2024-11-22 13:30:06 +00:00
10 changed files with 9 additions and 221 deletions
--- a/5
+++ b/5
@ -133,8 +133,8 @@ HDR=$(CHDR) $(CXXHDR)
 all: $(SERVER)

 windows: $(SERVER)
+
 nosandbox: $(SERVER)
-nolandlock: $(SERVER)

 # assign Windows-specific values if targeting Windows
 windows : CC=$(WIN_CC)
@ -145,7 +145,6 @@ windows : LDFLAGS=$(WIN_LDFLAGS)
 windows : SERVER=$(WIN_SERVER)

 nosandbox : CFLAGS+=-DCONFIG_NOSANDBOX=1
-nolandlock : CFLAGS+=-DCONFIG_NOLANDLOCK=1

 .SUFFIXES: .o .c .cpp .h .hpp

@ -168,7 +167,7 @@ version.h:

 src/main.o: version.h

-.PHONY: all windows nosandbox nolandlock clean nuke
+.PHONY: all windows nosandbox clean nuke

 # only gets rid of OpenFusion objects, so we don't need to
 # recompile the libs every time
--- a/config.ini
+++ b/config.ini
@ -102,8 +102,5 @@ eventmode=0
 enabled=false
 # the port to listen for connections on
 port=8003
-# The local IP to listen on.
-# Do not change this unless you know what you're doing.
-listenip=127.0.0.1
 # how often the listeners should be updated (in milliseconds)
 interval=5000
--- a/src/core/CNProtocol.cpp
+++ b/src/core/CNProtocol.cpp
@ -428,7 +428,7 @@ void CNServer::removePollFD(int fd) {
 }

 void CNServer::start() {
-    std::cout << "Starting " << serverType << " server at *:" << port << std::endl;
+    std::cout << "Starting server at *:" << port << std::endl;
    while (active) {
        // the timeout is to ensure shard timers are ticking
        int n = poll(fds.data(), fds.size(), 50);
--- a/src/main.cpp
+++ b/src/main.cpp
@ -49,7 +49,6 @@ CNShardServer *shardServer = nullptr;
 std::thread *shardThread = nullptr;

 void startShard(CNShardServer* server) {
-    sandbox_thread_start();
    server->start();
 }

@ -151,8 +150,6 @@ int main() {
        /* not reached */
    }

-    sandbox_init();
-
    std::cout << "[INFO] Starting Server Threads..." << std::endl;
    CNLoginServer loginServer(settings::LOGINPORT);
    shardServer = new CNShardServer(settings::SHARDPORT);
@ -160,7 +157,6 @@ int main() {
    shardThread = new std::thread(startShard, (CNShardServer*)shardServer);

    sandbox_start();
-    sandbox_thread_start();

    loginServer.start();

--- a/src/sandbox/Sandbox.hpp
+++ b/src/sandbox/Sandbox.hpp
@ -4,16 +4,11 @@
 #if defined(__linux__) || defined(__OpenBSD__)

 # if !defined(CONFIG_NOSANDBOX)
-void sandbox_init();
 void sandbox_start();
-void sandbox_thread_start();
 # else

 #include <iostream>

-inline void sandbox_init() {}
-inline void sandbox_thread_start() {}
-
 inline void sandbox_start() {
    std::cout << "[WARN] Built without a sandbox" << std::endl;
 }
@ -22,7 +17,5 @@ inline void sandbox_start() {

 #else
 // stub for unsupported platforms
-inline void sandbox_init() {}
 inline void sandbox_start() {}
-inline void sandbox_thread_start() {}
 #endif
--- a/src/sandbox/openbsd.cpp
+++ b/src/sandbox/openbsd.cpp
@ -13,9 +13,6 @@ static void eunveil(const char *path, const char *permissions) {
        err(1, "unveil");
 }

