Bitcoin Core  22.99.0
P2P Digital Currency
syscall_sandbox.cpp
Go to the documentation of this file.
1 // Copyright (c) 2020 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #if defined(HAVE_CONFIG_H)
7 #endif // defined(HAVE_CONFIG_H)
8 
9 #include <util/syscall_sandbox.h>
10 
11 #if defined(USE_SYSCALL_SANDBOX)
12 #include <array>
13 #include <cassert>
14 #include <cstdint>
15 #include <exception>
16 #include <map>
17 #include <new>
18 #include <set>
19 #include <string>
20 #include <vector>
21 
22 #include <logging.h>
23 #include <tinyformat.h>
24 #include <util/threadnames.h>
25 
26 #include <linux/audit.h>
27 #include <linux/filter.h>
28 #include <linux/seccomp.h>
29 #include <linux/unistd.h>
30 #include <signal.h>
31 #include <sys/prctl.h>
32 #include <sys/types.h>
33 #include <unistd.h>
34 
35 namespace {
36 bool g_syscall_sandbox_enabled{false};
37 bool g_syscall_sandbox_log_violation_before_terminating{false};
38 
39 #if !defined(__x86_64__)
40 #error Syscall sandbox is an experimental feature currently available only under Linux x86-64.
41 #endif // defined(__x86_64__)
42 
43 #ifndef SECCOMP_RET_KILL_PROCESS
44 #define SECCOMP_RET_KILL_PROCESS 0x80000000U
45 #endif
46 
47 // Define system call numbers for x86_64 that are referenced in the system call profile
48 // but not provided by the kernel headers used in the GUIX build.
49 // Usually, they can be found via "grep name /usr/include/x86_64-linux-gnu/asm/unistd_64.h"
50 
51 #ifndef __NR_clone3
52 #define __NR_clone3 435
53 #endif
54 
55 #ifndef __NR_statx
56 #define __NR_statx 332
57 #endif
58 
59 #ifndef __NR_getrandom
60 #define __NR_getrandom 318
61 #endif
62 
63 #ifndef __NR_membarrier
64 #define __NR_membarrier 324
65 #endif
66 
67 #ifndef __NR_copy_file_range
68 #define __NR_copy_file_range 326
69 #endif
70 
71 // This list of syscalls in LINUX_SYSCALLS is only used to map syscall numbers to syscall names in
72 // order to be able to print user friendly error messages which include the syscall name in addition
73 // to the syscall number.
74 //
75 // Example output in case of a syscall violation where the syscall is present in LINUX_SYSCALLS:
76 //
77 // ```
78 // 2021-06-09T12:34:56Z ERROR: The syscall "execve" (syscall number 59) is not allowed by the syscall sandbox in thread "msghand". Please report.
79 // ```
80 //
81 // Example output in case of a syscall violation where the syscall is not present in LINUX_SYSCALLS:
82 //
83 // ```
84 // 2021-06-09T12:34:56Z ERROR: The syscall "*unknown*" (syscall number 314) is not allowed by the syscall sandbox in thread "msghand". Please report.
85 // ``
86 //
87 // LINUX_SYSCALLS contains two types of syscalls:
88 // 1.) Syscalls that are present under all architectures or relevant Linux kernel versions for which
89 // we support the syscall sandbox feature (currently only Linux x86-64). Examples include read,
90 // write, open, close, etc.
91 // 2.) Syscalls that are present under a subset of architectures or relevant Linux kernel versions
92 // for which we support the syscall sandbox feature. This type of syscalls should be added to
93 // LINUX_SYSCALLS conditional on availability like in the following example:
94 // ...
95 // #if defined(__NR_arch_dependent_syscall)
96 // {__NR_arch_dependent_syscall, "arch_dependent_syscall"},
97 // #endif // defined(__NR_arch_dependent_syscall)
98 // ...
99 const std::map<uint32_t, std::string> LINUX_SYSCALLS{
100  {__NR_accept, "accept"},
101  {__NR_accept4, "accept4"},
102  {__NR_access, "access"},
103  {__NR_acct, "acct"},
104  {__NR_add_key, "add_key"},
105  {__NR_adjtimex, "adjtimex"},
106  {__NR_afs_syscall, "afs_syscall"},
107  {__NR_alarm, "alarm"},
108  {__NR_arch_prctl, "arch_prctl"},
109  {__NR_bind, "bind"},
110  {__NR_bpf, "bpf"},
111  {__NR_brk, "brk"},
112  {__NR_capget, "capget"},
113  {__NR_capset, "capset"},
114  {__NR_chdir, "chdir"},
115  {__NR_chmod, "chmod"},
116  {__NR_chown, "chown"},
117  {__NR_chroot, "chroot"},
118  {__NR_clock_adjtime, "clock_adjtime"},
119  {__NR_clock_getres, "clock_getres"},
120  {__NR_clock_gettime, "clock_gettime"},
121  {__NR_clock_nanosleep, "clock_nanosleep"},
122  {__NR_clock_settime, "clock_settime"},
123  {__NR_clone, "clone"},
124  {__NR_clone3, "clone3"},
125  {__NR_close, "close"},
126  {__NR_connect, "connect"},
