tor

test_sandbox.c (12318B)

---

/* Copyright (c) 2021, The Tor Project, Inc. */
/* See LICENSE for licensing information */

#ifndef _LARGEFILE64_SOURCE
/**
* Temporarily required for O_LARGEFILE flag. Needs to be removed
* with the libevent fix.
*/
#define _LARGEFILE64_SOURCE
#endif /* !defined(_LARGEFILE64_SOURCE) */

#include "orconfig.h"

#include "lib/sandbox/sandbox.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "ext/equix/include/equix.h"

#ifdef USE_LIBSECCOMP

#include <dirent.h>
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif

#include "core/or/or.h"

#include "test/test.h"
#include "test/log_test_helpers.h"

typedef struct {
 sandbox_cfg_t *cfg;

 char *file_ops_allowed;
 char *file_ops_blocked;

 char *file_rename_target_allowed;

 char *dir_ops_allowed;
 char *dir_ops_blocked;
} sandbox_data_t;

/* All tests are skipped when coverage support is enabled (see further below)
* as the sandbox interferes with the use of gcov.  Prevent a compiler warning
* by omitting these definitions in that case. */
#ifndef ENABLE_COVERAGE
static void *
setup_sandbox(const struct testcase_t *testcase)
{
 sandbox_data_t *data = tor_malloc_zero(sizeof(*data));

 (void)testcase;

 /* Establish common file and directory names within the test suite's
  * temporary directory. */
 data->file_ops_allowed = tor_strdup(get_fname("file_ops_allowed"));
 data->file_ops_blocked = tor_strdup(get_fname("file_ops_blocked"));

 data->file_rename_target_allowed =
   tor_strdup(get_fname("file_rename_target_allowed"));

 data->dir_ops_allowed = tor_strdup(get_fname("dir_ops_allowed"));
 data->dir_ops_blocked = tor_strdup(get_fname("dir_ops_blocked"));

 /* Create the corresponding filesystem objects. */
 creat(data->file_ops_allowed, S_IRWXU);
 creat(data->file_ops_blocked, S_IRWXU);
 mkdir(data->dir_ops_allowed, S_IRWXU);
 mkdir(data->dir_ops_blocked, S_IRWXU);

 /* Create the sandbox configuration. */
 data->cfg = sandbox_cfg_new();

 sandbox_cfg_allow_open_filename(&data->cfg,
                                 tor_strdup(data->file_ops_allowed));
 sandbox_cfg_allow_open_filename(&data->cfg,
                                 tor_strdup(data->dir_ops_allowed));

 sandbox_cfg_allow_chmod_filename(&data->cfg,
                                  tor_strdup(data->file_ops_allowed));
 sandbox_cfg_allow_chmod_filename(&data->cfg,
                                  tor_strdup(data->dir_ops_allowed));
 sandbox_cfg_allow_chown_filename(&data->cfg,
                                  tor_strdup(data->file_ops_allowed));
 sandbox_cfg_allow_chown_filename(&data->cfg,
                                  tor_strdup(data->dir_ops_allowed));

 sandbox_cfg_allow_rename(&data->cfg, tor_strdup(data->file_ops_allowed),
                          tor_strdup(data->file_rename_target_allowed));

 sandbox_cfg_allow_openat_filename(&data->cfg,
                                   tor_strdup(data->dir_ops_allowed));

 sandbox_cfg_allow_opendir_dirname(&data->cfg,
                                   tor_strdup(data->dir_ops_allowed));

 sandbox_cfg_allow_stat_filename(&data->cfg,
                                 tor_strdup(data->file_ops_allowed));
 sandbox_cfg_allow_stat_filename(&data->cfg,
                                 tor_strdup(data->dir_ops_allowed));

 /* Activate the sandbox, which will remain in effect until the process
  * terminates. */
 sandbox_init(data->cfg);

 return data;
}

static int
cleanup_sandbox(const struct testcase_t *testcase, void *data_)
{
 sandbox_data_t *data = data_;

 (void)testcase;

 tor_free(data->dir_ops_blocked);
 tor_free(data->dir_ops_allowed);
 tor_free(data->file_rename_target_allowed);
 tor_free(data->file_ops_blocked);
 tor_free(data->file_ops_allowed);

 tor_free(data);

 return 1;
}

static const struct testcase_setup_t sandboxed_testcase_setup = {
 .setup_fn = setup_sandbox,
 .cleanup_fn = cleanup_sandbox
};
#endif /* !defined(ENABLE_COVERAGE) */

static void
test_sandbox_is_active(void *ignored)
{
 (void)ignored;

 tt_assert(!sandbox_is_active());

 sandbox_init(sandbox_cfg_new());
 tt_assert(sandbox_is_active());

done:
 (void)0;
}

static void
test_sandbox_open_filename(void *arg)
{
 sandbox_data_t *data = arg;
 int fd, errsv;

 fd = open(sandbox_intern_string(data->file_ops_allowed), O_RDONLY);
 if (fd == -1)
   tt_abort_perror("open");
 close(fd);