-void sandbox_init() {}
-void sandbox_thread_start() {}
-
 void sandbox_start() {
    /*
     * There shouldn't ever be a reason to disable this one, but might as well
--- a/src/sandbox/seccomp.cpp
+++ b/src/sandbox/seccomp.cpp
@ -4,9 +4,6 @@
 #include "settings.hpp"

 #include <stdlib.h>
-#include <fcntl.h>
-
-#include <filesystem>

 #include <sys/prctl.h>
 #include <sys/ptrace.h>
@ -20,10 +17,6 @@
 #include <linux/audit.h>
 #include <linux/net.h> // for socketcall() args

-#ifndef CONFIG_NOLANDLOCK
-#include <linux/landlock.h>
-#endif
-
 /*
 * Macros adapted from https://outflux.net/teach-seccomp/
 * Relevant license:
@ -61,7 +54,7 @@
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))

 #define KILL_PROCESS \
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)

 /*
 * Macros adapted from openssh's sandbox-seccomp-filter.c
@ -304,201 +297,25 @@ static sock_fprog prog = {
    ARRLEN(filter), filter
 };

-// Our own wrapper for the seccomp() syscall.
+// our own wrapper for the seccomp() syscall
 int seccomp(unsigned int operation, unsigned int flags, void *args) {
    return syscall(__NR_seccomp, operation, flags, args);
 }

-#ifndef CONFIG_NOLANDLOCK
-
-// Support compilation on systems that only have older Landlock headers.
-#ifndef LANDLOCK_ACCESS_FS_REFER
-#define LANDLOCK_ACCESS_FS_REFER 0
-#endif
-#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
-#define LANDLOCK_ACCESS_FS_TRUNCATE 0
-#endif
-
-struct landlock_ruleset_attr ruleset_attr = {
-    .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE
-        | LANDLOCK_ACCESS_FS_WRITE_FILE
-        | LANDLOCK_ACCESS_FS_READ_DIR
-        | LANDLOCK_ACCESS_FS_MAKE_REG
-        | LANDLOCK_ACCESS_FS_MAKE_DIR
-        | LANDLOCK_ACCESS_FS_MAKE_SYM
-        | LANDLOCK_ACCESS_FS_MAKE_SOCK
-        | LANDLOCK_ACCESS_FS_MAKE_FIFO
-        | LANDLOCK_ACCESS_FS_MAKE_BLOCK
-        | LANDLOCK_ACCESS_FS_REMOVE_FILE
-        | LANDLOCK_ACCESS_FS_REMOVE_DIR
-        | LANDLOCK_ACCESS_FS_TRUNCATE
-        | LANDLOCK_ACCESS_FS_REFER
-};
-
-uint64_t landlock_perms = LANDLOCK_ACCESS_FS_READ_FILE
-    | LANDLOCK_ACCESS_FS_WRITE_FILE
-    | LANDLOCK_ACCESS_FS_TRUNCATE
-    | LANDLOCK_ACCESS_FS_MAKE_REG
-    | LANDLOCK_ACCESS_FS_REMOVE_FILE;
-
-int landlock_fd;
-bool landlock_supported;
-
-/*
- * Our own wrappers for Landlock syscalls.
- */
-
-int landlock_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size, uint32_t flags) {
-    return syscall(__NR_landlock_create_ruleset, attr, size, flags);
-}
-
-int landlock_add_rule(int ruleset_fd, enum landlock_rule_type rule_type, const void *rule_attr, uint32_t flags) {
-    return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags);
-}
-
-int landlock_restrict_self(int ruleset_fd, uint32_t flags) {
-    return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
-}
-
-static void landlock_path(std::string path, uint32_t perms) {
-    struct landlock_path_beneath_attr path_beneath = {
-        .allowed_access = perms
-    };
-
-    path_beneath.parent_fd = open(path.c_str(), O_PATH|O_CLOEXEC);
-    if (path_beneath.parent_fd < 0) {
-        perror(path.c_str());
-        exit(1);
-    }
-
-    if (landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0)) {
-        perror("landlock_add_rule");
-        exit(1);
-    }
-
-    close(path_beneath.parent_fd);
-}
-
-static bool landlock_detect() {
-    int abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
-
-    if (abi < 0) {
-        if (errno == ENOSYS || errno == EOPNOTSUPP) {
-            std::cout << "[WARN] No Landlock support on this system" << std::endl;
-            return false;
-        }
-        perror("landlock_create_ruleset");
-        exit(1);
-    }
-
-    std::cout << "[INFO] Detected Landlock ABI version: " << abi << std::endl;
-
-    switch (abi) {
-    case 1:
-        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
-        landlock_perms &= ~LANDLOCK_ACCESS_FS_REFER;
-        // fallthrough
-    case 2:
-        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
-        landlock_perms &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
-    }
-
-    return true;
-}
-
-static void landlock_init() {
-    std::cout << "[INFO] Setting up Landlock sandbox..." << std::endl;
-
-    landlock_supported = landlock_detect();
-
-    if (!landlock_supported)
-        return;
-
-    landlock_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
-    if (landlock_fd < 0) {
-        perror("landlock_create_ruleset");
-        exit(1);
-    }
-
-    std::string dbdir = std::filesystem::path(settings::DBPATH).parent_path();
-
-    // for the DB files (we can't rely on them being in the working directory)
-    landlock_path(dbdir == "" ? "." : dbdir, landlock_perms);
-    // for writing the gruntwork file
-    landlock_path(settings::TDATADIR, landlock_perms);
-    // for passowrd salting during account creation
-    landlock_path("/dev/urandom", LANDLOCK_ACCESS_FS_READ_FILE);
-    // for core dumps, optionally
-    if (settings::SANDBOXEXTRAPATH != "")
-        landlock_path(settings::SANDBOXEXTRAPATH, landlock_perms);
-}
-
-#endif // !CONFIG_NOLANDLOCK
-
-static void sigsys_handler(int signo, siginfo_t *info, void *context) {
-    // report the unhandled syscall
-    std::cout << "[FATAL] Unhandled syscall " << info->si_syscall
-       << " at " << std::hex << info->si_call_addr << " on arch " << info->si_arch << std::endl;
-
-    std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl
-              << "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
-              << " needed changes in our seccomp filter." << std::endl;
-
-    exit(1);
-}
-
-void sandbox_init() {
+void sandbox_start() {
    if (!settings::SANDBOX) {
        std::cout << "[WARN] Running without a sandbox" << std::endl;
        return;
    }