127  {__NR_copy_file_range, "copy_file_range"},
128  {__NR_creat, "creat"},
129  {__NR_create_module, "create_module"},
130  {__NR_delete_module, "delete_module"},
131  {__NR_dup, "dup"},
132  {__NR_dup2, "dup2"},
133  {__NR_dup3, "dup3"},
134  {__NR_epoll_create, "epoll_create"},
135  {__NR_epoll_create1, "epoll_create1"},
136  {__NR_epoll_ctl, "epoll_ctl"},
137  {__NR_epoll_ctl_old, "epoll_ctl_old"},
138  {__NR_epoll_pwait, "epoll_pwait"},
139  {__NR_epoll_wait, "epoll_wait"},
140  {__NR_epoll_wait_old, "epoll_wait_old"},
141  {__NR_eventfd, "eventfd"},
142  {__NR_eventfd2, "eventfd2"},
143  {__NR_execve, "execve"},
144  {__NR_execveat, "execveat"},
145  {__NR_exit, "exit"},
146  {__NR_exit_group, "exit_group"},
147  {__NR_faccessat, "faccessat"},
148  {__NR_fadvise64, "fadvise64"},
149  {__NR_fallocate, "fallocate"},
150  {__NR_fanotify_init, "fanotify_init"},
151  {__NR_fanotify_mark, "fanotify_mark"},
152  {__NR_fchdir, "fchdir"},
153  {__NR_fchmod, "fchmod"},
154  {__NR_fchmodat, "fchmodat"},
155  {__NR_fchown, "fchown"},
156  {__NR_fchownat, "fchownat"},
157  {__NR_fcntl, "fcntl"},
158  {__NR_fdatasync, "fdatasync"},
159  {__NR_fgetxattr, "fgetxattr"},
160  {__NR_finit_module, "finit_module"},
161  {__NR_flistxattr, "flistxattr"},
162  {__NR_flock, "flock"},
163  {__NR_fork, "fork"},
164  {__NR_fremovexattr, "fremovexattr"},
165  {__NR_fsetxattr, "fsetxattr"},
166  {__NR_fstat, "fstat"},
167  {__NR_fstatfs, "fstatfs"},
168  {__NR_fsync, "fsync"},
169  {__NR_ftruncate, "ftruncate"},
170  {__NR_futex, "futex"},
171  {__NR_futimesat, "futimesat"},
172  {__NR_getcpu, "getcpu"},
173  {__NR_getcwd, "getcwd"},
174  {__NR_getdents, "getdents"},
175  {__NR_getdents64, "getdents64"},
176  {__NR_getegid, "getegid"},
177  {__NR_geteuid, "geteuid"},
178  {__NR_getgid, "getgid"},
179  {__NR_getgroups, "getgroups"},
180  {__NR_getitimer, "getitimer"},
181  {__NR_get_kernel_syms, "get_kernel_syms"},
182  {__NR_get_mempolicy, "get_mempolicy"},
183  {__NR_getpeername, "getpeername"},
184  {__NR_getpgid, "getpgid"},
185  {__NR_getpgrp, "getpgrp"},
186  {__NR_getpid, "getpid"},
187  {__NR_getpmsg, "getpmsg"},
188  {__NR_getppid, "getppid"},
189  {__NR_getpriority, "getpriority"},
190  {__NR_getrandom, "getrandom"},
191  {__NR_getresgid, "getresgid"},
192  {__NR_getresuid, "getresuid"},
193  {__NR_getrlimit, "getrlimit"},
194  {__NR_get_robust_list, "get_robust_list"},
195  {__NR_getrusage, "getrusage"},
196  {__NR_getsid, "getsid"},
197  {__NR_getsockname, "getsockname"},
198  {__NR_getsockopt, "getsockopt"},
199  {__NR_get_thread_area, "get_thread_area"},
200  {__NR_gettid, "gettid"},
201  {__NR_gettimeofday, "gettimeofday"},
202  {__NR_getuid, "getuid"},
203  {__NR_getxattr, "getxattr"},
204  {__NR_init_module, "init_module"},
205  {__NR_inotify_add_watch, "inotify_add_watch"},
206  {__NR_inotify_init, "inotify_init"},
207  {__NR_inotify_init1, "inotify_init1"},
208  {__NR_inotify_rm_watch, "inotify_rm_watch"},
209  {__NR_io_cancel, "io_cancel"},
210  {__NR_ioctl, "ioctl"},
211  {__NR_io_destroy, "io_destroy"},
212  {__NR_io_getevents, "io_getevents"},
213  {__NR_ioperm, "ioperm"},
214  {__NR_iopl, "iopl"},
215  {__NR_ioprio_get, "ioprio_get"},
216  {__NR_ioprio_set, "ioprio_set"},
217  {__NR_io_setup, "io_setup"},
218  {__NR_io_submit, "io_submit"},
219  {__NR_kcmp, "kcmp"},
220  {__NR_kexec_file_load, "kexec_file_load"},
221  {__NR_kexec_load, "kexec_load"},
222  {__NR_keyctl, "keyctl"},
223  {__NR_kill, "kill"},
224  {__NR_lchown, "lchown"},
225  {__NR_lgetxattr, "lgetxattr"},
226  {__NR_link, "link"},
227  {__NR_linkat, "linkat"},
228  {__NR_listen, "listen"},
229  {__NR_listxattr, "listxattr"},
230  {__NR_llistxattr, "llistxattr"},
231  {__NR_lookup_dcookie, "lookup_dcookie"},
232  {__NR_lremovexattr, "lremovexattr"},
233  {__NR_lseek, "lseek"},
234  {__NR_lsetxattr, "lsetxattr"},
235  {__NR_lstat, "lstat"},
236  {__NR_madvise, "madvise"},
237  {__NR_mbind, "mbind"},
238  {__NR_membarrier, "membarrier"},
239  {__NR_memfd_create, "memfd_create"},
240  {__NR_migrate_pages, "migrate_pages"},
241  {__NR_mincore, "mincore"},
242  {__NR_mkdir, "mkdir"},
243  {__NR_mkdirat, "mkdirat"},
244  {__NR_mknod, "mknod"},
245  {__NR_mknodat, "mknodat"},
246  {__NR_mlock, "mlock"},
247  {__NR_mlock2, "mlock2"},
248  {__NR_mlockall, "mlockall"},
249  {__NR_mmap, "mmap"},
250  {__NR_modify_ldt, "modify_ldt"},
