[pitboss] phase 17: Track E.1 — Linux process backend hardening

build.rs

@@ -1,8 +1,15 @@
+use std::collections::BTreeMap;
 use std::path::Path;
 use std::process::Command;
 
 fn main() {
-    // Only relevant when the serve feature is active
+    // Phase 17 (Track E.1): always emit the seccomp policy table to
+    // OUT_DIR.  Gated runtime via `#[cfg(target_os = "linux")]`, but the
+    // codegen runs on every host so `cargo check` on macOS still emits
+    // the file (the include never actually compiles on non-Linux).
+    emit_seccomp_policy();
+
+    // Only relevant when the serve feature is active.
     if std::env::var("CARGO_FEATURE_SERVE").is_err() {
         return;
     }
@@ -70,3 +77,209 @@ fn emit_placeholder_and_warn(dist_dir: &Path) {
         "cargo:warning=Node.js/npm not available — wrote placeholder frontend assets. Run 'cd frontend && npm install && npm run build' for the real UI."
     );
 }
+
+// ── Phase 17 (Track E.1) — seccomp policy codegen ────────────────────────────
+
+const SECCOMP_POLICY_PATH: &str = "src/dynamic/sandbox/seccomp/seccomp_policy.toml";
+
+/// Cap-name → Cap bit value table.  Mirrors the `bitflags!` block in
+/// `src/labels/mod.rs`.  Keep in sync when adding/removing `Cap`
+/// constants.
+const CAP_BIT_FOR_NAME: &[(&str, u32)] = &[
+    ("ENV_VAR", 1 << 0),
+    ("HTML_ESCAPE", 1 << 1),
+    ("SHELL_ESCAPE", 1 << 2),
+    ("URL_ENCODE", 1 << 3),
+    ("JSON_PARSE", 1 << 4),
+    ("FILE_IO", 1 << 5),
+    ("FMT_STRING", 1 << 6),
+    ("SQL_QUERY", 1 << 7),
+    ("DESERIALIZE", 1 << 8),
+    ("SSRF", 1 << 9),
+    ("CODE_EXEC", 1 << 10),
+    ("CRYPTO", 1 << 11),
+    ("UNAUTHORIZED_ID", 1 << 12),
+    ("DATA_EXFIL", 1 << 13),
+    ("LDAP_INJECTION", 1 << 14),
+    ("XPATH_INJECTION", 1 << 15),
+    ("HEADER_INJECTION", 1 << 16),
+    ("OPEN_REDIRECT", 1 << 17),
+    ("SSTI", 1 << 18),
+    ("XXE", 1 << 19),
+    ("PROTOTYPE_POLLUTION", 1 << 20),
+];
+
+fn emit_seccomp_policy() {
+    println!("cargo:rerun-if-changed={}", SECCOMP_POLICY_PATH);
+
+    let out_dir = std::env::var("OUT_DIR").expect("OUT_DIR must be set by cargo");
+    let out_path = Path::new(&out_dir).join("seccomp_policy.rs");
+
+    // Read the policy file; on missing file (e.g. fresh checkout on a
+    // foreign target), emit empty tables so compilation still succeeds.
+    let toml_text = match std::fs::read_to_string(SECCOMP_POLICY_PATH) {
+        Ok(s) => s,
+        Err(_) => {
+            std::fs::write(
+                &out_path,
+                "pub static BASE: &[&str] = &[];\npub static CAP: &[(u32, &[&str])] = &[];\n",
+            )
+            .expect("write empty seccomp policy stub");
+            return;
+        }
+    };
+
+    let parsed = parse_seccomp_toml(&toml_text);
+
+    let mut out = String::new();
+    out.push_str("// generated by build.rs from seccomp_policy.toml — do not edit\n\n");
+
+    // Base allowlist.
+    out.push_str("pub static BASE: &[&str] = &[\n");
+    for name in &parsed.base {
+        out.push_str(&format!("    \"{}\",\n", escape(name)));
+    }
+    out.push_str("];\n\n");
+
+    // Per-cap allowlists.
+    out.push_str("pub static CAP: &[(u32, &[&str])] = &[\n");
+    for (cap_name, allow) in &parsed.caps {
+        let bit = CAP_BIT_FOR_NAME
+            .iter()
+            .find(|(n, _)| *n == cap_name.as_str())
+            .map(|(_, b)| *b)
+            .unwrap_or_else(|| panic!(
+                "seccomp_policy.toml references unknown Cap '{cap_name}' — \
+                 add it to CAP_BIT_FOR_NAME in build.rs first"
+            ));
+        out.push_str(&format!("    (0x{bit:08x}_u32, &[\n"));
+        for name in allow {
+            out.push_str(&format!("        \"{}\",\n", escape(name)));
+        }
+        out.push_str("    ]),\n");
