summaryrefslogtreecommitdiffstats
path: root/plugin/rpcplugin/sandbox/sandbox_linux.go
diff options
context:
space:
mode:
Diffstat (limited to 'plugin/rpcplugin/sandbox/sandbox_linux.go')
-rw-r--r--plugin/rpcplugin/sandbox/sandbox_linux.go468
1 files changed, 468 insertions, 0 deletions
diff --git a/plugin/rpcplugin/sandbox/sandbox_linux.go b/plugin/rpcplugin/sandbox/sandbox_linux.go
new file mode 100644
index 000000000..d088652a7
--- /dev/null
+++ b/plugin/rpcplugin/sandbox/sandbox_linux.go
@@ -0,0 +1,468 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package sandbox
+
+import (
+ "bytes"
+ "context"
+ "encoding/json"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "syscall"
+ "unsafe"
+
+ "github.com/pkg/errors"
+ "golang.org/x/sys/unix"
+
+ "github.com/mattermost/mattermost-server/plugin/rpcplugin"
+)
+
+func init() {
+ if len(os.Args) < 3 || os.Args[0] != "sandbox.runProcess" {
+ return
+ }
+
+ var config Configuration
+ if err := json.Unmarshal([]byte(os.Args[1]), &config); err != nil {
+ fmt.Println(err.Error())
+ os.Exit(1)
+ }
+ if err := runProcess(&config, os.Args[2]); err != nil {
+ if eerr, ok := err.(*exec.ExitError); ok {
+ if status, ok := eerr.Sys().(syscall.WaitStatus); ok {
+ os.Exit(status.ExitStatus())
+ }
+ }
+ fmt.Println(err.Error())
+ os.Exit(1)
+ }
+ os.Exit(0)
+}
+
+func systemMountPoints() (points []*MountPoint) {
+ points = append(points, &MountPoint{
+ Source: "proc",
+ Destination: "/proc",
+ Type: "proc",
+ }, &MountPoint{
+ Source: "/dev/null",
+ Destination: "/dev/null",
+ }, &MountPoint{
+ Source: "/dev/zero",
+ Destination: "/dev/zero",
+ }, &MountPoint{
+ Source: "/dev/full",
+ Destination: "/dev/full",
+ })
+
+ readOnly := []string{
+ "/dev/random",
+ "/dev/urandom",
+ "/etc/resolv.conf",
+ "/lib",
+ "/lib32",
+ "/lib64",
+ "/etc/ssl/certs",
+ "/system/etc/security/cacerts",
+ "/usr/local/share/certs",
+ "/etc/pki/tls/certs",
+ "/etc/openssl/certs",
+ "/etc/ssl/ca-bundle.pem",
+ "/etc/pki/tls/cacert.pem",
+ "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
+ }
+
+ for _, v := range []string{"SSL_CERT_FILE", "SSL_CERT_DIR"} {
+ if path := os.Getenv(v); path != "" {
+ readOnly = append(readOnly, path)
+ }
+ }
+
+ for _, point := range readOnly {
+ points = append(points, &MountPoint{
+ Source: point,
+ Destination: point,
+ ReadOnly: true,
+ })
+ }
+
+ return
+}
+
+func runProcess(config *Configuration, path string) error {
+ root, err := ioutil.TempDir("", "")
+ if err != nil {
+ return err
+ }
+ defer os.RemoveAll(root)
+
+ if err := syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, ""); err != nil {
+ return errors.Wrapf(err, "unable to make root private")
+ }
+
+ if err := mountMountPoints(root, systemMountPoints()); err != nil {
+ return errors.Wrapf(err, "unable to mount sandbox system mount points")
+ }
+
+ if err := mountMountPoints(root, config.MountPoints); err != nil {
