mirror of
https://github.com/OpenFusionProject/OpenFusion.git
synced 2025-10-15 10:10:14 +00:00
Compare commits
3 Commits
landlock
...
dd62273273
| Author | SHA1 | Date | |
|---|---|---|---|
| dd62273273 | |||
| 37386b857a | |||
| 19dbf7abeb |
7
Makefile
7
Makefile
@@ -133,8 +133,6 @@ HDR=$(CHDR) $(CXXHDR)
|
||||
all: $(SERVER)
|
||||
|
||||
windows: $(SERVER)
|
||||
nosandbox: $(SERVER)
|
||||
nolandlock: $(SERVER)
|
||||
|
||||
# assign Windows-specific values if targeting Windows
|
||||
windows : CC=$(WIN_CC)
|
||||
@@ -144,9 +142,6 @@ windows : CXXFLAGS=$(WIN_CXXFLAGS)
|
||||
windows : LDFLAGS=$(WIN_LDFLAGS)
|
||||
windows : SERVER=$(WIN_SERVER)
|
||||
|
||||
nosandbox : CFLAGS+=-DCONFIG_NOSANDBOX=1
|
||||
nolandlock : CFLAGS+=-DCONFIG_NOLANDLOCK=1
|
||||
|
||||
.SUFFIXES: .o .c .cpp .h .hpp
|
||||
|
||||
.c.o:
|
||||
@@ -168,7 +163,7 @@ version.h:
|
||||
|
||||
src/main.o: version.h
|
||||
|
||||
.PHONY: all windows nosandbox nolandlock clean nuke
|
||||
.PHONY: all windows clean nuke
|
||||
|
||||
# only gets rid of OpenFusion objects, so we don't need to
|
||||
# recompile the libs every time
|
||||
|
||||
@@ -49,7 +49,6 @@ CNShardServer *shardServer = nullptr;
|
||||
std::thread *shardThread = nullptr;
|
||||
|
||||
void startShard(CNShardServer* server) {
|
||||
sandbox_thread_start();
|
||||
server->start();
|
||||
}
|
||||
|
||||
@@ -151,8 +150,6 @@ int main() {
|
||||
/* not reached */
|
||||
}
|
||||
|
||||
sandbox_init();
|
||||
|
||||
std::cout << "[INFO] Starting Server Threads..." << std::endl;
|
||||
CNLoginServer loginServer(settings::LOGINPORT);
|
||||
shardServer = new CNShardServer(settings::SHARDPORT);
|
||||
@@ -160,7 +157,6 @@ int main() {
|
||||
shardThread = new std::thread(startShard, (CNShardServer*)shardServer);
|
||||
|
||||
sandbox_start();
|
||||
sandbox_thread_start();
|
||||
|
||||
loginServer.start();
|
||||
|
||||
|
||||
@@ -4,16 +4,11 @@
|
||||
#if defined(__linux__) || defined(__OpenBSD__)
|
||||
|
||||
# if !defined(CONFIG_NOSANDBOX)
|
||||
void sandbox_init();
|
||||
void sandbox_start();
|
||||
void sandbox_thread_start();
|
||||
# else
|
||||
|
||||
#include <iostream>
|
||||
|
||||
inline void sandbox_init() {}
|
||||
inline void sandbox_thread_start() {}
|
||||
|
||||
inline void sandbox_start() {
|
||||
std::cout << "[WARN] Built without a sandbox" << std::endl;
|
||||
}
|
||||
@@ -22,7 +17,5 @@ inline void sandbox_start() {
|
||||
|
||||
#else
|
||||
// stub for unsupported platforms
|
||||
inline void sandbox_init() {}
|
||||
inline void sandbox_start() {}
|
||||
inline void sandbox_thread_start() {}
|
||||
#endif
|
||||
|
||||
@@ -13,9 +13,6 @@ static void eunveil(const char *path, const char *permissions) {
|
||||
err(1, "unveil");
|
||||
}
|
||||
|
||||
void sandbox_init() {}
|
||||
void sandbox_thread_start() {}
|
||||
|
||||
void sandbox_start() {
|
||||
/*
|
||||
* There shouldn't ever be a reason to disable this one, but might as well
|
||||
|
||||
@@ -4,9 +4,6 @@
|
||||
#include "settings.hpp"
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <fcntl.h>
|
||||
|
||||
#include <filesystem>
|
||||
|
||||
#include <sys/prctl.h>
|
||||
#include <sys/ptrace.h>
|
||||
@@ -20,10 +17,6 @@
|
||||
#include <linux/audit.h>
|
||||
#include <linux/net.h> // for socketcall() args
|
||||
|
||||
#ifndef CONFIG_NOLANDLOCK
|
||||
#include <linux/landlock.h>
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Macros adapted from https://outflux.net/teach-seccomp/
|
||||
* Relevant license:
|
||||
@@ -304,201 +297,46 @@ static sock_fprog prog = {
|
||||
ARRLEN(filter), filter
|
||||
};
|
||||
|
||||
// Our own wrapper for the seccomp() syscall.
