/* * Part of Very Secure FTPd * Licence: GPL v2 * Author: Chris Evans * ptracesandbox.c * * Generic routines to setup and run a process under a restrictive ptrace() * based sandbox. * Note that the style in this file is to not go via the helper functions in * sysutil.c, but instead hit the system APIs directly. This is because I may * very well release just this file to the public domain, and do not want * dependencies on other parts of vsftpd. */ #include "ptracesandbox.h" #if defined(__linux__) && defined(__i386__) #include #include #include /* For AF_MAX (NPROTO is defined to this) */ #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_sendfile64 #define __NR_sendfile64 239 #endif #ifndef __NR_exit_group #define __NR_exit_group 252 #endif #ifndef __NR_utimes #define __NR_utimes 271 #endif /* For the socketcall() multiplex args. */ #include #ifndef PTRACE_SETOPTIONS #define PTRACE_SETOPTIONS 0x4200 #endif #ifndef PTRACE_O_TRACESYSGOOD #define PTRACE_O_TRACESYSGOOD 1 #endif #ifndef PTRACE_O_TRACEFORK #define PTRACE_O_TRACEFORK 2 #endif #ifndef PTRACE_O_TRACEVFORK #define PTRACE_O_TRACEVFORK 4 #endif #ifndef PTRACE_O_TRACECLONE #define PTRACE_O_TRACECLONE 8 #endif #ifndef O_DIRECT #define O_DIRECT 040000 #endif static void sanitize_child(); static int get_action(struct pt_sandbox* p_sandbox); static int validate_mmap2(struct pt_sandbox* p_sandbox, void* p_arg); static int validate_open_default(struct pt_sandbox* p_sandbox, void* p_arg); static int validate_open_readonly(struct pt_sandbox* p_sandbox, void* p_arg); static int validate_fcntl(struct pt_sandbox* p_sandbox, void* p_arg); static int validate_socketcall(struct pt_sandbox* p_sandbox, void* p_arg); static void install_socketcall(struct pt_sandbox* p_sandbox); #define MAX_SYSCALL 300 struct pt_sandbox { int read_event_fd; int write_event_fd; pid_t pid; int is_allowed[MAX_SYSCALL]; ptrace_sandbox_validator_t validator[MAX_SYSCALL]; void* validator_arg[MAX_SYSCALL]; int is_exit; struct user_regs_struct regs; int is_socketcall_allowed[NPROTO]; ptrace_sandbox_validator_t socketcall_validator[NPROTO]; void* socketcall_validator_arg[NPROTO]; }; static int s_sigchld_fd = -1; void handle_sigchld(int sig) { int ret; if (sig != SIGCHLD) { _exit(1); } if (s_sigchld_fd != -1) { do { static const char zero = '\0'; ret = write(s_sigchld_fd, &zero, sizeof(zero)); } while (ret == -1 && errno == EINTR); if (ret != 1) { _exit(2); } } } struct pt_sandbox* ptrace_sandbox_alloc() { int i; struct sigaction sigact; struct pt_sandbox* ret = malloc(sizeof(struct pt_sandbox)); if (ret == NULL) { return NULL; } ret->pid = -1; ret->read_event_fd = -1; ret->write_event_fd = -1; ret->is_exit = 0; memset(&ret->regs, '\0', sizeof(ret->regs)); for (i = 0; i < MAX_SYSCALL; ++i) { ret->is_allowed[i] = 0; ret->validator[i] = 0; ret->validator_arg[i] = 0; } for (i = 0; i < NPROTO; ++i) { ret->is_socketcall_allowed[i] = 0; ret->socketcall_validator[i] = 0; ret->socketcall_validator_arg[i] = 0; } memset((void*) &sigact, '\0', sizeof(sigact)); sigact.sa_handler = handle_sigchld; if (sigaction(SIGCHLD, &sigact, NULL) != 0) { goto err_out; } return ret; err_out: ptrace_sandbox_free(ret); return NULL; } void ptrace_sandbox_free(struct pt_sandbox* p_sandbox) { if (p_sandbox->pid != -1) { warnx("bug: pid active in ptrace_sandbox_free"); /* We'll kill it for you so it doesn't escape the sandbox totally, but * we won't reap the zombie. * Killing it like this is a risk: if it's stopped in syscall entry, * that syscall will execute before the pending kill takes effect. * If that pending syscall were to be a fork(), there could be trouble. */ (void) kill(p_sandbox->pid, SIGKILL); } if (p_sandbox->read_event_fd != -1) { s_sigchld_fd = -1; close(p_sandbox->read_event_fd); close(p_sandbox->write_event_fd); } free(p_sandbox); } void ptrace_sandbox_attach_point() { long pt_ret; int ret; pid_t pid = getpid(); if (pid <= 1) { warnx("weird pid"); _exit(1); } /* You don't have to use PTRACE_TRACEME, but