+ return errors.Wrapf(err, "unable to mount sandbox config mount points")
+ }
+
+ if err := pivotRoot(root); err != nil {
+ return errors.Wrapf(err, "unable to pivot sandbox root")
+ }
+
+ if err := os.Mkdir("/tmp", 0755); err != nil {
+ return errors.Wrapf(err, "unable to create /tmp")
+ }
+
+ if config.WorkingDirectory != "" {
+ if err := os.Chdir(config.WorkingDirectory); err != nil {
+ return errors.Wrapf(err, "unable to set working directory")
+ }
+ }
+
+ if err := dropInheritableCapabilities(); err != nil {
+ return errors.Wrapf(err, "unable to drop inheritable capabilities")
+ }
+
+ if err := enableSeccompFilter(); err != nil {
+ return errors.Wrapf(err, "unable to enable seccomp filter")
+ }
+
+ return runExecutable(path)
+}
+
+func mountMountPoint(root string, mountPoint *MountPoint) error {
+ isDir := true
+ if mountPoint.Type == "" {
+ stat, err := os.Lstat(mountPoint.Source)
+ if err != nil {
+ return nil
+ }
+ if (stat.Mode() & os.ModeSymlink) != 0 {
+ if path, err := filepath.EvalSymlinks(mountPoint.Source); err == nil {
+ newMountPoint := *mountPoint
+ newMountPoint.Source = path
+ if err := mountMountPoint(root, &newMountPoint); err != nil {
+ return errors.Wrapf(err, "unable to mount symbolic link target: "+mountPoint.Source)
+ }
+ return nil
+ }
+ }
+ isDir = stat.IsDir()
+ }
+
+ target := filepath.Join(root, mountPoint.Destination)
+
+ if isDir {
+ if err := os.MkdirAll(target, 0755); err != nil {
+ return errors.Wrapf(err, "unable to create directory: "+target)
+ }
+ } else {
+ if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
+ return errors.Wrapf(err, "unable to create directory: "+target)
+ }
+ f, err := os.Create(target)
+ if err != nil {
+ return errors.Wrapf(err, "unable to create file: "+target)
+ }
+ f.Close()
+ }
+
+ flags := uintptr(syscall.MS_NOSUID | syscall.MS_NODEV)
+ if mountPoint.Type == "" {
+ flags |= syscall.MS_BIND
+ }
+ if mountPoint.ReadOnly {
+ flags |= syscall.MS_RDONLY
+ }
+
+ if err := syscall.Mount(mountPoint.Source, target, mountPoint.Type, flags, ""); err != nil {
+ return errors.Wrapf(err, "unable to mount "+mountPoint.Source)
+ }
+
+ if (flags & syscall.MS_BIND) != 0 {
+ // If this was a bind mount, our other flags actually got silently ignored during the above syscall:
+ //
+ // If mountflags includes MS_BIND [...] The remaining bits in the mountflags argument are
+ // also ignored, with the exception of MS_REC.
+ //
+ // Furthermore, remounting will fail if we attempt to unset a bit that was inherited from
+ // the mount's parent:
+ //
+ // The mount(2) flags MS_RDONLY, MS_NOSUID, MS_NOEXEC, and the "atime" flags
+ // (MS_NOATIME, MS_NODIRATIME, MS_RELATIME) settings become locked when propagated from
+ // a more privileged to a less privileged mount namespace, and may not be changed in the
+ // less privileged mount namespace.
+ //
+ // So we need to get the actual flags, add our new ones, then do a remount if needed.
