1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
|
-- Copyright (C) 2007 Lauri Leukkunen <lle@rahina.org>
-- Portion Copyright (c) 2008 Nokia Corporation.
-- (exec postprocessing code written by Lauri T. Aarnio at Nokia)
--
-- Licensed under MIT license
argvmods = {}
-- only map gcc & friends if a cross compiler has been defined,
-- and it has not been disabled by the mapping rules:
if (enable_cross_gcc_toolchain == true) then
local gcc_rule_file_path = session_dir .. "/gcc-conf.lua"
if (sb.path_exists(gcc_rule_file_path)) then
-- this generates gcc related argv/envp manglings
do_file(session_dir .. "/lua_scripts/argvenvp_gcc.lua")
end
end
-- regular mangling rules go here
-- syntax is of the form:
--
-- rule = {
-- name = "binary-name",
-- path_prefixes = {"/list/of", "/possible/path/prefixes"},
-- add_head = {"list", "of", "args", "to", "prepend"},
-- add_tail = {"these", "are", "appended"},
-- remove = {"args", "to", "remove"},
-- new_filename = "exec-this-binary-instead",
-- disable_mapping = 1 -- set this to disable mappings
-- }
-- argvmods[rule.name] = rule
--
-- Environment modifications are not supported yet, except for disabling
-- mappings.
--
-- TODO:
--
-- * new_filename should probably be replaced by integrating argv/envp
-- mangling with the path mapping machinery.
dpkg_architecture = {
name = "dpkg-architecture",
path_prefixes = {"/usr/bin/"},
remove = {"-f"}
}
argvmods[dpkg_architecture.name] = dpkg_architecture
-- ------------------------------------
-- Exec preprocessing.
-- function sb_execve_preprocess is called to decide WHAT FILE
-- should be started (see description of the algorithm in sb_exec.c)
-- (this also typically adds, deletes, or modifies arguments whenever needed)
--
-- returns: err, file, argc, argv, envc, envp
-- (zero as "err" means "OK")
function sbox_execve_preprocess(filename, argv, envp)
local new_argv = {}
local new_envp = {}
local binaryname = string.match(filename, "[^/]+$")
local new_filename = filename
if (debug_messages_enabled) then
sb.log("debug", string.format(
"sbox_execve_preprocess(): %s\n", filename))
end
new_envp = envp
local am = argvmods[binaryname]
if (am ~= nil) then
local prefix_match_found = false
for i = 1, table.maxn(am.path_prefixes) do
if isprefix(am.path_prefixes[i], filename) then
prefix_match_found = true
break
end
end
if (not prefix_match_found) then
am = nil
end
end
if (am ~= nil) then
if (not am.remove) then am.remove = {} end
if (not am.add_head) then am.add_head = {} end
if (not am.add_tail) then am.add_tail = {} end
if (debug_messages_enabled) then
sb.log("debug", string.format(
"argvmods[%s] found\n", filename))
end
-- head additions
for i = 1, table.maxn(am.add_head) do
table.insert(new_argv, am.add_head[i])
end
-- populate new_argv, skip those that are to be removed
for i = 1, table.maxn(argv) do
local match = 0
for j = 1, table.maxn(am.remove) do
if (argv[i] == am.remove[j]) then
match = 1
end
end
if (match == 0) then
table.insert(new_argv, argv[i])
end
end
-- tail additions
for i = 1, table.maxn(am.add_tail) do
table.insert(new_argv, am.add_tail[i])
end
if (am.new_filename) then
-- print(string.format("changing to: %s\n", am.new_filename))
new_filename = am.new_filename
new_argv[1] = am.new_filename
end
if (am.disable_mapping) then
table.insert(new_envp, "SBOX_DISABLE_MAPPING=1")
table.insert(new_envp, "SBOX_DISABLE_ARGVENVP=1")
end
else
new_argv = argv
end
return 0, new_filename, #new_argv, new_argv, #new_envp, new_envp
end
-- ------------------------------------
function locate_ld_library_path(envp)
local k
for k = 1, table.maxn(envp) do
if (string.match(envp[k], "^LD_LIBRARY_PATH=")) then
return k
end
end
return -1
end
-- Return path to be used as LD_LIBRARY_PATH for native applications
--
function get_native_app_ld_library_path(exec_policy, envp)
-- attribute "native_app_ld_library_path" overrides everything else:
if (exec_policy.native_app_ld_library_path ~= nil) then
return exec_policy.native_app_ld_library_path
end
-- attributes "native_app_ld_library_path_prefix" and
-- "native_app_ld_library_path_suffix" extend the old value:
if ((exec_policy.native_app_ld_library_path_prefix ~= nil) or
(exec_policy.native_app_ld_library_path_suffix ~= nil)) then
local ld_library_path_index = locate_ld_library_path(envp)
local libpath = nil
if ld_library_path_index > 0 then
libpath = string.gsub(envp[ld_library_path_index],
"^LD_LIBRARY_PATH=", "", 1)
end
if (exec_policy.native_app_ld_library_path_prefix ~= nil) then
if libpath ~= nil then
libpath = exec_policy.native_app_ld_library_path_prefix ..
