ENH: Add sitecustomize with seccomp filter; respect SANDBOX_SECCOMP_ALLOW= env var

Author: kernc

.github/workflows/ci.yml

@@ -23,9 +23,10 @@ jobs:
           # Alternative:
           # sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1
           # sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
-      - run: sudo apt-get install bubblewrap
+      - run: sudo apt-get install bubblewrap libseccomp
       - run: time bash tests/smoke-test.sh
       - run: time bash tests/test-bwrap-opts.sh
+      - run: time bash tests/test-seccomp.sh
 
   workflow-keepalive:
     if: github.event_name == 'schedule'

README.md

@@ -57,14 +57,14 @@ Installation
 There are **no dependencies other than a POSIX shell** with
 [its standard set of utilities](https://en.wikipedia.org/wiki/List_of_POSIX_commands)
 **and `bubblewrap`**.
-The installation instructions, as well as the script runtime,
-should work similarly on all relevant compute platforms,
+The installation process, as well as the script runtime,
+should behave similarly on all relevant compute platforms,
 including GNU/Linux and even
 [Windos/WSL](https://learn.microsoft.com/en-us/windows/wsl/install). 🤞
 
 ```shell
-# Install required dependencies, e.g.
-sudo apt install binutils bubblewrap python3
+# Install the few, unlikely to be missing dependencies, e.g.
+sudo apt install coreutils binutils bubblewrap libseccomp python3
 
 # Download the script and put it somewhere on PATH
 curl -vL 'https://bit.ly/sandbox-venv' | sudo tee /usr/local/bin/sandbox-venv
@@ -126,6 +126,21 @@ Anything else not explicitly mounted by an extra CLI switch
 is lost upon container termination.
 
 
+#### Linux Seccomp
+
+Linux kernel `seccomp` facility for restricting syscalls is
+**automatically enabled when the appropriate package is
+available**—`apt install seccomp` (requires virtualenv with `--system-site-packages`)
+or `pip install pyseccomp`.
+The initialiying module `sitecustomize.py` installs a filter
+that thereafter only allows syscalls listed in the environment variable
+`SANDBOX_SECCOMP_ALLOW=`
+(by default, some 200 syscalls that should cover most non-special cases).
+You can populate the variable with custom stricter syscalls list
+or set it to blank
+(i.e. `export SANDBOX_SECCOMP_ALLOW=`) to disable seccomp completely.
+
+
 #### Runtime monitoring
 
 If **environment variable `VERBOSE=`** is set to a non-empty value,
@@ -159,7 +174,13 @@ Viable alternatives
    [<del>Red Hat</del><ins>IBM</ins> has a reasonable position on](https://github.com/containers/bubblewrap?tab=readme-ov-file#related-project-comparison-firejail))
    that sets up its own sandbox. I guess it's a matter of trust.
    Similarly to AppArmor, requires writing a custom profile.
-4. On macOS, [`sandbox-exec`](https://igorstechnoclub.com/sandbox-exec/)
+4. A custom
+   [`seccomp` initialization script](https://healeycodes.com/running-untrusted-python-code),
+   executed at interpreter startup using
+   [~~`PYTHONSTARTUP=`~~](https://docs.python.org/3/using/cmdline.html#envvar-PYTHONSTARTUP)
+   [`sitecustomize`](https://docs.python.org/3/library/site.html#module-sitecustomize)
+   startup hook.
+5. On macOS, [`sandbox-exec`](https://igorstechnoclub.com/sandbox-exec/)
    or Apple Containerization®.
 
 In comparison to the above, `sandbox-venv` is like `chroot` on steroids.

_wrapper_exe.sh

@@ -36,8 +36,10 @@ executables="
     /bin/env
     /bin/ls
     /bin/sh
+
     /bin/uname
-    "
