introduce bitmasks indicating which namespaces to unshare
This commit is contained in:
parent
bad600b3a8
commit
1de1ae0b32
30
qssb.h
30
qssb.h
@ -34,7 +34,9 @@
|
|||||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||||
offsetof(struct seccomp_data, nr))
|
offsetof(struct seccomp_data, nr))
|
||||||
|
|
||||||
#define QSSB_ISOLATE_NETWORK 1<<1
|
#define QSSB_UNSHARE_NETWORK 1<<1
|
||||||
|
#define QSSB_UNSHARE_USER 1<<2
|
||||||
|
#define QSSB_UNSHARE_MOUNT 1<<3
|
||||||
|
|
||||||
#ifndef QSSB_LOG_ERROR
|
#ifndef QSSB_LOG_ERROR
|
||||||
#define QSSB_LOG_ERROR(...) fprintf(stderr, __VA_ARGS__)
|
#define QSSB_LOG_ERROR(...) fprintf(stderr, __VA_ARGS__)
|
||||||
@ -67,7 +69,7 @@ struct qssb_policy *qssb_init_policy()
|
|||||||
result->drop_caps = 1;
|
result->drop_caps = 1;
|
||||||
result->not_dumpable = 1;
|
result->not_dumpable = 1;
|
||||||
result->no_new_privs = 1;
|
result->no_new_privs = 1;
|
||||||
result->namespace_options = 0;
|
result->namespace_options = QSSB_UNSHARE_MOUNT | QSSB_UNSHARE_USER;
|
||||||
result->chdir_path = "/";
|
result->chdir_path = "/";
|
||||||
result->chroot_target_path = NULL;
|
result->chroot_target_path = NULL;
|
||||||
result->readonly_paths = NULL;
|
result->readonly_paths = NULL;
|
||||||
@ -173,8 +175,10 @@ static void qssb_free_policy(struct qssb_policy *ctxt)
|
|||||||
free(ctxt);
|
free(ctxt);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Enters the user and mount namespaces */
|
/* Enters the specified namespaces */
|
||||||
static int enter_namespaces()
|
static int enter_namespaces(int namespace_options)
|
||||||
|
{
|
||||||
|
if(namespace_options & QSSB_UNSHARE_USER)
|
||||||
{
|
{
|
||||||
int ret = unshare(CLONE_NEWUSER);
|
int ret = unshare(CLONE_NEWUSER);
|
||||||
if(ret == -1)
|
if(ret == -1)
|
||||||
@ -198,13 +202,27 @@ static int enter_namespaces()
|
|||||||
fp = fopen("/proc/self/gid_map", "w");
|
fp = fopen("/proc/self/gid_map", "w");
|
||||||
fprintf(fp, "0 %i", current_gid);
|
fprintf(fp, "0 %i", current_gid);
|
||||||
fclose(fp);
|
fclose(fp);
|
||||||
|
}
|
||||||
|
|
||||||
ret = unshare(CLONE_NEWNS);
|
if(namespace_options & QSSB_UNSHARE_MOUNT)
|
||||||
|
{
|
||||||
|
int ret = unshare(CLONE_NEWNS);
|
||||||
if(ret == -1)
|
if(ret == -1)
|
||||||
{
|
{
|
||||||
QSSB_LOG_ERROR("Error: Failed to unshare mount namespaces: %s\n", strerror(errno));
|
QSSB_LOG_ERROR("Error: Failed to unshare mount namespaces: %s\n", strerror(errno));
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(namespace_options & QSSB_UNSHARE_NETWORK)
|
||||||
|
{
|
||||||
|
int ret = unshare(CLONE_NEWNET);
|
||||||
|
if(ret == -1)
|
||||||
|
{
|
||||||
|
QSSB_LOG_ERROR("Error: Failed to unshare network namespace: %s\n", strerror(errno));
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -331,7 +349,7 @@ int qssb_enable_policy(struct qssb_policy *policy)
|
|||||||
policy->chroot_target_path = "/tmp/.TODOIMPLEMENT"; //TODO: implement
|
policy->chroot_target_path = "/tmp/.TODOIMPLEMENT"; //TODO: implement
|
||||||
}
|
}
|
||||||
|
|
||||||
if(enter_namespaces() < 0)
|
if(enter_namespaces(policy->namespace_options) < 0)
|
||||||
{
|
{
|
||||||
QSSB_LOG_ERROR("Error while trying to enter namespaces\n");
|
QSSB_LOG_ERROR("Error while trying to enter namespaces\n");
|
||||||
return -1;
|
return -1;
|
||||||
|
Loading…
Reference in New Issue
Block a user