251  {__NR_mount, "mount"},
252  {__NR_move_pages, "move_pages"},
253  {__NR_mprotect, "mprotect"},
254  {__NR_mq_getsetattr, "mq_getsetattr"},
255  {__NR_mq_notify, "mq_notify"},
256  {__NR_mq_open, "mq_open"},
257  {__NR_mq_timedreceive, "mq_timedreceive"},
258  {__NR_mq_timedsend, "mq_timedsend"},
259  {__NR_mq_unlink, "mq_unlink"},
260  {__NR_mremap, "mremap"},
261  {__NR_msgctl, "msgctl"},
262  {__NR_msgget, "msgget"},
263  {__NR_msgrcv, "msgrcv"},
264  {__NR_msgsnd, "msgsnd"},
265  {__NR_msync, "msync"},
266  {__NR_munlock, "munlock"},
267  {__NR_munlockall, "munlockall"},
268  {__NR_munmap, "munmap"},
269  {__NR_name_to_handle_at, "name_to_handle_at"},
270  {__NR_nanosleep, "nanosleep"},
271  {__NR_newfstatat, "newfstatat"},
272  {__NR_nfsservctl, "nfsservctl"},
273  {__NR_open, "open"},
274  {__NR_openat, "openat"},
275  {__NR_open_by_handle_at, "open_by_handle_at"},
276  {__NR_pause, "pause"},
277  {__NR_perf_event_open, "perf_event_open"},
278  {__NR_personality, "personality"},
279  {__NR_pipe, "pipe"},
280  {__NR_pipe2, "pipe2"},
281  {__NR_pivot_root, "pivot_root"},
282 #ifdef __NR_pkey_alloc
283  {__NR_pkey_alloc, "pkey_alloc"},
284 #endif
285 #ifdef __NR_pkey_free
286  {__NR_pkey_free, "pkey_free"},
287 #endif
288 #ifdef __NR_pkey_mprotect
289  {__NR_pkey_mprotect, "pkey_mprotect"},
290 #endif
291  {__NR_poll, "poll"},
292  {__NR_ppoll, "ppoll"},
293  {__NR_prctl, "prctl"},
294  {__NR_pread64, "pread64"},
295  {__NR_preadv, "preadv"},
296 #ifdef __NR_preadv2
297  {__NR_preadv2, "preadv2"},
298 #endif
299  {__NR_prlimit64, "prlimit64"},
300  {__NR_process_vm_readv, "process_vm_readv"},
301  {__NR_process_vm_writev, "process_vm_writev"},
302  {__NR_pselect6, "pselect6"},
303  {__NR_ptrace, "ptrace"},
304  {__NR_putpmsg, "putpmsg"},
305  {__NR_pwrite64, "pwrite64"},
306  {__NR_pwritev, "pwritev"},
307 #ifdef __NR_pwritev2
308  {__NR_pwritev2, "pwritev2"},
309 #endif
310  {__NR_query_module, "query_module"},
311  {__NR_quotactl, "quotactl"},
312  {__NR_read, "read"},
313  {__NR_readahead, "readahead"},
314  {__NR_readlink, "readlink"},
315  {__NR_readlinkat, "readlinkat"},
316  {__NR_readv, "readv"},
317  {__NR_reboot, "reboot"},
318  {__NR_recvfrom, "recvfrom"},
319  {__NR_recvmmsg, "recvmmsg"},
320  {__NR_recvmsg, "recvmsg"},
321  {__NR_remap_file_pages, "remap_file_pages"},
322  {__NR_removexattr, "removexattr"},
323  {__NR_rename, "rename"},
324  {__NR_renameat, "renameat"},
325  {__NR_renameat2, "renameat2"},
326  {__NR_request_key, "request_key"},
327  {__NR_restart_syscall, "restart_syscall"},
328  {__NR_rmdir, "rmdir"},
329  {__NR_rt_sigaction, "rt_sigaction"},
330  {__NR_rt_sigpending, "rt_sigpending"},
331  {__NR_rt_sigprocmask, "rt_sigprocmask"},
332  {__NR_rt_sigqueueinfo, "rt_sigqueueinfo"},
333  {__NR_rt_sigreturn, "rt_sigreturn"},
334  {__NR_rt_sigsuspend, "rt_sigsuspend"},
335  {__NR_rt_sigtimedwait, "rt_sigtimedwait"},
336  {__NR_rt_tgsigqueueinfo, "rt_tgsigqueueinfo"},
337  {__NR_sched_getaffinity, "sched_getaffinity"},
338  {__NR_sched_getattr, "sched_getattr"},
339  {__NR_sched_getparam, "sched_getparam"},
340  {__NR_sched_get_priority_max, "sched_get_priority_max"},
341  {__NR_sched_get_priority_min, "sched_get_priority_min"},
342  {__NR_sched_getscheduler, "sched_getscheduler"},
343  {__NR_sched_rr_get_interval, "sched_rr_get_interval"},
344  {__NR_sched_setaffinity, "sched_setaffinity"},
345  {__NR_sched_setattr, "sched_setattr"},
346  {__NR_sched_setparam, "sched_setparam"},
347  {__NR_sched_setscheduler, "sched_setscheduler"},
348  {__NR_sched_yield, "sched_yield"},
349  {__NR_seccomp, "seccomp"},
350  {__NR_security, "security"},
351  {__NR_select, "select"},
352  {__NR_semctl, "semctl"},
353  {__NR_semget, "semget"},
354  {__NR_semop, "semop"},
355  {__NR_semtimedop, "semtimedop"},
356  {__NR_sendfile, "sendfile"},
357  {__NR_sendmmsg, "sendmmsg"},
358  {__NR_sendmsg, "sendmsg"},
359  {__NR_sendto, "sendto"},
360  {__NR_setdomainname, "setdomainname"},
361  {__NR_setfsgid, "setfsgid"},
362  {__NR_setfsuid, "setfsuid"},
363  {__NR_setgid, "setgid"},
364  {__NR_setgroups, "setgroups"},
365  {__NR_sethostname, "sethostname"},
366  {__NR_setitimer, "setitimer"},
367  {__NR_set_mempolicy, "set_mempolicy"},
368  {__NR_setns, "setns"},
369  {__NR_setpgid, "setpgid"},
370  {__NR_setpriority, "setpriority"},