+    /sbin/ldconfig
+"
 
 case $- in *x*) xtrace=-x ;; *) xtrace=+x ;; esac; set +x
 
@@ -67,7 +69,12 @@ py_libs="
     /usr/include/python3*
     /usr/lib/python3*
     /usr/lib64/python3*
-    /usr/local/lib/python3*"
+    /usr/local/lib/python3*
+
+    /usr/lib/python3*/*/seccomp.*.so
+    /usr/lib/*/libseccomp.so*
+    /usr/lib64/libseccomp.so*
+"
 git_libs="
     /usr/lib*/git-core
 "
@@ -84,7 +91,7 @@ ro_bind_extra="
     /etc/pki
     /etc/ssl
     /usr/share/pki*
-    "
+"
 
 collect="
     $collect
@@ -182,4 +189,5 @@ exec bwrap \
     --setenv HOME "$home" \
     --setenv USER "user" \
     --setenv VIRTUAL_ENV "$venv" \
+    --setenv PYTHONPATH "$venv/sandbox:${PYTHONPATH-}" \
     "$@"

build.sh

@@ -6,12 +6,12 @@ script_file="sandbox-venv.sh"
 out="build/${script_file%.sh}"
 {
     cat "$script_file"
-    appendix_cnt=1
-    for appendix in _wrapper_pip _wrapper_exe; do
+    i=1
+    for appendix in _wrapper_pip.sh _wrapper_exe.sh sitecustomize.py; do
         printf '\n\n'
-        echo "# CUT HERE ------------------- Appendix $appendix_cnt: sandbox-venv $appendix.sh script"
-        cat "$appendix.sh"
-        appendix_cnt=$((appendix_cnt + 1))
+        echo "# CUT HERE ------------------- Appendix $i: sandbox-venv $appendix script"
+        cat "$appendix"
+        i=$((i + 1))
     done
 } > "$out"
 chmod +x "$out"

sandbox-venv.sh

@@ -89,10 +89,15 @@ wrap_all () (
         echo "$file"
     done
 
+    # Install $venv/bin/shell
     file="$(realpath "$bin/shell")"
     add_bin_shell "$file"
     chmod +x "$file"
     echo "$file"
+
+    # Install PYTHONPATH=$venv/sandbox with sitecustomize.py
+    mkdir -p "$bin/../sandbox"
+    extract_segment 3 "$@" > "$bin/../sandbox/sitecustomize.py"
 )
 
 wrap_all "$@"

sitecustomize.py

@@ -0,0 +1,124 @@
+#!/usr/bin/python3
+"""
+Importing this module inits seccomp/pyseccomp, restricting allowed syscalls to those
+listed in SANDBOX_SECCOMP_ALLOW environment variable (or, by default, the list below).
+The module is imported automatically upon startup when on PYTHONPATH.
+
+https://docs.python.org/3/library/site.html#module-sitecustomize
+"""
+import os
+import re
+import sys
+
+# XXX: You can debug this list (e.g. update missing items) by
+#  looking for EPERM in `strace -f` output.
+ALLOW_SYSCALLS = [
+    # Process & signals
+    "clone", "clone3", "fork", "vfork", "execve", "exit", "exit_group",
+    "kill", "tgkill", "tkill", "wait4", "getpid", "getppid", "gettid",
+    "prctl", "arch_prctl", "getpgrp",
+    "pidfd_open", "pidfd_send_signal",
+    "sigaction", "sigreturn",
+    "rt_sigaction", "rt_sigreturn",
+    "rt_sigprocmask", "rt_sigpending", "rt_sigsuspend",
+    "sigaltstack", "rseq", "process_madvise",
+
+    # File I/O
+    "open", "openat", "close", "close_range", "read", "write",
+    "name_to_handle_at",
+    "pread64", "pwrite64", "preadv", "pwritev", "preadv2", "pwritev2",
+    "lseek",
+    "stat", "statx", "fstat", "lstat", "fstatat64", "newfstatat",
+    "stat64", "lstat64", "fstat64", "fadvise64",
+    "faccessat2", "getdents", "getdents64", "access",
+    "unlink", "unlinkat", "mkdir", "mkdirat", "rmdir",
+    "rename", "renameat", "renameat2",
+    "readlink", "readlinkat", "symlink", "symlinkat", "link", "linkat",
+    "truncate", "ftruncate", "utime", "utimes", "futimesat", "utimensat",
+    "chown", "fchown", "lchown", "fchmod", "fchmodat", "chmod", "mknod", "mknodat",
+    "getxattr", "setxattr", "listxattr", "removexattr",