+    }
+    out.push_str("];\n");
+
+    std::fs::write(&out_path, out).expect("write seccomp policy table");
+}
+
+#[derive(Default)]
+struct SeccompPolicy {
+    base: Vec<String>,
+    caps: BTreeMap<String, Vec<String>>,
+}
+
+/// Tiny line-oriented TOML parser scoped to the shape used by
+/// `seccomp_policy.toml`:
+///
+///   [base]
+///   allow = ["read", "write", ...]
+///
+///   [cap.SQL_QUERY]
+///   allow = [
+///       "fdatasync",
+///       ...
+///   ]
+///
+/// Comments (`#`) and blank lines are skipped.  Multi-line array bodies
+/// are accumulated until the closing `]`.
+fn parse_seccomp_toml(src: &str) -> SeccompPolicy {
+    let mut policy = SeccompPolicy::default();
+    let mut current_section: Option<String> = None;
+    let mut accumulating_array: Option<String> = None;
+    let mut array_buf = String::new();
+
+    for raw_line in src.lines() {
+        let line = strip_comment(raw_line).trim();
+        if line.is_empty() {
+            continue;
+        }
+
+        if let Some(_key) = accumulating_array.as_ref() {
+            array_buf.push_str(line);
+            array_buf.push('\n');
+            if line.contains(']') {
+                let key = accumulating_array.take().unwrap();
+                let values = parse_string_array(&array_buf);
+                store_allow(&mut policy, current_section.as_deref(), &key, values);
+                array_buf.clear();
+            }
+            continue;
+        }
+
+        if let Some(section) = line.strip_prefix('[').and_then(|s| s.strip_suffix(']')) {
+            current_section = Some(section.to_string());
+            continue;
+        }
+
+        if let Some((key, rest)) = line.split_once('=') {
+            let key = key.trim().to_string();
+            let rest = rest.trim();
+            if rest.starts_with('[') && rest.contains(']') {
+                let values = parse_string_array(rest);
+                store_allow(&mut policy, current_section.as_deref(), &key, values);
+            } else if rest.starts_with('[') {
+                accumulating_array = Some(key);
+                array_buf.push_str(rest);
+                array_buf.push('\n');
+            }
+            continue;
+        }
+    }
+
+    policy
+}
+
+fn strip_comment(line: &str) -> &str {
+    let mut in_string = false;
+    let bytes = line.as_bytes();
+    for (i, &b) in bytes.iter().enumerate() {
+        match b {
+            b'"' => in_string = !in_string,
+            b'#' if !in_string => return &line[..i],
+            _ => {}
+        }
+    }
+    line
+}
+
+fn parse_string_array(src: &str) -> Vec<String> {
+    // Find every "..." run between the first `[` and the last `]`.
+    let start = src.find('[').map(|i| i + 1).unwrap_or(0);
+    let end = src.rfind(']').unwrap_or(src.len());
+    let body = &src[start..end];
+    let mut out = Vec::new();
+    let mut chars = body.chars().peekable();
+    while let Some(c) = chars.next() {
+        if c == '"' {
+            let mut s = String::new();
+            for c2 in chars.by_ref() {
+                if c2 == '"' {
+                    break;
+                }
+                s.push(c2);
+            }
+            out.push(s);
+        }
+    }
+    out
+}
+
+fn store_allow(policy: &mut SeccompPolicy, section: Option<&str>, key: &str, values: Vec<String>) {
+    if key != "allow" {
+        return;
+    }
+    match section {
+        Some("base") => policy.base = values,
+        Some(other) => {
+            if let Some(cap_name) = other.strip_prefix("cap.") {
+                policy.caps.insert(cap_name.to_string(), values);
+            }
+        }
+        None => {}
+    }
+}
+
+fn escape(s: &str) -> String {
+    s.replace('\\', "\\\\").replace('"', "\\\"")
+}