-    // listen to SIGSYS to report unhandled syscalls
-    struct sigaction sa = {};
-
-    sa.sa_flags = SA_SIGINFO;
-    sa.sa_sigaction = sigsys_handler;
-
-    if (sigaction(SIGSYS, &sa, NULL) < 0) {
-        perror("sigaction");
-        exit(1);
-    }
-
-#ifndef CONFIG_NOLANDLOCK
-    landlock_init();
-#else
-    std::cout << "[WARN] Built without Landlock" << std::endl;
-#endif
-}
-
-void sandbox_start() {
-    if (!settings::SANDBOX)
-        return;
-
    std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;

-    // Sandboxing starts in sandbox_thread_start().
-}
-
-void sandbox_thread_start() {
-    if (!settings::SANDBOX)
-        return;
-
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
        perror("prctl");
        exit(1);
    }

-#ifndef CONFIG_NOLANDLOCK
-    if (landlock_supported) {
-        if (landlock_restrict_self(landlock_fd, 0)) {
-            perror("landlock_restrict_self");
-            exit(1);
-        }
-    }
-#endif
-
-    if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) < 0) {
+    if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) < 0) {
        perror("seccomp");
        exit(1);
    }
--- a/src/servers/Monitor.cpp
+++ b/src/servers/Monitor.cpp
@ -180,14 +180,9 @@ SOCKET Monitor::init() {
    }

    address.sin_family = AF_INET;
+    address.sin_addr.s_addr = INADDR_ANY;
    address.sin_port = htons(settings::MONITORPORT);

