rand: add --no-derandomize, and disable ASLR

aristanetworks · May 13, 2020 · 8613a54 · 8613a54
1 parent cd08a8b
commit 8613a54
Show file tree

Hide file tree

Showing 8 changed files with 58 additions and 15 deletions.
diff --git a/bst.1.scd b/bst.1.scd
@@ -129,6 +129,13 @@ Users of bst may choose to opt-out of some of the isolation.
 	namespace yet still have access to non-problematic devices like _/dev/null_
 	to pass in _--mount dev,/dev,devtmpfs_ and have this work out of the box.
 
+\--no-derandomize
+	Do not try to reduce sources of randomness.
+
+	By default, *bst* tries to run inner processes in a somewhat more deterministic
+	environment. So far, it does so by symlinking _/dev/random_ and _/dev/urandom_ to
+	_/dev/zero_, and by disabling ASLR for the inner process.
+
 # SEE ALSO
 
 *namespaces*(7), *mount*(1), *setarch*(1)
diff --git a/enter.c b/enter.c
@@ -18,6 +18,7 @@
 #include <string.h>
 #include <sys/capability.h>
 #include <sys/mount.h>
+#include <sys/personality.h>
 #include <sys/prctl.h>
 #include <sys/syscall.h>
 #include <sys/wait.h>
@@ -175,6 +176,13 @@ int enter(struct entry_settings *opts)
 		setarch(opts->arch);
 	}
 
+	if (!opts->no_derandomize) {
+		unsigned long persona = personality(0xffffffff) | ADDR_NO_RANDOMIZE;
+		if (personality(persona) == -1) {
+			err(1, "personality(%lu)", persona);
+		}
+	}
+
 	if (unshareflags & BST_CLONE_NEWTIME) {
 		init_clocks(timens_offsets, opts->clockspecs, lengthof(opts->clockspecs));
 	}
@@ -322,7 +330,7 @@ int enter(struct entry_settings *opts)
 			}
 		}
 
-		mount_entries(root, opts->mounts, opts->nmounts);
+		mount_entries(root, opts->mounts, opts->nmounts, opts->no_derandomize);
 		mount_mutables(root, opts->mutables, opts->nmutables);
 	}
 

diff --git a/enter.h b/enter.h
@@ -50,6 +50,7 @@ struct entry_settings {
 	const char *arch;
 
 	int no_fake_devtmpfs;
+	int no_derandomize;
 };
 
 int enter(struct entry_settings *opts);

diff --git a/main.c b/main.c
@@ -32,6 +32,7 @@ enum {
 	OPTION_DOMAIN,
 	OPTION_TIME,
 	OPTION_NO_FAKE_DEVTMPFS,
+	OPTION_NO_DERANDOMIZE,
 };
 
 /* Usage is generated from usage.txt. Note that the array is not null-terminated,
@@ -77,6 +78,7 @@ int main(int argc, char *argv[], char *envp[])
 
 		/* Opt-out feature flags */
 		{ "no-fake-devtmpfs",   no_argument,    NULL,       OPTION_NO_FAKE_DEVTMPFS },
+		{ "no-derandomize",     no_argument,    NULL,       OPTION_NO_DERANDOMIZE   },
 
 		{ 0, 0, 0, 0 }
 	};
@@ -215,6 +217,10 @@ int main(int argc, char *argv[], char *envp[])
 				opts.no_fake_devtmpfs = 1;
 				break;
 
+			case OPTION_NO_DERANDOMIZE:
+				opts.no_derandomize = 1;
+				break;
+
 			case 'r':
 				opts.root = optarg;
 				break;

diff --git a/mount.c b/mount.c
@@ -192,8 +192,10 @@ static char *makepath(char *fmt, ...) {
 	return buf;
 }
 
-void mount_entries(const char *root, const struct mount_entry *mounts, size_t nmounts)
+void mount_entries(const char *root, const struct mount_entry *mounts, size_t nmounts, int no_derandomize)
 {
+	mode_t old_mask = umask(0);
+
 	for (const struct mount_entry *mnt = mounts; mnt < mounts + nmounts; ++mnt) {
 		unsigned long flags = 0;
 		update_mount_flags_and_options(&flags, mnt->options);
@@ -233,16 +235,19 @@ void mount_entries(const char *root, const struct mount_entry *mounts, size_t nm
 		/* Construct the contents of our fake devtmpfs. */
 		if (strcmp(mnt->type, "bst_devtmpfs") == 0) {
 
-			static const char *directories[] = {
-				"net",
-				"shm",
-				"pts",
+			static struct {
+				const char *path;
+				mode_t mode;
+			} directories[] = {
+				{ "net", 0755 },
+				{ "shm", S_ISVTX | 0777 },
+				{ "pts", 0755 },
 			};
 
 			for (size_t i = 0; i < lengthof(directories); ++i) {
-				const char *path = makepath("%s%s/%s", root, mnt->target, directories[i]);
+				const char *path = makepath("%s%s/%s", root, mnt->target, directories[i].path);
 
