auth/box: build restricted namespaces using components from the parent.

2022-06-07 05:38:08 +00:00 · 2022-06-07 05:38:08 +00:00 · 056ad652a4
commit 056ad652a4
parent f4840cdba5
3 changed files with 230 additions and 0 deletions
--- a/sys/man/8/auth
+++ b/sys/man/8/auth
@ -60,6 +60,20 @@ changeuser, convkeys, printnetkey, status, enable, disable, authsrv, guard.srv,
 .I arg
 \&...
 .PP
+.B auth/box
+[
+.B -d
+] [
+.B -rc
+.I file
+] [
+.B -e
+.I devs
+]
+.I command
+.I arg
+\&...
+.PP
 .B auth/as
 [
 .B -d
@ -264,6 +278,29 @@ If there are no arguments, it
 It's an easy way to run a command as
 .IR none .
 .PP
+.I Box
+sets up a restricted namespace and
+.IR exec's
+its arguments as the user
+.IR none .
+Components of the current namespace are bound
+into the child namespace with the
+.B -r 
+and 
+.B -c
+flags, using either
+.I MREPL 
+or
+.I MCREATE
+respectively. The only components
+in the child namespace will be those
+defined this way.
+By default all further kernel driver
+access is blocked. The
+.B -e
+flag specifies a string of driver
+characters to keep in the child namespace.
+.PP
 .I As
 executes
 .I command
--- a/sys/src/cmd/auth/box.c
+++ b/sys/src/cmd/auth/box.c
@ -0,0 +1,192 @@
+#include <u.h>
+#include <libc.h>
+#include <auth.h>
+
+static int debug;
+
+static void
+binderr(char *new, char *old, int flag)
+{
+	char dash[4] = { '-' };
+
+	if(debug){
+		if(flag & MCREATE){
+			dash[2] = 'c';
+			flag &= ~MCREATE;
+		}
+		switch(flag){
+		case MREPL:
+			dash[0] = ' ';
+			if(dash[2] == 'c')
+				dash[1] = '-';
+			else
+				dash[1] = ' ';
+			break;
+		case MBEFORE:
+			dash[1] = 'b';
+			break;
+		case MAFTER:
+			dash[1] = 'a';
+			break;
+		}
+		print("bind %s %s %s\n", dash, new, old);
+	}
+	if(bind(new, old, flag) < 0)
+		sysfatal("bind: %r");
+}
+
+static void
+resolvenames(char **names, int nname)
+{
+	int i;
+	char buf[8192];
+	int fd;
+
+	fd = open(".", OREAD|OCEXEC);
+	if(fd < 0)
+		sysfatal("could not open .: %r");
+	fd2path(fd, buf, sizeof buf);
+	for(i = 0; i < nname; i++){
+		if(names[i] == nil)
+			continue;
+		cleanname(names[i]);
+		switch(names[i][0]){
+		case '#':
+		case '/':
+			break;
+		case '.':
+			if(names[i][1] == '/')
+				break;
+		default:
+			names[i] = cleanname(smprint("%s/%s", buf, names[i]));
+		}	
+	}
+	close(fd);
+}
+
+static void
+sandbox(char **names, int *flags, int nname)
+{
+	char *parts[32];
+	char rootskel[128];
+	char src[8192], targ[8192], dir[8192], skel[8192];
+	char name[8192];
+	char *newroot;
+	Dir *d;
+	int i, j, n;
+
+	snprint(rootskel, sizeof rootskel, "#zd/newroot.%d", getpid());
+	binderr(rootskel, "/", MBEFORE);
+
+	newroot = rootskel + strlen("#zd");
+
+	for(j = 0; j < nname; j++){
+		if(names[j] == nil)
+			continue;
+		utfecpy(name, &name[sizeof name-1], names[j]);
+		n = gettokens(name, parts, nelem(parts), "/");
+		utfecpy(targ, &targ[sizeof targ-1], newroot);
+		memset(src, 0, sizeof src);
+		for(i = 0; i < n; i++){
+			utfecpy(dir, &dir[sizeof dir-1], targ);
+			snprint(targ, sizeof targ, "%s/%s", targ, parts[i]);
+			snprint(src, sizeof src, "%s/%s", src, parts[i]);
+			d = dirstat(targ);
+			if(d != nil){
+				free(d);
+				continue;
+			}
+			d = dirstat(src);
+			if(d == nil)
+				continue;
+			if(d->mode & DMDIR)
+				snprint(skel, sizeof skel, "#zd/%s", parts[i]);
+			else
+				snprint(skel, sizeof skel, "#zf/%s", parts[i]);
+			free(d);
+			binderr(skel, dir, MBEFORE);
+		}
+		binderr(names[j], targ, flags[j]);
+	}
+	binderr(newroot, "/", MREPL);
+}
+
+static void
+run(char **a)
+{
+	exec(a[0], a);
+
+	if(a[0][0] != '/' && a[0][0] != '#' &&
+	  (a[0][0] != '.' || (a[0][1] != '/' &&
+		             (a[0][1] != '.' ||  a[0][2] != '/'))))
+		exec(smprint("/bin/%s", a[0]), a);
+
+	sysfatal("exec: %s: %r", a[0]);
+}
+
+void
+usage(void)
+{
+	fprint(2, "usage %s: [ -d ] [ -r file ] [ -c dir ] [ -e devs ] cmd args...\n", argv0);
+	exits("usage");
+}
+
+void
+main(int argc, char **argv)
+{
+	char devs[1024];
+	int dfd;
+	char *parts[256];
+	int mflags[256];
+	int nparts;
+
+	nparts = 0;
+	memset(devs, 0, sizeof devs);
+	ARGBEGIN{
+	case 'd':
+		debug = 1;
+		break;
+	case 'r':
+		parts[nparts] = EARGF(usage());
+		mflags[nparts++] = MREPL;
+		break;
+	case 'c':
+		parts[nparts] = EARGF(usage());
+		mflags[nparts++] = MCREATE|MREPL;
+		break;
+	case 'e':
+		snprint(devs, sizeof devs, "%s%s", devs, EARGF(usage()));
+		break;
+	default:
+		usage();
+		break;
+	}ARGEND
+	if(argc == 0)
+		usage();
+
+	rfork(RFNAMEG|RFENVG);
+	dfd = open("/dev/drivers", OWRITE|OCEXEC);
+	if(dfd < 0)
+		sysfatal("could not /dev/drivers: %r");
+
+	resolvenames(parts, nparts);
+
+	if(procsetuser("none") < 0)
+		sysfatal("cant become none: %r");
+	putenv("user", "none");
+
+	sandbox(parts, mflags, nparts);
+	
+	if(debug)
+		print("chdev %s\n", devs);
+
+	if(devs[0] != '\0'){
+		if(fprint(dfd, "chdev & %s", devs) <= 0)
+			sysfatal("could not write chdev: %r");
+	} else {
+		if(fprint(dfd, "chdev ~") <= 0)
+			sysfatal("could not write chdev: %r");
+	}
+	close(dfd);
+	run(argv);
+}
--- a/sys/src/cmd/auth/mkfile
+++ b/sys/src/cmd/auth/mkfile
@ -9,6 +9,7 @@ TARG=\
 	asn1dump\
 	asn12rsa\
 	authsrv\
+	box\
 	changeuser\
 	convkeys\
 	cron\