|
||||
// our own wrapper for the seccomp() syscall
|
||||
int seccomp(unsigned int operation, unsigned int flags, void *args) {
|
||||
return syscall(__NR_seccomp, operation, flags, args);
|
||||
}
|
||||
|
||||
#ifndef CONFIG_NOLANDLOCK
|
||||
|
||||
// Support compilation on systems that only have older Landlock headers.
|
||||
#ifndef LANDLOCK_ACCESS_FS_REFER
|
||||
#define LANDLOCK_ACCESS_FS_REFER 0
|
||||
#endif
|
||||
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
|
||||
#define LANDLOCK_ACCESS_FS_TRUNCATE 0
|
||||
#endif
|
||||
|
||||
struct landlock_ruleset_attr ruleset_attr = {
|
||||
.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE
|
||||
| LANDLOCK_ACCESS_FS_WRITE_FILE
|
||||
| LANDLOCK_ACCESS_FS_READ_DIR
|
||||
| LANDLOCK_ACCESS_FS_MAKE_REG
|
||||
| LANDLOCK_ACCESS_FS_MAKE_DIR
|
||||
| LANDLOCK_ACCESS_FS_MAKE_SYM
|
||||
| LANDLOCK_ACCESS_FS_MAKE_SOCK
|
||||
| LANDLOCK_ACCESS_FS_MAKE_FIFO
|
||||
| LANDLOCK_ACCESS_FS_MAKE_BLOCK
|
||||
| LANDLOCK_ACCESS_FS_REMOVE_FILE
|
||||
| LANDLOCK_ACCESS_FS_REMOVE_DIR
|
||||
| LANDLOCK_ACCESS_FS_TRUNCATE
|
||||
| LANDLOCK_ACCESS_FS_REFER
|
||||
};
|
||||
|
||||
uint64_t landlock_perms = LANDLOCK_ACCESS_FS_READ_FILE
|
||||
| LANDLOCK_ACCESS_FS_WRITE_FILE
|
||||
| LANDLOCK_ACCESS_FS_TRUNCATE
|
||||
| LANDLOCK_ACCESS_FS_MAKE_REG
|
||||
| LANDLOCK_ACCESS_FS_REMOVE_FILE;
|
||||
|
||||
int landlock_fd;
|
||||
bool landlock_supported;
|
||||
|
||||
/*
|
||||
* Our own wrappers for Landlock syscalls.
|
||||
*/
|
||||
|
||||
int landlock_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size, uint32_t flags) {
|
||||
return syscall(__NR_landlock_create_ruleset, attr, size, flags);
|
||||
}
|
||||
|
||||
int landlock_add_rule(int ruleset_fd, enum landlock_rule_type rule_type, const void *rule_attr, uint32_t flags) {
|
||||
return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags);
|
||||
}
|
||||
|
||||
int landlock_restrict_self(int ruleset_fd, uint32_t flags) {
|
||||
return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
|
||||
}
|
||||
|
||||
static void landlock_path(std::string path, uint32_t perms) {
|
||||
struct landlock_path_beneath_attr path_beneath = {
|
||||
.allowed_access = perms
|
||||
};
|
||||
|
||||
path_beneath.parent_fd = open(path.c_str(), O_PATH|O_CLOEXEC);
|
||||
if (path_beneath.parent_fd < 0) {
|
||||
perror(path.c_str());
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0)) {
|
||||
perror("landlock_add_rule");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
close(path_beneath.parent_fd);
|
||||
}
|
||||
|
||||
static bool landlock_detect() {
|
||||
int abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
|
||||
|
||||
if (abi < 0) {
|
||||
if (errno == ENOSYS || errno == EOPNOTSUPP) {
|
||||
std::cout << "[WARN] No Landlock support on this system" << std::endl;
|
||||
return false;
|
||||
}
|
||||
perror("landlock_create_ruleset");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
std::cout << "[INFO] Landlock ABI version: " << abi << std::endl;
|
||||
|
||||
switch (abi) {
|
||||
case 1:
|
||||
ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
|
||||
landlock_perms &= ~LANDLOCK_ACCESS_FS_REFER;
|
||||
// fallthrough
|
||||
case 2:
|
||||
ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
|
||||
landlock_perms &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static void landlock_init() {
|
||||
std::cout << "[INFO] Setting up Landlock sandbox..." << std::endl;
|
||||
|
||||
landlock_supported = landlock_detect();
|
||||
|
||||
if (!landlock_supported)
|
||||
return;
|
||||
|
||||
landlock_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
|
||||
if (landlock_fd < 0) {
|
||||
perror("landlock_create_ruleset");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
std::string dbdir = std::filesystem::path(settings::DBPATH).parent_path();
|
||||
|
||||
// for the DB files (we can't rely on them being in the working directory)
|
||||
landlock_path(dbdir == "" ? "." : dbdir, landlock_perms);
|
||||
// for writing the gruntwork file
|
||||
landlock_path(settings::TDATADIR, landlock_perms);
|
||||
// for passowrd salting during account creation