if you don't, a rogue SIGCONT * might wake you up from the STOP below before the tracer has attached. */ pt_ret = ptrace(PTRACE_TRACEME, 0, 0, 0); if (pt_ret != 0) { warn("PTRACE_TRACEME failed"); _exit(2); } ret = kill(pid, SIGSTOP); if (ret != 0) { warn("kill SIGSTOP failed"); _exit(3); } } int ptrace_sandbox_launch_process(struct pt_sandbox* p_sandbox, void (*p_func)(void*), void* p_arg) { long pt_ret; pid_t ret; int status; if (p_sandbox->pid != -1) { warnx("bug: process already active"); return -1; } ret = fork(); if (ret < 0) { return -1; } else if (ret == 0) { /* Child context. */ sanitize_child(); (*p_func)(p_arg); _exit(0); } /* Parent context */ p_sandbox->pid = ret; do { ret = waitpid(p_sandbox->pid, &status, 0); } while (ret == -1 && errno == EINTR); if (ret == -1) { warn("waitpid failed"); goto kill_out; } else if (ret != p_sandbox->pid) { warnx("unknown pid %d", ret); goto kill_out; } if (!WIFSTOPPED(status)) { warnx("not stopped status %d\n", status); goto kill_out; } if (WSTOPSIG(status) != SIGSTOP) { warnx("not SIGSTOP status %d\n", status); goto kill_out; } /* The fork, etc. tracing options are worth a bit of explanation. We don't * permit process launching syscalls at all as they are dangerous. But * there's a small race if the untrusted process attempts a denied fork() * and then takes a rouge SIGKILL before the supervisor gets a chance to * clear the orig_eax register. In this case the syscall will still execute. * (Policies may not include signal sending capabilities, thus mitigating this * direct attack, however a rogue SIGKILL may come from a non-malicious * source). Therefore, we'd rather any fork()ed process starts off traced, * just in case this tiny race condition triggers. */ pt_ret = ptrace(PTRACE_SETOPTIONS, p_sandbox->pid, 0, PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK | PTRACE_O_TRACECLONE); if (pt_ret != 0) { warn("PTRACE_SETOPTIONS failure"); goto kill_out; } return p_sandbox->pid; kill_out: (void) kill(p_sandbox->pid, SIGKILL); p_sandbox->pid = -1; return -1; } int ptrace_sandbox_continue_process(struct pt_sandbox* p_sandbox, int sig) { long pt_ret = ptrace(PTRACE_SYSCALL, p_sandbox->pid, 0, sig); if (pt_ret != 0) { warn("PTRACE_SYSCALL failure"); if (errno == ESRCH) { return PTRACE_SANDBOX_ERR_DEAD; } return PTRACE_SANDBOX_ERR_PTRACE; } return 0; } int ptrace_sandbox_get_event_fd(struct pt_sandbox* p_sandbox) { /* TODO: allocate pipe fds */ (void) p_sandbox; return -1; } int ptrace_sandbox_get_event(struct pt_sandbox* p_sandbox, int* status, int block) { pid_t pid; int options = 0; if (!block) { options = WNOHANG; } do { pid = waitpid(p_sandbox->pid, status, options); } while (pid == -1 && errno == EINTR); if (pid == -1) { warn("waitpid failure"); if (errno == ECHILD) { return PTRACE_SANDBOX_ERR_DEAD; } return PTRACE_SANDBOX_ERR_WAITPID; } return pid; } int ptrace_sandbox_handle_event(struct pt_sandbox* p_sandbox, int status) { int sig; int action; if (WIFEXITED(status) || WIFSIGNALED(status)) { p_sandbox->pid = -1; return 1; } if (!WIFSTOPPED(status)) { warnx("weird status: %d\n", status); return PTRACE_SANDBOX_ERR_WAIT_STATUS; } sig = WSTOPSIG(status); if (sig >= 0 && sig < 0x80) { /* It's a normal signal; deliver it right on. SIGSTOP / SIGCONT handling * are buggy in the kernel and I'm not sure it's safe to pass either on, * so the signal becomes a little more... robust :) */ if (sig == SIGSTOP || sig == SIGCONT) { sig = SIGKILL; } return ptrace_sandbox_continue_process(p_sandbox, sig); } if (!