/*
* Part of Very Secure FTPd
* Licence: GPL v2
* Author: Chris Evans
* ftppolicy.c
*
* Code to build a sandbox policy based on current session options.
*/
#include "ftppolicy.h"
#include "ptracesandbox.h"
#include "tunables.h"
#include "session.h"
#include "sysutil.h"
/* For AF_INET etc. network constants. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
static int socket_validator(struct pt_sandbox* p_sandbox, void* p_arg);
static int connect_validator(struct pt_sandbox* p_sandbox, void* p_arg);
static int getsockopt_validator(struct pt_sandbox* p_sandbox, void* p_arg);
static int setsockopt_validator(struct pt_sandbox* p_sandbox, void* p_arg);
void
policy_setup(struct pt_sandbox* p_sandbox, const struct vsf_session* p_sess)
{
int is_anon = p_sess->is_anonymous;
/* Always need to be able to exit! */
ptrace_sandbox_permit_exit(p_sandbox);
/* Needed for memory management. */
ptrace_sandbox_permit_mmap(p_sandbox);
ptrace_sandbox_permit_mprotect(p_sandbox);
ptrace_sandbox_permit_brk(p_sandbox);
/* Simple reads and writes are required. Permitting write does not imply
* filesystem write access because access control is done at open time.
*/
ptrace_sandbox_permit_read(p_sandbox);
ptrace_sandbox_permit_write(p_sandbox);
/* Reading FTP commands from the network. */
ptrace_sandbox_permit_recv(p_sandbox);
/* Querying time is harmless; used for log timestamps and internally to
* OpenSSL
*/
ptrace_sandbox_permit_query_time(p_sandbox);
/* Typically post-login things follow. */
/* Since we're in a chroot(), we can just blanket allow filesystem readonly
* open.
*/
ptrace_sandbox_permit_open(p_sandbox, 0);
ptrace_sandbox_permit_close(p_sandbox);
/* Other pathname-based metadata queries. */
ptrace_sandbox_permit_file_stats(p_sandbox);
ptrace_sandbox_permit_readlink(p_sandbox);
/* Querying, reading and changing directory. */
ptrace_sandbox_permit_getcwd(p_sandbox);
ptrace_sandbox_permit_chdir(p_sandbox);
ptrace_sandbox_permit_getdents(p_sandbox);
/* Simple fd-based operations. */
ptrace_sandbox_permit_fd_stats(p_sandbox);
ptrace_sandbox_permit_seek(p_sandbox);
ptrace_sandbox_permit_shutdown(p_sandbox);
ptrace_sandbox_permit_fcntl(p_sandbox);
ptrace_sandbox_permit_setsockopt(p_sandbox);
ptrace_sandbox_set_setsockopt_validator(p_sandbox, setsockopt_validator, 0);
/* Misc */
/* Setting umask. */
ptrace_sandbox_permit_umask(p_sandbox);
/* Select for data connection readyness. */
ptrace_sandbox_permit_select(p_sandbox);
/* Always need ability to take signals (SIGPIPE) */
ptrace_sandbox_permit_sigreturn(p_sandbox);
/* Sleeping (bandwidth limit, connect retires, anon login fails) */
ptrace_sandbox_permit_sleep(p_sandbox);
/* High-speed transfers... */
ptrace_sandbox_permit_sendfile(p_sandbox);
/* TODO - Grrrr! nscd cache access is leaking into child. Need to find out
* out how to disable that. Also means that text_userdb_names loads values
* from the real system data.
*/
if (tunable_text_userdb_names)
{
ptrace_sandbox_permit_mremap(p_sandbox);
}
/* May need ability to install signal handlers. */
if (tunable_async_abor_enable ||
tunable_idle_session_timeout > 0 ||
tunable_data_connection_timeout > 0)
{
ptrace_sandbox_permit_sigaction(p_sandbox);
}
/* May need ability to set up timeout alarms. */
if (tunable_idle_session_timeout > 0 || tunable_data_connection_timeout > 0)
{
ptrace_sandbox_permit_alarm(p_sandbox);
}
/* Set up network permissions according to config and session. */
ptrace_sandbox_permit_socket(p_sandbox);
ptrace_sandbox_set_socket_validator(p_sandbox,
socket_validator,
(void*) p_sess);
ptrace_sandbox_permit_bind(p_sandbox);
/* Yes, reuse of the connect validator is intentional. */
ptrace_sandbox_set_bind_validator(p_sandbox,
connect_validator,
(void*) p_sess);
if (tunable_port_enable)
{
ptrace_sandbox_permit_connect(p_sandbox);
ptrace_sandbox_set_connect_validator(p_sandbox,
connect_validator,
(void*) p_sess);
ptrace_sandbox_permit_getsockopt(p_sandbox);
ptrace_sandbox_set_getsockopt_validator(p_sandbox, getsockopt_validator, 0);
}
if (tunable_pasv_enable)
{
ptrace_sandbox_permit_listen(p_sandbox);
