From 14873703e54cf3ac5bde2415828e7a83189be469 Mon Sep 17 00:00:00 2001
From: Paul Pan
Date: Wed, 27 Dec 2023 23:16:19 +0800
Subject: [PATCH] feat: allow to execute self
---
launcher.c | 7 +++++--
rules/rules.c | 9 +++++++++
sandbox.c | 36 +++++++++++++++++++++++++-----------
sandbox.h | 4 +++-
4 files changed, 42 insertions(+), 14 deletions(-)
diff --git a/launcher.c b/launcher.c
index fc0c2f9..130fdca 100644
--- a/launcher.c
+++ b/launcher.c
@@ -85,7 +85,7 @@ void parse(int argc, char *argv[]) {
void launch_child() {
char *args[] = {config[program], NULL};
- char *env[7];
+ char *env[8];
/* build env */ {
env[0] = malloc(sizeof("LD_PRELOAD=") + strlen(config[sandbox_path]) + 1);
@@ -106,7 +106,10 @@ void launch_child() {
env[5] = malloc(sizeof(SANDBOX_ACTION "=") + strlen(config[sandbox_action]) + 1);
sprintf(env[5], SANDBOX_ACTION "=%s", config[sandbox_action]);
- env[6] = NULL;
+ env[6] = malloc(sizeof(SANDBOX_EXE_PATH "=") + strlen(config[program]) + 1);
+ sprintf(env[6], SANDBOX_EXE_PATH "=%s", config[program]);
+
+ env[7] = NULL;
}
/* build stdin */ {
diff --git a/rules/rules.c b/rules/rules.c
index a7863a3..e6315ad 100644
--- a/rules/rules.c
+++ b/rules/rules.c
@@ -1,5 +1,6 @@
#include "rules.h"
#include "../err.h"
+#include "../sandbox.h"
#include "../utils/log.h"
#include
@@ -9,10 +10,18 @@ LIST_HEAD(seccomp_rules);
void register_rule(struct rule *rule) { list_add(&rule->list, &seccomp_rules); }
+void setup_self(scmp_filter_ctx ctx) {
+ // allow to execute self
+ char *self = getenv(SANDBOX_EXE_PATH);
+ if (self) add_syscall_nr_arg(SCMP_SYS(execve), ctx, SCMP_ACT_ALLOW, 1, SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)self));
+}
+
void setup_rule(char *name, scmp_filter_ctx ctx) {
struct list_head *current;
struct rule *rule;
+ setup_self(ctx);
+
list_for_each(current, &seccomp_rules) {
rule = list_entry(current, struct rule, list);
if (strcmp(rule->name, name) == 0) {
diff --git a/sandbox.c b/sandbox.c
index 1d159d9..986d89d 100644
--- a/sandbox.c
+++ b/sandbox.c
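Review bot: The `SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)self)` comparison in `setup_self` matches the pointer value of execve's first argument, not the string it points to — a seccomp-BPF filter cannot read user memory, so this rule does not restrict execution to "self". The sandboxed process can take the same address from `getenv(SANDBOX_EXE_PATH)`, overwrite the bytes there (the environment block is ordinary writable memory) with any other path, and call execve with that pointer; conversely a legitimate re-exec that passes a copy of the path, or argv[0], is still denied. If self-exec must be supported, the pathname check has to happen where the string can be read — a `SECCOMP_RET_USER_NOTIF` or ptrace supervisor is the usual approach — or the rule should be dropped rather than shipped with a check that only looks like one. At minimum replace `// allow to execute self` with a comment stating that the compare is on the pointer only and is not a path restriction, so the next reader does not rely on it. setup_rule's body continues outside the hunk.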
@@ -3,7 +3,8 @@
#include "rules/rules.h"
#include "utils/log.h"
-#include
+#include
+#include
#include
#include
@@ -15,6 +16,19 @@ void add_syscall_nr(int syscall_nr, scmp_filter_ctx ctx, uint32_t action) {
}
}
+void add_syscall_nr_arg(int syscall_nr, scmp_filter_ctx ctx, uint32_t action, unsigned arg_cnt, ...) {
+ va_list(args);
+ va_start(args, arg_cnt);
+
+ if (seccomp_rule_add(ctx, action, syscall_nr, arg_cnt, args)) {
+ LOG_ERR("Failed to add syscall %d", syscall_nr);
+ seccomp_release(ctx);
+ exit(ERR_SECCOMP_RESOLVE);
+ }
+
+ va_end(args);
+}
+
void add_syscall_name(const char *syscall_name, scmp_filter_ctx ctx, uint32_t action) {
int syscall_nr = seccomp_syscall_resolve_name(syscall_name);
if (syscall_nr == __NR_SCMP_ERROR) {
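Review bot: `seccomp_rule_add(ctx, action, syscall_nr, arg_cnt, args)` in `add_syscall_nr_arg` passes a `va_list` as the single variadic argument of a function that is itself variadic and expects `arg_cnt` values of `struct scmp_arg_cmp`; a `va_list` cannot be forwarded that way, so what libseccomp actually reads for the comparison is unspecified — the rule either fails to add (and the process exits) or is installed with a garbage comparison. Extract the comparisons with `va_arg(args, struct scmp_arg_cmp)` into a bounded array and use `seccomp_rule_add_array`, and call `va_end` on the failure path too. `ERR_SECCOMP_RESOLVE` also reads like the name-resolution code; whatever the existing `add_syscall_nr` (which starts above this hunk) uses for a failed rule add is presumably the right one here.
```c
void add_syscall_nr_arg(int syscall_nr, scmp_filter_ctx ctx, uint32_t action, unsigned arg_cnt, ...) {
    /* seccomp can compare at most 6 syscall arguments */
    struct scmp_arg_cmp cmps[6];
    if (arg_cnt > 6) {
        LOG_ERR("Too many argument comparisons for syscall %d", syscall_nr);
        seccomp_release(ctx);
        exit(ERR_SECCOMP_RESOLVE);
    }

    va_list args;
    va_start(args, arg_cnt);
    for (unsigned i = 0; i < arg_cnt; i++) cmps[i] = va_arg(args, struct scmp_arg_cmp);
    va_end(args);

    if (seccomp_rule_add_array(ctx, action, syscall_nr, arg_cnt, cmps)) {
        /* … unchanged: LOG_ERR, seccomp_release, exit … */
    }
}
```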
@@ -32,32 +46,32 @@ void setup_seccomp(void) {
char *template = getenv(SANDBOX_TEMPLATE);
char *action = getenv(SANDBOX_ACTION);
- bool kill = true;
- bool disabled = false;
-
- if (action && strncmp(action, "log", sizeof("log")) == 0) kill = false;
+ uint32_t act = SCMP_ACT_KILL;
+ bool disabled = false;
+ if (action && strncmp(action, "log", sizeof("log")) == 0) act = SCMP_ACT_LOG;
+ if (action && strncmp(action, "kill", sizeof("kill")) == 0) act = SCMP_ACT_KILL;
+ if (action && strncmp(action, "ret", sizeof("ret")) == 0) act = SCMP_ACT_ERRNO(EPERM);
if (action && strncmp(action, "disabled", sizeof("disabled")) == 0) {
LOG_INFO("Seccomp disabled");
- disabled = true;
- kill = false;
+ return;
}
- if (kill && !template) {
+ if (!template) {
LOG_ERR("Environment variable %s required", SANDBOX_TEMPLATE);
dump_rules();
exit(ERR_SECCOMP_ENV);
}
- scmp_filter_ctx ctx = seccomp_init(kill ? SCMP_ACT_KILL_PROCESS : SCMP_ACT_LOG);
+ scmp_filter_ctx ctx = seccomp_init(act);
if (!ctx) {
LOG_ERR("Failed to init seccomp context");
exit(ERR_SECCOMP_INIT);
}
- if (!disabled && template) setup_rule(template, ctx);
+ setup_rule(template, ctx);
- if (!disabled && seccomp_load(ctx)) {
+ if (seccomp_load(ctx)) {
LOG_ERR("Failed to load seccomp context");
seccomp_release(ctx);
exit(ERR_SECCOMP_LOAD);
diff --git a/sandbox.h b/sandbox.h
index d294088..82adece 100644
--- a/sandbox.h
+++ b/sandbox.h
@@ -7,9 +7,11 @@
// Configuration Environment Variables
#define SANDBOX_TEMPLATE "SANDBOX_TEMPLATE"
#define SANDBOX_ACTION "SANDBOX_ACTION"
+#define SANDBOX_EXE_PATH "SANDBOX_EXE_PATH"
void setup_seccomp(void);
-void add_syscall_name(const char *syscall_name, scmp_filter_ctx ctx, uint32_t action);
void add_syscall_nr(int syscall_nr, scmp_filter_ctx ctx, uint32_t action);
+void add_syscall_nr_arg(int syscall_nr, scmp_filter_ctx ctx, uint32_t action, unsigned arg_cnt, ...);
+void add_syscall_name(const char *syscall_name, scmp_filter_ctx ctx, uint32_t action);
#endif // WOJ_SANDBOX_SANDBOX_H
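Review bot: `uint32_t act = SCMP_ACT_KILL;` and the `"kill"` branch replace the previous `SCMP_ACT_KILL_PROCESS` default with `SCMP_ACT_KILL`, which libseccomp defines as the thread-kill action: in a multi-threaded sandboxed program only the violating thread is terminated and its siblings keep running, a weaker guarantee than the removed line gave. Unless the downgrade is deliberate, write `uint32_t act = SCMP_ACT_KILL_PROCESS;` and `act = SCMP_ACT_KILL_PROCESS;` in the "kill" branch. `bool disabled = false;` is now dead because the disabled path returns early, and the `"ret"` branch deserves a one-line comment that denied syscalls fail with EPERM instead of stopping the process, since a program can silently continue past a violation in that mode. setup_seccomp's body continues past the hunk.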