From fcc77b6b242cf6c4cf69d31f1d0d04da31c635c5 Mon Sep 17 00:00:00 2001 From: Christian Duerr Date: Tue, 17 Oct 2023 21:23:45 +0200 Subject: [PATCH 1/3] Update birdcage to v0.5.0 --- Cargo.lock | 41 +++------------------- cli/Cargo.toml | 2 +- cli/src/commands/extensions/permissions.rs | 10 +++--- cli/src/commands/sandbox.rs | 20 ++--------- 4 files changed, 15 insertions(+), 58 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6764e82f5..eebe6fbb2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -414,11 +414,11 @@ dependencies = [ [[package]] name = "birdcage" -version = "0.3.1" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d92dd4267938d2d01b141f1af28e31c78c764a2550f66fb4f28611fed20c97b3" +checksum = "4a00b46409c8a47c3d58d2adae897a5975bc13b363babb6f2bb1df3063e1b398" dependencies = [ - "landlock", + "bitflags 2.4.0", "libc", "seccompiler", ] @@ -1807,26 +1807,6 @@ dependencies = [ "syn 1.0.109", ] -[[package]] -name = "enumflags2" -version = "0.7.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5998b4f30320c9d93aed72f63af821bfdac50465b75428fce77b48ec482c3939" -dependencies = [ - "enumflags2_derive", -] - -[[package]] -name = "enumflags2_derive" -version = "0.7.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f95e2801cd355d4a1a3e3953ce6ee5ae9603a5c833455343a8bfe3f44d418246" -dependencies = [ - "proc-macro2 1.0.69", - "quote 1.0.33", - "syn 2.0.38", -] - [[package]] name = "env_logger" version = "0.10.0" @@ -2795,17 +2775,6 @@ dependencies = [ "libc", ] -[[package]] -name = "landlock" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "520baa32708c4e957d2fc3a186bc5bd8d26637c33137f399ddfc202adb240068" -dependencies = [ - "enumflags2", - "libc", - "thiserror", -] - [[package]] name = "lazy-regex" version = "2.5.0" 
@@ -4556,9 +4525,9 @@ dependencies = [ [[package]] name = "seccompiler" -version = "0.2.0" +version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e01d1292a1131b22ccea49f30bd106f1238b5ddeec1a98d39268dcc31d540e68" +checksum = "6f6575e3c2b3a0fe2ef3e53855b6a8dead7c29f783da5e123d378c8c6a89017e" dependencies = [ "libc", ] diff --git a/cli/Cargo.toml b/cli/Cargo.toml index 109d37fe7..2a76f2bf0 100644 --- a/cli/Cargo.toml +++ b/cli/Cargo.toml @@ -64,7 +64,7 @@ once_cell = "1.12.0" deno_runtime = { version = "0.122.0" } deno_core = { version = "0.199.0" } deno_ast = { version = "0.27.2", features = ["transpiling"] } -birdcage = { version = "0.3.1" } +birdcage = { version = "0.5.0" } libc = "0.2.135" ignore = { version = "0.4.20", optional = true } uuid = "1.4.1" diff --git a/cli/src/commands/extensions/permissions.rs b/cli/src/commands/extensions/permissions.rs index 1f7269acf..2bf73fa84 100644 --- a/cli/src/commands/extensions/permissions.rs +++ b/cli/src/commands/extensions/permissions.rs @@ -6,7 +6,9 @@ use std::{env, fs}; use anyhow::{anyhow, Result}; #[cfg(unix)] -use birdcage::error::{Error as SandboxError, Result as SandboxResult}; +use birdcage::error::Error as SandboxError; +#[cfg(unix)] +use birdcage::error::Result as SandboxResult; #[cfg(unix)] use birdcage::{Birdcage, Exception, Sandbox}; use deno_runtime::permissions::PermissionsOptions; @@ -208,7 +210,7 @@ impl Permissions { add_exception(&mut birdcage, Exception::Read(path))?; } for path in self.write.sandbox_paths().iter().map(PathBuf::from) { - add_exception(&mut birdcage, Exception::Write(path))?; + add_exception(&mut birdcage, Exception::WriteAndRead(path))?; } for path in self.run.sandbox_paths().iter() { let absolute_path = resolve_bin_path(path); 
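Review bot: The `self.write` loop now grants `Exception::WriteAndRead`, so a path an extension lists only under its write permission also becomes readable to it; this is a widening of the permission model, not just a dependency bump. If birdcage 0.5.0 no longer exposes a write-only exception the change is unavoidable, but it should be stated next to the loop, e.g. `// birdcage has no write-only exception: write permission implies read access.`, and in the user-facing permission docs so manifest authors do not assume write-only paths stay unreadable. The `Permissions` method enclosing this loop starts and ends outside the hunk.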
@@ -291,7 +293,7 @@ impl From<&Permissions> for PermissionsOptions { /// Construct sandbox with a set of pre-defined acceptable exceptions. #[cfg(unix)] pub fn default_sandbox() -> SandboxResult { - let mut birdcage = Birdcage::new()?; + let mut birdcage = Birdcage::new(); // Permit read access to lib for dynamic linking. add_exception(&mut birdcage, Exception::ExecuteAndRead("/usr/lib".into()))?; @@ -326,7 +328,7 @@ pub fn default_sandbox() -> SandboxResult { add_exception(&mut birdcage, Exception::ExecuteAndRead("/usr/bin/env".into()))?; // Allow write access to null-sink. - add_exception(&mut birdcage, Exception::Write("/dev/null".into()))?; + add_exception(&mut birdcage, Exception::WriteAndRead("/dev/null".into()))?; // Allow applications to read from `$PATH`. birdcage.add_exception(Exception::Environment("PATH".into()))?; diff --git a/cli/src/commands/sandbox.rs b/cli/src/commands/sandbox.rs index 8be5cd6c6..5eb8d5b7c 100644 --- a/cli/src/commands/sandbox.rs +++ b/cli/src/commands/sandbox.rs @@ -4,10 +4,6 @@ use std::os::unix::process::ExitStatusExt; use std::process::Command; use anyhow::{anyhow, Result}; -#[cfg(target_os = "linux")] -use anyhow::{Context, Error}; -#[cfg(target_os = "linux")] -use birdcage::error::Error as SandboxError; use birdcage::{Birdcage, Exception, Sandbox}; use clap::ArgMatches; 
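Review bot: The comment above the `/dev/null` exception still reads `// Allow write access to null-sink.` while the new line grants `Exception::WriteAndRead`; it should say `// Allow read and write access to the null-sink (birdcage has no write-only exception).` Reading `/dev/null` yields nothing, so the widening is harmless here, but the stale comment invites a later reader to assume a write-only variant still exists. `default_sandbox` continues outside the hunk.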
@@ -48,25 +44,15 @@ pub async fn handle_sandbox(matches: &ArgMatches) -> CommandResult { /// Lock down the current process. #[cfg(unix)] fn lock_process(matches: &ArgMatches) -> Result<()> { - let birdcage = - if matches.get_flag("strict") { Birdcage::new() } else { permissions::default_sandbox() }; - - // Provide additional error context. - let mut birdcage = match birdcage { - Ok(birdcage) => birdcage, - #[cfg(target_os = "linux")] - Err(err @ SandboxError::Ruleset(_)) => { - return Err(Error::from(err)).context("sandbox requires Linux kernel 5.13+"); - }, - Err(err) => return Err(err.into()), - }; + let mut birdcage = + if matches.get_flag("strict") { Birdcage::new() } else { permissions::default_sandbox()? }; // Apply filesystem exceptions. for path in matches.get_many::("allow-read").unwrap_or_default() { permissions::add_exception(&mut birdcage, Exception::Read(path.into()))?; } for path in matches.get_many::("allow-write").unwrap_or_default() { - permissions::add_exception(&mut birdcage, Exception::Write(path.into()))?; + permissions::add_exception(&mut birdcage, Exception::WriteAndRead(path.into()))?; } for path in matches.get_many::("allow-run").unwrap_or_default() { let absolute_path = permissions::resolve_bin_path(path); From c072d51420d73876e103ffd1ce58a1f7f412a781 Mon Sep 17 00:00:00 2001 From: Christian Duerr Date: Tue, 17 Oct 2023 22:09:08 +0200 Subject: [PATCH 2/3] Update lockfile --- Cargo.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index eebe6fbb2..dc6f8a1ff 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -418,7 +418,7 @@ version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4a00b46409c8a47c3d58d2adae897a5975bc13b363babb6f2bb1df3063e1b398" dependencies = [ - "bitflags 2.4.0", + "bitflags 2.4.1", "libc", "seccompiler", ] From 0b5e462043a729f8c91e7948330e2828e35fc50b Mon Sep 17 00:00:00 2001 
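Review bot: Dropping the `SandboxError::Ruleset` match also drops the only user-facing hint about why sandbox creation can fail on a given host, so `permissions::default_sandbox()?` now surfaces a bare birdcage error. The old `kernel 5.13+` wording would be wrong now that the `landlock` crate is gone from Cargo.lock, but the new implementation presumably has its own host requirements (if it relies on unprivileged user namespaces, hosts that disable them will fail right here), and the operator should be told that; keep `use anyhow::Context;` and write `permissions::default_sandbox().context("failed to initialize sandbox; the host may lack a kernel feature birdcage requires")?`. `Birdcage::new()` is now infallible so the `strict` branch cannot fail, which is consistent. `lock_process` continues past the end of the hunk.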
From: Christian Duerr Date: Tue, 17 Oct 2023 22:44:29 +0200 Subject: [PATCH 3/3] Fix test error messages --- cli/tests/sandbox.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cli/tests/sandbox.rs b/cli/tests/sandbox.rs index 340b95467..6c33be6a1 100644 --- a/cli/tests/sandbox.rs +++ b/cli/tests/sandbox.rs @@ -10,7 +10,7 @@ fn default_deny_fs() { let test_cli = TestCli::builder().build(); #[cfg(target_os = "linux")] - let expected_error = "Permission denied"; + let expected_error = "Read-only file system"; #[cfg(not(target_os = "linux"))] let expected_error = "Operation not permitted"; @@ -20,6 +20,9 @@ fn default_deny_fs() { .failure() .stderr(predicate::str::contains(expected_error)); + #[cfg(target_os = "linux")] + let expected_error = "No such file or directory"; + // Test read access. test_cli .run(["sandbox", "--allow-run", "cat", "cat", test_file_path])
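Review bot: On Linux the read test now expects `No such file or directory`, so a sandbox-denied read is indistinguishable from `cat` being pointed at a path that simply does not exist; a mistyped `test_file_path` or a fixture that was never written would make this assertion pass while the sandbox silently regressed. Add a positive control before the denial check, e.g. run the same `cat` with `--allow-read` on `test_file_path` and assert success, so ENOENT can only come from the sandbox hiding the file. A comment above the new `expected_error` such as `// The file is absent from the sandbox's view on Linux, so reads fail with ENOENT rather than EACCES.` would also explain the platform split, assuming that is indeed the cause. The test function `default_deny_fs` continues outside the hunk.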