[tor-commits] [torsocks/master] Hijack execve() syscall to check for cap/setuid

dgoulet at torproject.org dgoulet at torproject.org
Mon Jun 13 21:14:03 UTC 2016


commit 6111dd4b49b8d4892d183c650c3d71592452209a
Author: David Goulet <dgoulet at ev0ke.net>
Date:   Mon Jun 13 15:12:58 2016 -0400

    Hijack execve() syscall to check for cap/setuid
    
    If a binary has file capabilities or is setuid/setgid, the kernel marks the
    exec as secure and the dynamic loader then ignores LD_PRELOAD, which makes
    torsocks useless. This only works on Linux at this point.
    
    This is not a complete fix but it's a good start and useful to have. See
    ticket #14322 for more information.
    
    Patch from cypherpunks with minor syntax edit.
    
    Signed-off-by: David Goulet <dgoulet at ev0ke.net>
---
 src/lib/Makefile.am |  2 +-
 src/lib/execve.c    | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/lib/torsocks.c  |  5 ++--
 src/lib/torsocks.h  | 15 ++++++++++
 4 files changed, 101 insertions(+), 3 deletions(-)

diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index 6e137f3..a81b5cf 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -9,6 +9,6 @@ lib_LTLIBRARIES = libtorsocks.la
 libtorsocks_la_SOURCES = torsocks.c torsocks.h \
                          connect.c gethostbyname.c getaddrinfo.c close.c \
                          getpeername.c socket.c syscall.c socketpair.c recv.c \
-                         exit.c accept.c listen.c fclose.c sendto.c
+                         exit.c accept.c listen.c fclose.c sendto.c execve.c
 
 libtorsocks_la_LIBADD = $(top_builddir)/src/common/libcommon.la
diff --git a/src/lib/execve.c b/src/lib/execve.c
new file mode 100644
index 0000000..ec3d12c
--- /dev/null
+++ b/src/lib/execve.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2016 - David Goulet <dgoulet at ev0ke.net>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License, version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc., 51
+ * Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <sys/types.h>
+#include <sys/xattr.h>
+#include <sys/stat.h>
+
+#include "torsocks.h"
+
+/* execve(2) */
+TSOCKS_LIBC_DECL(execve, LIBC_EXECVE_RET_TYPE, LIBC_EXECVE_SIG)
+
+/*
+ * Check the file for setuid or security capabilities. Return 1 if
+ * capabilities or suid is set which indicates that LD_PRELOAD will be
+ * stripped. If none of those are present, return 0.
+ */
+int
+check_cap_suid(const char *filename)
+{
+	struct stat perms;
+
+	if (stat(filename, &perms) == 0) {
+		if (perms.st_mode & (S_ISUID | S_ISGID)) {
+			/* setXuid is enabled, LD_PRELOAD will be stripped */
+			return -1;
+		}
+	}
+
+/* Capabilities as such are just on Linux. */
+#ifdef __linux__
+	static const char *sec_cap = "security.capability";
+	ssize_t len = getxattr(filename, sec_cap, NULL, 0);
+	if (len > 0) {
+		/* security capabilities are set, LD_PRELOAD will be stripped */
+		return -1;
+	}
+	/* On failure or a value of zero, either no caps are present or the
+	 * filename wasn't found so in both cases, let execve() call handle the
+	 * failure if one. */
+#endif /* __linux__ */
+
+	return 0;
+}
+
+/*
+ * execve() is hijacked to avoid executing setuid or setcap binaries which
+ * will strip the LD_PRELOAD settings.
+ */
+LIBC_EXECVE_RET_TYPE tsocks_execve(LIBC_EXECVE_SIG)
+{
+	if (check_cap_suid(filename) < 0) {
+		errno = EPERM;
+		return -1;
+	}
+	return tsocks_libc_execve(filename, argv, envp);
+}
+
+/*
+ * Libc hijacked symbol execve(2).
+ */
+LIBC_EXECVE_DECL
+{
+	if (!tsocks_libc_execve) {
+		tsocks_initialize();
+	}
+	return tsocks_execve(LIBC_EXECVE_ARGS);
+}
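Review bot: The header comment on check_cap_suid says it returns 1 when setuid or capabilities are found, but both branches return -1 and tsocks_execve tests `< 0`; change the comment to `Return -1 if capabilities or setuid/setgid are set (LD_PRELOAD will be stripped), 0 otherwise.` so the contract matches the code. check_cap_suid has no prototype in torsocks.h and is exported from the preloaded library, so it should be `static int check_cap_suid(const char *filename)` to keep it out of the global symbol namespace. The `#include <sys/xattr.h>` at the top of the file is unconditional while its only user sits under `#ifdef __linux__`; platforms that lack that header (FreeBSD has sys/extattr.h instead) will fail to compile, so the include belongs inside the same guard. The refusal in tsocks_execve sets EPERM with no diagnostic, leaving the user with an unexplained permission error, so an `ERR("Refusing execve(%s): setuid/setgid or file capabilities would strip LD_PRELOAD", filename);` before `errno = EPERM;` would make the failure actionable. This hooks only the execve symbol; whether the other exec* wrappers and posix_spawn pass through it depends on the libc implementation, so the gap the commit message acknowledges should be stated in the file comment as well.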
diff --git a/src/lib/torsocks.c b/src/lib/torsocks.c
index 0342aeb..9d92e82 100644
--- a/src/lib/torsocks.c
+++ b/src/lib/torsocks.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2000-2008 - Shaun Clowes <delius at progsoc.org> 
+ * Copyright (C) 2000-2008 - Shaun Clowes <delius at progsoc.org>
  * 				 2008-2011 - Robert Hogan <robert at roberthogan.net>
  * 				 	  2013 - David Goulet <dgoulet at ev0ke.net>
  *
@@ -217,8 +217,9 @@ static void init_libc_symbols(void)
 	tsocks_libc_close = dlsym(libc_ptr, LIBC_CLOSE_NAME_STR);
 	tsocks_libc_socket = dlsym(libc_ptr, LIBC_SOCKET_NAME_STR);
 	tsocks_libc_syscall = dlsym(libc_ptr, LIBC_SYSCALL_NAME_STR);
+	tsocks_libc_execve = dlsym(libc_ptr, LIBC_EXECVE_NAME_STR);
 	if (!tsocks_libc_connect || !tsocks_libc_close || !tsocks_libc_socket
-			|| !tsocks_libc_syscall) {
+			|| !tsocks_libc_syscall || !tsocks_libc_execve) {
 		ERR("Unable to lookup symbols in " LIBC_NAME "(%s)", dlerror());
 		goto error;
 	}
diff --git a/src/lib/torsocks.h b/src/lib/torsocks.h
index 0eeef2a..a7907f5 100644
--- a/src/lib/torsocks.h
+++ b/src/lib/torsocks.h
@@ -75,6 +75,15 @@
 #define LIBC_CLOSE_SIG int fd
 #define LIBC_CLOSE_ARGS fd
 
+/* execve(2) */
+#define LIBC_EXECVE_NAME execve
+#define LIBC_EXECVE_NAME_STR XSTR(LIBC_EXECVE_NAME)
+#define LIBC_EXECVE_RET_TYPE int
+#define LIBC_EXECVE_SIG \
+	const char *filename, char *const argv[], char *const envp[]
+#define LIBC_EXECVE_ARGS \
+	filename, argv, envp
+
 /* fclose(3) */
 #include <stdio.h>
 
@@ -325,6 +334,12 @@ TSOCKS_DECL(close, LIBC_CLOSE_RET_TYPE, LIBC_CLOSE_SIG)
 #define LIBC_CLOSE_DECL \
 		LIBC_CLOSE_RET_TYPE LIBC_CLOSE_NAME(LIBC_CLOSE_SIG)
 
+/* execve(2) */
+extern TSOCKS_LIBC_DECL(execve, LIBC_EXECVE_RET_TYPE, LIBC_EXECVE_SIG)
+TSOCKS_DECL(execve, LIBC_EXECVE_RET_TYPE, LIBC_EXECVE_SIG)
+#define LIBC_EXECVE_DECL \
+		LIBC_EXECVE_RET_TYPE LIBC_EXECVE_NAME(LIBC_EXECVE_SIG)
+
 /* fclose(3) */
 extern TSOCKS_LIBC_DECL(fclose, LIBC_FCLOSE_RET_TYPE, LIBC_FCLOSE_SIG)
 TSOCKS_DECL(fclose, LIBC_FCLOSE_RET_TYPE, LIBC_FCLOSE_SIG)





More information about the tor-commits mailing list