371  {__NR_setregid, "setregid"},
372  {__NR_setresgid, "setresgid"},
373  {__NR_setresuid, "setresuid"},
374  {__NR_setreuid, "setreuid"},
375  {__NR_setrlimit, "setrlimit"},
376  {__NR_set_robust_list, "set_robust_list"},
377  {__NR_setsid, "setsid"},
378  {__NR_setsockopt, "setsockopt"},
379  {__NR_set_thread_area, "set_thread_area"},
380  {__NR_set_tid_address, "set_tid_address"},
381  {__NR_settimeofday, "settimeofday"},
382  {__NR_setuid, "setuid"},
383  {__NR_setxattr, "setxattr"},
384  {__NR_shmat, "shmat"},
385  {__NR_shmctl, "shmctl"},
386  {__NR_shmdt, "shmdt"},
387  {__NR_shmget, "shmget"},
388  {__NR_shutdown, "shutdown"},
389  {__NR_sigaltstack, "sigaltstack"},
390  {__NR_signalfd, "signalfd"},
391  {__NR_signalfd4, "signalfd4"},
392  {__NR_socket, "socket"},
393  {__NR_socketpair, "socketpair"},
394  {__NR_splice, "splice"},
395  {__NR_stat, "stat"},
396  {__NR_statfs, "statfs"},
397  {__NR_statx, "statx"},
398  {__NR_swapoff, "swapoff"},
399  {__NR_swapon, "swapon"},
400  {__NR_symlink, "symlink"},
401  {__NR_symlinkat, "symlinkat"},
402  {__NR_sync, "sync"},
403  {__NR_sync_file_range, "sync_file_range"},
404  {__NR_syncfs, "syncfs"},
405  {__NR__sysctl, "_sysctl"},
406  {__NR_sysfs, "sysfs"},
407  {__NR_sysinfo, "sysinfo"},
408  {__NR_syslog, "syslog"},
409  {__NR_tee, "tee"},
410  {__NR_tgkill, "tgkill"},
411  {__NR_time, "time"},
412  {__NR_timer_create, "timer_create"},
413  {__NR_timer_delete, "timer_delete"},
414  {__NR_timerfd_create, "timerfd_create"},
415  {__NR_timerfd_gettime, "timerfd_gettime"},
416  {__NR_timerfd_settime, "timerfd_settime"},
417  {__NR_timer_getoverrun, "timer_getoverrun"},
418  {__NR_timer_gettime, "timer_gettime"},
419  {__NR_timer_settime, "timer_settime"},
420  {__NR_times, "times"},
421  {__NR_tkill, "tkill"},
422  {__NR_truncate, "truncate"},
423  {__NR_tuxcall, "tuxcall"},
424  {__NR_umask, "umask"},
425  {__NR_umount2, "umount2"},
426  {__NR_uname, "uname"},
427  {__NR_unlink, "unlink"},
428  {__NR_unlinkat, "unlinkat"},
429  {__NR_unshare, "unshare"},
430  {__NR_uselib, "uselib"},
431  {__NR_userfaultfd, "userfaultfd"},
432  {__NR_ustat, "ustat"},
433  {__NR_utime, "utime"},
434  {__NR_utimensat, "utimensat"},
435  {__NR_utimes, "utimes"},
436  {__NR_vfork, "vfork"},
437  {__NR_vhangup, "vhangup"},
438  {__NR_vmsplice, "vmsplice"},
439  {__NR_vserver, "vserver"},
440  {__NR_wait4, "wait4"},
441  {__NR_waitid, "waitid"},
442  {__NR_write, "write"},
443  {__NR_writev, "writev"},
444 };
445 
446 std::string GetLinuxSyscallName(uint32_t syscall_number)
447 {
448  const auto element = LINUX_SYSCALLS.find(syscall_number);
449  if (element != LINUX_SYSCALLS.end()) {
450  return element->second;
451  }
452  return "*unknown*";
453 }
454 
455 // See Linux kernel developer Kees Cook's seccomp guide at <https://outflux.net/teach-seccomp/> for
456 // an accessible introduction to using seccomp.
457 //
458 // This function largely follows <https://outflux.net/teach-seccomp/step-3/syscall-reporter.c> and
459 // <https://outflux.net/teach-seccomp/step-3/seccomp-bpf.h>.
460 //
461 // Seccomp BPF resources:
462 // * Seccomp BPF documentation: <https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html>
463 // * seccomp(2) manual page: <https://www.kernel.org/doc/man-pages/online/pages/man2/seccomp.2.html>
464 // * Seccomp BPF demo code samples: <https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/samples/seccomp>
465 void SyscallSandboxDebugSignalHandler(int, siginfo_t* signal_info, void* void_signal_context)
466 {
467  // The si_code field inside the siginfo_t argument that is passed to a SA_SIGINFO signal handler
468  // is a value indicating why the signal was sent.
469  //
470  // The following value can be placed in si_code for a SIGSYS signal:
471  // * SYS_SECCOMP (since Linux 3.5): Triggered by a seccomp(2) filter rule.
472  constexpr int32_t SYS_SECCOMP_SI_CODE{1};
473  assert(signal_info->si_code == SYS_SECCOMP_SI_CODE);
474 
475  // The ucontext_t structure contains signal context information that was saved on the user-space
476  // stack by the kernel.
477  const ucontext_t* signal_context = static_cast<ucontext_t*>(void_signal_context);
478  assert(signal_context != nullptr);
479 
480  std::set_new_handler(std::terminate);
481  // Portability note: REG_RAX is Linux x86_64 specific.