(sig & 0x80)) { warnx("weird status: %d\n", status); return PTRACE_SANDBOX_ERR_WAIT_STATUS; } /* Syscall trap. */ if (p_sandbox->is_exit) { p_sandbox->is_exit = 0; } else { p_sandbox->is_exit = 1; action = get_action(p_sandbox); if (action != 0) { return action; } } return ptrace_sandbox_continue_process(p_sandbox, 0); } int ptrace_sandbox_run_processes(struct pt_sandbox* p_sandbox) { if (ptrace_sandbox_continue_process(p_sandbox, 0) != 0) { goto kill_out; } while (1) { int status; int ret = ptrace_sandbox_get_event(p_sandbox, &status, 1); if (ret <= 0) { goto kill_out; } ret = ptrace_sandbox_handle_event(p_sandbox, status); if (ret < 0) { warnx("couldn't handle sandbox event"); goto kill_out; } if (ret == 1) { return 0; } } kill_out: ptrace_sandbox_kill_processes(p_sandbox); return -1; } void ptrace_sandbox_kill_processes(struct pt_sandbox* p_sandbox) { long pt_ret; struct user_regs_struct regs; pid_t pid = p_sandbox->pid; if (pid == -1) { return; } p_sandbox->pid = -1; pt_ret = ptrace(PTRACE_GETREGS, pid, 0, ®s); if (pt_ret != 0) { warn("PTRACE_GETREGS failure"); /* This API is supposed to be called with the process stopped; but if it * is still running, we can at least help a bit. See security related * comment in ptrace_sandbox_free(), though. */ (void) kill(pid, SIGKILL); return; } /* Kind of nasty, but the only way of stopping a started syscall from * executing is to rewrite the registers to execute a different syscall. */ regs.orig_eax = __NR_exit_group; regs.eip = 0xffffffff; pt_ret = ptrace(PTRACE_SETREGS, pid, 0, ®s); if (pt_ret != 0) { warn("PTRACE_SETREGS failure"); /* Deliberate fall-thru. */ } pt_ret = ptrace(PTRACE_KILL, pid, 0, 0); if (pt_ret != 0) { warn("PTRACE_KILL failure"); /* Deliberate fall-thru. */ } /* Just to make ourselves clear. */ (void) kill(pid, SIGKILL); /* So the GETREGS succeeded, so the process definitely _was_ there. We can * safely wait for it to reap the zombie. */ (void) waitpid(pid, NULL, 0); } int ptrace_sandbox_get_arg(struct pt_sandbox* p_sandbox, int arg, unsigned long* p_out) { long ret = 0; struct user_regs_struct* p_regs = &p_sandbox->regs; if (p_regs->orig_eax == 0) { return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT; } if (arg < 0 || arg > 5) { return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT; } switch (arg) { case 0: ret = p_regs->ebx; break; case 1: ret = p_regs->ecx; break; case 2: ret = p_regs->edx; break; case 3: ret = p_regs->esi; break; case 4: ret = p_regs->edi; break; case 5: ret = p_regs->ebp; break; } *p_out = ret; return 0; } int ptrace_sandbox_get_socketcall_arg(struct pt_sandbox* p_sandbox, int arg, unsigned long* p_out) { unsigned long ptr; int ret; struct user_regs_struct* p_regs = &p_sandbox->regs; if (p_regs->orig_eax == 0) { return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT; } if (arg < 0 || arg > 2) { return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT; } ret = ptrace_sandbox_get_arg(p_sandbox, 1, &ptr); if (ret != 0) { return ret; } ptr += (arg * 4); ret = ptrace_sandbox_get_long(p_sandbox, ptr, p_out); return ret; } int ptrace_sandbox_get_long(struct pt_sandbox* p_sandbox, unsigned long ptr, unsigned long* p_out) { return ptrace_sandbox_get_buf(p_sandbox, ptr, sizeof(long), (void*) p_out); } int ptrace_sandbox_get_buf(struct pt_sandbox* p_sandbox, unsigned long ptr, unsigned long len, void* p_buf) { long pt_ret; char* p_out = (char*) p_buf; for (; len > 0; len -= sizeof(long)) { errno = 0; pt_ret = ptrace(PTRACE_PEEKDATA, p_sandbox->pid, (void*) ptr, 0); if (pt_ret == -1 && errno != 0) { warn("PTRACE_GETREGS failure"); if (errno == ESRCH) { return PTRACE_SANDBOX_ERR_DEAD; } return PTRACE_SANDBOX_ERR_PTRACE; } if (len >= sizeof(long)) { memcpy(p_out, &pt_ret, sizeof(long)); } else { memcpy(p_out, &pt_ret, len); } p_out += sizeof(long); ptr += sizeof(long); } return 0; } static void sanitize_child() { /* Ensure that if our sandbox supervisor goes down, so do we. */ int ret = prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (ret != 0) { _exit(3); } } static int get_action(struct pt_sandbox* p_sandbox) { int ret; int call; int cs; long pt_ret = ptrace(PTRACE_GETREGS, p_sandbox->pid, 0, &(p_sandbox->regs)); if (pt_ret != 0) { warn("PTRACE_GETREGS failure"); if (errno == ESRCH) { return PTRACE_SANDBOX_ERR_DEAD; } return PTRACE_SANDBOX_ERR_PTRACE; } /* We need to be sure that the child is attempting a syscall against the * 32-bit