diff --git a/Makefile b/Makefile
index a30a9f6..b8a9229 100644
--- a/Makefile
+++ b/Makefile
@@ -12,8 +12,8 @@ ifeq ($(UNAME_SYS), Linux)
 -Wstrict-prototypes -Wmissing-prototypes \
 -pie -fPIE \
 -fno-strict-aliasing
- XMPPIPE_SANDBOX ?= seccomp
- XMPPIPE_SANDBOX_RLIMIT_NOFILE ?= 0
+ XMPPIPE_RESTRICT_PROCESS ?= seccomp
+ XMPPIPE_RESTRICT_PROCESS_RLIMIT_NOFILE ?= 0
 LDFLAGS ?= -Wl,-z,relro,-z,now -Wl,-z,noexecstack
 else ifeq ($(UNAME_SYS), FreeBSD)
 CFLAGS ?= -DHAVE_STRTONUM \
@@ -21,7 +21,7 @@ else ifeq ($(UNAME_SYS), FreeBSD)
 -Wformat -Werror=format-security \
 -pie -fPIE \
 -fno-strict-aliasing
- XMPPIPE_SANDBOX ?= capsicum
+ XMPPIPE_RESTRICT_PROCESS ?= capsicum
 LDFLAGS ?= -Wl,-z,relro,-z,now -Wl,-z,noexecstack
 else ifeq ($(UNAME_SYS), OpenBSD)
 CFLAGS ?= -DHAVE_STRTONUM \
@@ -29,7 +29,7 @@ else ifeq ($(UNAME_SYS), OpenBSD)
 -Wformat -Werror=format-security \
 -pie -fPIE \
 -fno-strict-aliasing
- XMPPIPE_SANDBOX ?= pledge
+ XMPPIPE_RESTRICT_PROCESS ?= pledge
 LDFLAGS ?= -Wl,-z,relro,-z,now -Wl,-z,noexecstack
 else ifeq ($(UNAME_SYS), SunOS)
 else ifeq ($(UNAME_SYS), Darwin)
@@ -39,15 +39,15 @@ else ifeq ($(UNAME_SYS), Darwin)
 -fno-strict-aliasing
 endif
-XMPPIPE_SANDBOX ?= rlimit
-XMPPIPE_SANDBOX_RLIMIT_NOFILE ?= -1
+XMPPIPE_RESTRICT_PROCESS ?= rlimit
+XMPPIPE_RESTRICT_PROCESS_RLIMIT_NOFILE ?= -1
 XMPPIPE_CFLAGS ?= -g -Wall
 CFLAGS += $(XMPPIPE_CFLAGS) \
 -fwrapv \
- -DXMPPIPE_SANDBOX=\"$(XMPPIPE_SANDBOX)\" \
- -DXMPPIPE_SANDBOX_$(XMPPIPE_SANDBOX) \
- -DXMPPIPE_SANDBOX_RLIMIT_NOFILE=$(XMPPIPE_SANDBOX_RLIMIT_NOFILE)
+ -DXMPPIPE_RESTRICT_PROCESS=\"$(XMPPIPE_RESTRICT_PROCESS)\" \
+ -DXMPPIPE_RESTRICT_PROCESS_$(XMPPIPE_RESTRICT_PROCESS) \
+ -DXMPPIPE_RESTRICT_PROCESS_RLIMIT_NOFILE=$(XMPPIPE_RESTRICT_PROCESS_RLIMIT_NOFILE)
 LDFLAGS += $(XMPPIPE_LDFLAGS)
diff --git a/src/strtonum.c b/src/strtonum.c
index a593c10..509fdec 100644
--- a/src/strtonum.c
+++ b/src/strtonum.c
@@ -23,6 +23,7 @@
 #include
 #include
 #include
+
 #include "strtonum.h"
 #define INVALID 1
diff --git a/src/xmppipe.c b/src/xmppipe.c
index 7d944e5..f4b3119 100644
--- a/src/xmppipe.c
+++ b/src/xmppipe.c
@@ -97,8 +97,8 @@ int main(int argc, char **argv) {
 jid = xmppipe_getenv("XMPPIPE_USERNAME");
 pass = xmppipe_getenv("XMPPIPE_PASSWORD");
- if (xmppipe_sandbox_init(state) < 0)
- err(EXIT_FAILURE, "sandbox failed");
+ if (xmppipe_restrict_process_init(state) < 0)
+ err(EXIT_FAILURE, "restrict_process failed");
 while ((ch = getopt_long(argc, argv, "a:b:c:dDeF:hI:k:K:o:P:p:r:sS:u:U:vx", long_options, NULL)) != -1) {
@@ -264,10 +264,11 @@ int main(int argc, char **argv) {
 errx(EXIT_FAILURE, "XMPP handshake failed");
 if (state->verbose)
- (void)fprintf(stderr, "sandbox: stdin: %s\n", XMPPIPE_SANDBOX);
+ (void)fprintf(stderr, "restrict_process: stdin: %s\n",
+ XMPPIPE_RESTRICT_PROCESS);
- if (xmppipe_sandbox_stdin(state) < 0)
- err(EXIT_FAILURE, "sandbox failed");
+ if (xmppipe_restrict_process_stdin(state) < 0)
+ err(EXIT_FAILURE, "restrict_process failed");
 if (xmppipe_stream_init(state) < 0)
 errx(EXIT_FAILURE, "enabling stream management failed");
@@ -555,8 +556,8 @@ static long long xmppipe_strtonum(xmppipe_state_t *state, const char *nptr,
 }
 static void usage(xmppipe_state_t *state) {
- (void)fprintf(stderr, "%s %s (using %s sandbox)\n", __progname,
- XMPPIPE_VERSION, XMPPIPE_SANDBOX);
+ (void)fprintf(stderr, "%s %s (using %s mode process restriction)\n",
+ __progname, XMPPIPE_VERSION, XMPPIPE_RESTRICT_PROCESS);
 (void)fprintf(
 stderr,
 "usage: %s [OPTIONS]\n"
diff --git a/src/xmppipe.h b/src/xmppipe.h
index dc27e81..8386b6e 100644
--- a/src/xmppipe.h
+++ b/src/xmppipe.h
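Review bot: The new error text in the first hunk leaks an internal identifier to the user: `err(EXIT_FAILURE, "restrict_process failed");` (repeated verbatim in the second hunk for the stdin stage) says nothing about which mechanism failed or when. Since the build already exports the mechanism name as `XMPPIPE_RESTRICT_PROCESS`, something like `err(EXIT_FAILURE, "%s process restriction failed", XMPPIPE_RESTRICT_PROCESS);` is both readable and more useful when the seccomp/pledge/capsicum setup fails on a given host. The usage() banner has the same problem in the third hunk: `"(using %s mode process restriction)"` reads as "using seccomp mode process restriction"; `"(using %s process restriction)"` is enough. main() begins before the first hunk and continues past the second, so I cannot see whether the two failure paths are otherwise distinguishable.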
@@ -166,8 +166,8 @@ void xmppipe_stanza_set_text(xmpp_stanza_t *, const char *const);
 void xmppipe_stanza_set_type(xmpp_stanza_t *const, const char *const);
 void xmppipe_stanza_add_child(xmpp_stanza_t *, xmpp_stanza_t *);
-int xmppipe_sandbox_init(xmppipe_state_t *state);
-int xmppipe_sandbox_stdin(xmppipe_state_t *state);
+int xmppipe_restrict_process_init(xmppipe_state_t *state);
+int xmppipe_restrict_process_stdin(xmppipe_state_t *state);
 int xmppipe_conn_fd(xmppipe_state_t *state);
 int b64_ntop(u_char const *src, size_t srclength, char *target,
diff --git a/src/xmppipe_fmt.c b/src/xmppipe_fmt.c
index f12d0c1..3974b88 100644
--- a/src/xmppipe_fmt.c
+++ b/src/xmppipe_fmt.c
@@ -12,8 +12,8 @@
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#include "xmppipe.h"
 #include "errno.h"
+#include "xmppipe.h"
 static unsigned char rfc3986[256];
diff --git a/src/xmppipe_sandbox_capsicum.c b/src/xmppipe_restrict_process_capsicum.c
similarity index 91%
rename from src/xmppipe_sandbox_capsicum.c
rename to src/xmppipe_restrict_process_capsicum.c
index efbb17c..1ff8025 100644
--- a/src/xmppipe_sandbox_capsicum.c
+++ b/src/xmppipe_restrict_process_capsicum.c
@@ -12,7 +12,7 @@
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#ifdef XMPPIPE_SANDBOX_capsicum
+#ifdef XMPPIPE_RESTRICT_PROCESS_capsicum
 #include
 #include
 #include
@@ -23,13 +23,13 @@
 #include "xmppipe.h"
-int xmppipe_sandbox_init(xmppipe_state_t *state) {
+int xmppipe_restrict_process_init(xmppipe_state_t *state) {
 struct rlimit rl = {0};
 return setrlimit(RLIMIT_NPROC, &rl);
 }
-int xmppipe_sandbox_stdin(xmppipe_state_t *state) {
+int xmppipe_restrict_process_stdin(xmppipe_state_t *state) {
 struct rlimit rl = {0};
 cap_rights_t policy_read;
 cap_rights_t policy_write;
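Review bot: In the xmppipe_fmt.c hunk the include that now comes first is `#include "errno.h"`, a C standard header pulled in with the quoted form; the quoted form makes the preprocessor search the including file's directory before the system paths, so a stray `src/errno.h` (or one dropped there by a build tool) would silently shadow the real one. Use `#include <errno.h>` for it, keeping the new `#include "xmppipe.h"` after it as the commit intends. The reorder itself is fine; this is the only non-rename change in the section.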
diff --git a/src/xmppipe_sandbox_null.c b/src/xmppipe_restrict_process_null.c
similarity index 82%
rename from src/xmppipe_sandbox_null.c
rename to src/xmppipe_restrict_process_null.c
index 740308a..e1bb315 100644
--- a/src/xmppipe_sandbox_null.c
+++ b/src/xmppipe_restrict_process_null.c
@@ -12,10 +12,10 @@
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#ifdef XMPPIPE_SANDBOX_null
+#ifdef XMPPIPE_RESTRICT_PROCESS_null
 #include "xmppipe.h"
-int xmppipe_sandbox_init(xmppipe_state_t *state) { return 0; }
+int xmppipe_restrict_process_init(xmppipe_state_t *state) { return 0; }
-int xmppipe_sandbox_stdin(xmppipe_state_t *state) { return 0; }
+int xmppipe_restrict_process_stdin(xmppipe_state_t *state) { return 0; }
 #endif
diff --git a/src/xmppipe_sandbox_pledge.c b/src/xmppipe_restrict_process_pledge.c
similarity index 85%
rename from src/xmppipe_sandbox_pledge.c
rename to src/xmppipe_restrict_process_pledge.c
index 16244f3..16ee5cb 100644
--- a/src/xmppipe_sandbox_pledge.c
+++ b/src/xmppipe_restrict_process_pledge.c
@@ -12,15 +12,15 @@
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#ifdef XMPPIPE_SANDBOX_pledge
+#ifdef XMPPIPE_RESTRICT_PROCESS_pledge
 #include "xmppipe.h"
 #include
-int xmppipe_sandbox_init(xmppipe_state_t *state) {
+int xmppipe_restrict_process_init(xmppipe_state_t *state) {
 return pledge("stdio inet dns rpath", NULL);
 }
-int xmppipe_sandbox_stdin(xmppipe_state_t *state) {
+int xmppipe_restrict_process_stdin(xmppipe_state_t *state) {
 return pledge("stdio", NULL);
 }
 #endif
diff --git a/src/xmppipe_sandbox_rlimit.c b/src/xmppipe_restrict_process_rlimit.c
similarity index 81%
rename from src/xmppipe_sandbox_rlimit.c
rename to src/xmppipe_restrict_process_rlimit.c
index 8213f42..b2ab094 100644
--- a/src/xmppipe_sandbox_rlimit.c
+++ b/src/xmppipe_restrict_process_rlimit.c
@@ -12,23 +12,23 @@
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#ifdef XMPPIPE_SANDBOX_rlimit
+#ifdef XMPPIPE_RESTRICT_PROCESS_rlimit
 #include
 #include
 #include "xmppipe.h"
-int xmppipe_sandbox_init(xmppipe_state_t *state) {
+int xmppipe_restrict_process_init(xmppipe_state_t *state) {
 struct rlimit rl_zero = {0};
 return setrlimit(RLIMIT_NPROC, &rl_zero);
 }
-int xmppipe_sandbox_stdin(xmppipe_state_t *state) {
+int xmppipe_restrict_process_stdin(xmppipe_state_t *state) {
 struct rlimit rl = {0};
- rl.rlim_cur = XMPPIPE_SANDBOX_RLIMIT_NOFILE;
- rl.rlim_max = XMPPIPE_SANDBOX_RLIMIT_NOFILE;
+ rl.rlim_cur = XMPPIPE_RESTRICT_PROCESS_RLIMIT_NOFILE;
+ rl.rlim_max = XMPPIPE_RESTRICT_PROCESS_RLIMIT_NOFILE;
 if (rl.rlim_cur == (rlim_t)-1) {
 int fd = xmppipe_conn_fd(state);
diff --git a/src/xmppipe_sandbox_seccomp.c b/src/xmppipe_restrict_process_seccomp.c
similarity index 93%
rename from src/xmppipe_sandbox_seccomp.c
rename to src/xmppipe_restrict_process_seccomp.c
index 32a7fc8..98895ea 100644
--- a/src/xmppipe_sandbox_seccomp.c
+++ b/src/xmppipe_restrict_process_seccomp.c
@@ -12,7 +12,7 @@
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#ifdef XMPPIPE_SANDBOX_seccomp
+#ifdef XMPPIPE_RESTRICT_PROCESS_seccomp
 #include
 #include
 #include
@@ -23,16 +23,16 @@
 #include "xmppipe.h"
-/* macros from openssh-7.2/sandbox-seccomp-filter.c */
+/* macros from openssh-7.2/restrict_process-seccomp-filter.c */
-/* Linux seccomp_filter sandbox */
+/* Linux seccomp_filter restrict_process */
 #define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL
 /* Use a signal handler to emit violations when debugging */
-#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
+#ifdef RESTRICT_PROCESS_SECCOMP_FILTER_DEBUG
 #undef SECCOMP_FILTER_FAIL
 #define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
-#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+#endif /* RESTRICT_PROCESS_SECCOMP_FILTER_DEBUG */
 /* Simple helpers to avoid manual errors (but larger BPF programs). */
 #define SC_DENY(_nr, _errno) \
@@ -47,10 +47,9 @@
 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
 offsetof(struct seccomp_data, args[(_arg_nr)])), \
 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_arg_val), 0, 1), \
- BPF_STMT( \
- BPF_RET + BPF_K, SECCOMP_RET_ALLOW), /* reload syscall number; all \
- rules expect it in \
- accumulator */ \
+ BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), /* reload syscall number; \
+ all rules expect it in \
+ accumulator */ \
 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr))
 /*
@@ -74,7 +74,7 @@
 #define SECCOMP_AUDIT_ARCH 0
 #endif
-int xmppipe_sandbox_init(xmppipe_state_t *state) {
+int xmppipe_restrict_process_init(xmppipe_state_t *state) {
 struct sock_filter filter[] = {
 /* Ensure the syscall arch convention is as expected. */
 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, arch)),
@@ -305,7 +304,7 @@ int xmppipe_sandbox_init(xmppipe_state_t *state) {
 return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
 }
-int xmppipe_sandbox_stdin(xmppipe_state_t *state) {
+int xmppipe_restrict_process_stdin(xmppipe_state_t *state) {
 struct sock_filter filter[] = {
 /* Ensure the syscall arch convention is as expected. */
 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, arch)),
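Review bot: The blanket rename in the first hunk of this file rewrote a provenance comment and broke it: `/* macros from openssh-7.2/restrict_process-seccomp-filter.c */` now names a file that does not exist in OpenSSH, whereas the removed line correctly pointed at `sandbox-seccomp-filter.c`, which is what anyone auditing the copied SC_DENY/SC_ALLOW macros needs to find. Restore the original path: `/* macros from openssh-7.2/sandbox-seccomp-filter.c */`. The neighbouring `/* Linux seccomp_filter restrict_process */` reads as a token substitution rather than English; `/* Linux seccomp_filter process restriction */` says the same thing. Renaming the debug switch to `RESTRICT_PROCESS_SECCOMP_FILTER_DEBUG` is fine provided nothing outside this diff (CI flags, docs) still sets `SANDBOX_SECCOMP_FILTER_DEBUG`, which I cannot see from here; note it changes the filter's failure action from KILL to TRAP, so it must never be on in a release build.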