Get Libevent's PRNG functioning under the linux sandbox

Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization.  But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}).  To make _that_ work, we
were permitting sysctl unconditionally.  That's not such a great
idea.

Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.

1 files changed, 18 insertions, 1 deletions

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 2a1ddd13d1..40f2003096 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -124,7 +124,6 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(read),
     SCMP_SYS(rt_sigreturn),
     SCMP_SYS(set_robust_list),
-    SCMP_SYS(_sysctl),
 #ifdef __NR_sigreturn
     SCMP_SYS(sigreturn),
 #endif
@@ -373,6 +372,23 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   return 0;
 }
 
+static int
+sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+{
+  int rc;
+  (void) filter;
+  (void) ctx;
+
+  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
+  if (rc != 0) {
+    log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
+        "received libseccomp error %d", rc);
+    return rc;
+  }
+
+  return 0;
+}
+
 /**
  * Function responsible for setting up the rename syscall for
  * the seccomp filter sandbox.
@@ -850,6 +866,7 @@ static sandbox_filter_func_t filter_func[] = {
 #endif
     sb_open,
     sb_openat,
+    sb__sysctl,
     sb_rename,
 #ifdef __NR_fcntl64
     sb_fcntl64,