482  const uint32_t syscall_number = static_cast<uint32_t>(signal_context->uc_mcontext.gregs[REG_RAX]);
483  const std::string syscall_name = GetLinuxSyscallName(syscall_number);
484  const std::string thread_name = !util::ThreadGetInternalName().empty() ? util::ThreadGetInternalName() : "*unnamed*";
485  const std::string error_message = strprintf("ERROR: The syscall \"%s\" (syscall number %d) is not allowed by the syscall sandbox in thread \"%s\". Please report.", syscall_name, syscall_number, thread_name);
486  tfm::format(std::cerr, "%s\n", error_message);
487  LogPrintf("%s\n", error_message);
488  std::terminate();
489 }
490 
491 // This function largely follows install_syscall_reporter from Kees Cook's seccomp guide:
492 // <https://outflux.net/teach-seccomp/step-3/syscall-reporter.c>
493 bool SetupSyscallSandboxDebugHandler()
494 {
495  struct sigaction action = {};
496  sigset_t mask;
497  sigemptyset(&mask);
498  sigaddset(&mask, SIGSYS);
499  action.sa_sigaction = &SyscallSandboxDebugSignalHandler;
500  action.sa_flags = SA_SIGINFO;
501  if (sigaction(SIGSYS, &action, nullptr) < 0) {
502  return false;
503  }
504  if (sigprocmask(SIG_UNBLOCK, &mask, nullptr)) {
505  return false;
506  }
507  return true;
508 }
509 
510 enum class SyscallSandboxAction {
511  KILL_PROCESS,
512  INVOKE_SIGNAL_HANDLER,
513 };
514 
515 class SeccompPolicyBuilder
516 {
517  std::set<uint32_t> allowed_syscalls;
518 
519 public:
520  SeccompPolicyBuilder()
521  {
522  // Allowed by default.
523  AllowAddressSpaceAccess();
524  AllowEpoll();
525  AllowEventFd();
526  AllowFutex();
527  AllowGeneralIo();
528  AllowGetRandom();
529  AllowGetSimpleId();
530  AllowGetTime();
531  AllowGlobalProcessEnvironment();
532  AllowGlobalSystemStatus();
533  AllowKernelInternalApi();
534  AllowNetworkSocketInformation();
535  AllowOperationOnExistingFileDescriptor();
536  AllowPipe();
537  AllowPrctl();
538  AllowProcessStartOrDeath();
539  AllowScheduling();
540  AllowSignalHandling();
541  AllowSleep();
542  AllowUmask();
543  }
544 
545  void AllowAddressSpaceAccess()
546  {
547  allowed_syscalls.insert(__NR_brk); // change data segment size
548  allowed_syscalls.insert(__NR_madvise); // give advice about use of memory
549  allowed_syscalls.insert(__NR_membarrier); // issue memory barriers on a set of threads
550  allowed_syscalls.insert(__NR_mincore); // check if virtual memory is in RAM
551  allowed_syscalls.insert(__NR_mlock); // lock memory
552  allowed_syscalls.insert(__NR_mmap); // map files or devices into memory
553  allowed_syscalls.insert(__NR_mprotect); // set protection on a region of memory
554  allowed_syscalls.insert(__NR_mremap); // remap a file in memory
555  allowed_syscalls.insert(__NR_munlock); // unlock memory
556  allowed_syscalls.insert(__NR_munmap); // unmap files or devices into memory
557  }
558 
559  void AllowEpoll()
560  {
561  allowed_syscalls.insert(__NR_epoll_create1); // open an epoll file descriptor
562  allowed_syscalls.insert(__NR_epoll_ctl); // control interface for an epoll file descriptor
563  allowed_syscalls.insert(__NR_epoll_pwait); // wait for an I/O event on an epoll file descriptor
564  allowed_syscalls.insert(__NR_epoll_wait); // wait for an I/O event on an epoll file descriptor
565  }
566 
567  void AllowEventFd()
568  {
569  allowed_syscalls.insert(__NR_eventfd2); // create a file descriptor for event notification
570  }
571 
572  void AllowFileSystem()
573  {
574  allowed_syscalls.insert(__NR_access); // check user's permissions for a file
575  allowed_syscalls.insert(__NR_chdir); // change working directory
576  allowed_syscalls.insert(__NR_chmod); // change permissions of a file
577  allowed_syscalls.insert(__NR_copy_file_range); // copy a range of data from one file to another
578  allowed_syscalls.insert(__NR_fallocate); // manipulate file space
579  allowed_syscalls.insert(__NR_fchmod); // change permissions of a file
580  allowed_syscalls.insert(__NR_fchown); // change ownership of a file
581  allowed_syscalls.insert(__NR_fdatasync); // synchronize a file's in-core state with storage device
582  allowed_syscalls.insert(__NR_flock); // apply or remove an advisory lock on an open file
583  allowed_syscalls.insert(__NR_fstat); // get file status
584  allowed_syscalls.insert(__NR_newfstatat); // get file status
585  allowed_syscalls.insert(__NR_fsync); // synchronize a file's in-core state with storage device
586  allowed_syscalls.insert(__NR_ftruncate); // truncate a file to a specified length
587  allowed_syscalls.insert(__NR_getcwd); // get current working directory
588  allowed_syscalls.insert(__NR_getdents); // get directory entries
589  allowed_syscalls.insert(__NR_getdents64); // get directory entries
590  allowed_syscalls.insert(__NR_lstat); // get file status
591  allowed_syscalls.insert(__NR_mkdir); // create a directory
592  allowed_syscalls.insert(__NR_open); // open and possibly create a file
593  allowed_syscalls.insert(__NR_openat); // open and possibly create a file
594  allowed_syscalls.insert(__NR_readlink); // read value of a symbolic link
595  allowed_syscalls.insert(__NR_rename); // change the name or location of a file
596  allowed_syscalls.insert(__NR_rmdir); // delete a directory
597  allowed_syscalls.insert(__NR_stat); // get file status
598  allowed_syscalls.insert(__NR_statfs); // get filesystem statistics
599  allowed_syscalls.insert(__NR_statx); // get file status (extended)
600  allowed_syscalls.insert(__NR_unlink); // delete a name and possibly the file it refers to
601  }
602 
603  void AllowFutex()
604  {
605  allowed_syscalls.insert(__NR_futex); // fast user-space locking
606  allowed_syscalls.insert(__NR_set_robust_list); // set list of robust futexes
607  }
608 
609  void AllowGeneralIo()
610  {
611  allowed_syscalls.insert(__NR_ioctl); // control device
612  allowed_syscalls.insert(__NR_lseek); // reposition read/write file offset
613  allowed_syscalls.insert(__NR_poll); // wait for some event on a file descriptor
614  allowed_syscalls.insert(__NR_ppoll); // wait for some event on a file descriptor
615  allowed_syscalls.insert(__NR_pread64); // read from a file descriptor at a given offset
616  allowed_syscalls.insert(__NR_pwrite64); // write to a file descriptor at a given offset
617  allowed_syscalls.insert(__NR_read); // read from a file descriptor