":" .. libpath
else
libpath = exec_policy.native_app_ld_library_path_prefix
end
end
if (exec_policy.native_app_ld_library_path_suffix ~= nil) then
if libpath ~= nil then
libpath = libpath .. ":" ..
exec_policy.native_app_ld_library_path_suffix
else
libpath = exec_policy.native_app_ld_library_path_suffix
end
end
return libpath
end
return nil
end
-- Set LD_LIBRARY_PATH: modifies "envp"
--
function setenv_native_app_ld_library_path(exec_policy, envp)
local ld_library_path_index = locate_ld_library_path(envp)
local new_path = get_native_app_ld_library_path(exec_policy, envp)
-- Set the value:
if (new_path ~= nil) then
if (ld_library_path_index > 0) then
envp[ld_library_path_index] =
"LD_LIBRARY_PATH=" .. new_path
sb.log("debug", "Replaced LD_LIBRARY_PATH")
else
table.insert(envp, "LD_LIBRARY_PATH=" .. new_path)
sb.log("debug", "Added LD_LIBRARY_PATH")
end
else
sb.log("debug", "No value for LD_LIBRARY_PATH")
end
end
-- ------------------------------------
-- returns args_ok, rule, exec_policy
function check_rule_and_policy(rule, exec_policy, filename, mapped_file)
-- First, if either rule or the exec policy is a string, something
-- has failed during the previous steps or mapping has been disabled;
-- => fail
if ((type(rule) == "string") or (type(exec_policy) == "string")) then
local rs = ""
local eps = ""
if (type(rule) == "string") then
rs = rule
end
if (type(exec_policy) == "string") then
eps = exec_policy
end
sb.log("debug", "check_rule_and_policy: "..rs..";"..eps);
return false, rule, exec_policy
end
-- if exec_policy was not provided by the caller (i.e. not
-- provided by the mapping rule), look up the policy from
-- exec_policy_chains array.
if (exec_policy == nil) then
local res
sb.log("debug", "trying exec_policy_chains..")
res, exec_policy = sb_find_exec_policy(binaryname, mapped_file)
if res == 0 then
-- there is no default policy for this mode
sb.log("notice",
"sb_execve_postprocess: No exec_policy for "..filename)
return false, rule, exec_policy
end
end
-- Exec policy is OK.
return true, rule, exec_policy
end
-- ------------------------------------
-- Script interpreter mapping.
-- This is called from C:
-- returns: rule, policy, result, mapped_interpreter, #argv, argv, #envp, envp
-- "result" is one of:
-- 0: argv / envp were modified; mapped_interpreter was set
-- 1: argv / envp were not modified; mapped_interpreter was set
-- 2: argv / envp were not modified; caller should call ordinary path
-- mapping to find the interpreter
-- -1: deny exec.
function sb_execve_map_script_interpreter(rule, exec_policy, interpreter,
interp_arg, mapped_script_filename, orig_script_filename, argv, envp)
local args_ok
args_ok, rule, exec_policy = check_rule_and_policy(rule,
exec_policy, orig_script_filename, mapped_script_filename)
if args_ok == false then
-- no exec policy. Deny exec, we can't find the interpreter
sb.log("error", "Unable to map script interpreter.");
return rule, exec_policy, -1, interpreter, #argv, argv, #envp, envp
end
-- exec policy is OK.
