def __init__(self, filesystem, writable=(1, 2)):
super(CHROOTSecurity, self).__init__()
self.fs_jail = re.compile('|'.join(filesystem) if filesystem else '^')
self._writable = list(writable)
if sys.platform.startswith('freebsd'):
self._getcwd_pid = lambda pid: utf8text(bsd_get_proc_cwd(pid))
self._getfd_pid = lambda pid, fd: utf8text(bsd_get_proc_fdno(pid, fd))
else:
self._getcwd_pid = lambda pid: os.readlink('/proc/%d/cwd' % pid)
self._getfd_pid = lambda pid, fd: os.readlink('/proc/%d/fd/%d' % (pid, fd))
self.update({
# Deny with report
sys_openat: self.check_file_access_at('openat', is_open=True),
sys_faccessat: self.check_file_access_at('faccessat'),
sys_open: self.check_file_access('open', 0, is_open=True),
sys_access: self.check_file_access('access', 0),
sys_mkdir: self.check_file_access('mkdir', 0),
sys_unlink: self.check_file_access('unlink', 0),
sys_readlink: self.check_file_access('readlink', 0),
sys_readlinkat: self.check_file_access_at('readlinkat'),
sys_stat: self.check_file_access('stat', 0),
sys_stat64: self.check_file_access('stat64', 0),
sys_lstat: self.check_file_access('lstat', 0),
sys_lstat64: self.check_file_access('lstat64', 0),
sys_fstatat: self.check_file_access_at('fstatat'),
sys_tgkill: self.do_tgkill,
sys_kill: self.do_kill,
sys_prctl: self.do_prctl,
sys_read: ALLOW,
sys_write: ALLOW,
sys_writev: ALLOW,
sys_statfs: ALLOW,
sys_statfs64: ALLOW,
sys_getpgrp: ALLOW,
sys_restart_syscall: ALLOW,
sys_select: ALLOW,
sys_newselect: ALLOW,
sys_modify_ldt: ALLOW,
sys_ppoll: ALLOW,
sys_getgroups32: ALLOW,
sys_sched_getaffinity: ALLOW,
sys_sched_getparam: ALLOW,
sys_sched_getscheduler: ALLOW,
sys_sched_get_priority_min: ALLOW,
sys_sched_get_priority_max: ALLOW,
sys_timerfd_create: ALLOW,
sys_timer_create: ALLOW,
sys_timer_settime: ALLOW,
sys_timer_delete: ALLOW,
sys_sigprocmask: ALLOW,
sys_rt_sigreturn: ALLOW,
sys_sigreturn: ALLOW,
sys_nanosleep: ALLOW,
sys_sysinfo: ALLOW,
sys_getrandom: ALLOW,
sys_socket: ACCESS_DENIED,
sys_socketcall: ACCESS_DENIED,
sys_close: ALLOW,
sys_dup: ALLOW,
sys_dup2: ALLOW,
sys_dup3: ALLOW,
sys_fstat: ALLOW,
sys_mmap: ALLOW,
sys_mremap: ALLOW,
sys_mprotect: ALLOW,
sys_madvise: ALLOW,
sys_munmap: ALLOW,
sys_brk: ALLOW,
sys_fcntl: ALLOW,
sys_arch_prctl: ALLOW,
sys_set_tid_address: ALLOW,
sys_set_robust_list: ALLOW,
sys_futex: ALLOW,
sys_rt_sigaction: ALLOW,
sys_rt_sigprocmask: ALLOW,
sys_getrlimit: ALLOW,
sys_ioctl: ALLOW,
sys_getcwd: ALLOW,
sys_geteuid: ALLOW,
sys_getuid: ALLOW,
sys_getegid: ALLOW,
sys_getgid: ALLOW,
sys_getdents: ALLOW,
sys_lseek: ALLOW,
sys_getrusage: ALLOW,
sys_sigaltstack: ALLOW,
sys_pipe: ALLOW,
sys_clock_gettime: ALLOW,
sys_clock_getres: ALLOW,
sys_gettimeofday: ALLOW,
sys_getpid: ALLOW,
sys_getppid: ALLOW,
sys_sched_yield: ALLOW,
sys_clone: ALLOW,
sys_exit: ALLOW,
sys_exit_group: ALLOW,
sys_gettid: ALLOW,
# x86 specific
sys_mmap2: ALLOW,
sys_fstat64: ALLOW,
sys_set_thread_area: ALLOW,
sys_ugetrlimit: ALLOW,
sys_uname: ALLOW,
sys_getuid32: ALLOW,
sys_geteuid32: ALLOW,
sys_getgid32: ALLOW,
sys_getegid32: ALLOW,
sys_llseek: ALLOW,
sys_fcntl64: ALLOW,
sys_time: ALLOW,
sys_prlimit64: ALLOW,
sys_getdents64: ALLOW,
})
# FreeBSD-specific syscalls
if 'freebsd' in sys.platform:
self.update({
sys_obreak: ALLOW,
sys_sysarch: ALLOW,
sys_sysctl: ALLOW, # TODO: More strict?