+
+    # fd ops
+    "dup", "dup2", "dup3", "pipe", "pipe2",
+    "fcntl", "flock", "fsync", "fdatasync",
+    "readahead",
+    "splice", "tee", "vmsplice",
+
+    # mmap / mem / threads
+    "brk", "mmap", "mmap2", "munmap", "mremap", "mprotect", "madvise", "mincore",
+    "futex", "futex_time64", "futex_waitv", "set_tid_address", "set_robust_list", "get_robust_list",
+    "sched_yield", "sched_getaffinity",
+    "mlock", "munlock", "mlockall", "munlockall",
+    "get_mempolicy", "set_mempolicy", "mbind", "migrate_pages", "move_pages",
+    "membarrier",
+
+    # Time / clocks
+    "nanosleep", "clock_gettime", "clock_getres", "gettimeofday", "time",
+    "clock_nanosleep", "clock_gettime64",
+    "timer_create", "timer_settime", "timer_gettime", "timer_delete",
+    "setitimer", "getitimer", "times",
+    "timerfd_create", "timerfd_settime", "timerfd_gettime",
+
+    # Networking
+    "socket", "socketpair", "socketcall", "bind", "listen",
+    "accept", "accept4", "connect",
+    "getsockname", "getpeername",
+    "sendto", "recvfrom", "sendmsg", "recvmsg", "shutdown",
+    "setsockopt", "getsockopt",
+    "recvmmsg", "sendmmsg",
+    "sendfile", "sendfile64",
+
+    # epoll/poll/select
+    "epoll_create", "epoll_create1", "epoll_ctl", "epoll_wait",
+    "epoll_pwait", "epoll_pwait2",
+    "poll", "ppoll", "ppoll_time64", "select", "pselect6",
+    "eventfd", "eventfd2",
+
+    # Descriptors / metadata
+    "ioctl", "readv", "writev",
+    "getcwd", "chdir", "fchdir",
+    "statfs", "fstatfs", "statfs64", "fstatfs64",
+
+    # UIDs/GIDs (read + drop privileges)
+    "getuid", "geteuid", "getgid", "getegid", "getgroups",
+    "getresuid", "getresgid", "setresuid", "setresgid", "setreuid", "setregid",
+    "setuid", "setgid",
+
+    # Limits / info
+    "getrlimit", "setrlimit", "prlimit64", "uname", "sysinfo", "getrusage", "umask",
+
+    # Random
+    "getrandom",
+
+    # Misc
+    "seccomp", "capget",
+    "shmget", "shmat", "shmdt", "shmctl",
+]
+
+
+try:
+    allow_syscalls = re.findall(r'\w+', os.environ['SANDBOX_SECCOMP_ALLOW'])
+except KeyError:
+    allow_syscalls = ALLOW_SYSCALLS
+
+if allow_syscalls:
+    try:
+        import seccomp
+    except ImportError:
+        try:
+            import pyseccomp as seccomp
+        except ImportError:
+            seccomp = None
+            if sys.platform.startswith('linux'):
+                print("sandbox-venv/seccomp: Python package 'seccomp' (or 'pyseccomp') "
+                      "not available. If you want seccomp support, apt install python3-seccomp "
+                      "(requires venv created with --system-site-packages) "
+                      "or pip install pyseccomp.", file=sys.stderr)
+    if seccomp:
+        print(f'sandbox-venv/seccomp: allowing {len(allow_syscalls)} syscalls', file=sys.stderr)
+        default_action = seccomp.ERRNO(seccomp.errno.EPERM)  # EPERM, Operation not permitted
+        filter = seccomp.SyscallFilter(default_action)
+        for syscall in allow_syscalls:
+            # print(syscall, file=sys.stderr)
+            filter.add_rule(seccomp.ALLOW, syscall)
+        filter.load()

tests/test-seccomp.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+set -eu
+
+. "${0%/*}/_init.sh"
+
+sandbox-venv .venv
+
+pip install pyseccomp
+
+assert_have_seccomp () { "$@" 2>&1 | grep -q 'sandbox-venv/seccomp: allowing'; }
+
+strace -f python -vvv -c 'import os'
+
+printf '\n\n\n    ALL OK  ✅\n\n\n'