618  allowed_syscalls.insert(__NR_readv); // read data into multiple buffers
619  allowed_syscalls.insert(__NR_recvfrom); // receive a message from a socket
620  allowed_syscalls.insert(__NR_recvmsg); // receive a message from a socket
621  allowed_syscalls.insert(__NR_select); // synchronous I/O multiplexing
622  allowed_syscalls.insert(__NR_sendmmsg); // send multiple messages on a socket
623  allowed_syscalls.insert(__NR_sendmsg); // send a message on a socket
624  allowed_syscalls.insert(__NR_sendto); // send a message on a socket
625  allowed_syscalls.insert(__NR_write); // write to a file descriptor
626  allowed_syscalls.insert(__NR_writev); // write data into multiple buffers
627  }
628 
629  void AllowGetRandom()
630  {
631  allowed_syscalls.insert(__NR_getrandom); // obtain a series of random bytes
632  }
633 
634  void AllowGetSimpleId()
635  {
636  allowed_syscalls.insert(__NR_getegid); // get group identity
637  allowed_syscalls.insert(__NR_geteuid); // get user identity
638  allowed_syscalls.insert(__NR_getgid); // get group identity
639  allowed_syscalls.insert(__NR_getpgid); // get process group
640  allowed_syscalls.insert(__NR_getpid); // get process identification
641  allowed_syscalls.insert(__NR_getppid); // get process identification
642  allowed_syscalls.insert(__NR_getresgid); // get real, effective and saved group IDs
643  allowed_syscalls.insert(__NR_getresuid); // get real, effective and saved user IDs
644  allowed_syscalls.insert(__NR_getsid); // get session ID
645  allowed_syscalls.insert(__NR_gettid); // get thread identification
646  allowed_syscalls.insert(__NR_getuid); // get user identity
647  }
648 
649  void AllowGetTime()
650  {
651  allowed_syscalls.insert(__NR_clock_getres); // find the resolution (precision) of the specified clock
652  allowed_syscalls.insert(__NR_clock_gettime); // retrieve the time of the specified clock
653  }
654 
655  void AllowGlobalProcessEnvironment()
656  {
657  allowed_syscalls.insert(__NR_getrlimit); // get resource limits
658  allowed_syscalls.insert(__NR_getrusage); // get resource usage
659  allowed_syscalls.insert(__NR_prlimit64); // get/set resource limits
660  }
661 
662  void AllowGlobalSystemStatus()
663  {
664  allowed_syscalls.insert(__NR_sysinfo); // return system information
665  allowed_syscalls.insert(__NR_uname); // get name and information about current kernel
666  }
667 
668  void AllowKernelInternalApi()
669  {
670  allowed_syscalls.insert(__NR_restart_syscall); // restart a system call after interruption by a stop signal
671  }
672 
673  void AllowNetwork()
674  {
675  allowed_syscalls.insert(__NR_accept); // accept a connection on a socket
676  allowed_syscalls.insert(__NR_accept4); // accept a connection on a socket
677  allowed_syscalls.insert(__NR_bind); // bind a name to a socket
678  allowed_syscalls.insert(__NR_connect); // initiate a connection on a socket
679  allowed_syscalls.insert(__NR_listen); // listen for connections on a socket
680  allowed_syscalls.insert(__NR_setsockopt); // set options on sockets
681  allowed_syscalls.insert(__NR_socket); // create an endpoint for communication
682  allowed_syscalls.insert(__NR_socketpair); // create a pair of connected sockets
683  }
684 
685  void AllowNetworkSocketInformation()
686  {
687  allowed_syscalls.insert(__NR_getpeername); // get name of connected peer socket
688  allowed_syscalls.insert(__NR_getsockname); // get socket name
689  allowed_syscalls.insert(__NR_getsockopt); // get options on sockets
690  }
691 
692  void AllowOperationOnExistingFileDescriptor()
693  {
694  allowed_syscalls.insert(__NR_close); // close a file descriptor
695  allowed_syscalls.insert(__NR_dup); // duplicate a file descriptor
696  allowed_syscalls.insert(__NR_dup2); // duplicate a file descriptor
697  allowed_syscalls.insert(__NR_fcntl); // manipulate file descriptor
698  allowed_syscalls.insert(__NR_shutdown); // shut down part of a full-duplex connection
699  }
700 
701  void AllowPipe()
702  {
703  allowed_syscalls.insert(__NR_pipe); // create pipe
704  allowed_syscalls.insert(__NR_pipe2); // create pipe
705  }
706 
707  void AllowPrctl()
708  {
709  allowed_syscalls.insert(__NR_arch_prctl); // set architecture-specific thread state
710  allowed_syscalls.insert(__NR_prctl); // operations on a process
711  }
712 
713  void AllowProcessStartOrDeath()
714  {
715  allowed_syscalls.insert(__NR_clone); // create a child process
716  allowed_syscalls.insert(__NR_clone3); // create a child process
717  allowed_syscalls.insert(__NR_exit); // terminate the calling process
718  allowed_syscalls.insert(__NR_exit_group); // exit all threads in a process
719  allowed_syscalls.insert(__NR_fork); // create a child process
720  allowed_syscalls.insert(__NR_tgkill); // send a signal to a thread
721  allowed_syscalls.insert(__NR_wait4); // wait for process to change state, BSD style
722  }
723 
724  void AllowScheduling()
725  {
726  allowed_syscalls.insert(__NR_sched_getaffinity); // set a thread's CPU affinity mask
727  allowed_syscalls.insert(__NR_sched_getparam); // get scheduling parameters
728  allowed_syscalls.insert(__NR_sched_getscheduler); // get scheduling policy/parameters
729  allowed_syscalls.insert(__NR_sched_setscheduler); // set scheduling policy/parameters
730  allowed_syscalls.insert(__NR_sched_yield); // yield the processor
731  }
732 
733  void AllowSignalHandling()
734  {
735  allowed_syscalls.insert(__NR_rt_sigaction); // examine and change a signal action
736  allowed_syscalls.insert(__NR_rt_sigprocmask); // examine and change blocked signals
737  allowed_syscalls.insert(__NR_rt_sigreturn); // return from signal handler and cleanup stack frame
738  allowed_syscalls.insert(__NR_sigaltstack); // set and/or get signal stack context
739  }
740 
741  void AllowSleep()
742  {
743  allowed_syscalls.insert(__NR_clock_nanosleep); // high-resolution sleep with specifiable clock
744  allowed_syscalls.insert(__NR_nanosleep); // high-resolution sleep
745  }
746 
747  void AllowUmask()
748  {
749  allowed_syscalls.insert(__NR_umask); // set file mode creation mask
750  }
751 
752  // See Linux kernel developer Kees Cook's seccomp guide at <https://outflux.net/teach-seccomp/>
753  // for an accessible introduction to using seccomp.
