1 /*
2  * SPDX-License-Identifier: ISC
3  *
4  * Copyright (c) 2004-2005, 2010-2018 Todd C. Miller <Todd.Miller@sudo.ws>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 /*
20  * This is an open source non-commercial project. Dear PVS-Studio, please check it.
21  * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
22  */
23 
24 #include <config.h>
25 
26 #include <sys/types.h>
27 
28 #if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
29 # include <sys/prctl.h>
30 # include <asm/unistd.h>
31 # include <linux/filter.h>
32 # include <linux/seccomp.h>
33 #endif
34 
35 #include <errno.h>
36 #include <stdarg.h>
37 #include <stddef.h>
38 #include <stdio.h>
39 #include <stdlib.h>
40 #include <unistd.h>
41 #ifdef HAVE_SPAWN_H
42 #include <spawn.h>
43 #endif
44 #include <string.h>
45 #ifdef HAVE_WORDEXP_H
46 #include <wordexp.h>
47 #endif
48 #if defined(HAVE_SHL_LOAD)
49 # include <dl.h>
50 #elif defined(HAVE_DLOPEN)
51 # include <dlfcn.h>
52 #endif
53 
54 #include "sudo_compat.h"
55 #include "pathnames.h"
56 
57 #ifdef HAVE___INTERPOSE
58 /*
59  * Mac OS X 10.4 and above has support for library symbol interposition.
60  * There is a good explanation of this in the Mac OS X Internals book.
61  */
typedef struct interpose_s {
    void *new_func;	/* the replacement, fake_<fn> (see INTERPOSE) */
    void *orig_func;	/* the symbol being interposed, fn */
} interpose_t;
66 
67 # define FN_NAME(fn)	fake_ ## fn
68 # define INTERPOSE(fn) \
69     __attribute__((__used__)) static const interpose_t interpose_ ## fn \
70     __attribute__((__section__("__DATA,__interpose"))) = \
71 	{ (void *)fake_ ## fn, (void *)fn };
72 #else
73 # define FN_NAME(fn)	fn
74 # define INTERPOSE(fn)
75 #endif
76 
77 /*
78  * Replacements for the exec(3) family of syscalls.  It is not enough to
79  * just replace execve(2) since many C libraries do not call the public
80  * execve(2) interface.  Note that it is still possible to access the real
81  * syscalls via the syscall(2) interface, but that is rarely done.
82  */
83 
/*
 * Shared body for every exec replacement defined below: refuse the
 * call with EACCES and return -1 without looking at any argument.
 */
#define EXEC_REPL_BODY				\
{						\
    errno = EACCES;				\
    return -1;					\
}

/*
 * EXEC_REPLn(fn, t1..tn) defines an exported (sudo_dso_public) function
 * named FN_NAME(fn) -- fake_<fn> under __interpose, plain <fn> otherwise --
 * taking n parameters of the given types, with EXEC_REPL_BODY as its body,
 * and then registers it via INTERPOSE(fn).  The parameter names a1..an
 * exist only so the signature matches the real function; they are unused.
 */
#define EXEC_REPL1(fn, t1)			\
sudo_dso_public int				\
FN_NAME(fn)(t1 a1)				\
EXEC_REPL_BODY					\
INTERPOSE(fn)

#define EXEC_REPL2(fn, t1, t2)			\
sudo_dso_public int				\
FN_NAME(fn)(t1 a1, t2 a2)			\
EXEC_REPL_BODY					\
INTERPOSE(fn)

#define EXEC_REPL3(fn, t1, t2, t3)		\
sudo_dso_public int				\
FN_NAME(fn)(t1 a1, t2 a2, t3 a3)		\
EXEC_REPL_BODY					\
INTERPOSE(fn)

#define EXEC_REPL6(fn, t1, t2, t3, t4, t5, t6)	\
sudo_dso_public int				\
FN_NAME(fn)(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6)	\
EXEC_REPL_BODY					\
INTERPOSE(fn)

/*
 * Variadic form for the execl-style functions; the trailing "..."
 * arguments are never read.
 */
#define EXEC_REPL_VA(fn, t1, t2)		\
sudo_dso_public int				\
FN_NAME(fn)(t1 a1, t2 a2, ...)			\
EXEC_REPL_BODY					\
INTERPOSE(fn)
119 
120 /*
121  * Standard exec(3) family of functions.
122  */
EXEC_REPL_VA(execl,const char *,const char *)123 EXEC_REPL_VA(execl, const char *, const char *)
124 EXEC_REPL_VA(execle, const char *, const char *)
125 EXEC_REPL_VA(execlp, const char *, const char *)
126 EXEC_REPL2(execv, const char *, char * const *)
127 EXEC_REPL2(execvp, const char *, char * const *)
128 EXEC_REPL3(execve, const char *, char * const *, char * const *)
129 
130 /*
131  * Non-standard exec(3) functions and corresponding private versions.
132  */
133 #ifdef HAVE_EXECVP
134 EXEC_REPL3(execvP, const char *, const char *, char * const *)
135 #endif
136 #ifdef HAVE_EXECVPE
137 EXEC_REPL3(execvpe, const char *, char * const *, char * const *)
138 #endif
139 #ifdef HAVE_EXECT
140 EXEC_REPL3(exect, const char *, char * const *, char * const *)
141 #endif
142 
143 /*
144  * Not all systems support fexecve(2), posix_spawn(2) and posix_spawnp(2).
145  */
146 #ifdef HAVE_FEXECVE
147 EXEC_REPL3(fexecve, int , char * const *, char * const *)
148 #endif
149 #ifdef HAVE_POSIX_SPAWN
150 EXEC_REPL6(posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
151 #endif
152 #ifdef HAVE_POSIX_SPAWNP
153 EXEC_REPL6(posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
154 #endif
155 
156 /*
157  * system(3) and popen(3).
158  * We can't use a wrapper for popen since it returns FILE *, not int.
159  */
160 EXEC_REPL1(system, const char *)
161 
/*
 * Replacement for popen(3): every call is refused.
 * popen() returns FILE *, so it cannot be generated by the int-returning
 * EXEC_REPL macros above.  Sets errno to EACCES and returns NULL; the
 * command and mode arguments are deliberately never used.
 */
sudo_dso_public FILE *
FN_NAME(popen)(const char *c, const char *t)
{
    (void)c;	/* the command is never run */
    (void)t;	/* the open mode is irrelevant */
    errno = EACCES;
    return NULL;
}
INTERPOSE(popen)
169 
170 #if defined(HAVE_WORDEXP) && (defined(RTLD_NEXT) || defined(HAVE_SHL_LOAD) || defined(HAVE___INTERPOSE))
171 /*
172  * We can't use a wrapper for wordexp(3) since we still want to call
173  * the real wordexp(3) but with WRDE_NOCMD added to the flags argument.
174  */
/* Signature of the real wordexp(3), used to call it through a looked-up pointer. */
typedef int (*sudo_fn_wordexp_t)(const char *, wordexp_t *, int);

