foster/bitcoin-bitcoin-core
0
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-02-03 09:56:38 -05:00
Code Issues Activity

Merge bitcoin/bitcoin#24758: Disable the syscall sandbox for bitcoin-qt and remove gui-related syscalls

Browse source 
fabdf9f870 Remove gui-only syscalls (MarcoFalke)
fa0c2aa826 init: Disable syscall sandbox in the bitcoin-qt process (MarcoFalke)

Pull request description:

  It is basically impossible (and a bit out of scope) for us to maintain a sandbox for the qt library. I am not sure if it is possible to only sandbox a few threads in a process, but I doubt this will add no practical benefit anyway, so I am disabling the sandbox for the whole bitcoin-qt process.

  See also https://github.com/bitcoin/bitcoin/pull/24690#issuecomment-1084372400

ACKs for top commit:
  laanwj:
    Code review ACK fabdf9f870

Tree-SHA512: 944ded03ee25f7dfd0bfeea9c3f97f575f2d470aa03b387b07f3e3bec5cb886e4aaa17e4a9fb359d3e670e6da69adc9111673d13e6561ec55b3161bb67dfe760
This commit is contained in:
laanwj 2022-04-06 11:51:05 +02:00
commit c5c4fb3182
No known key found for this signature in database
GPG key ID: 1E4AED62986CD25D
5 changed files with 6 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/init.cpp
View file

@ -792,7 +792,7 @@ bool AppInitBasicSetup(const ArgsManager& args)
return true; return true;
} }
bool AppInitParameterInteraction(const ArgsManager& args) bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox)
{ {
const CChainParams& chainparams = Params(); const CChainParams& chainparams = Params();
// ********************************************************* Step 2: parameter interactions // ********************************************************* Step 2: parameter interactions
@ -1058,6 +1058,9 @@ bool AppInitParameterInteraction(const ArgsManager& args)
if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) { if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {
return InitError(Untranslated("Installation of the syscall sandbox failed.")); return InitError(Untranslated("Installation of the syscall sandbox failed."));
} }
if (use_syscall_sandbox) {
SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
}
LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg); LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);
} }
#endif // USE_SYSCALL_SANDBOX #endif // USE_SYSCALL_SANDBOX

2
src/init.h
View file

@ -41,7 +41,7 @@ bool AppInitBasicSetup(const ArgsManager& args);
* @note This can be done before daemonization. Do not call Shutdown() if this function fails. * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
* @pre Parameters should be parsed and config file should be read, AppInitBasicSetup should have been called. * @pre Parameters should be parsed and config file should be read, AppInitBasicSetup should have been called.
*/ */
bool AppInitParameterInteraction(const ArgsManager& args); bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox = true);
/** /**
* Initialization sanity checks: ecc init, sanity checks, dir lock. * Initialization sanity checks: ecc init, sanity checks, dir lock.
* @note This can be done before daemonization. Do not call Shutdown() if this function fails. * @note This can be done before daemonization. Do not call Shutdown() if this function fails.

2
src/node/interfaces.cpp
View file

@ -90,7 +90,7 @@ public:
uint32_t getLogCategories() override { return LogInstance().GetCategoryMask(); } uint32_t getLogCategories() override { return LogInstance().GetCategoryMask(); }
bool baseInitialize() override bool baseInitialize() override
{ {
return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs) && AppInitSanityChecks() && return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs, /*use_syscall_sandbox=*/false) && AppInitSanityChecks() &&
AppInitLockDataDirectory() && AppInitInterfaces(*m_context); AppInitLockDataDirectory() && AppInitInterfaces(*m_context);
} }
bool appInitMain(interfaces::BlockAndHeaderTipInfo* tip_info) override bool appInitMain(interfaces::BlockAndHeaderTipInfo* tip_info) override

3
src/util/syscall_sandbox.cpp
View file

@ -592,8 +592,6 @@ public:
allowed_syscalls.insert(__NR_getcwd); // get current working directory allowed_syscalls.insert(__NR_getcwd); // get current working directory
allowed_syscalls.insert(__NR_getdents); // get directory entries allowed_syscalls.insert(__NR_getdents); // get directory entries
allowed_syscalls.insert(__NR_getdents64); // get directory entries allowed_syscalls.insert(__NR_getdents64); // get directory entries
allowed_syscalls.insert(__NR_inotify_rm_watch);// remove an existing watch from an inotify instance
allowed_syscalls.insert(__NR_linkat); // create relative to a directory file descriptor
allowed_syscalls.insert(__NR_lstat); // get file status allowed_syscalls.insert(__NR_lstat); // get file status
allowed_syscalls.insert(__NR_mkdir); // create a directory allowed_syscalls.insert(__NR_mkdir); // create a directory
allowed_syscalls.insert(__NR_newfstatat); // get file status allowed_syscalls.insert(__NR_newfstatat); // get file status
@ -823,7 +821,6 @@ bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating)
return false; return false;
} }
} }
SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
return true; return true;
} }

3
src/util/syscall_sandbox.h
View file

@ -45,9 +45,6 @@ void SetSyscallSandboxPolicy(SyscallSandboxPolicy syscall_policy);
#if defined(USE_SYSCALL_SANDBOX) #if defined(USE_SYSCALL_SANDBOX)
//! Setup and enable the experimental syscall sandbox for the running process. //! Setup and enable the experimental syscall sandbox for the running process.
//!
//! SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION) is called as part of
//! SetupSyscallSandbox(...).
[[nodiscard]] bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating); [[nodiscard]] bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating);
//! Invoke a disallowed syscall. Use for testing purposes. //! Invoke a disallowed syscall. Use for testing purposes.