 /* It might be nice to use sandbox_intern_string() in the line below as well
  * (and likewise in the test cases that follow) but this would require
  * capturing the warning message it logs, and the mechanism for doing so
  * relies on system calls that are normally blocked by the sandbox and may
  * vary across architectures. */
 fd = open(data->file_ops_blocked, O_RDONLY);
 errsv = errno;
 tt_int_op(fd, OP_EQ, -1);
 tt_int_op(errsv, OP_EQ, EPERM);

done:
 if (fd >= 0)
   close(fd);
}

static void
test_sandbox_chmod_filename(void *arg)
{
 sandbox_data_t *data = arg;
 int rc, errsv;

 if (chmod(sandbox_intern_string(data->file_ops_allowed),
           S_IRUSR | S_IWUSR) != 0)
   tt_abort_perror("chmod");

 rc = chmod(data->file_ops_blocked, S_IRUSR | S_IWUSR);
 errsv = errno;
 tt_int_op(rc, OP_EQ, -1);
 tt_int_op(errsv, OP_EQ, EPERM);

done:
 (void)0;
}

static void
test_sandbox_chown_filename(void *arg)
{
 sandbox_data_t *data = arg;
 int rc, errsv;

 if (chown(sandbox_intern_string(data->file_ops_allowed), -1, -1) != 0)
   tt_abort_perror("chown");

 rc = chown(data->file_ops_blocked, -1, -1);
 errsv = errno;
 tt_int_op(rc, OP_EQ, -1);
 tt_int_op(errsv, OP_EQ, EPERM);

done:
 (void)0;
}

static void
test_sandbox_rename_filename(void *arg)
{
 sandbox_data_t *data = arg;
 const char *fname_old = sandbox_intern_string(data->file_ops_allowed),
   *fname_new = sandbox_intern_string(data->file_rename_target_allowed);
 int rc, errsv;

 if (rename(fname_old, fname_new) != 0)
   tt_abort_perror("rename");

 rc = rename(fname_new, fname_old);
 errsv = errno;
 tt_int_op(rc, OP_EQ, -1);
 tt_int_op(errsv, OP_EQ, EPERM);

done:
 (void)0;
}

static void
test_sandbox_openat_filename(void *arg)
{
 sandbox_data_t *data = arg;
 int flags = O_RDONLY | O_NONBLOCK | O_LARGEFILE | O_DIRECTORY | O_CLOEXEC;
 int fd, errsv;

 fd = openat(AT_FDCWD, sandbox_intern_string(data->dir_ops_allowed), flags);
 if (fd < 0)
   tt_abort_perror("openat");
 close(fd);

 fd = openat(AT_FDCWD, data->dir_ops_blocked, flags);
 errsv = errno;
 tt_int_op(fd, OP_EQ, -1);
 tt_int_op(errsv, OP_EQ, EPERM);

done:
 if (fd >= 0)
   close(fd);
}

static void
test_sandbox_opendir_dirname(void *arg)
{
 sandbox_data_t *data = arg;
 DIR *dir;
 int errsv;

 dir = opendir(sandbox_intern_string(data->dir_ops_allowed));
 if (dir == NULL)
   tt_abort_perror("opendir");
 closedir(dir);

 dir = opendir(data->dir_ops_blocked);
 errsv = errno;
 tt_ptr_op(dir, OP_EQ, NULL);
 tt_int_op(errsv, OP_EQ, EPERM);

done:
 if (dir)
   closedir(dir);
}

static void
test_sandbox_stat_filename(void *arg)
{
 sandbox_data_t *data = arg;
 struct stat st;

 if (stat(sandbox_intern_string(data->file_ops_allowed), &st) != 0)
   tt_abort_perror("stat");

 int rc = stat(data->file_ops_blocked, &st);
 int errsv = errno;
 tt_int_op(rc, OP_EQ, -1);
 tt_int_op(errsv, OP_EQ, EPERM);

done:
 (void)0;
}

/** This is a simplified subset of test_crypto_equix(), running one solve
* and one verify from inside the sandbox. The sandbox restricts mprotect, and
* hashx will experience a failure at runtime which this test case exercises.
* The result of the solve and verify should both still be correct, since we
* expect it to cleanly fall back on an interpreted implementation which has
* no operating system dependencies. */
static void
test_sandbox_crypto_equix(void *arg)
{
 (void)arg;

 const char *challenge_literal = "abce";
 const size_t challenge_len = strlen(challenge_literal);
 const size_t num_sols = 4;
 static const equix_solution sols_expected[EQUIX_MAX_SOLS] = {
   {{ 0x4fca, 0x72eb, 0x101f, 0xafab, 0x1add, 0x2d71, 0x75a3, 0xc978 }},
   {{ 0x17f1, 0x7aa6, 0x23e3, 0xab00, 0x7e2f, 0x917e, 0x16da, 0xda9e }},
   {{ 0x70ee, 0x7757, 0x8a54, 0xbd2b, 0x90e4, 0xe31e, 0x2085, 0xe47e }},
   {{ 0x62c5, 0x86d1, 0x5752, 0xe1f0, 0x12da, 0x8f33, 0x7336, 0xf161 }},
 };