754  //
755  // This function largely follows <https://outflux.net/teach-seccomp/step-3/seccomp-bpf.h>.
756  std::vector<sock_filter> BuildFilter(SyscallSandboxAction default_action)
757  {
758  std::vector<sock_filter> bpf_policy;
759  // See VALIDATE_ARCHITECTURE in seccomp-bpf.h referenced above.
760  bpf_policy.push_back(BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, arch)));
761  // Portability note: AUDIT_ARCH_X86_64 is Linux x86_64 specific.
762  bpf_policy.push_back(BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, AUDIT_ARCH_X86_64, 1, 0));
763  bpf_policy.push_back(BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_KILL_PROCESS));
764  // See EXAMINE_SYSCALL in seccomp-bpf.h referenced above.
765  bpf_policy.push_back(BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr)));
766  for (const uint32_t allowed_syscall : allowed_syscalls) {
767  // See ALLOW_SYSCALL in seccomp-bpf.h referenced above.
768  bpf_policy.push_back(BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, allowed_syscall, 0, 1));
769  bpf_policy.push_back(BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW));
770  }
771  switch (default_action) {
772  case SyscallSandboxAction::KILL_PROCESS:
773  // Disallow syscall and kill the process.
774  //
775  // See KILL_PROCESS in seccomp-bpf.h referenced above.
776  //
777  // Note that we're using SECCOMP_RET_KILL_PROCESS (kill the process) instead
778  // of SECCOMP_RET_KILL_THREAD (kill the thread). The SECCOMP_RET_KILL_PROCESS
779  // action was introduced in Linux 4.14.
780  //
781  // SECCOMP_RET_KILL_PROCESS: Results in the entire process exiting immediately without
782  // executing the system call.
783  //
784  // SECCOMP_RET_KILL_PROCESS documentation:
785  // <https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html>
786  bpf_policy.push_back(BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_KILL_PROCESS));
787  break;
788  case SyscallSandboxAction::INVOKE_SIGNAL_HANDLER:
789  // Disallow syscall and force a SIGSYS to trigger syscall debug reporter.
790  //
791  // SECCOMP_RET_TRAP: Results in the kernel sending a SIGSYS signal to the triggering
792  // task without executing the system call.
793  //
794  // SECCOMP_RET_TRAP documentation:
795  // <https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html>
796  bpf_policy.push_back(BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_TRAP));
797  break;
798  }
799  return bpf_policy;
800  }
801 };
802 } // namespace
803 
804 bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating)
805 {
806  assert(!g_syscall_sandbox_enabled && "SetupSyscallSandbox(...) should only be called once.");
807  g_syscall_sandbox_enabled = true;
808  g_syscall_sandbox_log_violation_before_terminating = log_syscall_violation_before_terminating;
809  if (log_syscall_violation_before_terminating) {
810  if (!SetupSyscallSandboxDebugHandler()) {
811  return false;
812  }
813  }
815  return true;
816 }
817 
818 void TestDisallowedSandboxCall()
819 {
820  // The getgroups syscall is assumed NOT to be allowed by the syscall sandbox policy.
821  std::array<gid_t, 1> groups;
822  [[maybe_unused]] int32_t ignored = getgroups(groups.size(), groups.data());
823 }
824 #endif // defined(USE_SYSCALL_SANDBOX)
825 
827 {
828 #if defined(USE_SYSCALL_SANDBOX)
829  if (!g_syscall_sandbox_enabled) {
830  return;
831  }
832  SeccompPolicyBuilder seccomp_policy_builder;
833  switch (syscall_policy) {
834  case SyscallSandboxPolicy::INITIALIZATION: // Thread: main thread (state: init)
835  // SyscallSandboxPolicy::INITIALIZATION is the first policy loaded.
836  //
837  // Subsequently loaded policies can reduce the abilities further, but
838  // abilities can never be regained.
839  //
840  // SyscallSandboxPolicy::INITIALIZATION must thus be a superset of all
841  // other policies.
