commit 6111dd4b49b8d4892d183c650c3d71592452209a Author: David Goulet dgoulet@ev0ke.net Date: Mon Jun 13 15:12:58 2016 -0400
Hijack execve() syscall to check for cap/setuid
If a binary has capabilities set or is setuid/setgid, the kernel will strip out LD_PRELOAD, thus making torsocks useless. This only works on Linux at this point.
This is not a complete fix but it's a good start and useful to have. See ticket #14322 for more information.
Patch from cypherpunks with minor syntax edit.
Signed-off-by: David Goulet dgoulet@ev0ke.net --- src/lib/Makefile.am | 2 +- src/lib/execve.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++ src/lib/torsocks.c | 5 ++-- src/lib/torsocks.h | 15 ++++++++++ 4 files changed, 101 insertions(+), 3 deletions(-)
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index 6e137f3..a81b5cf 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -9,6 +9,6 @@ lib_LTLIBRARIES = libtorsocks.la
 libtorsocks_la_SOURCES = torsocks.c torsocks.h \
 connect.c gethostbyname.c getaddrinfo.c close.c \
 getpeername.c socket.c syscall.c socketpair.c recv.c \
- exit.c accept.c listen.c fclose.c sendto.c
+ exit.c accept.c listen.c fclose.c sendto.c execve.c
libtorsocks_la_LIBADD = $(top_builddir)/src/common/libcommon.la
diff --git a/src/lib/execve.c b/src/lib/execve.c
new file mode 100644
index 0000000..ec3d12c
--- /dev/null
+++ b/src/lib/execve.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2016 - David Goulet dgoulet@ev0ke.net
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License, version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc., 51
+ * Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <sys/types.h>
+#include <sys/xattr.h>
+#include <sys/stat.h>
+
+#include "torsocks.h"
+
+/* execve(2) */
+TSOCKS_LIBC_DECL(execve, LIBC_EXECVE_RET_TYPE, LIBC_EXECVE_SIG)
+
+/*
+ * Check the file for setuid or security capabilities. Return 1 if
+ * capabilities or suid is set which indicates that LD_PRELOAD will be
+ * stripped. If none of those are present, return 0.
+ */
+int
+check_cap_suid(const char *filename)
+{
+ struct stat perms;
+
+ if (stat(filename, &perms) == 0) {
+ if (perms.st_mode & (S_ISUID | S_ISGID)) {
+ /* setXuid is enabled, LD_PRELOAD will be stripped */
+ return -1;
+ }
+ }
+
+/* Capabilities as such are just on Linux. */
+#ifdef __linux__
+ static const char *sec_cap = "security.capability";
+ ssize_t len = getxattr(filename, sec_cap, NULL, 0);
+ if (len > 0) {
+ /* security capabilities are set, LD_PRELOAD will be stripped */
+ return -1;
+ }
+ /* On failure or a value of zero, either no caps are present or the
+ * filename wasn't found so in both cases, let execve() call handle the
+ * failure if one. */
+#endif /* __linux__ */
+
+ return 0;
+}
+
+/*
+ * execve() is hijacked to avoid executing setuid or setcap binaries which
+ * will strip the LD_PRELOAD settings.
+ */
+LIBC_EXECVE_RET_TYPE tsocks_execve(LIBC_EXECVE_SIG)
+{
+ if (check_cap_suid(filename) < 0) {
+ errno = EPERM;
+ return -1;
+ }
+ return tsocks_libc_execve(filename, argv, envp);
+}
+
+/*
+ * Libc hijacked symbol execve(2).
+ */
+LIBC_EXECVE_DECL
+{
+ if (!tsocks_libc_execve) {
+ tsocks_initialize();
+ }
+ return tsocks_execve(LIBC_EXECVE_ARGS);
+}
diff --git a/src/lib/torsocks.c b/src/lib/torsocks.c
index 0342aeb..9d92e82 100644
--- a/src/lib/torsocks.c
+++ b/src/lib/torsocks.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2000-2008 - Shaun Clowes delius@progsoc.org
+ * Copyright (C) 2000-2008 - Shaun Clowes delius@progsoc.org
 * 2008-2011 - Robert Hogan robert@roberthogan.net
 * 2013 - David Goulet dgoulet@ev0ke.net
 *
@@ -217,8 +217,9 @@ static void init_libc_symbols(void)
 tsocks_libc_close = dlsym(libc_ptr, LIBC_CLOSE_NAME_STR);
 tsocks_libc_socket = dlsym(libc_ptr, LIBC_SOCKET_NAME_STR);
 tsocks_libc_syscall = dlsym(libc_ptr, LIBC_SYSCALL_NAME_STR);
+ tsocks_libc_execve = dlsym(libc_ptr, LIBC_EXECVE_NAME_STR);
 if (!tsocks_libc_connect || !tsocks_libc_close || !tsocks_libc_socket
- || !tsocks_libc_syscall) {
+ || !tsocks_libc_syscall || !tsocks_libc_execve) {
 ERR("Unable to lookup symbols in " LIBC_NAME "(%s)", dlerror());
 goto error;
 }
diff --git a/src/lib/torsocks.h b/src/lib/torsocks.h
index 0eeef2a..a7907f5 100644
--- a/src/lib/torsocks.h
+++ b/src/lib/torsocks.h
@@ -75,6 +75,15 @@
 #define LIBC_CLOSE_SIG int fd
 #define LIBC_CLOSE_ARGS fd
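Review bot: In src/lib/execve.c, check_cap_suid() examines `filename` by path and the real execve() resolves that path again afterwards, so the file that is finally executed is not guaranteed to be the one that was checked; the comment above tsocks_execve() should say the refusal is best-effort, for example `Best-effort only: execve() re-resolves the path, so a passing check does not guarantee LD_PRELOAD is kept.` The comment above check_cap_suid() says `Return 1` while both branches `return -1` and the caller tests `< 0`, so it should read `Return -1`. `#include <sys/xattr.h>` is unconditional although the only getxattr() call sits under `#ifdef __linux__`, so the include probably wants the same guard to keep other platforms building. check_cap_suid() is also not `static` and no prototype for it appears in the torsocks.h hunks, which suggests it is exported from the preloaded library unless the build hides symbols by default.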
+/* execve(2) */
+#define LIBC_EXECVE_NAME execve
+#define LIBC_EXECVE_NAME_STR XSTR(LIBC_EXECVE_NAME)
+#define LIBC_EXECVE_RET_TYPE int
+#define LIBC_EXECVE_SIG \
+ const char *filename, char *const argv[], char *const envp[]
+#define LIBC_EXECVE_ARGS \
+ filename, argv, envp
+
 /* fclose(3) */
 #include <stdio.h>
@@ -325,6 +334,12 @@ TSOCKS_DECL(close, LIBC_CLOSE_RET_TYPE, LIBC_CLOSE_SIG)
 #define LIBC_CLOSE_DECL \
 LIBC_CLOSE_RET_TYPE LIBC_CLOSE_NAME(LIBC_CLOSE_SIG)
+/* execve(2) */
+extern TSOCKS_LIBC_DECL(execve, LIBC_EXECVE_RET_TYPE, LIBC_EXECVE_SIG)
+TSOCKS_DECL(execve, LIBC_EXECVE_RET_TYPE, LIBC_EXECVE_SIG)
+#define LIBC_EXECVE_DECL \
+ LIBC_EXECVE_RET_TYPE LIBC_EXECVE_NAME(LIBC_EXECVE_SIG)
+
 /* fclose(3) */
 extern TSOCKS_LIBC_DECL(fclose, LIBC_FCLOSE_RET_TYPE, LIBC_FCLOSE_SIG)
 TSOCKS_DECL(fclose, LIBC_FCLOSE_RET_TYPE, LIBC_FCLOSE_SIG)