sys_issetugid: ALLOW,
sys_rtprio_thread: ALLOW, # EPERMs when invalid anyway
sys_umtx_op: ALLOW, # http://fxr.watson.org/fxr/source/kern/kern_umtx.c?v=FREEBSD60#L720
sys_nosys: ALLOW, # what?? TODO: this shouldn't really exist, so why is Python calling it?
sys_getcontext: ALLOW,
sys_setcontext: ALLOW,
sys_pread: ALLOW,
sys_fsync: ALLOW,
sys_shm_open: self.check_file_access('shm_open', 0),
sys_cpuset_getaffinity: ALLOW,
sys_thr_new: ALLOW,
sys_thr_exit: ALLOW,
sys_thr_kill: ALLOW,
sys_thr_self: ALLOW,
sys__mmap: ALLOW,
sys___mmap: ALLOW,
sys_sigsuspend: ALLOW,
sys_clock_getcpuclockid2: ALLOW,
sys_fstatfs: ALLOW,
sys_getdirentries: ALLOW, # TODO: maybe check path?
sys_getdtablesize: ALLOW,
sys_kqueue: ALLOW,
sys_kevent: ALLOW,
sys_ktimer_create: ALLOW,
sys_ktimer_settime: ALLOW,
sys_ktimer_delete: ALLOW,
sys_cap_getmode: ALLOW,
sys_minherit: ALLOW,
})
def __init__(self, read_fs, write_fs=None, writable=(1, 2)):
super().__init__()
self.read_fs = read_fs
self.write_fs = write_fs
self.read_fs_jail = {}
self.write_fs_jail = {}
self._writable = list(writable)
if sys.platform.startswith('freebsd'):
self._getcwd_pid = lambda pid: utf8text(bsd_get_proc_cwd(pid))
self._getfd_pid = lambda pid, fd: utf8text(
bsd_get_proc_fdno(pid, fd))
else:
self._getcwd_pid = lambda pid: os.readlink('/proc/%d/cwd' % pid)
self._getfd_pid = lambda pid, fd: os.readlink('/proc/%d/fd/%d' %
(pid, fd))
self.update({
# Deny with report
sys_openat:
self.check_file_access_at('openat', is_open=True),
sys_open:
self.check_file_access('open', 0, is_open=True),
sys_faccessat:
self.check_file_access_at('faccessat'),
sys_access:
self.check_file_access('access', 0),
sys_readlink:
self.check_file_access('readlink', 0),
sys_readlinkat:
self.check_file_access_at('readlinkat'),
sys_stat:
self.check_file_access('stat', 0),
sys_stat64:
self.check_file_access('stat64', 0),
sys_lstat:
self.check_file_access('lstat', 0),
sys_lstat64:
self.check_file_access('lstat64', 0),
sys_fstatat:
self.check_file_access_at('fstatat'),
sys_mkdir:
ACCESS_EPERM,
sys_unlink:
ACCESS_EPERM,
sys_tgkill:
self.do_kill,
sys_kill:
self.do_kill,
sys_prctl:
self.do_prctl,
sys_read:
ALLOW,
sys_pread64:
ALLOW,
sys_write:
ALLOW,
sys_writev:
ALLOW,
sys_statfs:
ALLOW,
sys_statfs64:
ALLOW,
sys_getpgrp:
ALLOW,
sys_restart_syscall:
ALLOW,
sys_select:
ALLOW,
sys_newselect:
ALLOW,
sys_modify_ldt:
ALLOW,
sys_ppoll:
ALLOW,
sys_getgroups32:
ALLOW,
sys_sched_getaffinity:
ALLOW,
sys_sched_getparam:
ALLOW,
sys_sched_getscheduler:
ALLOW,
sys_sched_get_priority_min:
ALLOW,
sys_sched_get_priority_max:
ALLOW,
sys_timerfd_create:
ALLOW,
sys_timer_create:
ALLOW,
sys_timer_settime:
ALLOW,
sys_timer_delete:
ALLOW,
sys_sigprocmask:
ALLOW,
sys_rt_sigreturn:
ALLOW,
sys_sigreturn:
ALLOW,
sys_nanosleep:
ALLOW,
sys_sysinfo:
ALLOW,
sys_getrandom:
ALLOW,
sys_socket:
ACCESS_EACCES,
sys_socketcall:
ACCESS_EACCES,
sys_close:
ALLOW,
sys_dup:
ALLOW,
sys_dup2:
ALLOW,
sys_dup3:
ALLOW,
sys_fstat:
ALLOW,
sys_mmap:
ALLOW,
sys_mremap:
ALLOW,
sys_mprotect:
ALLOW,
sys_madvise:
ALLOW,
sys_munmap:
ALLOW,
sys_brk:
ALLOW,
sys_fcntl:
ALLOW,
sys_arch_prctl:
ALLOW,
sys_set_tid_address:
ALLOW,
sys_set_robust_list:
ALLOW,
sys_futex:
ALLOW,
sys_rt_sigaction:
ALLOW,
sys_rt_sigprocmask:
ALLOW,
sys_getrlimit:
ALLOW,
sys_ioctl:
ALLOW,
sys_getcwd:
ALLOW,
sys_geteuid:
ALLOW,
sys_getuid:
ALLOW,
sys_getegid:
ALLOW,
sys_getgid:
ALLOW,
sys_getdents:
ALLOW,
sys_lseek:
ALLOW,
sys_getrusage:
ALLOW,
sys_sigaltstack:
ALLOW,
sys_pipe:
ALLOW,
sys_pipe2:
ALLOW,
sys_clock_gettime:
ALLOW,
sys_clock_getres:
ALLOW,
sys_gettimeofday:
ALLOW,
sys_getpid:
ALLOW,
sys_getppid:
ALLOW,
sys_sched_yield:
ALLOW,
sys_clone:
ALLOW,
sys_exit:
ALLOW,
sys_exit_group:
ALLOW,
sys_gettid:
ALLOW,
# x86 specific
sys_mmap2:
ALLOW,
sys_fstat64:
ALLOW,
sys_set_thread_area:
ALLOW,
sys_ugetrlimit:
ALLOW,
sys_uname:
ALLOW,
sys_getuid32:
ALLOW,
sys_geteuid32:
ALLOW,
sys_getgid32:
ALLOW,
sys_getegid32:
ALLOW,
sys_llseek:
ALLOW,
sys_fcntl64:
ALLOW,
sys_time:
ALLOW,
sys_prlimit64:
self.do_prlimit,
sys_getdents64:
ALLOW,
})
# FreeBSD-specific syscalls
if 'freebsd' in sys.platform:
self.update({
sys_obreak: ALLOW,
sys_sysarch: ALLOW,
sys_sysctl: ALLOW, # TODO: More strict?
sys_issetugid: ALLOW,
sys_rtprio_thread: ALLOW, # EPERMs when invalid anyway
sys_umtx_op:
ALLOW, # http://fxr.watson.org/fxr/source/kern/kern_umtx.c?v=FREEBSD60#L720
sys_nosys:
ALLOW, # what?? TODO: this shouldn't really exist, so why is Python calling it?
sys_getcontext: ALLOW,
sys_setcontext: ALLOW,
sys_pread: ALLOW,
sys_fsync: ALLOW,
sys_shm_open: self.check_file_access('shm_open', 0),
sys_cpuset_getaffinity: ALLOW,
sys_thr_new: ALLOW,
sys_thr_exit: ALLOW,
sys_thr_kill: ALLOW,
sys_thr_self: ALLOW,
sys__mmap: ALLOW,
sys___mmap: ALLOW,
sys_sigsuspend: ALLOW,
sys_clock_getcpuclockid2: ALLOW,
sys_fstatfs: ALLOW,
sys_getdirentries: ALLOW, # TODO: maybe check path?