+ var stats syscall.Statfs_t
+ if err := syscall.Statfs(target, &stats); err != nil {
+ return errors.Wrap(err, "unable to get mount flags for target: "+target)
+ }
+ const lockedFlagsMask = unix.MS_RDONLY | unix.MS_NOSUID | unix.MS_NOEXEC | unix.MS_NOATIME | unix.MS_NODIRATIME | unix.MS_RELATIME
+ lockedFlags := uintptr(stats.Flags & lockedFlagsMask)
+ if lockedFlags != ((flags | lockedFlags) & lockedFlagsMask) {
+ if err := syscall.Mount("", target, "", flags|lockedFlags|syscall.MS_REMOUNT, ""); err != nil {
+ return errors.Wrapf(err, "unable to remount "+mountPoint.Source)
+ }
+ }
+ }
+
+ return nil
+}
+
+func mountMountPoints(root string, mountPoints []*MountPoint) error {
+ for _, mountPoint := range mountPoints {
+ if err := mountMountPoint(root, mountPoint); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+func pivotRoot(newRoot string) error {
+ if err := syscall.Mount(newRoot, newRoot, "", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
+ return errors.Wrapf(err, "unable to mount new root")
+ }
+
+ prevRoot := filepath.Join(newRoot, ".prev_root")
+
+ if err := os.MkdirAll(prevRoot, 0700); err != nil {
+ return errors.Wrapf(err, "unable to create directory for previous root")
+ }
+
+ if err := syscall.PivotRoot(newRoot, prevRoot); err != nil {
+ return errors.Wrapf(err, "syscall error")
+ }
+
+ if err := os.Chdir("/"); err != nil {
+ return errors.Wrapf(err, "unable to change directory")
+ }
+
+ prevRoot = "/.prev_root"
+
+ if err := syscall.Unmount(prevRoot, syscall.MNT_DETACH); err != nil {
+ return errors.Wrapf(err, "unable to unmount previous root")
+ }
+
+ if err := os.RemoveAll(prevRoot); err != nil {
+ return errors.Wrapf(err, "unable to remove previous root directory")
+ }
+
+ return nil
+}
+
+func dropInheritableCapabilities() error {
+ type capHeader struct {
+ version uint32
+ pid int
+ }
+
+ type capData struct {
+ effective uint32
+ permitted uint32
+ inheritable uint32
+ }
+
+ var hdr capHeader
+ var data [2]capData
+
+ if _, _, errno := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(&hdr)), 0, 0); errno != 0 {
+ return errors.Wrapf(syscall.Errno(errno), "unable to get capabilities version")
+ }
+
+ if _, _, errno := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&data[0])), 0); errno != 0 {
+ return errors.Wrapf(syscall.Errno(errno), "unable to get capabilities")
+ }
+
+ data[0].inheritable = 0
+ data[1].inheritable = 0
+ if _, _, errno := syscall.Syscall(syscall.SYS_CAPSET, uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&data[0])), 0); errno != 0 {
+ return errors.Wrapf(syscall.Errno(errno), "unable to set inheritable capabilities")
+ }
+
+ for i := 0; i < 64; i++ {
+ if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_CAPBSET_DROP, uintptr(i), 0); errno != 0 && errno != syscall.EINVAL {
+ return errors.Wrapf(syscall.Errno(errno), "unable to drop bounding set capability")
+ }
+ }
+
+ return nil
+}
+
+func enableSeccompFilter() error {
+ return EnableSeccompFilter(SeccompFilter(NATIVE_AUDIT_ARCH, AllowedSyscalls))
+}
+
+func runExecutable(path string) error {
+ childFiles := []*os.File{
+ os.NewFile(3, ""), os.NewFile(4, ""),
+ }
+ defer childFiles[0].Close()
+ defer childFiles[1].Close()
+
+ cmd := exec.Command(path)
+ cmd.Stdout = os.Stdout
+ cmd.Stderr = os.Stderr
+ cmd.ExtraFiles = childFiles
+ cmd.SysProcAttr = &syscall.SysProcAttr{