if (exec_policy.script_log_level ~= nil) then
sb.log(exec_policy.script_log_level,
exec_policy.script_log_message)
end
if (exec_policy.script_deny_exec == true) then
return rule, exec_policy, -1, interpreter, #argv, argv, #envp, envp
end
if (exec_policy.name == nil) then
sb.log("debug", "Applying nameless exec_policy to script")
else
sb.log("debug", string.format(
"Applying exec_policy '%s' to script",
exec_policy.name))
end
if (exec_policy.script_interpreter_rule ~= nil) then
local exec_pol_2, mapped_interpreter, ro_flag
exec_pol_2, mapped_interpreter, ro_flag = sbox_execute_rule(
interpreter, "map_script_interpreter",
interpreter, interpreter,
exec_policy.script_interpreter_rule)
if exec_policy.script_set_argv0_to_mapped_interpreter then
argv[1] = mapped_interpreter
return rule, exec_policy, 0,
mapped_interpreter, #argv, argv, #envp, envp
else
return rule, exec_policy, 1,
mapped_interpreter, #argv, argv, #envp, envp
end
end
-- The default case:
-- exec policy says nothing about the script interpreters.
-- use ordinary path mapping to find it
return rule, exec_policy, 2, interpreter, #argv, argv, #envp, envp
end
-- ------------------------------------
-- Exec postprocessing.
-- function sb_execve_postprocess is called to decide HOW the executable
-- should be started (see description of the algorithm in sb_exec.c)
--
-- returns: status, mapped_file, file, argc, argv, envc, envp
-- "status":
-- -1 = do not execute.
-- 0 = argc&argv were updated, OK to execute with the new params
-- 1 = ok to exec directly with orig.arguments
function sb_execve_postprocess_native_executable(rule, exec_policy,
exec_type, mapped_file, filename, argv, envp)
-- Native binary. See what we need to do with it...
sb.log("debug", string.format("sb_execve_postprocess: Native binary"))
sb.log("debug", "Rule: apply exec_policy")
if (rule.prefix ~= nil) then
sb.log("debug", string.format("rule.prefix=%s", rule.prefix))
end
if (rule.path ~= nil) then
sb.log("debug", string.format("rule.path=%s", rule.path))
end
local new_argv = {}
local new_envp = envp
local new_filename = filename
local new_mapped_file = mapped_file
-- by default, copy argv from index 1 (refers to argv[0])
local first_argv_element_to_copy = 1
local updated_args = 0
if (exec_policy.native_app_ld_so ~= nil) then
-- we need to use ld.so for starting the binary,
-- instead of starting it directly:
new_mapped_file = exec_policy.native_app_ld_so
table.insert(new_argv, exec_policy.native_app_ld_so)
local ld_lib_path = get_native_app_ld_library_path(
exec_policy, new_envp)
if (ld_lib_path ~= nil) then
table.insert(new_argv, "--library-path")
table.insert(new_argv, ld_lib_path)
end
-- NOTE/WARNING: The default ld.so (ld-linux.so) will loose
-- argv[0], when the binary is executed by ld.so's
-- command line (which we will be doing). It will always copy
-- the filename to argv[0].
--
-- We now have a patch for ld.so which introduces a new
-- option, "--argv0 argument", and a flag is used to tell
-- if a patched ld.so is available (the "sb2" script finds
-- that out during startup phase).
--
if (exec_policy.native_app_ld_so_supports_argv0) then
table.insert(new_argv, "--argv0")
-- C's argv[0] is in argv[1] here!
table.insert(new_argv, argv[1])
table.insert(new_argv, mapped_file)
else
-- Replace argv[0] by pathname:
table.insert(new_argv, mapped_file)
end
first_argv_element_to_copy = 2
updated_args = 1
elseif ((exec_policy.native_app_ld_library_path ~= nil) or
(exec_policy.native_app_ld_library_path_prefix ~= nil) or
(exec_policy.native_app_ld_library_path_suffix ~= nil)) then
-- Start the binary with a nonstandard LD_LIBRARY_PATH
setenv_native_app_ld_library_path(exec_policy, new_envp)
updated_args = 1
end
--
-- When exec_policy contains field 'native_app_locale_path' we
-- need to set environment variables $LOCPATH (and $NLSPATH) to
-- point there. Localization functions (e.g isalpha(), etc.)
-- gets their locale specific information from $LOCPATH when
-- it is set.