syscall table, otherwise they can bypass the policy by abusing the * fact that e.g. syscall 200 is getgid32() on 32-bit but tkill() on 64-bit. * If the syscall instruct was int80 or sysenter, is it guaranteed to hit * the 32-bit table. If it is syscall, the current CS selector determines * the table. Therefore, we can check the current CS selector references a * known system-only selector that is guaranteed 32-bit (not long mode). */ cs = p_sandbox->regs.xcs; if (cs != 0x73 && cs != 0x23) { warnx("bad CS %d", cs); ret = PTRACE_SANDBOX_ERR_BAD_SYSCALL; goto out; } call = (int) p_sandbox->regs.orig_eax; if (call < 0 || call >= MAX_SYSCALL) { warnx("syscall %d out of bounds", call); ret = PTRACE_SANDBOX_ERR_BAD_SYSCALL; goto out; } if (p_sandbox->is_allowed[call] != 1) { syslog(LOG_LOCAL0 | LOG_DEBUG, "syscall not permitted: %d", call); warnx("syscall not permitted: %d", call); ret = PTRACE_SANDBOX_ERR_POLICY_SYSCALL; goto out; } if (p_sandbox->validator[call]) { ptrace_sandbox_validator_t p_validate = p_sandbox->validator[call]; int validate_ret = (*p_validate)(p_sandbox, p_sandbox->validator_arg[call]); if (validate_ret != 0) { syslog(LOG_LOCAL0 | LOG_DEBUG, "syscall validate fail: %d (%d)", call, validate_ret); warnx("syscall validate failed: %d (%d)", call, validate_ret); ret = PTRACE_SANDBOX_ERR_POLICY_ARGS; goto out; } } ret = 0; out: memset(&p_sandbox->regs, '\0', sizeof(&p_sandbox->regs)); return ret; } void ptrace_sandbox_permit_exit(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_exit] = 1; p_sandbox->is_allowed[__NR_exit_group] = 1; } void ptrace_sandbox_permit_read(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_read] = 1; } void ptrace_sandbox_permit_write(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_write] = 1; } void ptrace_sandbox_permit_sigaction(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_sigaction] = 1; p_sandbox->is_allowed[__NR_rt_sigaction] = 1; } void ptrace_sandbox_permit_alarm(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_alarm] = 1; } void ptrace_sandbox_permit_query_time(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_gettimeofday] = 1; p_sandbox->is_allowed[__NR_time] = 1; } void ptrace_sandbox_permit_mmap(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_mmap2] = 1; p_sandbox->validator[__NR_mmap2] = validate_mmap2; } static int validate_mmap2(struct pt_sandbox* p_sandbox, void* p_arg) { unsigned long arg4; int ret = ptrace_sandbox_get_arg(p_sandbox, 3, &arg4); (void) p_arg; if (ret != 0) { return ret; } if (arg4 & MAP_SHARED) { return -1; } return 0; } void ptrace_sandbox_permit_mprotect(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_mprotect] = 1; } void ptrace_sandbox_permit_file_stats(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_stat] = 1; p_sandbox->is_allowed[__NR_stat64] = 1; p_sandbox->is_allowed[__NR_lstat] = 1; p_sandbox->is_allowed[__NR_lstat64] = 1; } void ptrace_sandbox_permit_fd_stats(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_fstat] = 1; p_sandbox->is_allowed[__NR_fstat64] = 1; } void ptrace_sandbox_permit_getcwd(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_getcwd] = 1; } void ptrace_sandbox_permit_chdir(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_chdir] = 1; } void ptrace_sandbox_permit_umask(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_umask] = 1; } void ptrace_sandbox_permit_open(struct pt_sandbox* p_sandbox, int writeable) { p_sandbox->is_allowed[__NR_open] = 1; if (writeable == 1) { p_sandbox->validator[__NR_open] = validate_open_default; } else { p_sandbox->validator[__NR_open] = validate_open_readonly; } } static int validate_open_default(struct pt_sandbox* p_sandbox, void* p_arg) { unsigned long arg2; int ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2); (void) p_arg; if (ret != 0) { return ret; } if (arg2 & (O_ASYNC | O_DIRECT | O_SYNC)) { return -1; } return 0; } static int validate_open_readonly(struct pt_sandbox* p_sandbox, void* p_arg) { unsigned