/*
 * Replacement for wordexp(3).  Unlike the exec replacements this one
 * still performs the expansion: it forwards to the real wordexp(3) with
 * WRDE_NOCMD OR'd into flags so that command substitution is refused.
 *
 * Returns whatever the real wordexp(3) returns.  If the real function
 * cannot be located, sets errno to EACCES and returns -1.
 */
sudo_dso_public int
FN_NAME(wordexp)(const char *words, wordexp_t *we, int flags)
{
#if defined(HAVE___INTERPOSE)
    /*
     * With __interpose this function is named fake_wordexp (FN_NAME),
     * so a plain wordexp() call here reaches the original symbol.
     */
    return wordexp(words, we, flags | WRDE_NOCMD);
#else
# if defined(HAVE_DLOPEN)
    /* Resolve wordexp in the next object after this one in search order. */
    void *fn = dlsym(RTLD_NEXT, "wordexp");
# elif defined(HAVE_SHL_LOAD)
    const char *name, *myname = _PATH_SUDO_NOEXEC;
    struct shl_descriptor *desc;
    void *fn = NULL;
    int idx = 0;

    /* Search for wordexp() but skip this shared object. */
    myname = sudo_basename(myname);
    while (shl_get(idx++, &desc) == 0) {
	name = sudo_basename(desc->filename);
	if (strcmp(name, myname) == 0)
	    continue;	/* this object defines the replacement itself */
	if (shl_findsym(&desc->handle, "wordexp", TYPE_PROCEDURE, &fn) == 0)
	    break;
    }
# else
    /* No way to locate the real function: every call is refused below. */
    void *fn = NULL;
# endif
    if (fn == NULL) {
	errno = EACCES;
	return -1;
    }
    return ((sudo_fn_wordexp_t)fn)(words, we, flags | WRDE_NOCMD);
#endif /* HAVE___INTERPOSE */
}
INTERPOSE(wordexp)
211 #endif /* HAVE_WORDEXP && (RTLD_NEXT || HAVE_SHL_LOAD || HAVE___INTERPOSE) */
212 
213 /*
214  * On Linux we can use a seccomp() filter to disable exec.
215  */
216 #if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
217 
218 /* Older systems may not support execveat(2). */
219 #ifndef __NR_execveat
220 # define __NR_execveat -1
221 #endif
222 
/* Runs automatically when this shared object is loaded. */
static void noexec_ctor(void) __attribute__((constructor));

/*
 * Install a seccomp filter that makes execve(2) and execveat(2) fail
 * with EACCES for this process, independently of the libc wrappers
 * replaced above.  Failures are silent: a constructor has no caller
 * to report them to.
 */
static void
noexec_ctor(void)
{
    struct sock_filter exec_filter[] = {
	/* Load syscall number into the accumulator */
	BPF_STMT(BPF_LD | BPF_ABS, offsetof(struct seccomp_data, nr)),
	/* Jump to deny for execve/execveat (skip 2 resp. 1 instructions) */
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
	/* __NR_execveat is -1 when unknown, which no real syscall matches */
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
	/* Allow non-matching syscalls */
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	/* Deny execve/execveat syscall: fail with errno EACCES */
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))
    };
    /*
     * NOTE(review): the filter compares nr against the native syscall
     * numbers only and never loads seccomp_data.arch; seccomp(2)
     * recommends checking arch before comparing nr because syscall
     * numbers differ between ABIs.  Confirm whether an arch check
     * should precede the nr compare here.
     */
    const struct sock_fprog exec_fprog = {
	nitems(exec_filter),	/* instruction count */
	exec_filter
    };

    /*
     * SECCOMP_MODE_FILTER will fail unless the process has
     * CAP_SYS_ADMIN or the no_new_privs bit is set.
     * If no_new_privs cannot be set, no filter is installed at all;
     * the result of installing the filter itself is not checked.
     */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
	(void)prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog);
}
251 #endif /* HAVE_DECL_SECCOMP_SET_MODE_FILTER */
252