[sandbox] Print error message on seccomp sandbox violation

Co-authored-by: cpunch <sethtstubbs@gmail.com>

.github/workflows/push-docker-image.yml

@@ -3,6 +3,7 @@ name: Push Docker Image
 on:
   release:
     types: [published]
+  workflow_dispatch:
 
 jobs:
   push-docker-image:
@@ -28,6 +29,8 @@ jobs:
         with:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
       - name: Build and push the Docker image
         uses: docker/build-push-action@v5
         with:

Makefile

@@ -133,6 +133,8 @@ HDR=$(CHDR) $(CXXHDR)
 all: $(SERVER)
 
 windows: $(SERVER)
+nosandbox: $(SERVER)
+nolandlock: $(SERVER)
 
 # assign Windows-specific values if targeting Windows
 windows : CC=$(WIN_CC)
@@ -142,6 +144,9 @@ windows : CXXFLAGS=$(WIN_CXXFLAGS)
 windows : LDFLAGS=$(WIN_LDFLAGS)
 windows : SERVER=$(WIN_SERVER)
 
+nosandbox : CFLAGS+=-DCONFIG_NOSANDBOX=1
+nolandlock : CFLAGS+=-DCONFIG_NOLANDLOCK=1
+
 .SUFFIXES: .o .c .cpp .h .hpp
 
 .c.o:
@@ -163,7 +168,7 @@ version.h:
 
 src/main.o: version.h
 
-.PHONY: all windows clean nuke
+.PHONY: all windows nosandbox nolandlock clean nuke
 
 # only gets rid of OpenFusion objects, so we don't need to
 # recompile the libs every time

README.md

@@ -1,13 +1,14 @@
-<p align="center"><img width="640" src="res/openfusion-hero.png" alt=""></p>
+<p align="center"><img width="640" src="res/openfusion-hero.png" alt="OpenFusion Logo"></p>
 
 <p align="center">
     <a href="https://github.com/OpenFusionProject/OpenFusion/releases/latest"><img src="https://img.shields.io/github/v/release/OpenFusionProject/OpenFusion" alt="Current Release"></a>
     <a href="https://github.com/OpenFusionProject/OpenFusion/actions/workflows/check-builds.yaml"><img src="https://github.com/OpenFusionProject/OpenFusion/actions/workflows/check-builds.yaml/badge.svg" alt="Workflow"></a>
+    <a href="https://hub.docker.com/repository/docker/openfusion/openfusion/"><img src="https://badgen.net/docker/pulls/openfusion/openfusion?icon=docker&label=pulls"></a>
     <a href="https://discord.gg/DYavckB"><img src="https://img.shields.io/badge/chat-on%20discord-7289da.svg?logo=discord" alt="Discord"></a>
     <a href="https://github.com/OpenFusionProject/OpenFusion/blob/master/LICENSE.md"><img src="https://img.shields.io/github/license/OpenFusionProject/OpenFusion" alt="License"></a>
 </p>
 
-OpenFusion is a reverse-engineered server for FusionFall. It primarily targets versions `beta-20100104` and `beta-20111013` of the original game, with [limited support](https://github.com/OpenFusionProject/OpenFusion/wiki/FusionFall-Version-Support) for others.
+OpenFusion is a reverse-engineered server for FusionFall. It primarily targets versions `beta-20100104` and `beta-20111013` of the original game, with [limited support](https://openfusion.dev/docs/reference/fusionfall-version-support/) for others.
 
 ## Usage
 
@@ -25,7 +26,7 @@ OpenFusion is a reverse-engineered server for FusionFall. It primarily targets v
 4. To create an account, simply enter the details you wish to use at the login screen then click Log In. Do *not* click register, as this will just lead to a blank screen.
 5. Make a new character, and enjoy the game! Your progress will be saved automatically, and you can resume playing by entering the login details you used in step 4.
 
-Instructions for getting the client to run on Linux through Wine can be found [here](https://github.com/OpenFusionProject/OpenFusion/wiki/Running-the-game-client-on-Linux).
+Instructions for getting the client to run on Linux through Wine can be found [here](https://openfusion.dev/docs/guides/running-on-linux/).
 