sys_getdtablesize: ALLOW,
sys_kqueue: ALLOW,
sys_kevent: ALLOW,
sys_ktimer_create: ALLOW,
sys_ktimer_settime: ALLOW,
sys_ktimer_delete: ALLOW,
sys_cap_getmode: ALLOW,
sys_minherit: ALLOW,
})
def __init__(self, *, read_fs: Sequence[FilesystemAccessRule],
write_fs: Sequence[FilesystemAccessRule]):
super().__init__()
self.read_fs_jail = self._compile_fs_jail(read_fs)
self.write_fs_jail = self._compile_fs_jail(write_fs)
if sys.platform.startswith('freebsd'):
self._getcwd_pid = lambda pid: utf8text(bsd_get_proc_cwd(pid))
self._getfd_pid = lambda pid, fd: utf8text(
bsd_get_proc_fdno(pid, fd))
else:
self._getcwd_pid = lambda pid: os.readlink('/proc/%d/cwd' % pid)
self._getfd_pid = lambda pid, fd: os.readlink('/proc/%d/fd/%d' %
(pid, fd))
self.update({
# Deny with report
sys_openat:
self.handle_openat(dir_reg=0, file_reg=1, flag_reg=2),
sys_open:
self.handle_open(file_reg=0, flag_reg=1),
sys_faccessat:
self.handle_file_access_at(FilesystemSyscallKind.READ,
dir_reg=0,
file_reg=1),
sys_faccessat2:
self.handle_file_access_at(FilesystemSyscallKind.READ,
dir_reg=0,
file_reg=1),
sys_access:
self.handle_file_access(FilesystemSyscallKind.READ, file_reg=0),
sys_readlink:
self.handle_file_access(FilesystemSyscallKind.READ, file_reg=0),
sys_readlinkat:
self.handle_file_access_at(FilesystemSyscallKind.READ,
dir_reg=0,
file_reg=1),
sys_stat:
self.handle_file_access(FilesystemSyscallKind.READ, file_reg=0),
sys_stat64:
self.handle_file_access(FilesystemSyscallKind.READ, file_reg=0),
sys_lstat:
self.handle_file_access(FilesystemSyscallKind.READ, file_reg=0),
sys_lstat64:
self.handle_file_access(FilesystemSyscallKind.READ, file_reg=0),
sys_fstatat:
self.handle_fstat(dir_reg=0, file_reg=1),
sys_statx:
self.handle_fstat(dir_reg=0, file_reg=1),
sys_tgkill:
self.handle_kill,
sys_kill:
self.handle_kill,
sys_prctl:
self.handle_prctl,
sys_read:
ALLOW,
sys_pread64:
ALLOW,
sys_write:
ALLOW,
sys_writev:
ALLOW,
sys_statfs:
ALLOW,
sys_statfs64:
ALLOW,
sys_getpgrp:
ALLOW,
sys_restart_syscall:
ALLOW,
sys_select:
ALLOW,
sys_newselect:
ALLOW,
sys_modify_ldt:
ALLOW,
sys_poll:
ALLOW,
sys_ppoll:
ALLOW,
sys_getgroups32:
ALLOW,
sys_sched_getaffinity:
ALLOW,
sys_sched_getparam:
ALLOW,
sys_sched_getscheduler:
ALLOW,
sys_sched_get_priority_min:
ALLOW,
sys_sched_get_priority_max:
ALLOW,
sys_sched_setscheduler:
ALLOW,
sys_timerfd_create:
ALLOW,
sys_timer_create:
ALLOW,
sys_timer_settime:
ALLOW,
sys_timer_delete:
ALLOW,
sys_sigprocmask:
ALLOW,
sys_rt_sigreturn:
ALLOW,
sys_sigreturn:
ALLOW,
sys_nanosleep:
ALLOW,
sys_sysinfo:
ALLOW,
sys_getrandom:
ALLOW,
sys_socket:
ACCESS_EACCES,
sys_socketcall:
ACCESS_EACCES,
sys_close:
ALLOW,
sys_dup:
ALLOW,
sys_dup2:
ALLOW,
sys_dup3:
ALLOW,
sys_fstat:
ALLOW,
sys_mmap:
ALLOW,
sys_mremap:
ALLOW,
sys_mprotect:
ALLOW,
sys_madvise:
ALLOW,
sys_munmap:
ALLOW,
sys_brk:
ALLOW,
sys_fcntl:
ALLOW,
sys_arch_prctl:
ALLOW,
sys_set_tid_address:
ALLOW,
sys_set_robust_list:
ALLOW,
sys_futex:
ALLOW,
sys_rt_sigaction:
ALLOW,
sys_rt_sigprocmask:
ALLOW,
sys_getrlimit:
ALLOW,
sys_ioctl:
ALLOW,
sys_getcwd:
ALLOW,
sys_geteuid:
ALLOW,
sys_getuid:
ALLOW,
sys_getegid:
ALLOW,
sys_getgid:
ALLOW,
sys_getdents:
ALLOW,
sys_lseek:
ALLOW,
sys_getrusage:
ALLOW,
sys_sigaltstack:
ALLOW,
sys_pipe:
ALLOW,
sys_pipe2:
ALLOW,
sys_clock_gettime:
ALLOW,
sys_clock_gettime64:
ALLOW,
sys_clock_getres:
ALLOW,
sys_gettimeofday:
ALLOW,
sys_getpid:
ALLOW,
sys_getppid:
ALLOW,
sys_sched_yield:
ALLOW,
sys_clone:
ALLOW,
sys_exit:
ALLOW,
sys_exit_group:
ALLOW,
sys_gettid:
ALLOW,
# x86 specific
sys_mmap2:
ALLOW,
sys_fstat64:
ALLOW,
sys_set_thread_area:
ALLOW,
sys_ugetrlimit:
ALLOW,
sys_uname:
ALLOW,
sys_getuid32:
ALLOW,
sys_geteuid32:
ALLOW,
sys_getgid32:
ALLOW,
sys_getegid32:
ALLOW,
sys_llseek:
ALLOW,
sys_fcntl64:
ALLOW,
sys_time:
ALLOW,
sys_prlimit64:
self.handle_prlimit,
sys_getdents64:
ALLOW,
})
# FreeBSD-specific syscalls
if 'freebsd' in sys.platform:
self.update({
sys_mkdir:
ACCESS_EPERM,
sys_break:
ALLOW,
sys_sysarch:
ALLOW,
sys_sysctl:
ALLOW, # TODO: More strict?
sys_sysctlbyname:
ALLOW, # TODO: More strict?
sys_issetugid:
ALLOW,
sys_rtprio_thread:
ALLOW, # EPERMs when invalid anyway
sys_umtx_op:
ALLOW, # http://fxr.watson.org/fxr/source/kern/kern_umtx.c?v=FREEBSD60#L720
sys_getcontext:
ALLOW,
sys_setcontext:
ALLOW,
sys_pread:
ALLOW,
sys_fsync:
ALLOW,
sys_shm_open:
self.handle_open(file_reg=0, flag_reg=1),
sys_shm_open2:
self.handle_open(file_reg=0, flag_reg=1),
sys_cpuset_getaffinity:
ALLOW,
sys_thr_new:
ALLOW,
sys_thr_exit:
ALLOW,
sys_thr_kill:
ALLOW,
sys_thr_self:
ALLOW,
sys_sigsuspend:
ALLOW,
sys_clock_getcpuclockid2:
ALLOW,
sys_fstatfs:
ALLOW,
sys_getdirentries:
ALLOW, # TODO: maybe check path?
sys_getdtablesize:
ALLOW,
sys_kqueue:
ALLOW,
sys_kevent:
ALLOW,
sys_ktimer_create:
ALLOW,
sys_ktimer_settime:
ALLOW,
sys_ktimer_delete:
ALLOW,
sys_cap_getmode:
ALLOW,
sys_minherit:
ALLOW,
sys_thr_set_name:
ALLOW,
sys_sigfastblock:
ALLOW,
sys_realpathat:
self.handle_file_access_at(FilesystemSyscallKind.READ,
dir_reg=0,
file_reg=1),
})
