Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
sudo-project
GitHub Repository: sudo-project/sudo
 Path: blob/main/src/sudo_noexec.c
1532 views
1
/*

2
 * SPDX-License-Identifier: ISC

3
 *

4
 * Copyright (c) 2004-2005, 2010-2018 Todd C. Miller <[email protected]>

5
 *

6
 * Permission to use, copy, modify, and distribute this software for any

7
 * purpose with or without fee is hereby granted, provided that the above

8
 * copyright notice and this permission notice appear in all copies.

9
 *

10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

17
 */

18


19
#include <config.h>

20


21
#include <sys/types.h>

22


23
#if defined(HAVE_DECL_SECCOMP_MODE_FILTER) && HAVE_DECL_SECCOMP_MODE_FILTER

24
# include <sys/prctl.h>

25
# include <asm/unistd.h>

26
# include <linux/filter.h>

27
# include <linux/seccomp.h>

28
#endif

29


30
#include <errno.h>

31
#include <stdarg.h>

32
#include <stddef.h>

33
#include <stdio.h>

34
#include <stdlib.h>

35
#include <unistd.h>

36
#ifdef HAVE_SPAWN_H

37
#include <spawn.h>

38
#endif

39
#include <string.h>

40
#ifdef HAVE_WORDEXP_H

41
#include <wordexp.h>

42
#endif

43
#if defined(HAVE_SHL_LOAD)

44
# include <dl.h>

45
#elif defined(HAVE_DLOPEN)

46
# include <dlfcn.h>

47
#endif

48


49
#include <sudo_compat.h>

50
#include <pathnames.h>

51


52
#ifdef HAVE___INTERPOSE

53
/*

54
 * Mac OS X 10.4 and above has support for library symbol interposition.

55
 * There is a good explanation of this in the Mac OS X Internals book.

56
 */

57
typedef struct interpose_s {

58
    void *new_func;

59
    void *orig_func;

60
} interpose_t;

61


62
# define FN_NAME(fn)	fake_ ## fn

63
# define INTERPOSE(fn) \

64
    __attribute__((__used__)) static const interpose_t interpose_ ## fn \

65
    __attribute__((__section__("__DATA,__interpose"))) = \

66
	{ (void *)fake_ ## fn, (void *)fn };

67
#else

68
# define FN_NAME(fn)	fn

69
# define INTERPOSE(fn)

70
#endif

71


72
/*

73
 * Replacements for the exec(3) family of syscalls.  It is not enough to

74
 * just replace execve(2) since many C libraries do not call the public

75
 * execve(2) interface.  Note that it is still possible to access the real

76
 * syscalls via the syscall(2) interface, but that is rarely done.

77
 */

78


79
#define EXEC_REPL_BODY				\

80
{						\

81
    errno = EACCES;				\

82
    return -1;					\

83
}

84


85
#define EXEC_REPL1(fn, t1)			\

86
sudo_dso_public int FN_NAME(fn)(t1 a1);		\

87
int FN_NAME(fn)(t1 a1)				\

88
EXEC_REPL_BODY					\

89
INTERPOSE(fn)

90


91
#define EXEC_REPL2(fn, t1, t2)			\

92
sudo_dso_public int FN_NAME(fn)(t1 a1, t2 a2);	\

93
int FN_NAME(fn)(t1 a1, t2 a2)			\

94
EXEC_REPL_BODY					\

95
INTERPOSE(fn)

96


97
#define EXEC_REPL3(fn, t1, t2, t3)		\

98
sudo_dso_public int FN_NAME(fn)(t1 a1, t2 a2, t3 a3); \

99
int FN_NAME(fn)(t1 a1, t2 a2, t3 a3)		\

100
EXEC_REPL_BODY					\

101
INTERPOSE(fn)

102


103
#define EXEC_REPL6(fn, t1, t2, t3, t4, t5, t6)	\

104
sudo_dso_public int FN_NAME(fn)(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6); \

105
int FN_NAME(fn)(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6) \

106
EXEC_REPL_BODY					\

107
INTERPOSE(fn)

108


109
#define EXEC_REPL_VA(fn, t1, t2)		\

110
sudo_dso_public int FN_NAME(fn)(t1 a1, t2 a2, ...); \

111
int FN_NAME(fn)(t1 a1, t2 a2, ...)		\

112
EXEC_REPL_BODY					\

113
INTERPOSE(fn)

114


115
/*

116
 * Standard exec(3) family of functions.

117
 */

118
EXEC_REPL_VA(execl, const char *, const char *)

119
EXEC_REPL_VA(execle, const char *, const char *)

120
EXEC_REPL_VA(execlp, const char *, const char *)

121
EXEC_REPL2(execv, const char *, char * const *)

122
EXEC_REPL2(execvp, const char *, char * const *)

123
EXEC_REPL3(execve, const char *, char * const *, char * const *)

124


125
/*

126
 * Non-standard exec(3) functions and corresponding private versions.