-    if (!inet_pton(AF_INET, settings::MONITORLISTENIP.c_str(), &address.sin_addr)) {
-        std::cout << "Failed to set monitor listen address" << std::endl;
-        printSocketError("inet_pton");
-        exit(1);
-    }
-
    if (SOCKETERROR(bind(listener, (struct sockaddr*)&address, sizeof(address)))) {
        std::cout << "Failed to bind to monitor port" << std::endl;
        printSocketError("bind");
@ -211,7 +206,7 @@ SOCKET Monitor::init() {
        exit(EXIT_FAILURE);
    }

-    std::cout << "Monitor listening on " << settings::MONITORLISTENIP << ":" << settings::MONITORPORT << std::endl;
+    std::cout << "Monitor listening on *:" << settings::MONITORPORT << std::endl;

    REGISTER_SHARD_TIMER(tick, settings::MONITORINTERVAL);

--- a/src/settings.cpp
+++ b/src/settings.cpp
@ -9,7 +9,6 @@
 // defaults :)
 int settings::VERBOSITY = 1;
 bool settings::SANDBOX = true;
-std::string settings::SANDBOXEXTRAPATH = "";

 int settings::LOGINPORT = 23000;
 bool settings::APPROVEALLNAMES = true;
@ -64,7 +63,6 @@ bool settings::DISABLEFIRSTUSEFLAG = true;
 // monitor settings
 bool settings::MONITORENABLED = false;
 int settings::MONITORPORT = 8003;
-std::string settings::MONITORLISTENIP = "127.0.0.1";
 int settings::MONITORINTERVAL = 5000;

 // event mode settings
@ -87,7 +85,6 @@ void settings::init() {

    VERBOSITY = reader.GetInteger("", "verbosity", VERBOSITY);
    SANDBOX = reader.GetBoolean("", "sandbox", SANDBOX);
-    SANDBOXEXTRAPATH = reader.Get("", "sandboxextrapath", SANDBOXEXTRAPATH);
    LOGINPORT = reader.GetInteger("login", "port", LOGINPORT);
    APPROVEALLNAMES = reader.GetBoolean("login", "acceptallcustomnames", APPROVEALLNAMES);
    AUTOCREATEACCOUNTS = reader.GetBoolean("login", "autocreateaccounts", AUTOCREATEACCOUNTS);
@ -122,6 +119,5 @@ void settings::init() {
    IZRACESCORECAPPED = reader.GetBoolean("shard", "izracescorecapped", IZRACESCORECAPPED);
    MONITORENABLED = reader.GetBoolean("monitor", "enabled", MONITORENABLED);
    MONITORPORT = reader.GetInteger("monitor", "port", MONITORPORT);
-    MONITORLISTENIP = reader.Get("monitor", "listenip", MONITORLISTENIP);
    MONITORINTERVAL = reader.GetInteger("monitor", "interval", MONITORINTERVAL);
 }
--- a/src/settings.hpp
+++ b/src/settings.hpp
@ -5,7 +5,6 @@
 namespace settings {
    extern int VERBOSITY;
    extern bool SANDBOX;
-    extern std::string SANDBOXEXTRAPATH;
    extern int LOGINPORT;
    extern bool APPROVEALLNAMES;
    extern bool AUTOCREATEACCOUNTS;
@ -38,7 +37,6 @@ namespace settings {
    extern int EVENTMODE;
    extern bool MONITORENABLED;
    extern int MONITORPORT;
-    extern std::string MONITORLISTENIP;
    extern int MONITORINTERVAL;
    extern bool DISABLEFIRSTUSEFLAG;
    extern bool IZRACESCORECAPPED;