Diffstat (limited to 'src/security_util.cpp')
-rw-r--r-- | src/security_util.cpp | 82 |
1 files changed, 82 insertions, 0 deletions
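--- /dev/null
+++ b/src/security_util.cpp
@@ -0,0 +1,82 @@
+//SPDX-License-Identifier: GPL-3.0
+
+#include <libqalculate/Function.h>
+#include <libqalculate/Variable.h>
+#include <security_util.h>
+
+#ifdef UID
+#include <grp.h>
+#include <cap-ng.h>
+#else
+#warning "Not doing setuid/setgid, do not use in production!"
+#endif
+
+#ifdef SECCOMP
+#include <seccomp.h>
+#else
+#warning "Not doing seccomp, do not use in production!"
+#endif
+
+void do_setuid() {
+#ifdef UID
+if (setgroups(0, {})) {
+perror("couldn't remove groups");
+abort();
+}
+
+if (setresgid(UID, UID, UID)) {
+perror("couldn't set gid");
+abort();
+}
+
+if (setresuid(UID, UID, UID)) {
+perror("couldn't set uid");
+abort();
+}
+
+capng_clear(CAPNG_SELECT_BOTH);
+if (capng_update(CAPNG_DROP, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SETGID)) {
+printf("couldn't drop caps: can't select\n");
+abort();
+}
+int err = capng_apply(CAPNG_SELECT_BOTH);
+if (err) {
+printf("couldn't drop caps: %d\n", err);
+abort();
+}
+#endif
+}
+
+void do_defang_calculator(Calculator *calc) {
+calc->getActiveFunction("command")->destroy(); // rce
+#ifdef HAS_PLOT
+calc->getActiveFunction("plot")->destroy(); // wouldn't work
+#endif
+calc->getActiveVariable("uptime")->destroy(); // information leakage
+}
+
+void do_seccomp() {
+#ifdef SECCOMP
+scmp_filter_ctx ctx;
+ctx = seccomp_init(SCMP_ACT_KILL);
+/* 0 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+/* 1 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+/* 9 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
+/* 10 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 0);
+/* 11 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
+/* 13 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 0);
+/* 14 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0);
+/* 24 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sched_yield), 0);
+/* 230 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clock_nanosleep), 0);
+/* 231 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+/* 262 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0);
+/* 273 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(set_robust_list), 0);
+/* 334 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rseq), 0);
+/* 435 */ seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clone3), 0);
+int err = seccomp_load(ctx);
+if (err) {
+printf("couldn't seccomp: %d\n", err);
+abort();
+}
+#endif
+}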
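Review bot: In do_seccomp every seccomp_rule_add return value is ignored, so if a rule cannot be added (for example clone3 or rseq unknown to an older libseccomp, or a bad context) the filter still loads without it and the process is later killed on that syscall instead of failing loudly at setup; seccomp_init can also return NULL, which is never checked before ctx is used. Since the allow list includes clone3 the process is presumably multithreaded, and SCMP_ACT_KILL then terminates only the offending thread — SCMP_ACT_KILL_PROCESS is the safer default action for a sandbox like this. A small checked helper addresses both, as sketched below. Separately, in do_setuid the capng_update(CAPNG_DROP, ..., CAP_SETGID) after capng_clear(CAPNG_SELECT_BOTH) drops a capability from an already-empty set and can go, and the printf error paths would be more consistent with the perror calls as `fprintf(stderr, ...)`.
```cpp
static void allow(scmp_filter_ctx ctx, int syscall_nr) {
    int err = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscall_nr, 0);
    if (err) {
        fprintf(stderr, "couldn't add seccomp rule for syscall %d: %d\n", syscall_nr, err);
        abort();
    }
}

void do_seccomp() {
#ifdef SECCOMP
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
    if (!ctx) {
        fprintf(stderr, "couldn't init seccomp\n");
        abort();
    }
    allow(ctx, SCMP_SYS(read));
    // … unchanged: remaining allow-list entries, each via allow() …
    int err = seccomp_load(ctx);
    // … unchanged: load error handling …
```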