--
if exec_policy.native_app_locale_path ~= nil then
sb.log("debug", string.format("setting LOCPATH=%s",
exec_policy.native_app_locale_path))
table.insert(new_envp, "LOCPATH=" ..
exec_policy.native_app_locale_path)
table.insert(new_envp, "NLSPATH=" ..
exec_policy.native_app_locale_path)
updated_args = 1
end
if (updated_args == 1) then
-- Add components from original argv[]
local i
for i = first_argv_element_to_copy, table.maxn(argv) do
table.insert(new_argv, argv[i])
end
return 0, new_mapped_file, new_filename, #new_argv, new_argv, #new_envp, new_envp
end
-- else args not modified.
return 1, mapped_file, filename, #argv, argv, #envp, envp
end
if string.match(sbox_cputransparency_method, "qemu") then
cputransparency_method_is_qemu = true
end
if string.match(sbox_cputransparency_method, "sbrsh") then
cputransparency_method_is_sbrsh = true
end
function split_to_tokens(text,delim)
local results = {}
local c
for c in string.gmatch(text, delim) do
table.insert(results, c)
end
return results
end
-- Remove selected elements from a table of strings.
-- Returns a new table containing the selected elements, or nil if none
-- was found. Original table may be modified!
function pick_and_remove_elems_from_string_table(tbl,pattern)
local res = nil
if tbl ~= nil then
local i = #tbl
while (i > 0) do
if string.match(tbl[i], pattern) then
local elem = table.remove(tbl, i)
if res == nil then
res = {}
end
table.insert(res, elem)
end
i = i - 1
end
end
return(res)
end
function sb_execve_postprocess_sbrsh(rule, exec_policy,
exec_type, mapped_file, filename, argv, envp)
local new_argv = split_to_tokens(sbox_cputransparency_method,"[^%s]+")
if #new_argv < 1 then
sb.log("error", "Invalid sbox_cputransparency_method set");
-- deny
return -1, mapped_file, filename, #argv, argv, #envp, envp
end
if (sbox_target_root == nil) or (sbox_target_root == "") then
sb.log("error",
"sbox_target_root not set, "..
"unable to execute the target binary");
return -1, mapped_file, filename, #argv, argv, #envp, envp
end
sb.log("info", string.format("Exec:sbrsh (%s,%s,%s)",
new_argv[1], sbox_target_root, mapped_file));
local target_root = sbox_target_root
if not string.match(target_root, "/$") then
-- Add a trailing /
target_root = target_root.."/"
end
local file_in_device = mapped_file;
-- Check the file to execute; fail if the file can
-- not be located on the device
if isprefix(target_root, mapped_file) then
local trlen = string.len(target_root)
file_in_device = string.sub(file_in_device, trlen)
elseif isprefix(sbox_user_home_dir, mapped_file) then
-- no change
else
sb.log("error", string.format(
"Binary must be under target (%s) or"..
" home when using sbrsh", target_root))
return -1, mapped_file, filename, #argv, argv, #envp, envp
end
-- Check directory
local dir_in_device = sb.getcwd()
if isprefix(target_root, dir_in_device) then
local trlen = string.len(target_root)
dir_in_device = string.sub(dir_in_device, trlen)
elseif isprefix(sbox_user_home_dir, dir_in_device) then
-- no change
else
sb.log("warning", string.format(
"Executing binary with bogus working"..
" directory (/tmp) because sbrsh can only"..
" see %s and %s\n",
target_root, sbox_user_home_dir))
dir_in_device = "/tmp"
end
local new_envp = envp
local new_filename = new_argv[1] -- first component of method
if (sbox_sbrsh_config ~= nil) and (sbox_sbrsh_config ~= "") then
table.insert(new_argv, "--config")
table.insert(new_argv, sbox_sbrsh_config)
end
table.insert(new_argv, "--directory")
table.insert(new_argv, dir_in_device)
table.insert(new_argv, file_in_device)
-- Append arguments for target process (skip argv[0],
-- there isn't currently any way to give that over sbrsh)
for i = 2, #argv do
table.insert(new_argv, argv[i])
end
-- remove libsb2 from LD_PRELOAD
local ld_preload_tbl = pick_and_remove_elems_from_string_table(
new_envp, "^LD_PRELOAD=")
if ld_preload_tbl == nil then
sb.log("debug", "LD_PRELOAD not found")
else
sb.log("debug", string.format("LD_PRELOAD was %s",
ld_preload_tbl[1]))
local ld_preload_path = string.gsub(ld_preload_tbl[1],
"^LD_PRELOAD=", "", 1)
local ld_preload_components = split_to_tokens(ld_preload_path,
"[^:]+")
-- pick & throw away libsb2.so
pick_and_remove_elems_from_string_table(ld_preload_components,
sbox_libsb2)
if #ld_preload_components > 0 then
local new_ld_preload = table.concat(
ld_preload_components, ":")
table.insert(new_envp, "LD_PRELOAD="..new_ld_preload)
sb.log("debug", "set LD_PRELOAD to "..new_ld_preload)
else
sb.log("debug", "nothing left, run without LD_PRELOAD")
end
end
-- environment&args were changed
return 0, new_filename, filename, #new_argv, new_argv,
#new_envp, new_envp
end
function sb_execve_postprocess_cpu_transparency_executable(rule, exec_policy,
exec_type, mapped_file, filename, argv, envp)
sb.log("debug", "postprocessing cpu_transparency for " .. filename)
if cputransparency_method_is_qemu then
local new_envp = {}
local new_argv = {}
local new_filename = sbox_cputransparency_method
new_argv[1] = sbox_cputransparency_method
-- drop LD_PRELOAD env.var.
