2 * Copyright (c) 2004-2005, 2010-2018 Todd C. Miller <Todd.Miller@sudo.ws>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 * This is an open source non-commercial project. Dear PVS-Studio, please check it.
19 * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
24 #include <sys/types.h>
26 #if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
27 # include <sys/prctl.h>
28 # include <asm/unistd.h>
29 # include <linux/filter.h>
30 # include <linux/seccomp.h>
44 #endif /* HAVE_STRING_H */
47 #endif /* HAVE_STRINGS_H */
51 #if defined(HAVE_SHL_LOAD)
53 #elif defined(HAVE_DLOPEN)
57 #include "sudo_compat.h"
58 #include "pathnames.h"
60 #ifdef HAVE___INTERPOSE
62 * Mac OS X 10.4 and above has support for library symbol interposition.
63 * There is a good explanation of this in the Mac OS X Internals book.
65 typedef struct interpose_s {
70 # define FN_NAME(fn) dummy_ ## fn
71 # define INTERPOSE(fn) \
72 __attribute__((__used__)) static const interpose_t interpose_ ## fn \
73 __attribute__((__section__("__DATA,__interpose"))) = \
74 { (void *)dummy_ ## fn, (void *)fn };
76 # define FN_NAME(fn) fn
77 # define INTERPOSE(fn)
81 * Dummy versions of the exec(3) family of syscalls. It is not enough to
82 * just dummy out execve(2) since many C libraries do not call the public
83 * execve(2) interface. Note that it is still possible to access the real
84 * syscalls via the syscall(2) interface, but that is rarely done.
93 #define DUMMY1(fn, t1) \
99 #define DUMMY2(fn, t1, t2) \
101 FN_NAME(fn)(t1 a1, t2 a2) \
105 #define DUMMY3(fn, t1, t2, t3) \
107 FN_NAME(fn)(t1 a1, t2 a2, t3 a3) \
111 #define DUMMY6(fn, t1, t2, t3, t4, t5, t6) \
113 FN_NAME(fn)(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6) \
117 #define DUMMY_VA(fn, t1, t2) \
119 FN_NAME(fn)(t1 a1, t2 a2, ...) \
124 * Standard exec(3) family of functions.
126 DUMMY_VA(execl, const char *, const char *)
127 DUMMY_VA(execle, const char *, const char *)
128 DUMMY_VA(execlp, const char *, const char *)
129 DUMMY2(execv, const char *, char * const *)
130 DUMMY2(execvp, const char *, char * const *)
131 DUMMY3(execve, const char *, char * const *, char * const *)
134 * Non-standard exec(3) functions and corresponding private versions.
137 DUMMY3(execvP, const char *, const char *, char * const *)
140 DUMMY3(execvpe, const char *, char * const *, char * const *)
143 DUMMY3(exect, const char *, char * const *, char * const *)
147 * Not all systems support fexecve(2), posix_spawn(2) and posix_spawnp(2).
150 DUMMY3(fexecve, int , char * const *, char * const *)
152 #ifdef HAVE_POSIX_SPAWN
153 DUMMY6(posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
155 #ifdef HAVE_POSIX_SPAWNP
156 DUMMY6(posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
160 * system(3) and popen(3).
161 * We can't use a wrapper for popen since it returns FILE *, not int.
163 DUMMY1(system, const char *)
166 FN_NAME(popen)(const char *c, const char *t)
173 #if defined(HAVE_WORDEXP) && (defined(RTLD_NEXT) || defined(HAVE_SHL_LOAD) || defined(HAVE___INTERPOSE))
175 * We can't use a wrapper for wordexp(3) since we still want to call
176 * the real wordexp(3) but with WRDE_NOCMD added to the flags argument.
178 typedef int (*sudo_fn_wordexp_t)(const char *, wordexp_t *, int);
181 FN_NAME(wordexp)(const char *words, wordexp_t *we, int flags)
183 #if defined(HAVE___INTERPOSE)
184 return wordexp(words, we, flags | WRDE_NOCMD);
186 # if defined(HAVE_DLOPEN)
187 void *fn = dlsym(RTLD_NEXT, "wordexp");
188 # elif defined(HAVE_SHL_LOAD)
189 const char *name, *myname = _PATH_SUDO_NOEXEC;
190 struct shl_descriptor *desc;
194 name = strrchr(myname, '/');
198 /* Search for wordexp() but skip this shared object. */
199 while (shl_get(idx++, &desc) == 0) {
200 name = strrchr(desc->filename, '/');
202 name = desc->filename;
205 if (strcmp(name, myname) == 0)
207 if (shl_findsym(&desc->handle, "wordexp", TYPE_PROCEDURE, &fn) == 0)
217 return ((sudo_fn_wordexp_t)fn)(words, we, flags | WRDE_NOCMD);
218 #endif /* HAVE___INTERPOSE */
221 #endif /* HAVE_WORDEXP && (RTLD_NEXT || HAVE_SHL_LOAD || HAVE___INTERPOSE) */
224 * On Linux we can use a seccomp() filter to disable exec.
226 #if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
228 /* Older systems may not support execveat(2). */
229 #ifndef __NR_execveat
230 # define __NR_execveat -1
233 static void noexec_ctor(void) __attribute__((constructor));
238 struct sock_filter exec_filter[] = {
239 /* Load syscall number into the accumulator */
240 BPF_STMT(BPF_LD | BPF_ABS, offsetof(struct seccomp_data, nr)),
241 /* Jump to deny for execve/execveat */
242 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
243 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
244 /* Allow non-matching syscalls */
245 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
246 /* Deny execve/execveat syscall */
247 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))
249 const struct sock_fprog exec_fprog = {
255 * SECCOMP_MODE_FILTER will fail unless the process has
256 * CAP_SYS_ADMIN or the no_new_privs bit is set.
258 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
259 (void)prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog);
261 #endif /* HAVE_DECL_SECCOMP_SET_MODE_FILTER */