 ### Hosting a server
 1. Grab `OpenFusionServer-1.6-Original.zip` or `OpenFusionServer-1.6-Academy.zip` from [here](https://github.com/OpenFusionProject/OpenFusion/releases/tag/1.6).
@@ -79,17 +80,17 @@ This just works if you're all under the same LAN, but if you want to play over t
 
 ## Compiling 
 
-OpenFusion has one external dependency: SQLite. The oldest compatible version is `3.33.0`. You can install it on Windows using `vcpkg`, and on Unix/Linux using your distribution's package manager. For a more indepth guide on how to set up vcpkg, [read this guide on the wiki](https://github.com/OpenFusionProject/OpenFusion/wiki/Installing-SQLite-on-Windows-using-vcpkg).
+OpenFusion has one external dependency: SQLite. The oldest compatible version is `3.33.0`. You can install it on Windows using `vcpkg`, and on Unix/Linux using your distribution's package manager. For a more indepth guide on how to set up vcpkg, [read this guide](https://openfusion.dev/docs/development/installing-sqlite-on-windows-using-vcpkg/).
 
 You have two choices for compiling OpenFusion: the included Makefile and the included CMakeLists file.
 
 ### Makefile
 
-A detailed compilation guide is available for Windows users in the wiki [using MinGW-w64 and MSYS2](https://github.com/OpenFusionProject/OpenFusion/wiki/Compilation-on-Windows). Otherwise, to compile it for the current platform you're on, just run `make` with the correct build tools installed (currently make and clang).
+A detailed compilation guide is available for Windows users on the website [using MinGW-w64 and MSYS2](https://openfusion.dev/docs/development/compilation-on-windows-msys2-mingw/). Otherwise, to compile it for the current platform you're on, just run `make` with the correct build tools installed (currently make and clang).
 
 ### CMake
 
-A detailed guide is available [on the wiki](https://github.com/OpenFusionProject/OpenFusion/wiki/Compilation-with-CMake-or-Visual-Studio) for people using regular old CMake or the version of CMake that comes with Visual Studio. tl;dr: `cmake -B build`
+A detailed guide is available [in our documentation](https://openfusion.dev/docs/development/compilation-with-cmake-or-visual-studio/) for people using regular old CMake or the version of CMake that comes with Visual Studio. TL;DR: `cmake -B build`
 
 ## Contributing
 
@@ -107,4 +108,4 @@ Meanwhile the Academy server is more meant for legitimate playthroughs (default
 
 When hosting a local server, you will have access to all commands by default (account level 1).
 
-For a list of available commands, see [this wiki page](https://github.com/OpenFusionProject/OpenFusion/wiki/Ingame-Command-list).
+For a list of available commands, see [this page](https://openfusion.dev/docs/reference/ingame-command-list/).

src/Abilities.cpp

@@ -368,7 +368,6 @@ void Abilities::useNPCSkill(EntityRef npc, int skillID, std::vector<ICombatant*>
     SkillData* skill = &SkillTable[skillID];
 
     std::vector<SkillResult> results = handleSkill(skill, 0, src, affected);
-    if(results.empty()) return; // no effect; no need for confirmation packets
 
     // lazy validation since skill results might be different sizes
     if (!validOutVarPacket(sizeof(sP_FE2CL_NPC_SKILL_HIT), results.size(), MAX_SKILLRESULT_SIZE)) {

src/main.cpp

@@ -49,6 +49,7 @@ CNShardServer *shardServer = nullptr;
 std::thread *shardThread = nullptr;
 
 void startShard(CNShardServer* server) {
+    sandbox_thread_start();
     server->start();
 }
 
@@ -150,6 +151,8 @@ int main() {
         /* not reached */
     }
 
+    sandbox_init();
+
     std::cout << "[INFO] Starting Server Threads..." << std::endl;
     CNLoginServer loginServer(settings::LOGINPORT);
     shardServer = new CNShardServer(settings::SHARDPORT);
@@ -157,6 +160,7 @@ int main() {
     shardThread = new std::thread(startShard, (CNShardServer*)shardServer);
 
     sandbox_start();
+    sandbox_thread_start();
 
     loginServer.start();
 

src/sandbox/Sandbox.hpp

@@ -4,11 +4,16 @@
 #if defined(__linux__) || defined(__OpenBSD__)
 
 # if !defined(CONFIG_NOSANDBOX)
+void sandbox_init();
 void sandbox_start();
+void sandbox_thread_start();
 # else
 
 #include <iostream>
 
+inline void sandbox_init() {}
+inline void sandbox_thread_start() {}
+
 inline void sandbox_start() {
     std::cout << "[WARN] Built without a sandbox" << std::endl;
 }
@@ -17,5 +22,7 @@ inline void sandbox_start() {
 
 #else
 // stub for unsupported platforms
+inline void sandbox_init() {}
 inline void sandbox_start() {}
+inline void sandbox_thread_start() {}
 #endif

src/sandbox/openbsd.cpp

@@ -13,6 +13,9 @@ static void eunveil(const char *path, const char *permissions) {
         err(1, "unveil");
 }
 