 equix_solutions_buffer output;
 equix_ctx *solve_ctx = NULL, *verify_ctx = NULL;

 solve_ctx = equix_alloc(EQUIX_CTX_SOLVE | EQUIX_CTX_TRY_COMPILE);
 tt_ptr_op(solve_ctx, OP_NE, NULL);

 equix_result result;
 memset(&output, 0xEE, sizeof output);
 result = equix_solve(solve_ctx, challenge_literal, challenge_len, &output);
 tt_int_op(result, OP_EQ, EQUIX_OK);
 tt_int_op(output.count, OP_EQ, num_sols);
 tt_int_op(output.flags, OP_EQ, 0); /* EQUIX_SOLVER_DID_USE_COMPILER unset */
 tt_mem_op(output.sols, OP_EQ, sols_expected,
           num_sols * sizeof(equix_solution));

 verify_ctx = equix_alloc(EQUIX_CTX_VERIFY | EQUIX_CTX_TRY_COMPILE);
 tt_ptr_op(verify_ctx, OP_NE, NULL);

 /* Test one of the solutions randomly */
 const unsigned sol_i = crypto_rand_int(num_sols);
 equix_solution *sol = &output.sols[sol_i];

 result = equix_verify(verify_ctx, challenge_literal,
                       challenge_len, sol);
 tt_int_op(EQUIX_OK, OP_EQ, result);

done:
 equix_free(solve_ctx);
 equix_free(verify_ctx);
}

#define SANDBOX_TEST_SKIPPED(name) \
 { #name, test_sandbox_ ## name, TT_SKIP, NULL, NULL }

/* Skip all tests when coverage support is enabled, as the sandbox interferes
* with gcov and prevents it from producing any results. */
#ifdef ENABLE_COVERAGE
#define SANDBOX_TEST(name, flags) SANDBOX_TEST_SKIPPED(name)
#define SANDBOX_TEST_IN_SANDBOX(name) SANDBOX_TEST_SKIPPED(name)
#else
#define SANDBOX_TEST(name, flags) \
 { #name, test_sandbox_ ## name, flags, NULL, NULL }
#define SANDBOX_TEST_IN_SANDBOX(name) \
 { #name, test_sandbox_ ## name, TT_FORK, &sandboxed_testcase_setup, NULL }
#endif /* defined(ENABLE_COVERAGE) */

struct testcase_t sandbox_tests[] = {
 SANDBOX_TEST(is_active, TT_FORK),

/* When Tor is built with fragile compiler-hardening the sandbox is usually
* unable to filter requests to open files or directories, as doing so would
* interfere with the address sanitizer as it retrieves information about the
* running process via the filesystem.  Skip these tests in that case as the
* corresponding functions are likely to have no effect and this will cause the
* tests to fail. */
#ifdef ENABLE_FRAGILE_HARDENING
 SANDBOX_TEST_SKIPPED(open_filename),
 SANDBOX_TEST_SKIPPED(openat_filename),
 SANDBOX_TEST_SKIPPED(opendir_dirname),
#else
 SANDBOX_TEST_IN_SANDBOX(open_filename),
 SANDBOX_TEST_IN_SANDBOX(openat_filename),
#endif /* defined(ENABLE_FRAGILE_HARDENING) */

 /* Ok why... Quick answer is #40918. This has been failing on Debian SID
  * making us unable to have nightly packages which is a problem as we have
  * several relay operators using them and actively reporting us issues with
  * them. This test fails due to the sandbox denying it.
  *
  * We are deprecating C-tor slowly and honestly, the Sandbox feature has
  * always been a source of pain and unhappiness. Disable this as finding why,
  * fixing it and hoping it doesn't come back will mostly be a waste of our
  * time at this point. */
 SANDBOX_TEST_SKIPPED(opendir_dirname),

 SANDBOX_TEST_IN_SANDBOX(chmod_filename),
 SANDBOX_TEST_IN_SANDBOX(chown_filename),
 SANDBOX_TEST_IN_SANDBOX(rename_filename),

/* Currently the sandbox is unable to filter stat() calls on systems where
* glibc implements this function using either of the legacy "stat" or "stat64"
* system calls, or (in glibc version 2.33 and later) either of the newer
* "newfstatat" or "statx" syscalls.
*
* Skip testing sandbox_cfg_allow_stat_filename() if it seems the likely the
* function will have no effect and the test will therefore not succeed. */
#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat) \
 && !(defined(__i386__) && defined(__NR_statx))
 SANDBOX_TEST_IN_SANDBOX(stat_filename),
#else
 SANDBOX_TEST_SKIPPED(stat_filename),
#endif

 SANDBOX_TEST_IN_SANDBOX(crypto_equix),
 END_OF_TESTCASES
};

#endif /* defined(USE_SECCOMP) */