+ Pdeathsig: syscall.SIGTERM,
+ }
+
+ if err := cmd.Run(); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+type process struct {
+ command *exec.Cmd
+}
+
+func newProcess(ctx context.Context, config *Configuration, path string) (rpcplugin.Process, io.ReadWriteCloser, error) {
+ configJSON, err := json.Marshal(config)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ ipc, childFiles, err := rpcplugin.NewIPC()
+ if err != nil {
+ return nil, nil, err
+ }
+ defer childFiles[0].Close()
+ defer childFiles[1].Close()
+
+ cmd := exec.CommandContext(ctx, "/proc/self/exe")
+ cmd.Args = []string{"sandbox.runProcess", string(configJSON), path}
+ cmd.Stdout = os.Stdout
+ cmd.Stderr = os.Stderr
+ cmd.ExtraFiles = childFiles
+
+ cmd.SysProcAttr = &syscall.SysProcAttr{
+ Cloneflags: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWPID | syscall.CLONE_NEWUSER,
+ Pdeathsig: syscall.SIGTERM,
+ GidMappings: []syscall.SysProcIDMap{
+ {
+ ContainerID: 0,
+ HostID: os.Getgid(),
+ Size: 1,
+ },
+ },
+ UidMappings: []syscall.SysProcIDMap{
+ {
+ ContainerID: 0,
+ HostID: os.Getuid(),
+ Size: 1,
+ },
+ },
+ }
+
+ err = cmd.Start()
+ if err != nil {
+ ipc.Close()
+ return nil, nil, err
+ }
+
+ return &process{
+ command: cmd,
+ }, ipc, nil
+}
+
+func (p *process) Wait() error {
+ return p.command.Wait()
+}
+
+func init() {
+ if len(os.Args) < 1 || os.Args[0] != "sandbox.checkSupportInNamespace" {
+ return
+ }
+
+ if err := checkSupportInNamespace(); err != nil {
+ fmt.Fprintf(os.Stderr, "%v", err.Error())
+ os.Exit(1)
+ }
+
+ os.Exit(0)
+}
+
+func checkSupportInNamespace() error {
+ root, err := ioutil.TempDir("", "")
+ if err != nil {
+ return err
+ }
+ defer os.RemoveAll(root)
+
+ if err := syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, ""); err != nil {
+ return errors.Wrapf(err, "unable to make root private")
+ }
+
+ if err := mountMountPoints(root, systemMountPoints()); err != nil {
+ return errors.Wrapf(err, "unable to mount sandbox system mount points")
+ }
+
+ if err := pivotRoot(root); err != nil {
+ return errors.Wrapf(err, "unable to pivot sandbox root")
+ }
+
+ if err := dropInheritableCapabilities(); err != nil {
+ return errors.Wrapf(err, "unable to drop inheritable capabilities")
+ }
+
+ if err := enableSeccompFilter(); err != nil {
+ return errors.Wrapf(err, "unable to enable seccomp filter")
+ }
+
+ return nil
+}
+
+func checkSupport() error {
+ if AllowedSyscalls == nil {
+ return fmt.Errorf("unsupported architecture")
+ }
+
+ stderr := &bytes.Buffer{}
+
+ cmd := exec.Command("/proc/self/exe")
+ cmd.Args = []string{"sandbox.checkSupportInNamespace"}
+ cmd.Stderr = stderr
+ cmd.SysProcAttr = &syscall.SysProcAttr{
+ Cloneflags: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWPID | syscall.CLONE_NEWUSER,
+ Pdeathsig: syscall.SIGTERM,
+ GidMappings: []syscall.SysProcIDMap{
+ {
+ ContainerID: 0,
+ HostID: os.Getgid(),
+ Size: 1,
+ },
+ },
+ UidMappings: []syscall.SysProcIDMap{
+ {
+ ContainerID: 0,
+ HostID: os.Getuid(),
+ Size: 1,
+ },
+ },
+ }
+
+ if err := cmd.Start(); err != nil {
+ return errors.Wrapf(err, "unable to create user namespace")
+ }
+
+ if err := cmd.Wait(); err != nil {
+ if _, ok := err.(*exec.ExitError); ok {
+ return errors.Wrapf(fmt.Errorf("%v", stderr.String()), "unable to prepare namespace")
+ }
+ return errors.Wrapf(err, "unable to prepare namespace")
+ }
+
+ return nil
+}