+void sandbox_init() {}
+void sandbox_thread_start() {}
+
 void sandbox_start() {
     /*
      * There shouldn't ever be a reason to disable this one, but might as well

src/sandbox/seccomp.cpp

@@ -4,6 +4,9 @@
 #include "settings.hpp"
 
 #include <stdlib.h>
+#include <fcntl.h>
+
+#include <filesystem>
 
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
@@ -17,6 +20,10 @@
 #include <linux/audit.h>
 #include <linux/net.h> // for socketcall() args
 
+#ifndef CONFIG_NOLANDLOCK
+#include <linux/landlock.h>
+#endif
+
 /*
  * Macros adapted from https://outflux.net/teach-seccomp/
  * Relevant license:
@@ -54,7 +61,7 @@
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
 
 #define KILL_PROCESS \
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
 
 /*
  * Macros adapted from openssh's sandbox-seccomp-filter.c
@@ -297,25 +304,201 @@ static sock_fprog prog = {
     ARRLEN(filter), filter
 };
 
-// our own wrapper for the seccomp() syscall
+// Our own wrapper for the seccomp() syscall.
 int seccomp(unsigned int operation, unsigned int flags, void *args) {
     return syscall(__NR_seccomp, operation, flags, args);
 }
 
-void sandbox_start() {
+#ifndef CONFIG_NOLANDLOCK
+
+// Support compilation on systems that only have older Landlock headers.
+#ifndef LANDLOCK_ACCESS_FS_REFER
+#define LANDLOCK_ACCESS_FS_REFER 0
+#endif
+#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
+#define LANDLOCK_ACCESS_FS_TRUNCATE 0
+#endif
+
+struct landlock_ruleset_attr ruleset_attr = {
+    .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE
+        | LANDLOCK_ACCESS_FS_WRITE_FILE
+        | LANDLOCK_ACCESS_FS_READ_DIR
+        | LANDLOCK_ACCESS_FS_MAKE_REG
+        | LANDLOCK_ACCESS_FS_MAKE_DIR
+        | LANDLOCK_ACCESS_FS_MAKE_SYM
+        | LANDLOCK_ACCESS_FS_MAKE_SOCK
+        | LANDLOCK_ACCESS_FS_MAKE_FIFO
+        | LANDLOCK_ACCESS_FS_MAKE_BLOCK
+        | LANDLOCK_ACCESS_FS_REMOVE_FILE
+        | LANDLOCK_ACCESS_FS_REMOVE_DIR
+        | LANDLOCK_ACCESS_FS_TRUNCATE
+        | LANDLOCK_ACCESS_FS_REFER
+};
+
+uint64_t landlock_perms = LANDLOCK_ACCESS_FS_READ_FILE
+    | LANDLOCK_ACCESS_FS_WRITE_FILE
+    | LANDLOCK_ACCESS_FS_TRUNCATE
+    | LANDLOCK_ACCESS_FS_MAKE_REG
+    | LANDLOCK_ACCESS_FS_REMOVE_FILE;
+
+int landlock_fd;
+bool landlock_supported;
+
+/*
+ * Our own wrappers for Landlock syscalls.
+ */
+
+int landlock_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size, uint32_t flags) {
+    return syscall(__NR_landlock_create_ruleset, attr, size, flags);
+}
+
+int landlock_add_rule(int ruleset_fd, enum landlock_rule_type rule_type, const void *rule_attr, uint32_t flags) {
+    return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags);
+}
+
+int landlock_restrict_self(int ruleset_fd, uint32_t flags) {
+    return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
+}
+
+static void landlock_path(std::string path, uint32_t perms) {
+    struct landlock_path_beneath_attr path_beneath = {
+        .allowed_access = perms
+    };
+
+    path_beneath.parent_fd = open(path.c_str(), O_PATH|O_CLOEXEC);
+    if (path_beneath.parent_fd < 0) {
+        perror(path.c_str());
+        exit(1);
+    }
+
+    if (landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0)) {
+        perror("landlock_add_rule");
+        exit(1);
+    }
+
+    close(path_beneath.parent_fd);
+}
+
+static bool landlock_detect() {
+    int abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+
+    if (abi < 0) {
+        if (errno == ENOSYS || errno == EOPNOTSUPP) {
+            std::cout << "[WARN] No Landlock support on this system" << std::endl;
+            return false;
+        }
+        perror("landlock_create_ruleset");
+        exit(1);
+    }
+
+    std::cout << "[INFO] Landlock ABI version: " << abi << std::endl;
+
+    switch (abi) {
+    case 1:
+        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
+        landlock_perms &= ~LANDLOCK_ACCESS_FS_REFER;
+        // fallthrough
+    case 2:
+        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
+        landlock_perms &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
+    }
+
+    return true;
+}
+
+static void landlock_init() {
+    std::cout << "[INFO] Setting up Landlock sandbox..." << std::endl;
+
+    landlock_supported = landlock_detect();
+
+    if (!landlock_supported)
+        return;
+
+    landlock_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+    if (landlock_fd < 0) {
+        perror("landlock_create_ruleset");
+        exit(1);
+    }
+
+    std::string dbdir = std::filesystem::path(settings::DBPATH).parent_path();
+
+    // for the DB files (we can't rely on them being in the working directory)
+    landlock_path(dbdir == "" ? "." : dbdir, landlock_perms);
+    // for writing the gruntwork file
+    landlock_path(settings::TDATADIR, landlock_perms);
+    // for passowrd salting during account creation
+    landlock_path("/dev/urandom", LANDLOCK_ACCESS_FS_READ_FILE);
+    // for core dumps, optionally
+    if (settings::SANDBOXEXTRAPATH != "")
+        landlock_path(settings::SANDBOXEXTRAPATH, landlock_perms);
+}
+
+#endif // !CONFIG_NOLANDLOCK
+
+static void sigsys_handler(int signo, siginfo_t *info, void *context) {
+    // report the unhandled syscall
+    std::cout << "[FATAL] Unhandled syscall " << info->si_syscall
+       << " at " << std::hex << info->si_call_addr << " on arch " << info->si_arch << std::endl;
+
+    std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl
+              << "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
+              << " needed changes in our seccomp filter." << std::endl;
+
+    exit(1);
+}
+
+void sandbox_init() {
     if (!settings::SANDBOX) {
         std::cout << "[WARN] Running without a sandbox" << std::endl;
         return;
     }
 
