diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2022-02-07 21:11:37 +0100 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2022-02-21 13:41:13 +0100 |
commit | 0515adceaa8f69a1d85ae3c8c550c37dd49b0c47 (patch) | |
tree | 6ca9be64f2fa252da4ffdbe4c591778eb06b7b4a /passt.c | |
parent | fcc3db78cd5fdf1b02e2339b722512b97998f28f (diff) | |
download | passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar.gz passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar.bz2 passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar.lz passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar.xz passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar.zst passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.zip |
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'passt.c')
-rw-r--r-- | passt.c | 126 |
1 files changed, 79 insertions, 47 deletions
@@ -30,7 +30,9 @@ #include <sys/mman.h> #include <sys/resource.h> #include <sys/uio.h> +#include <sys/syscall.h> #include <sys/wait.h> +#include <sys/mount.h> #include <netinet/ip.h> #include <net/ethernet.h> #include <stdlib.h> @@ -53,7 +55,6 @@ #include <linux/seccomp.h> #include <linux/audit.h> #include <linux/filter.h> -#include <linux/capability.h> #include <linux/icmpv6.h> #include "util.h" @@ -228,42 +229,61 @@ static void check_root(void) } /** - * drop_caps() - Drop capabilities we might have except for CAP_NET_BIND_SERVICE + * sandbox() - Unshare IPC, mount, PID, UTS, and user namespaces, "unmount" root + * + * Return: negative error code on failure, zero on success */ -static void drop_caps(void) +static int sandbox(struct ctx *c) { - int i; + int flags = CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWUTS; - for (i = 0; i < 64; i++) { - if (i == CAP_NET_BIND_SERVICE) - continue; + errno = 0; - prctl(PR_CAPBSET_DROP, i, 0, 0, 0); + if (!c->netns_only) { + if (c->pasta_userns_fd == -1) + flags |= CLONE_NEWUSER; + else + setns(c->pasta_userns_fd, CLONE_NEWUSER); } -} -/** - * pid_file() - Write own PID to file, if configured - * @c: Execution context - */ -static void pid_file(struct ctx *c) { - char pid_buf[12]; - int pid_fd, n; + c->pasta_userns_fd = -1; - if (!*c->pid_file) - return; + /* If we run in foreground, we have no chance to actually move to a new + * PID namespace. For passt, use CLONE_NEWPID anyway, in case somebody + * ever gets around seccomp profiles -- there's no harm in passing it. + */ + if (!c->foreground || c->mode == MODE_PASST) + flags |= CLONE_NEWPID; - pid_fd = open(c->pid_file, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); - if (pid_fd < 0) - return; + unshare(flags); - n = snprintf(pid_buf, sizeof(pid_buf), "%i\n", getpid()); + mount("", "/", "", MS_UNBINDABLE | MS_REC, NULL); + mount("", TMPDIR, "tmpfs", MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, + "nr_inodes=2,nr_blocks=0"); + chdir(TMPDIR); + syscall(SYS_pivot_root, ".", "."); + umount2(".", MNT_DETACH | UMOUNT_NOFOLLOW); - if (write(pid_fd, pid_buf, n) < 0) { - perror("PID file write"); - exit(EXIT_FAILURE); - } - close(pid_fd); + if (errno) + return -errno; + + drop_caps(); /* Relative to the new user namespace this time. */ + + return 0; +} + +/** + * exit_handler() - Signal handler for SIGQUIT and SIGTERM + * @unused: Unused, handler deals with SIGQUIT and SIGTERM only + * + * TODO: After unsharing the PID namespace and forking, SIG_DFL for SIGTERM and + * SIGQUIT unexpectedly doesn't cause the process to terminate, figure out why. + */ +void exit_handler(int signal) +{ + (void)signal; + + exit(EXIT_SUCCESS); } /** @@ -273,36 +293,36 @@ static void pid_file(struct ctx *c) { * * Return: non-zero on failure * - * #syscalls read write open|openat close fork|clone dup2|dup3 ioctl writev - * #syscalls socket bind connect getsockopt setsockopt recvfrom sendto shutdown - * #syscalls accept4 accept listen set_robust_list getrlimit setrlimit - * #syscalls openat fcntl lseek clone setsid exit exit_group getpid chdir - * #syscalls epoll_ctl epoll_create1 epoll_wait|epoll_pwait epoll_pwait - * #syscalls prlimit64 clock_gettime fstat|newfstat newfstatat syslog - * #syscalls ppc64le:_llseek ppc64le:recv ppc64le:send ppc64le:getuid - * #syscalls ppc64:_llseek ppc64:recv ppc64:send ppc64:getuid ppc64:ugetrlimit - * #syscalls s390x:socketcall s390x:sigreturn - * #syscalls:pasta rt_sigreturn|sigreturn ppc64:sigreturn ppc64:fcntl64 + * #syscalls read write writev + * #syscalls socket bind connect getsockopt setsockopt s390x:socketcall close + * #syscalls recvfrom sendto shutdown ppc64le:recv ppc64le:send + * #syscalls accept4|accept listen + * #syscalls epoll_ctl epoll_wait|epoll_pwait epoll_pwait clock_gettime */ int main(int argc, char **argv) { + int nfds, i, devnull_fd = -1, pidfile_fd = -1; struct epoll_event events[EPOLL_EVENTS]; struct ctx c = { 0 }; struct rlimit limit; struct timespec now; + struct sigaction sa; char *log_name; - int nfds, i; #ifndef PASST_LEGACY_NO_OPTIONS check_root(); #endif drop_caps(); - if (strstr(argv[0], "pasta") || strstr(argv[0], "passt4netns")) { - struct sigaction sa; + c.pasta_userns_fd = c.pasta_netns_fd = c.fd_tap = c.fd_tap_listen = -1; + + sigemptyset(&sa.sa_mask); + sa.sa_flags = 0; + sa.sa_handler = exit_handler; + sigaction(SIGTERM, &sa, NULL); + sigaction(SIGQUIT, &sa, NULL); - sigemptyset(&sa.sa_mask); - sa.sa_flags = 0; + if (strstr(argv[0], "pasta") || strstr(argv[0], "passt4netns")) { sa.sa_handler = pasta_child_handler; sigaction(SIGCHLD, &sa, NULL); signal(SIGPIPE, SIG_IGN); @@ -323,8 +343,6 @@ int main(int argc, char **argv) conf(&c, argc, argv); - seccomp(&c); - if (!c.debug && (c.stderr || isatty(fileno(stdout)))) __openlog(log_name, LOG_PERROR, LOG_DAEMON); @@ -369,12 +387,26 @@ int main(int argc, char **argv) else __setlogmask(LOG_UPTO(LOG_INFO)); - if (!c.foreground && daemon(0, 0)) { - perror("daemon"); + pcap_init(&c); + + if (!c.foreground) + devnull_fd = open("/dev/null", O_RDWR); + + if (*c.pid_file) + pidfile_fd = open(c.pid_file, + O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); + + if (sandbox(&c)) { + err("Failed to sandbox process, exiting\n"); exit(EXIT_FAILURE); } - pid_file(&c); + if (!c.foreground) + __daemon(pidfile_fd, devnull_fd); + else + write_pidfile(pidfile_fd, getpid()); + + seccomp(&c); timer_init(&c, &now); loop: |