fortify/internal/proc/priv/shim/main.go

package shim

import (
	"errors"
	"flag"
	"io"
	"os"
	"path"
	"strconv"

	"git.gensokyo.uk/security/fortify/fst"
	"git.gensokyo.uk/security/fortify/helper"
	"git.gensokyo.uk/security/fortify/helper/bwrap"
	"git.gensokyo.uk/security/fortify/internal"
	"git.gensokyo.uk/security/fortify/internal/fmsg"
	"git.gensokyo.uk/security/fortify/internal/proc"
	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
)

// everything beyond this point runs as unconstrained target user
// proceed with caution!

func Main(args []string) {
	// sharing stdout with fortify
	// USE WITH CAUTION
	fmsg.SetPrefix("shim")

	// setting this prevents ptrace
	if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
		fmsg.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
		panic("unreachable")
	}

	set := flag.NewFlagSet("shim", flag.ExitOnError)

	// debug: export seccomp filter
	debugExportSeccomp := set.String("export-seccomp", "", "export the seccomp filter to file")
	debugExportSeccompFlags := [...]struct {
		o syscallOpts
		v *bool
	}{
		{flagDenyNS, set.Bool("deny-ns", false, "deny namespace-related syscalls")},
		{flagDenyTTY, set.Bool("deny-tty", false, "deny faking input ioctls")},
		{flagDenyDevel, set.Bool("deny-devel", false, "deny development syscalls")},
		{flagMultiarch, set.Bool("multiarch", false, "allow multiarch")},
		{flagLinux32, set.Bool("linux32", false, "allow PER_LINUX32")},
		{flagCan, set.Bool("can", false, "allow AF_CAN")},
		{flagBluetooth, set.Bool("bluetooth", false, "AF_BLUETOOTH")},
	}

	// Ignore errors; set is set for ExitOnError.
	_ = set.Parse(args[1:])

	// debug: export seccomp filter
	if *debugExportSeccomp != "" {
		var opts syscallOpts
		for _, opt := range debugExportSeccompFlags {
			if *opt.v {
				opts |= opt.o
			}
		}

		if f, err := os.Create(*debugExportSeccomp); err != nil {
			fmsg.Fatalf("cannot create %q: %v", *debugExportSeccomp, err)
		} else {
			mustExportFilter(f, opts)
			if err = f.Close(); err != nil {
				fmsg.Fatalf("cannot close %q: %v", *debugExportSeccomp, err)
			}
		}
		fmsg.Exit(0)
	}

	// receive setup payload
	var (
		payload    Payload
		closeSetup func() error
	)
	if f, err := proc.Receive(Env, &payload); err != nil {
		if errors.Is(err, proc.ErrInvalid) {
			fmsg.Fatal("invalid config descriptor")
		}
		if errors.Is(err, proc.ErrNotSet) {
			fmsg.Fatal("FORTIFY_SHIM not set")
		}

		fmsg.Fatalf("cannot decode shim setup payload: %v", err)
		panic("unreachable")
	} else {
		fmsg.SetVerbose(payload.Verbose)
		closeSetup = f
	}

	if payload.Bwrap == nil {
		fmsg.Fatal("bwrap config not supplied")
	}

	// restore bwrap sync fd
	var syncFd *os.File
	if payload.Sync != nil {
		syncFd = os.NewFile(*payload.Sync, "sync")
	}

	// close setup socket
	if err := closeSetup(); err != nil {
		fmsg.Println("cannot close setup pipe:", err)
		// not fatal
	}

	// ensure home directory as target user
	if s, err := os.Stat(payload.Home); err != nil {
		if os.IsNotExist(err) {
			if err = os.Mkdir(payload.Home, 0700); err != nil {
				fmsg.Fatalf("cannot create home directory: %v", err)
			}
		} else {
			fmsg.Fatalf("cannot access home directory: %v", err)
		}

