Merge bitcoin/bitcoin#24758: Disable the syscall sandbox for bitcoin-qt and remove gui-related syscalls

laanwj · laanwj · commit c5c4fb318281 · 2022-04-06T11:57:08.000+02:00
fabdf9f Remove gui-only syscalls (MarcoFalke) fa0c2aa init: Disable syscall sandbox in the bitcoin-qt process (MarcoFalke) Pull request description: It is basically impossible (and a bit out of scope) for us to maintain a sandbox for the qt library. I am not sure if it is possible to only sandbox a few threads in a process, but I doubt this will add no practical benefit anyway, so I am disabling the sandbox for the whole bitcoin-qt process. See also bitcoin/bitcoin#24690 (comment) ACKs for top commit: laanwj: Code review ACK fabdf9f Tree-SHA512: 944ded03ee25f7dfd0bfeea9c3f97f575f2d470aa03b387b07f3e3bec5cb886e4aaa17e4a9fb359d3e670e6da69adc9111673d13e6561ec55b3161bb67dfe760
diff --git a/src/init.cpp b/src/init.cpp
@@ -792,7 +792,7 @@ bool AppInitBasicSetup(const ArgsManager& args)
     return true;
 }
 
-bool AppInitParameterInteraction(const ArgsManager& args)
+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox)
 {
     const CChainParams& chainparams = Params();
     // ********************************************************* Step 2: parameter interactions
@@ -1058,6 +1058,9 @@ bool AppInitParameterInteraction(const ArgsManager& args)
         if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {
             return InitError(Untranslated("Installation of the syscall sandbox failed."));
         }
+        if (use_syscall_sandbox) {
+            SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
+        }
         LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);
     }
 #endif // USE_SYSCALL_SANDBOX
diff --git a/src/init.h b/src/init.h
@@ -41,7 +41,7 @@ bool AppInitBasicSetup(const ArgsManager& args);
  * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
  * @pre Parameters should be parsed and config file should be read, AppInitBasicSetup should have been called.
  */
-bool AppInitParameterInteraction(const ArgsManager& args);
+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox = true);
 /**
  * Initialization sanity checks: ecc init, sanity checks, dir lock.
  * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
diff --git a/src/node/interfaces.cpp b/src/node/interfaces.cpp
@@ -90,7 +90,7 @@ class NodeImpl : public Node
     uint32_t getLogCategories() override { return LogInstance().GetCategoryMask(); }
     bool baseInitialize() override
     {
-        return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs) && AppInitSanityChecks() &&
+        return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs, /*use_syscall_sandbox=*/false) && AppInitSanityChecks() &&
                AppInitLockDataDirectory() && AppInitInterfaces(*m_context);
     }
     bool appInitMain(interfaces::BlockAndHeaderTipInfo* tip_info) override
diff --git a/src/util/syscall_sandbox.cpp b/src/util/syscall_sandbox.cpp
@@ -592,8 +592,6 @@ class SeccompPolicyBuilder
         allowed_syscalls.insert(__NR_getcwd);          // get current working directory
         allowed_syscalls.insert(__NR_getdents);        // get directory entries
         allowed_syscalls.insert(__NR_getdents64);      // get directory entries
-        allowed_syscalls.insert(__NR_inotify_rm_watch);// remove an existing watch from an inotify instance
-        allowed_syscalls.insert(__NR_linkat);          // create relative to a directory file descriptor
         allowed_syscalls.insert(__NR_lstat);           // get file status
         allowed_syscalls.insert(__NR_mkdir);           // create a directory
         allowed_syscalls.insert(__NR_newfstatat);      // get file status
@@ -823,7 +821,6 @@ bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating)
             return false;
         }
     }
-    SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
     return true;
 }
 
diff --git a/src/util/syscall_sandbox.h b/src/util/syscall_sandbox.h
@@ -45,9 +45,6 @@ void SetSyscallSandboxPolicy(SyscallSandboxPolicy syscall_policy);
 
 #if defined(USE_SYSCALL_SANDBOX)
 //! Setup and enable the experimental syscall sandbox for the running process.
-//!
-//! SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION) is called as part of
-//! SetupSyscallSandbox(...).
 [[nodiscard]] bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating);
 
 //! Invoke a disallowed syscall. Use for testing purposes.

Original file line number	Diff line number	Diff line change
`@@ -792,7 +792,7 @@ bool AppInitBasicSetup(const ArgsManager& args)`
`792`	`792`	`return true;`
`793`	`793`	`}`
`794`	`794`
`795`		`-bool AppInitParameterInteraction(const ArgsManager& args)`
	`795`	`+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox)`
`796`	`796`	`{`
`797`	`797`	`const CChainParams& chainparams = Params();`
`798`	`798`	`// ********************************************************* Step 2: parameter interactions`
`@@ -1058,6 +1058,9 @@ bool AppInitParameterInteraction(const ArgsManager& args)`
`1058`	`1058`	`if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {`
`1059`	`1059`	`return InitError(Untranslated("Installation of the syscall sandbox failed."));`
`1060`	`1060`	`}`
	`1061`	`+ if (use_syscall_sandbox) {`
	`1062`	`+ SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);`
	`1063`	`+ }`
`1061`	`1064`	`LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);`
`1062`	`1065`	`}`
`1063`	`1066`	`#endif // USE_SYSCALL_SANDBOX`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ class NodeImpl : public Node`
`90`	`90`	`uint32_t getLogCategories() override { return LogInstance().GetCategoryMask(); }`
`91`	`91`	`bool baseInitialize() override`
`92`	`92`	`{`
`93`		`- return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs) && AppInitSanityChecks() &&`
	`93`	`+ return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs, /use_syscall_sandbox=/false) && AppInitSanityChecks() &&`
`94`	`94`	`AppInitLockDataDirectory() && AppInitInterfaces(*m_context);`
`95`	`95`	`}`
`96`	`96`	`bool appInitMain(interfaces::BlockAndHeaderTipInfo* tip_info) override`
Original file line number	Diff line number	Diff line change
`@@ -592,8 +592,6 @@ class SeccompPolicyBuilder`
`592`	`592`	`allowed_syscalls.insert(__NR_getcwd); // get current working directory`
`593`	`593`	`allowed_syscalls.insert(__NR_getdents); // get directory entries`
`594`	`594`	`allowed_syscalls.insert(__NR_getdents64); // get directory entries`
`595`		`- allowed_syscalls.insert(__NR_inotify_rm_watch);// remove an existing watch from an inotify instance`
`596`		`- allowed_syscalls.insert(__NR_linkat); // create relative to a directory file descriptor`
`597`	`595`	`allowed_syscalls.insert(__NR_lstat); // get file status`
`598`	`596`	`allowed_syscalls.insert(__NR_mkdir); // create a directory`
`599`	`597`	`allowed_syscalls.insert(__NR_newfstatat); // get file status`
`@@ -823,7 +821,6 @@ bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating)`
`823`	`821`	`return false;`
`824`	`822`	`}`
`825`	`823`	`}`
`826`		`- SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);`
`827`	`824`	`return true;`
`828`	`825`	`}`
`829`	`826`