842  seccomp_policy_builder.AllowFileSystem();
843  seccomp_policy_builder.AllowNetwork();
844  break;
845  case SyscallSandboxPolicy::INITIALIZATION_DNS_SEED: // Thread: dnsseed
846  seccomp_policy_builder.AllowFileSystem();
847  seccomp_policy_builder.AllowNetwork();
848  break;
849  case SyscallSandboxPolicy::INITIALIZATION_LOAD_BLOCKS: // Thread: loadblk
850  seccomp_policy_builder.AllowFileSystem();
851  break;
852  case SyscallSandboxPolicy::INITIALIZATION_MAP_PORT: // Thread: mapport
853  seccomp_policy_builder.AllowFileSystem();
854  seccomp_policy_builder.AllowNetwork();
855  break;
856  case SyscallSandboxPolicy::MESSAGE_HANDLER: // Thread: msghand
857  seccomp_policy_builder.AllowFileSystem();
858  break;
859  case SyscallSandboxPolicy::NET: // Thread: net
860  seccomp_policy_builder.AllowFileSystem();
861  seccomp_policy_builder.AllowNetwork();
862  break;
863  case SyscallSandboxPolicy::NET_ADD_CONNECTION: // Thread: addcon
864  seccomp_policy_builder.AllowFileSystem();
865  seccomp_policy_builder.AllowNetwork();
866  break;
867  case SyscallSandboxPolicy::NET_HTTP_SERVER: // Thread: http
868  seccomp_policy_builder.AllowFileSystem();
869  seccomp_policy_builder.AllowNetwork();
870  break;
871  case SyscallSandboxPolicy::NET_HTTP_SERVER_WORKER: // Thread: httpworker.<N>
872  seccomp_policy_builder.AllowFileSystem();
873  seccomp_policy_builder.AllowNetwork();
874  break;
875  case SyscallSandboxPolicy::NET_OPEN_CONNECTION: // Thread: opencon
876  seccomp_policy_builder.AllowFileSystem();
877  seccomp_policy_builder.AllowNetwork();
878  break;
879  case SyscallSandboxPolicy::SCHEDULER: // Thread: scheduler
880  seccomp_policy_builder.AllowFileSystem();
881  break;
882  case SyscallSandboxPolicy::TOR_CONTROL: // Thread: torcontrol
883  seccomp_policy_builder.AllowFileSystem();
884  seccomp_policy_builder.AllowNetwork();
885  break;
886  case SyscallSandboxPolicy::TX_INDEX: // Thread: txindex
887  seccomp_policy_builder.AllowFileSystem();
888  break;
889  case SyscallSandboxPolicy::VALIDATION_SCRIPT_CHECK: // Thread: scriptch.<N>
890  break;
891  case SyscallSandboxPolicy::SHUTOFF: // Thread: main thread (state: shutoff)
892  seccomp_policy_builder.AllowFileSystem();
893  break;
894  }
895 
896  const SyscallSandboxAction default_action = g_syscall_sandbox_log_violation_before_terminating ? SyscallSandboxAction::INVOKE_SIGNAL_HANDLER : SyscallSandboxAction::KILL_PROCESS;
897  std::vector<sock_filter> filter = seccomp_policy_builder.BuildFilter(default_action);
898  const sock_fprog prog = {
899  .len = static_cast<uint16_t>(filter.size()),
900  .filter = filter.data(),
901  };
902  // Do not allow abilities to be regained after being dropped.
903  //
904  // PR_SET_NO_NEW_PRIVS documentation: <https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html>
905  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
906  throw std::runtime_error("Syscall sandbox enforcement failed: prctl(PR_SET_NO_NEW_PRIVS)");
907  }
908  // Install seccomp-bpf syscall filter.
909  //
910  // PR_SET_SECCOMP documentation: <https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html>
911  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
912  throw std::runtime_error("Syscall sandbox enforcement failed: prctl(PR_SET_SECCOMP)");
913  }
914 
915  const std::string thread_name = !util::ThreadGetInternalName().empty() ? util::ThreadGetInternalName() : "*unnamed*";
916  LogPrint(BCLog::UTIL, "Syscall filter installed for thread \"%s\"\n", thread_name);
917 #endif // defined(USE_SYSCALL_SANDBOX)
918 }
SyscallSandboxPolicy::INITIALIZATION_DNS_SEED
@ INITIALIZATION_DNS_SEED
assert
assert(!tx.IsCoinBase())
tinyformat::format
void format(std::ostream &out, const char *fmt, const Args &... args)
Format list of arguments to the stream according to given format string.
Definition: tinyformat.h:1062
SyscallSandboxPolicy::NET_OPEN_CONNECTION
@ NET_OPEN_CONNECTION
SyscallSandboxPolicy::TOR_CONTROL
@ TOR_CONTROL
SyscallSandboxPolicy::NET_ADD_CONNECTION
@ NET_ADD_CONNECTION
bitcoin-config.h
SyscallSandboxPolicy::VALIDATION_SCRIPT_CHECK
@ VALIDATION_SCRIPT_CHECK
SyscallSandboxPolicy::NET_HTTP_SERVER
@ NET_HTTP_SERVER
SyscallSandboxPolicy::INITIALIZATION
@ INITIALIZATION
tinyformat.h
SyscallSandboxPolicy::INITIALIZATION_MAP_PORT
@ INITIALIZATION_MAP_PORT
syscall_sandbox.h
util::ThreadGetInternalName
const std::string & ThreadGetInternalName()
Get the thread's internal (in-memory) name; used e.g.
Definition: threadnames.cpp:53
LogPrintf
#define LogPrintf(...)
Definition: logging.h:187
SetSyscallSandboxPolicy
void SetSyscallSandboxPolicy(SyscallSandboxPolicy syscall_policy)
Force the current thread (and threads created from the current thread) into a restricted-service oper...
Definition: syscall_sandbox.cpp:826
BCLog::UTIL
@ UTIL
Definition: logging.h:63
SyscallSandboxPolicy::SHUTOFF
@ SHUTOFF
LogPrint
#define LogPrint(category,...)
Definition: logging.h:191
SyscallSandboxPolicy
SyscallSandboxPolicy
Definition: syscall_sandbox.h:8
strprintf
#define strprintf
Format arguments and return the string or write to given std::ostream (see tinyformat::format doc for...
Definition: tinyformat.h:1164
SyscallSandboxPolicy::MESSAGE_HANDLER
@ MESSAGE_HANDLER
SyscallSandboxPolicy::NET_HTTP_SERVER_WORKER
@ NET_HTTP_SERVER_WORKER
SyscallSandboxPolicy::INITIALIZATION_LOAD_BLOCKS
@ INITIALIZATION_LOAD_BLOCKS
SyscallSandboxPolicy::NET
@ NET
SyscallSandboxPolicy::SCHEDULER
@ SCHEDULER
SyscallSandboxPolicy::TX_INDEX
@ TX_INDEX
threadnames.h