 1
-readahead: 1
-arch_prctl: 1
-pwrite64: 1
-fdatasync: 1
-getpriority: 1
-gettid: 1
-exit_group: 1
-fstatfs: 1
-unlink: 1
-exit: 1
-dup2: 1
-dup: 1
-uname: 1
-getuid: 1
-geteuid: 1
-getgid: 1
-getegid: 1
-fsync: 1
-getrlimit: 1
-mkdir: 1
-connect: 1
-statfs: 1
-getsockname: 1
-getpeername: 1
-pipe: 1
-chmod: 1
-chdir: 1
-setsid: 1
-rmdir: 1
-splice: 1
-restart_syscall: 1
-recvfrom: 1
-sendto: 1
-setsockopt: 1
-quotactl: 1
-ppoll: 1
-openat: 1
-epoll_wait: 1
-clone: 1
-wait4: 1
-link: 1
-rename: 1
-setpriority: 1
-tgkill: 1
-fadvise64: 1
-fallocate: 1
-getsockopt: 1
-sysinfo: 1
-sched_getaffinity: 1
-inotify_add_watch: 1
-eventfd2: 1
-inotify_init1: 1
-shmdt: 1
-shmat: 1
-shmctl: 1
-shmget: 1
-rt_sigreturn: 1
-getcwd: 1
-sendmsg: 1
-getresuid: 1
-ftruncate: 1
-umask: 1
-getresgid: 1
-epoll_ctl: 1
-epoll_create: 1
-socketpair: 1
-symlink: 1
-utime: 1
-shutdown: 1
-mremap: 1
-bind: 1
-name_to_handle_at: 1
-pipe2: 1
-fchmod: 1
-kill: 1
-listen: 1
-setrlimit: 1
-clock_getres: 1
-sched_setscheduler: 1
-capset: 1
-# XXX/yawning: Why is this needed?
-#personality: 1
-setresuid: 1
-setresgid: 1
-capget: 1
-getdents64: 1
-inotify_rm_watch: 1
-# XXX/yawning: Only allow AF_UNIX.
-socket: arg0 == AF_UNIX
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go
index fed647e..967d5b8 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go
@@ -18,20 +18,12 @@ package sandbox
 import (
 "log"
- "os"
 "runtime"
 seccomp "github.com/seccomp/libseccomp-golang"
 )
 const (
- torBrowserWhitelist = "torbrowser-launcher-whitelist.seccomp"
- torWhitelist = "tor-whitelist.seccomp"
- torObfs4Whitelist = "tor-obfs4-whitelist.seccomp"
- basicBlacklist = "blacklist.seccomp"
-)
-
-const (
 madvNormal = 0 // MADV_NORMAL
 madvDontneed = 4 // MADV_DONTNEED
 madvFree = 8 // MADV_FREE
@@ -77,10 +69,6 @@ const (
 tiocgpgrp = 0x540f
 )
-func installBasicSeccompBlacklist(fd *os.File) error {
- return installSeccomp(fd, blacklistSeccompAssets, true)
-}
-
 func newWhitelist() (*seccomp.ScmpFilter, error) {
 arch, err := seccomp.GetNativeArch()
 if err != nil {
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
deleted file mode 100644
index 1e6e18c..0000000
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
+++ /dev/null
@@ -1,125 +0,0 @@
-// secomp_386.go - Sandbox seccomp rules (i386).
-// Copyright (C) 2016 Yawning Angel.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as
-// published by the Free Software Foundation, either version 3 of the
-// License, or (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program. If not, see http://www.gnu.org/licenses/.
-
-// +build 386
-
-package sandbox
-
-import (
- "bytes"
- "fmt"
- "log"
- "os"
-
- seccomp "github.com/seccomp/libseccomp-golang"
-
- "cmd/sandboxed-tor-browser/internal/data"
-)
-
-const (
- torBrowserExtraWhitelist = "torbrowser-launcher-whitelist-extras-i386.seccomp"
- torExtraWhitelist = "tor-whitelist-extras-i386.seccomp"
- basicExtraBlacklist = "blacklist-extras-i386.seccomp"
-)
-
-var torBrowserSeccompAssets = []string{torBrowserWhitelist, torBrowserExtraWhitelist}
-var torSeccompAssets = []string{torWhitelist, torExtraWhitelist}
-var torObfs4SeccompAssets = []string{torObfs4Whitelist, torExtraWhitelist}
-var blacklistSeccompAssets = []string{basicBlacklist, basicExtraBlacklist}
-
-// installSeccomp on i386 implements a minimal subset of the gosecco
-// description launguage sufficient to enumerate system calls listed in
-// rule files.
-//
-// When i386 gains support for filtering system call arguments via seccomp,
-// this will need to be beefed up, but hopefully gosecco will be updated
-// by then.
-func installSeccomp(fd *os.File, assets []string, isBlacklist bool) error {
- defer fd.Close()
-
- var rules []byte
- for _, asset := range assets {
- b, err := data.Asset(asset)
- if err != nil {
- return err
- }
- rules = append(rules, b...)