new_argv[2] = "-drop-ld-preload"
-- target runtime linker comes from /
new_argv[3] = "-L"
new_argv[4] = "/"
if conf_cputransparency_has_argv0_flag then
-- set target argv[0]
new_argv[5] = "-0"
new_argv[6] = argv[1]
end
if conf_cputransparency_qemu_has_libattr_hack_flag then
-- For ARM emulation:
-- a nasty bug exists in some older libattr library
-- version (e.g. it causes "ls -l" to crash), this
-- flag enables a hack in Qemu which makes
-- libattr to work correctly even if it uses incorrect
-- system call format.
table.insert(new_argv, "-libattr-hack")
end
if conf_cputransparency_qemu_has_env_control_flags then
for i = 1, #envp do
-- drop LD_TRACE_ from target environment
if not string.match(envp[i], "^LD_TRACE_.*") then
table.insert(new_envp, envp[i])
else
-- .. and move it to qemu command line
table.insert(new_argv, "-E")
table.insert(new_argv, envp[i])
end
end
else
-- copy environment. Some things will be broken with
-- this qemu (for example, prelinking won't work)
new_envp = envp
end
-- unmapped file is exec'd
table.insert(new_argv, filename)
--
-- Append arguments for target process (skip argv[0]
-- as this is done using -0 switch).
--
for i = 2, #argv do
table.insert(new_argv, argv[i])
end
-- environment&args were changed
return 0, new_filename, filename, #new_argv, new_argv,
#new_envp, new_envp
elseif cputransparency_method_is_sbrsh then
return sb_execve_postprocess_sbrsh(rule, exec_policy,
exec_type, mapped_file, filename, argv, envp)
end
-- no changes
return 1, mapped_file, filename, #argv, argv, #envp, envp
end
-- This is called from C:
function sb_execve_postprocess(rule, exec_policy, exec_type,
mapped_file, filename, binaryname, argv, envp)
local args_ok
args_ok, rule, exec_policy = check_rule_and_policy(rule,
exec_policy, filename, mapped_file)
if args_ok == false then
-- postprocessing is not needed / can't be done, but
-- exec must be allowed.
return 1, mapped_file, filename, #argv, argv, #envp, envp
end
-- Exec policy found.
if (exec_policy.log_level ~= nil) then
sb.log(exec_policy.log_level, exec_policy.log_message)
end
if (exec_policy.deny_exec == true) then
return -1, mapped_file, filename, #argv, argv, #envp, envp
end
if (exec_policy.name == nil) then
sb.log("debug", "Applying nameless exec_policy")
else
sb.log("debug", string.format("Applying exec_policy '%s'",
exec_policy.name))
end
sb.log("debug", string.format("sb_execve_postprocess:type=%s",
exec_type))
if (exec_policy.name) then
table.insert(envp, "__SB2_EXEC_POLICY_NAME="..exec_policy.name)
end
-- End of generic part. Rest of postprocessing depends on type of
-- the executable.
if (exec_type == "native") then
return sb_execve_postprocess_native_executable(rule,
exec_policy, exec_type, mapped_file,
filename, argv, envp)
elseif (exec_type == "cpu_transparency") then
return sb_execve_postprocess_cpu_transparency_executable(rule,
exec_policy, exec_type, mapped_file,
filename, argv, envp)
else
-- all other exec_types: allow exec with orig.args
return 1, mapped_file, filename, #argv, argv, #envp, envp
end
end
|