+    // listen to SIGSYS to report unhandled syscalls
+    struct sigaction sa = {};
+
+    sa.sa_flags = SA_SIGINFO;
+    sa.sa_sigaction = sigsys_handler;
+
+    if (sigaction(SIGSYS, &sa, NULL) < 0) {
+        perror("sigaction");
+        exit(1);
+    }
+
+#ifndef CONFIG_NOLANDLOCK
+    landlock_init();
+#else
+    std::cout << "[WARN] Built without Landlock" << std::endl;
+#endif
+}
+
+void sandbox_start() {
+    if (!settings::SANDBOX)
+        return;
+
     std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;
 
+    // Sandboxing starts in sandbox_thread_start().
+}
+
+void sandbox_thread_start() {
+    if (!settings::SANDBOX)
+        return;
+
     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
         perror("prctl");
         exit(1);
     }
 
-    if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) < 0) {
+#ifndef CONFIG_NOLANDLOCK
+    if (landlock_supported) {
+        if (landlock_restrict_self(landlock_fd, 0)) {
+            perror("landlock_restrict_self");
+            exit(1);
+        }
+    }
+#endif
+
+    if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) < 0) {
         perror("seccomp");
         exit(1);
     }

src/settings.cpp

@@ -9,6 +9,7 @@
 // defaults :)
 int settings::VERBOSITY = 1;
 bool settings::SANDBOX = true;
+std::string settings::SANDBOXEXTRAPATH = "";
 
 int settings::LOGINPORT = 23000;
 bool settings::APPROVEALLNAMES = true;
@@ -85,6 +86,7 @@ void settings::init() {
 
     VERBOSITY = reader.GetInteger("", "verbosity", VERBOSITY);
     SANDBOX = reader.GetBoolean("", "sandbox", SANDBOX);
+    SANDBOXEXTRAPATH = reader.Get("", "sandboxextrapath", SANDBOXEXTRAPATH);
     LOGINPORT = reader.GetInteger("login", "port", LOGINPORT);
     APPROVEALLNAMES = reader.GetBoolean("login", "acceptallcustomnames", APPROVEALLNAMES);
     AUTOCREATEACCOUNTS = reader.GetBoolean("login", "autocreateaccounts", AUTOCREATEACCOUNTS);

src/settings.hpp

@@ -5,6 +5,7 @@
 namespace settings {
     extern int VERBOSITY;
     extern bool SANDBOX;
+    extern std::string SANDBOXEXTRAPATH;
     extern int LOGINPORT;
     extern bool APPROVEALLNAMES;
     extern bool AUTOCREATEACCOUNTS;

vendor/bcrypt/bcrypt.c

@@ -38,9 +38,10 @@ typedef __int64 ssize_t;
 #include <wincrypt.h> /* CryptAcquireContext, CryptGenRandom */
 #else
 #include "bcrypt.h"
-#include "ow-crypt.h"
 #endif
 
+#include "ow-crypt.h"
+
 #define RANDBYTES (16)
 
 static int try_close(int fd)