- rules = append(rules, '\n')
- }
-
- actENOSYS := seccomp.ActErrno.SetReturnCode(38)
- defaultAct, ruleAct := actENOSYS, seccomp.ActAllow
- if isBlacklist {
- defaultAct, ruleAct = ruleAct, defaultAct
- }
-
- f, err := seccomp.NewFilter(defaultAct)
- if err != nil {
- return err
- }
- defer f.Release()
- if err := f.AddArch(seccomp.ArchNative); err != nil {
- return err
- }
-
- // Parse the rule set and build seccomp rules.
- for ln, l := range bytes.Split(rules, []byte{'\n'}) {
- l = bytes.TrimSpace(l)
- if len(l) == 0 { // Empty line.
- continue
- }
- if idx := bytes.IndexRune(l, '#'); idx == 0 {
- continue
- }
-
- if bytes.IndexByte(l, ':') != -1 {
- // Rule
- sp := bytes.SplitN(l, []byte{':'}, 2)
- if len(sp) != 2 {
- return fmt.Errorf("seccomp: invalid rule: %d:%v", ln, string(l))
- }
-
- scallName := string(bytes.TrimSpace(sp[0]))
- scall, err := seccomp.GetSyscallFromName(scallName)
- if err != nil {
- if scallName == "newselect" {
- // The library doesn't have "NR_newselect" yet.
- scall = seccomp.ScmpSyscall(142)
- } else {
- // Continue instead of failing on ENOSYS. gosecco will fail
- // here, but this allows whitelists to be more futureproof,
- // and handles thing like Debian prehistoric^wstable missing
- // system calls that we would like to allow like `getrandom`.
- log.Printf("seccomp: unknown system call: %v", scallName)
- continue
- }
- }
-
- // If the system call is present, just add it. This is x86,
- // seccomp can't filter args on this architecture.
- if err = f.AddRule(scall, ruleAct); err != nil {
- return err
- }
- } else if bytes.IndexByte(l, '=') != -1 {
- // Skip declarations.
- continue
- } else {
- return fmt.Errorf("seccomp: syntax error in profile: %d:%v", ln, string(l))
- }
- }
-
- return f.ExportBPF(fd)
-}
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_amd64.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_amd64.go
deleted file mode 100644
index 2ed4cf5..0000000
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_amd64.go
+++ /dev/null
@@ -1,103 +0,0 @@
-// secomp_amd64.go - Sandbox seccomp rules (amd64).
-// Copyright (C) 2016 Yawning Angel.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as
-// published by the Free Software Foundation, either version 3 of the
-// License, or (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program. If not, see http://www.gnu.org/licenses/.
-
-// +build amd64
-
-package sandbox
-
-import (
- "encoding/binary"
- "fmt"
- "os"
-
- "golang.org/x/sys/unix"
-
- "github.com/twtiger/gosecco"
- "github.com/twtiger/gosecco/parser"
-
- "cmd/sandboxed-tor-browser/internal/data"
-)
-
-const (
- actAllow = "allow"
- actKill = "kill"
- actENOSYS = "ENOSYS"
-)
-
-var whitelistSettings = &gosecco.SeccompSettings{
- DefaultPositiveAction: actAllow,
- DefaultNegativeAction: actENOSYS,
- DefaultPolicyAction: actENOSYS,
- ActionOnX32: actKill,
- ActionOnAuditFailure: actKill,
-}
-
-var blacklistSettings = &gosecco.SeccompSettings{
- DefaultPositiveAction: actENOSYS,
- DefaultNegativeAction: actAllow,
- DefaultPolicyAction: actAllow,
- ActionOnX32: actKill,
- ActionOnAuditFailure: actKill,
-}
-
-var torBrowserSeccompAssets = []string{torBrowserWhitelist}
-var torSeccompAssets = []string{torWhitelist}
-var torObfs4SeccompAssets = []string{torObfs4Whitelist}
-var blacklistSeccompAssets = []string{basicBlacklist}
-
-func installSeccomp(fd *os.File, assets []string, isBlacklist bool) error {
- defer fd.Close()
-
- settings := whitelistSettings
- if isBlacklist {
- settings = blacklistSettings
- }
-
- // XXX: This really should support multile assets.
- if len(assets) != 1 {
- return fmt.Errorf("seccomp: asset vector length > 1: %d", len(assets))
- }
-
- rules, err := data.Asset(assets[0])
- if err != nil {
- return err
- }
- source := &parser.StringSource{
- Name: assets[0],
- Content: string(rules),
- }
-
- bpf, err := gosecco.PrepareSource(source, *settings)
- if err != nil {
- return err
- }
-
- return writeBpf(fd, bpf)
-}
-
-func writeBpf(fd *os.File, bpf []unix.SockFilter) error {
- if size, limit := len(bpf), 0xffff; size > limit {
- return fmt.Errorf("filter program too big: %d bpf instructions (limit = %d)", size, limit)
- }
-
- for _, rule := range bpf {
- if err := binary.Write(fd, binary.LittleEndian, rule); err != nil {
- return err
- }
- }
-
- return nil
-}