long arg2; int ret = validate_open_default(p_sandbox, p_arg); if (ret != 0) { return ret; } ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2); if (ret != 0) { return ret; } if ((arg2 & O_ACCMODE) != O_RDONLY) { return -1; } return 0; } void ptrace_sandbox_permit_close(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_close] = 1; } void ptrace_sandbox_permit_getdents(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_getdents] = 1; p_sandbox->is_allowed[__NR_getdents64] = 1; } void ptrace_sandbox_permit_fcntl(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_fcntl] = 1; p_sandbox->validator[__NR_fcntl] = validate_fcntl; p_sandbox->is_allowed[__NR_fcntl64] = 1; p_sandbox->validator[__NR_fcntl64] = validate_fcntl; } static int validate_fcntl(struct pt_sandbox* p_sandbox, void* p_arg) { unsigned long arg2; unsigned long arg3; int ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2); (void) p_arg; if (ret != 0) { return ret; } ret = ptrace_sandbox_get_arg(p_sandbox, 2, &arg3); if (ret != 0) { return ret; } if (arg2 != F_GETFL && arg2 != F_SETFL && arg2 != F_SETOWN && arg2 != F_SETLK && arg2 != F_SETLKW && arg2 != F_SETLK64 && arg2 != F_SETLKW64 && arg2 != F_SETFD && arg2 != F_GETFD) { syslog(LOG_LOCAL0 | LOG_DEBUG, "fcntl not permitted: %ld", arg2); warnx("fcntl not permitted: %ld", arg2); return -1; } if (arg2 == F_SETFL && (arg3 & (O_ASYNC | O_DIRECT))) { return -2; } if (arg2 == F_SETOWN && (int) arg3 != p_sandbox->pid) { return -3; } return 0; } void ptrace_sandbox_permit_sendfile(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_sendfile] = 1; p_sandbox->is_allowed[__NR_sendfile64] = 1; } void ptrace_sandbox_permit_seek(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_lseek] = 1; p_sandbox->is_allowed[__NR__llseek] = 1; } void ptrace_sandbox_permit_select(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_select] = 1; p_sandbox->is_allowed[__NR__newselect] = 1; } void ptrace_sandbox_permit_unlink(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_unlink] = 1; } void ptrace_sandbox_permit_mkdir(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_mkdir] = 1; } void ptrace_sandbox_permit_rmdir(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_rmdir] = 1; } void ptrace_sandbox_permit_rename(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_rename] = 1; } void ptrace_sandbox_permit_utime(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_utime] = 1; p_sandbox->is_allowed[__NR_utimes] = 1; } void ptrace_sandbox_permit_sigreturn(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_sigreturn] = 1; } void ptrace_sandbox_permit_recv(struct pt_sandbox* p_sandbox) { install_socketcall(p_sandbox); p_sandbox->is_socketcall_allowed[SYS_RECV] = 1; } static void install_socketcall(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_socketcall] = 1; p_sandbox->validator[__NR_socketcall] = validate_socketcall; } static int validate_socketcall(struct pt_sandbox* p_sandbox, void* p_arg) { unsigned long arg1; int ret = ptrace_sandbox_get_arg(p_sandbox, 0, &arg1); (void) p_arg; if (ret != 0) { return ret; } if (arg1 < 1 || arg1 >= NPROTO) { return -1; } if (p_sandbox->is_socketcall_allowed[arg1] != 1) { syslog(LOG_LOCAL0 | LOG_DEBUG, "socketcall not permitted: %ld", arg1); warnx("socketcall not permitted: %ld", arg1); return -2; } if (p_sandbox->socketcall_validator[arg1]) { ptrace_sandbox_validator_t p_val = p_sandbox->socketcall_validator[arg1]; ret = (*p_val)(p_sandbox, p_sandbox->socketcall_validator_arg[arg1]); if (ret != 0) { syslog(LOG_LOCAL0 | LOG_DEBUG, "socketcall validate fail: %ld (%d)", arg1, ret); warnx("socketcall validate fail: %ld (%d)", arg1, ret); return -3; } } return 0; } void ptrace_sandbox_permit_readlink(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_readlink] = 1; } void ptrace_sandbox_permit_brk(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_brk] = 1; } void ptrace_sandbox_permit_sleep(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_nanosleep] = 