		// home directory is created, proceed
	} else if !s.IsDir() {
		fmsg.Fatalf("data path %q is not a directory", payload.Home)
	}

	var ic init0.Payload

	// resolve argv0
	ic.Argv = payload.Argv
	if len(ic.Argv) > 0 {
		// looked up from $PATH by parent
		ic.Argv0 = payload.Exec[1]
	} else {
		// no argv, look up shell instead
		var ok bool
		if payload.Bwrap.SetEnv == nil {
			fmsg.Fatal("no command was specified and environment is unset")
		}
		if ic.Argv0, ok = payload.Bwrap.SetEnv["SHELL"]; !ok {
			fmsg.Fatal("no command was specified and $SHELL was unset")
		}

		ic.Argv = []string{ic.Argv0}
	}

	conf := payload.Bwrap

	var extraFiles []*os.File

	// serve setup payload
	if fd, encoder, err := proc.Setup(&extraFiles); err != nil {
		fmsg.Fatalf("cannot pipe: %v", err)
	} else {
		conf.SetEnv[init0.Env] = strconv.Itoa(fd)
		go func() {
			fmsg.VPrintln("transmitting config to init")
			if err = encoder.Encode(&ic); err != nil {
				fmsg.Fatalf("cannot transmit init config: %v", err)
			}
		}()
	}

	// bind fortify inside sandbox
	var (
		innerSbin    = path.Join(fst.Tmp, "sbin")
		innerFortify = path.Join(innerSbin, "fortify")
		innerInit    = path.Join(innerSbin, "init")
	)
	conf.Bind(proc.MustExecutable(), innerFortify)
	conf.Symlink("fortify", innerInit)

	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
	if b, err := helper.NewBwrap(
		conf, innerInit,
		nil, func(int, int) []string { return make([]string, 0) },
		[]helper.BwrapExtraFile{
			// keep this fd open while sandbox is running
			// (--sync-fd FD)
			{"--sync-fd", syncFd},
			// load and use seccomp rules from FD (not repeatable)
			// (--seccomp FD)
			{"--seccomp", mustResolveSeccomp(payload.Bwrap, payload.Syscall)},
		},
	); err != nil {
		fmsg.Fatalf("malformed sandbox config: %v", err)
	} else {
		cmd := b.Unwrap()
		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
		cmd.ExtraFiles = extraFiles

		// run and pass through exit code
		if err = b.Start(); err != nil {
			fmsg.Fatalf("cannot start target process: %v", err)
		} else if err = b.Wait(); err != nil {
			fmsg.VPrintln("wait:", err)
		}
		if b.Unwrap().ProcessState != nil {
			fmsg.Exit(b.Unwrap().ProcessState.ExitCode())
		} else {
			fmsg.Exit(127)
		}
	}
}

func mustResolveSeccomp(bwrap *bwrap.Config, syscall *fst.SyscallConfig) (seccompFd *os.File) {
	if syscall == nil {
		fmsg.VPrintln("syscall filter not configured, PROCEED WITH CAUTION")
		return
	}

	// resolve seccomp filter opts
	var (
		opts    syscallOpts
		optd    []string
		optCond = [...]struct {
			v bool
			o syscallOpts
			d string
		}{
			{!bwrap.UserNS, flagDenyNS, "denyns"},
			{bwrap.NewSession, flagDenyTTY, "denytty"},
			{syscall.DenyDevel, flagDenyDevel, "denydevel"},
			{syscall.Multiarch, flagMultiarch, "multiarch"},
			{syscall.Linux32, flagLinux32, "linux32"},
			{syscall.Can, flagCan, "can"},
			{syscall.Bluetooth, flagBluetooth, "bluetooth"},
		}
	)
	if fmsg.Verbose() {
		optd = make([]string, 1, len(optCond)+1)
		optd[0] = "fortify"
	}
	for _, opt := range optCond {
		if opt.v {
			opts |= opt.o
			if fmsg.Verbose() {
				optd = append(optd, opt.d)
			}
		}
	}
	if fmsg.Verbose() {
		fmsg.VPrintf("seccomp flags: %s", optd)
	}

	// export seccomp filter to tmpfile
	if f, err := tmpfile(); err != nil {
		fmsg.Fatalf("cannot create tmpfile: %v", err)
		panic("unreachable")
	} else {
		mustExportFilter(f, opts)
		seccompFd = f
		return
	}
}

func mustExportFilter(f *os.File, opts syscallOpts) {
	if err := exportFilter(f.Fd(), opts); err != nil {
		fmsg.Fatalf("cannot export seccomp filter: %v", err)
		panic("unreachable")
	}
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		fmsg.Fatalf("cannot lseek seccomp file: %v", err)
		panic("unreachable")
	}
}