127
 */

128
#ifdef HAVE_EXECVP

129
EXEC_REPL3(execvP, const char *, const char *, char * const *)

130
#endif

131
#ifdef HAVE_EXECVPE

132
EXEC_REPL3(execvpe, const char *, char * const *, char * const *)

133
#endif

134
#ifdef HAVE_EXECT

135
EXEC_REPL3(exect, const char *, char * const *, char * const *)

136
#endif

137


138
/*

139
 * Not all systems support fexecve(2), posix_spawn(2) and posix_spawnp(2).

140
 */

141
#ifdef HAVE_FEXECVE

142
EXEC_REPL3(fexecve, int , char * const *, char * const *)

143
#endif

144
#ifdef HAVE_POSIX_SPAWN

145
EXEC_REPL6(posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)

146
#endif

147
#ifdef HAVE_POSIX_SPAWNP

148
EXEC_REPL6(posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)

149
#endif

150


151
/*

152
 * system(3) and popen(3).

153
 * We can't use a wrapper for popen since it returns FILE *, not int.

154
 */

155
EXEC_REPL1(system, const char *)

156


157
sudo_dso_public FILE *FN_NAME(popen)(const char *c, const char *t);

158
FILE *FN_NAME(popen)(const char *c, const char *t)

159
{

160
    errno = EACCES;

161
    return NULL;

162
}

163
INTERPOSE(popen)

164


165
#if defined(HAVE_WORDEXP) && (defined(RTLD_NEXT) || defined(HAVE_SHL_LOAD) || defined(HAVE___INTERPOSE))

166
/*

167
 * We can't use a wrapper for wordexp(3) since we still want to call

168
 * the real wordexp(3) but with WRDE_NOCMD added to the flags argument.

169
 */

170
typedef int (*sudo_fn_wordexp_t)(const char *, wordexp_t *, int);

171


172
sudo_dso_public int FN_NAME(wordexp)(const char *words, wordexp_t *we, int flags);

173
int FN_NAME(wordexp)(const char *words, wordexp_t *we, int flags)

174
{

175
#if defined(HAVE___INTERPOSE)

176
    return wordexp(words, we, flags | WRDE_NOCMD);

177
#else

178
# if defined(HAVE_DLOPEN)

179
    void *fn = dlsym(RTLD_NEXT, "wordexp");

180
# elif defined(HAVE_SHL_LOAD)

181
    const char *name, *myname = _PATH_SUDO_NOEXEC;

182
    struct shl_descriptor *desc;

183
    void *fn = NULL;

184
    int idx = 0;

185


186
    /* Search for wordexp() but skip this shared object. */

187
    myname = sudo_basename(myname);

188
    while (shl_get(idx++, &desc) == 0) {

189
	name = sudo_basename(desc->filename);

190
	if (strcmp(name, myname) == 0)

191
	    continue;

192
	if (shl_findsym(&desc->handle, "wordexp", TYPE_PROCEDURE, &fn) == 0)

193
	    break;

194
    }

195
# else

196
    void *fn = NULL;

197
# endif

198
    if (fn == NULL) {

199
	errno = EACCES;

200
	return -1;

201
    }

202
    return ((sudo_fn_wordexp_t)fn)(words, we, flags | WRDE_NOCMD);

203
#endif /* HAVE___INTERPOSE */

204
}

205
INTERPOSE(wordexp)

206
#endif /* HAVE_WORDEXP && (RTLD_NEXT || HAVE_SHL_LOAD || HAVE___INTERPOSE) */

207


208
/*

209
 * On Linux we can use a seccomp() filter to disable exec.

210
 */

211
#if defined(HAVE_DECL_SECCOMP_MODE_FILTER) && HAVE_DECL_SECCOMP_MODE_FILTER

212


213
/* Older systems may not support execveat(2). */

214
#ifndef __NR_execveat

215
# define __NR_execveat -1

216
#endif

217


218
static void noexec_ctor(void) __attribute__((constructor));

219


220
static void

221
noexec_ctor(void)

222
{

223
    struct sock_filter exec_filter[] = {

224
	/* Load syscall number into the accumulator */

225
	BPF_STMT(BPF_LD | BPF_ABS, offsetof(struct seccomp_data, nr)),

226
	/* Jump to deny for execve/execveat */

227
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),

228
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),

229
	/* Allow non-matching syscalls */

230
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),

231
	/* Deny execve/execveat syscall */

232
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))

233
    };

234
    const struct sock_fprog exec_fprog = {

235
	nitems(exec_filter),

236
	exec_filter

237
    };

238


239
    /*

240
     * SECCOMP_MODE_FILTER will fail unless the process has

241
     * CAP_SYS_ADMIN or the no_new_privs bit is set.

242
     */

243
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)

244
	(void)prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog);

245
}

246
#endif /* HAVE_DECL_SECCOMP_MODE_FILTER */

247


248