init: Disable syscall sandbox in the bitcoin-qt process

MarcoFalke · MarcoFalke · commit fa0c2aa82628 · 2022-04-05T13:29:42.000+02:00
diff --git a/src/init.cpp b/src/init.cpp
@@ -792,7 +792,7 @@ bool AppInitBasicSetup(const ArgsManager& args)
     return true;
 }
 
-bool AppInitParameterInteraction(const ArgsManager& args)
+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox)
 {
     const CChainParams& chainparams = Params();
     // ********************************************************* Step 2: parameter interactions
@@ -1058,6 +1058,9 @@ bool AppInitParameterInteraction(const ArgsManager& args)
         if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {
             return InitError(Untranslated("Installation of the syscall sandbox failed."));
         }
+        if (use_syscall_sandbox) {
+            SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
+        }
         LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);
     }
 #endif // USE_SYSCALL_SANDBOX
diff --git a/src/init.h b/src/init.h
@@ -41,7 +41,7 @@ bool AppInitBasicSetup(const ArgsManager& args);
  * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
  * @pre Parameters should be parsed and config file should be read, AppInitBasicSetup should have been called.
  */
-bool AppInitParameterInteraction(const ArgsManager& args);
+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox = true);
 /**
  * Initialization sanity checks: ecc init, sanity checks, dir lock.
  * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
diff --git a/src/node/interfaces.cpp b/src/node/interfaces.cpp
@@ -90,7 +90,7 @@ class NodeImpl : public Node
     uint32_t getLogCategories() override { return LogInstance().GetCategoryMask(); }
     bool baseInitialize() override
     {
-        return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs) && AppInitSanityChecks() &&
+        return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs, /*use_syscall_sandbox=*/false) && AppInitSanityChecks() &&
                AppInitLockDataDirectory() && AppInitInterfaces(*m_context);
     }
     bool appInitMain(interfaces::BlockAndHeaderTipInfo* tip_info) override
diff --git a/src/util/syscall_sandbox.cpp b/src/util/syscall_sandbox.cpp
@@ -823,7 +823,6 @@ bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating)
             return false;
         }
     }
-    SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
     return true;
 }
 
diff --git a/src/util/syscall_sandbox.h b/src/util/syscall_sandbox.h
@@ -45,9 +45,6 @@ void SetSyscallSandboxPolicy(SyscallSandboxPolicy syscall_policy);
 
 #if defined(USE_SYSCALL_SANDBOX)
 //! Setup and enable the experimental syscall sandbox for the running process.
-//!
-//! SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION) is called as part of
-//! SetupSyscallSandbox(...).
 [[nodiscard]] bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating);
 
 //! Invoke a disallowed syscall. Use for testing purposes.

Original file line number	Diff line number	Diff line change
`@@ -792,7 +792,7 @@ bool AppInitBasicSetup(const ArgsManager& args)`
`792`	`792`	`return true;`
`793`	`793`	`}`
`794`	`794`
`795`		`-bool AppInitParameterInteraction(const ArgsManager& args)`
	`795`	`+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox)`
`796`	`796`	`{`
`797`	`797`	`const CChainParams& chainparams = Params();`
`798`	`798`	`// ********************************************************* Step 2: parameter interactions`
`@@ -1058,6 +1058,9 @@ bool AppInitParameterInteraction(const ArgsManager& args)`
`1058`	`1058`	`if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {`
`1059`	`1059`	`return InitError(Untranslated("Installation of the syscall sandbox failed."));`
`1060`	`1060`	`}`
	`1061`	`+ if (use_syscall_sandbox) {`
	`1062`	`+ SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);`
	`1063`	`+ }`
`1061`	`1064`	`LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);`
`1062`	`1065`	`}`
`1063`	`1066`	`#endif // USE_SYSCALL_SANDBOX`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ class NodeImpl : public Node`
`90`	`90`	`uint32_t getLogCategories() override { return LogInstance().GetCategoryMask(); }`
`91`	`91`	`bool baseInitialize() override`
`92`	`92`	`{`
`93`		`- return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs) && AppInitSanityChecks() &&`
	`93`	`+ return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs, /use_syscall_sandbox=/false) && AppInitSanityChecks() &&`
`94`	`94`	`AppInitLockDataDirectory() && AppInitInterfaces(*m_context);`
`95`	`95`	`}`
`96`	`96`	`bool appInitMain(interfaces::BlockAndHeaderTipInfo* tip_info) override`
Original file line number	Diff line number	Diff line change
`@@ -823,7 +823,6 @@ bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating)`
`823`	`823`	`return false;`
`824`	`824`	`}`
`825`	`825`	`}`
`826`		`- SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);`
`827`	`826`	`return true;`
`828`	`827`	`}`
`829`	`828`