ptrace_sandbox_permit_accept(p_sandbox);
}
/* Set up write permissions according to config and session. */
if (tunable_write_enable)
{
if (!is_anon || tunable_anon_upload_enable)
{
ptrace_sandbox_permit_open(p_sandbox, 1);
}
if (!is_anon || tunable_anon_mkdir_write_enable)
{
ptrace_sandbox_permit_mkdir(p_sandbox);
}
if (!is_anon || tunable_anon_other_write_enable)
{
ptrace_sandbox_permit_unlink(p_sandbox);
ptrace_sandbox_permit_rmdir(p_sandbox);
ptrace_sandbox_permit_rename(p_sandbox);
ptrace_sandbox_permit_ftruncate(p_sandbox);
if (tunable_mdtm_write)
{
ptrace_sandbox_permit_utime(p_sandbox);
}
}
if (!is_anon && tunable_chmod_enable)
{
ptrace_sandbox_permit_chmod(p_sandbox);
}
if (is_anon && tunable_chown_uploads)
{
ptrace_sandbox_permit_fchmod(p_sandbox);
ptrace_sandbox_permit_fchown(p_sandbox);
}
}
}
static int
socket_validator(struct pt_sandbox* p_sandbox, void* p_arg)
{
int ret;
struct vsf_session* p_sess = (struct vsf_session*) p_arg;
unsigned long arg1;
unsigned long arg2;
unsigned long expected_family = AF_INET;
if (vsf_sysutil_sockaddr_is_ipv6(p_sess->p_local_addr))
{
expected_family = AF_INET6;
}
ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 0, &arg1);
if (ret != 0)
{
return ret;
}
ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 1, &arg2);
if (ret != 0)
{
return ret;
}
if (arg1 != expected_family || arg2 != SOCK_STREAM)
{
return -1;
}
return 0;
}
static int
connect_validator(struct pt_sandbox* p_sandbox, void* p_arg)
{
int ret;
struct vsf_session* p_sess = (struct vsf_session*) p_arg;
unsigned long arg2;
unsigned long arg3;
unsigned long expected_family = AF_INET;
unsigned long expected_len = sizeof(struct sockaddr_in);
void* p_buf = 0;
struct sockaddr* p_sockaddr;
static struct vsf_sysutil_sockaddr* p_sockptr;
if (vsf_sysutil_sockaddr_is_ipv6(p_sess->p_local_addr))
{
expected_family = AF_INET6;
expected_len = sizeof(struct sockaddr_in6);
}
ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 1, &arg2);
if (ret != 0)
{
return ret;
}
ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 2, &arg3);
if (ret != 0)
{
return ret;
}
if (arg3 != expected_len)
{
return -1;
}
p_buf = vsf_sysutil_malloc((int) expected_len);
ret = ptrace_sandbox_get_buf(p_sandbox, arg2, expected_len, p_buf);
if (ret != 0)
{
vsf_sysutil_free(p_buf);
return -2;
}
p_sockaddr = (struct sockaddr*) p_buf;
if (p_sockaddr->sa_family != expected_family)
{
vsf_sysutil_free(p_buf);
return -3;
}
if (expected_family == AF_INET)
{
struct sockaddr_in* p_sockaddr_in = (struct sockaddr_in*) p_sockaddr;
vsf_sysutil_sockaddr_alloc_ipv4(&p_sockptr);
vsf_sysutil_sockaddr_set_ipv4addr(p_sockptr,
(const unsigned char*)
&p_sockaddr_in->sin_addr);
}
else
{
struct sockaddr_in6* p_sockaddr_in6 = (struct sockaddr_in6*) p_sockaddr;
vsf_sysutil_sockaddr_alloc_ipv6(&p_sockptr);
vsf_sysutil_sockaddr_set_ipv6addr(p_sockptr,
(const unsigned char*)
&p_sockaddr_in6->sin6_addr);
}
if (!vsf_sysutil_sockaddr_addr_equal(p_sess->p_remote_addr, p_sockptr))
{
vsf_sysutil_free(p_buf);
return -4;
}
vsf_sysutil_free(p_buf);
return 0;
}
static int
getsockopt_validator(struct pt_sandbox* p_sandbox, void* p_arg)
{
int ret;
unsigned long arg2;
unsigned long arg3;
(void) p_arg;
ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 1, &arg2);
if (ret != 0)
{
return ret;
}
ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 2, &arg3);
if (ret != 0)
{
return ret;
}
if (arg2 != SOL_SOCKET || arg3 != SO_ERROR)
{
return -1;
}
return 0;
}
static int
setsockopt_validator(struct pt_sandbox* p_sandbox, void* p_arg)
{
int ret;
unsigned long arg2;
unsigned long arg3;
(void) p_arg;
ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 1, &arg2);
if (ret != 0)
{
return ret;
}
ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 2, &arg3);
if (ret != 0)
{
return ret;
}
if (arg2 == SOL_SOCKET)
{
if (arg3 != SO_KEEPALIVE &&
arg3 != SO_REUSEADDR &&
arg3 != SO_OOBINLINE &&
arg3 != SO_LINGER)
{
return -1;
}
}
else if (arg2 == IPPROTO_TCP)
{
if (arg3 != TCP_NODELAY)
{
return -2;
}
}
else if (arg2 == IPPROTO_IP)
{
if (arg3 != IP_TOS)
{
return -3;
}
}
else
{
return -4;
}
return 0;
}