-				if (mkdir(path, 0777) == -1) {
+				if (mkdir(path, directories[i].mode) == -1) {
 					err(1, "mount_entries: bst_devtmpfs: mkdir(\"%s\"", path);
 				}
 			}
@@ -252,12 +257,20 @@ void mount_entries(const char *root, const struct mount_entry *mounts, size_t nm
 				mode_t mode;
 				dev_t dev;
 			} devices[] = {
-				{ "null", S_IFCHR | 0666, makedev(1, 3) },
-				{ "full", S_IFCHR | 0666, makedev(1, 7) },
-				{ "zero", S_IFCHR | 0666, makedev(1, 5) },
+				{ "null",    S_IFCHR | 0666, makedev(1, 3) },
+				{ "full",    S_IFCHR | 0666, makedev(1, 7) },
+				{ "zero",    S_IFCHR | 0666, makedev(1, 5) },
+				{ "random",  S_IFCHR | 0666, makedev(1, 8) },
+				{ "urandom", S_IFCHR | 0666, makedev(1, 9) },
 			};
 
 			for (size_t i = 0; i < lengthof(devices); ++i) {
+
+				/* Skip random and urandom when derandomizing */
+				if (!no_derandomize && major(devices[i].dev) == 1 && (minor(devices[i].dev) == 8 || minor(devices[i].dev) == 9)) {
+					continue;
+				}
+
 				const char *path = makepath("%s%s/%s", root, mnt->target, devices[i].path);
 
 				if (mknod(path, devices[i].mode, devices[i].dev) == 0) {
@@ -305,13 +318,15 @@ void mount_entries(const char *root, const struct mount_entry *mounts, size_t nm
 			for (size_t i = 0; i < lengthof(symlinks); ++i) {
 				const char *path = makepath("%s%s/%s", root, mnt->target, symlinks[i].path);
 
-				if (symlink(symlinks[i].target, path) == -1) {
+				if (symlink(symlinks[i].target, path) == -1 && errno != EEXIST) {
 					err(1, "mount_entries: bst_devtmpfs: symlink(\"%s\", \"%s\")",
 							symlinks[i].target, path);
 				}
 			}
 		}
 	}
+
+	umask(old_mask);
 }
 
 void mount_mutables(const char *root, const char *const *mutables, size_t nmutables)

diff --git a/mount.h b/mount.h
@@ -14,7 +14,7 @@ struct mount_entry {
 	char *options;
 };
 
-void mount_entries(const char *root, const struct mount_entry *mounts, size_t nmounts);
+void mount_entries(const char *root, const struct mount_entry *mounts, size_t nmounts, int no_derandomize);
 void mount_mutables(const char *root, const char *const *mutables, size_t nmutables);
 
 #endif /* !MOUNT_H */
diff --git a/usage.c b/usage.c
@@ -95,6 +95,11 @@ unsigned char usage_txt[] = {
   0x70, 0x6c, 0x61, 0x63, 0x65, 0x20, 0x64, 0x65, 0x76, 0x74, 0x6d, 0x70,
   0x66, 0x73, 0x20, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x20, 0x77, 0x69,
   0x74, 0x68, 0x20, 0x66, 0x61, 0x6b, 0x65, 0x20, 0x6f, 0x6e, 0x65, 0x73,
-  0x2e, 0x0a
+  0x2e, 0x0a, 0x09, 0x2d, 0x2d, 0x6e, 0x6f, 0x2d, 0x64, 0x65, 0x72, 0x61,
+  0x6e, 0x64, 0x6f, 0x6d, 0x69, 0x7a, 0x65, 0x3a, 0x20, 0x20, 0x20, 0x20,
+  0x20, 0x20, 0x20, 0x44, 0x6f, 0x6e, 0x27, 0x74, 0x20, 0x61, 0x74, 0x74,
+  0x65, 0x6d, 0x70, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x72, 0x65, 0x64, 0x75,
+  0x63, 0x65, 0x20, 0x72, 0x61, 0x6e, 0x64, 0x6f, 0x6d, 0x6e, 0x65, 0x73,
+  0x73, 0x20, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2e, 0x0a
 };
-unsigned int usage_txt_len = 1070;
+unsigned int usage_txt_len = 1139;
diff --git a/usage.txt b/usage.txt
@@ -23,3 +23,4 @@ Options:
 	--time <name>=<s>[.ns]: Set the time of a specific clock.
 
 	--no-fake-devtmpfs:     Don't replace devtmpfs mounts with fake ones.
+	--no-derandomize:       Don't attempt to reduce randomness sources.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -23,3 +23,4 @@ Options:
		--time <name>=<s>[.ns]: Set the time of a specific clock.

		--no-fake-devtmpfs: Don't replace devtmpfs mounts with fake ones.
		--no-derandomize: Don't attempt to reduce randomness sources.