1; } void ptrace_sandbox_permit_fchmod(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_fchmod] = 1; } void ptrace_sandbox_permit_chmod(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_chmod] = 1; } void ptrace_sandbox_permit_fchown(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_fchown] = 1; p_sandbox->is_allowed[__NR_fchown32] = 1; } void ptrace_sandbox_permit_mremap(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_mremap] = 1; } void ptrace_sandbox_permit_ftruncate(struct pt_sandbox* p_sandbox) { p_sandbox->is_allowed[__NR_ftruncate] = 1; p_sandbox->is_allowed[__NR_ftruncate64] = 1; } void ptrace_sandbox_permit_socket(struct pt_sandbox* p_sandbox) { install_socketcall(p_sandbox); p_sandbox->is_socketcall_allowed[SYS_SOCKET] = 1; } void ptrace_sandbox_set_socket_validator(struct pt_sandbox* p_sandbox, ptrace_sandbox_validator_t val, void* p_arg) { p_sandbox->socketcall_validator[SYS_SOCKET] = val; p_sandbox->socketcall_validator_arg[SYS_SOCKET] = p_arg; } void ptrace_sandbox_permit_bind(struct pt_sandbox* p_sandbox) { install_socketcall(p_sandbox); p_sandbox->is_socketcall_allowed[SYS_BIND] = 1; } void ptrace_sandbox_set_bind_validator(struct pt_sandbox* p_sandbox, ptrace_sandbox_validator_t val, void* p_arg) { p_sandbox->socketcall_validator[SYS_BIND] = val; p_sandbox->socketcall_validator_arg[SYS_BIND] = p_arg; } void ptrace_sandbox_permit_connect(struct pt_sandbox* p_sandbox) { install_socketcall(p_sandbox); p_sandbox->is_socketcall_allowed[SYS_CONNECT] = 1; } void ptrace_sandbox_set_connect_validator(struct pt_sandbox* p_sandbox, ptrace_sandbox_validator_t val, void* p_arg) { p_sandbox->socketcall_validator[SYS_CONNECT] = val; p_sandbox->socketcall_validator_arg[SYS_CONNECT] = p_arg; } void ptrace_sandbox_permit_listen(struct pt_sandbox* p_sandbox) { install_socketcall(p_sandbox); p_sandbox->is_socketcall_allowed[SYS_LISTEN] = 1; } void ptrace_sandbox_permit_accept(struct pt_sandbox* p_sandbox) { install_socketcall(p_sandbox); p_sandbox->is_socketcall_allowed[SYS_ACCEPT] = 1; } void ptrace_sandbox_permit_setsockopt(struct pt_sandbox* p_sandbox) { install_socketcall(p_sandbox); p_sandbox->is_socketcall_allowed[SYS_SETSOCKOPT] = 1; } void ptrace_sandbox_set_setsockopt_validator(struct pt_sandbox* p_sandbox, ptrace_sandbox_validator_t val, void* p_arg) { p_sandbox->socketcall_validator[SYS_SETSOCKOPT] = val; p_sandbox->socketcall_validator_arg[SYS_SETSOCKOPT] = p_arg; } void ptrace_sandbox_permit_getsockopt(struct pt_sandbox* p_sandbox) { install_socketcall(p_sandbox); p_sandbox->is_socketcall_allowed[SYS_GETSOCKOPT] = 1; } void ptrace_sandbox_set_getsockopt_validator(struct pt_sandbox* p_sandbox, ptrace_sandbox_validator_t val, void* p_arg) { p_sandbox->socketcall_validator[SYS_GETSOCKOPT] = val; p_sandbox->socketcall_validator_arg[SYS_GETSOCKOPT] = p_arg; } void ptrace_sandbox_permit_shutdown(struct pt_sandbox* p_sandbox) { install_socketcall(p_sandbox); p_sandbox->is_socketcall_allowed[SYS_SHUTDOWN] = 1; } #else /* __linux__ && __i386__ */ struct pt_sandbox* ptrace_sandbox_alloc() { return 0; } void ptrace_sandbox_free(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } int ptrace_sandbox_launch_process(struct pt_sandbox* p_sandbox, void (*p_func)(void*), void* p_arg) { (void) p_sandbox; (void) p_func; (void) p_arg; return -1; } int ptrace_sandbox_run_processes(struct pt_sandbox* p_sandbox) { (void) p_sandbox; return -1; } void ptrace_sandbox_attach_point(void) { } void ptrace_sandbox_permit_exit(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_read(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_write(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_sigaction(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_alarm(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_query_time(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_mmap(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_mprotect(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_file_stats(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_fd_stats(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_getcwd(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_chdir(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_umask(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_open(struct