|
||||
landlock_path("/dev/urandom", LANDLOCK_ACCESS_FS_READ_FILE);
|
||||
// for core dumps, optionally
|
||||
if (settings::SANDBOXEXTRAPATH != "")
|
||||
landlock_path(settings::SANDBOXEXTRAPATH, landlock_perms);
|
||||
}
|
||||
|
||||
#endif // !CONFIG_NOLANDLOCK
|
||||
|
||||
static void sigsys_handler(int signo, siginfo_t *info, void *context) {
|
||||
void sig_sys_handler(int signo, siginfo_t *info, void *context)
|
||||
{
|
||||
// report the unhandled syscall
|
||||
std::cout << "[FATAL] Unhandled syscall " << info->si_syscall
|
||||
<< " at " << std::hex << info->si_call_addr << " on arch " << info->si_arch << std::endl;
|
||||
std::cout << "[FATAL] Unhandled syscall: " << info->si_syscall << std::endl;
|
||||
|
||||
std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl
|
||||
std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl
|
||||
<< "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
|
||||
<< " needed changes in our seccomp filter." << std::endl;
|
||||
|
||||
exit(1);
|
||||
}
|
||||
|
||||
void sandbox_init() {
|
||||
void sandbox_start() {
|
||||
if (!settings::SANDBOX) {
|
||||
std::cout << "[WARN] Running without a sandbox" << std::endl;
|
||||
return;
|
||||
}
|
||||
|
||||
// listen to SIGSYS to report unhandled syscalls
|
||||
std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;
|
||||
|
||||
// we listen to SIGSYS to report unhandled syscalls
|
||||
struct sigaction sa = {};
|
||||
|
||||
sa.sa_flags = SA_SIGINFO;
|
||||
sa.sa_sigaction = sigsys_handler;
|
||||
|
||||
sa.sa_sigaction = sig_sys_handler;
|
||||
if (sigaction(SIGSYS, &sa, NULL) < 0) {
|
||||
perror("sigaction");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
#ifndef CONFIG_NOLANDLOCK
|
||||
landlock_init();
|
||||
#else
|
||||
std::cout << "[WARN] Built without Landlock" << std::endl;
|
||||
#endif
|
||||
}
|
||||
|
||||
void sandbox_start() {
|
||||
if (!settings::SANDBOX)
|
||||
return;
|
||||
|
||||
std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;
|
||||
|
||||
// Sandboxing starts in sandbox_thread_start().
|
||||
}
|
||||
|
||||
void sandbox_thread_start() {
|
||||
if (!settings::SANDBOX)
|
||||
return;
|
||||
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
|
||||
perror("prctl");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
#ifndef CONFIG_NOLANDLOCK
|
||||
if (landlock_supported) {
|
||||
if (landlock_restrict_self(landlock_fd, 0)) {
|
||||
perror("landlock_restrict_self");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) < 0) {
|
||||
if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) < 0) {
|
||||
perror("seccomp");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@@ -9,7 +9,6 @@
|
||||
// defaults :)
|
||||
int settings::VERBOSITY = 1;
|
||||
bool settings::SANDBOX = true;
|
||||
std::string settings::SANDBOXEXTRAPATH = "";
|
||||
|
||||
int settings::LOGINPORT = 23000;
|
||||
bool settings::APPROVEALLNAMES = true;
|
||||
@@ -86,7 +85,6 @@ void settings::init() {
|
||||
|
||||
VERBOSITY = reader.GetInteger("", "verbosity", VERBOSITY);
|
||||
SANDBOX = reader.GetBoolean("", "sandbox", SANDBOX);
|
||||
SANDBOXEXTRAPATH = reader.Get("", "sandboxextrapath", SANDBOXEXTRAPATH);
|
||||
LOGINPORT = reader.GetInteger("login", "port", LOGINPORT);
|
||||
APPROVEALLNAMES = reader.GetBoolean("login", "acceptallcustomnames", APPROVEALLNAMES);
|
||||
AUTOCREATEACCOUNTS = reader.GetBoolean("login", "autocreateaccounts", AUTOCREATEACCOUNTS);
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
namespace settings {
|
||||
extern int VERBOSITY;
|
||||
extern bool SANDBOX;
|
||||
extern std::string SANDBOXEXTRAPATH;
|
||||
extern int LOGINPORT;
|
||||
extern bool APPROVEALLNAMES;
|
||||
extern bool AUTOCREATEACCOUNTS;
|
||||
|
||||
3
vendor/bcrypt/bcrypt.c
vendored
3
vendor/bcrypt/bcrypt.c
vendored
@@ -38,9 +38,8 @@ typedef __int64 ssize_t;
|
||||
#include <wincrypt.h> /* CryptAcquireContext, CryptGenRandom */
|
||||
#else
|
||||
#include "bcrypt.h"
|
||||
#endif
|
||||
|
||||
#include "ow-crypt.h"
|
||||
#endif
|
||||
|
||||
#define RANDBYTES (16)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user