pt_sandbox* p_sandbox, int writeable) { (void) p_sandbox; (void) writeable; } void ptrace_sandbox_permit_close(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_getdents(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_fcntl(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_sendfile(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_seek(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_select(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_unlink(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_mkdir(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_rmdir(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_rename(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_utime(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_utimes(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_sigreturn(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_recv(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_kill_processes(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } int ptrace_sandbox_get_arg(struct pt_sandbox* p_sandbox, int arg, unsigned long* p_out) { (void) p_sandbox; (void) arg; (void) p_out; return -1; } int ptrace_sandbox_get_socketcall_arg(struct pt_sandbox* p_sandbox, int arg, unsigned long* p_out) { (void) p_sandbox; (void) arg; (void) p_out; return -1; } int ptrace_sandbox_get_long(struct pt_sandbox* p_sandbox, unsigned long ptr, unsigned long* p_out) { (void) p_sandbox; (void) ptr; (void) p_out; return -1; } int ptrace_sandbox_get_buf(struct pt_sandbox* p_sandbox, unsigned long ptr, unsigned long len, void* p_buf) { (void) p_sandbox; (void) ptr; (void) len; (void) p_buf; return -1; } void ptrace_sandbox_permit_readlink(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_brk(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_sleep(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_fchmod(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_chmod(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_fchown(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_mremap(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_ftruncate(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_socket(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_set_socket_validator(struct pt_sandbox* p_sandbox, ptrace_sandbox_validator_t val, void* p_arg) { (void) p_sandbox; (void) val; (void) p_arg; } void ptrace_sandbox_permit_bind(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_set_bind_validator(struct pt_sandbox* p_sandbox, ptrace_sandbox_validator_t val, void* p_arg) { (void) p_sandbox; (void) val; (void) p_arg; } void ptrace_sandbox_permit_connect(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_set_connect_validator(struct pt_sandbox* p_sandbox, ptrace_sandbox_validator_t val, void* p_arg) { (void) p_sandbox; (void) val; (void) p_arg; } void ptrace_sandbox_permit_listen(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_accept(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_permit_setsockopt(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_set_setsockopt_validator(struct pt_sandbox* p_sandbox, ptrace_sandbox_validator_t val, void* p_arg) { (void) p_sandbox; (void) val; (void) p_arg; } void ptrace_sandbox_permit_getsockopt(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } void ptrace_sandbox_set_getsockopt_validator(struct pt_sandbox* p_sandbox, ptrace_sandbox_validator_t val, void* p_arg) { (void) p_sandbox; (void) val; (void) p_arg; } void ptrace_sandbox_permit_shutdown(struct pt_sandbox* p_sandbox) { (void) p_sandbox; } #endif /* __linux__ && __i386__ */