crtxcr/exile.h
1
0
Fork 0
Code Issues 14 Pull Requests 1 Releases Wiki Activity

introduce bitmasks indicating which namespaces to unshare

Browse Source
This commit is contained in:
Albert S. 2019-11-09 21:13:40 +01:00
parent bad600b3a8
commit 1de1ae0b32
1 changed files with 47 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
qssb.h
View File

@ -34,7 +34,9 @@
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
offsetof(struct seccomp_data, nr)) offsetof(struct seccomp_data, nr))
#define QSSB_ISOLATE_NETWORK 1<<1 #define QSSB_UNSHARE_NETWORK 1<<1
#define QSSB_UNSHARE_USER 1<<2
#define QSSB_UNSHARE_MOUNT 1<<3
#ifndef QSSB_LOG_ERROR #ifndef QSSB_LOG_ERROR
#define QSSB_LOG_ERROR(...) fprintf(stderr, __VA_ARGS__) #define QSSB_LOG_ERROR(...) fprintf(stderr, __VA_ARGS__)
@ -67,7 +69,7 @@ struct qssb_policy *qssb_init_policy()
result->drop_caps = 1; result->drop_caps = 1;
result->not_dumpable = 1; result->not_dumpable = 1;
result->no_new_privs = 1; result->no_new_privs = 1;
result->namespace_options = 0; result->namespace_options = QSSB_UNSHARE_MOUNT | QSSB_UNSHARE_USER;
result->chdir_path = "/"; result->chdir_path = "/";
result->chroot_target_path = NULL; result->chroot_target_path = NULL;
result->readonly_paths = NULL; result->readonly_paths = NULL;
@ -173,37 +175,53 @@ static void qssb_free_policy(struct qssb_policy *ctxt)
free(ctxt); free(ctxt);
} }
/* Enters the user and mount namespaces */ /* Enters the specified namespaces */
static int enter_namespaces() static int enter_namespaces(int namespace_options)
{ {
int ret = unshare(CLONE_NEWUSER); if(namespace_options & QSSB_UNSHARE_USER)
if(ret == -1)
{ {
QSSB_LOG_ERROR("Error: Failed to unshare user namespaces: %s\n", strerror(errno)); int ret = unshare(CLONE_NEWUSER);
return ret; if(ret == -1)
{
QSSB_LOG_ERROR("Error: Failed to unshare user namespaces: %s\n", strerror(errno));
return ret;
}
uid_t current_uid = getuid();
gid_t current_gid = getgid();
//TODO: check errors
FILE *fp = fopen("/proc/self/setgroups", "w");
fprintf(fp, "deny");
fclose(fp);
fp = fopen("/proc/self/uid_map", "w");
fprintf(fp, "0 %i", current_uid);
fclose(fp);
fp = fopen("/proc/self/gid_map", "w");
fprintf(fp, "0 %i", current_gid);
fclose(fp);
} }
uid_t current_uid = getuid(); if(namespace_options & QSSB_UNSHARE_MOUNT)
gid_t current_gid = getgid();
//TODO: check errors
FILE *fp = fopen("/proc/self/setgroups", "w");
fprintf(fp, "deny");
fclose(fp);
fp = fopen("/proc/self/uid_map", "w");
fprintf(fp, "0 %i", current_uid);
fclose(fp);
fp = fopen("/proc/self/gid_map", "w");
fprintf(fp, "0 %i", current_gid);
fclose(fp);
ret = unshare(CLONE_NEWNS);
if(ret == -1)
{ {
QSSB_LOG_ERROR("Error: Failed to unshare mount namespaces: %s\n", strerror(errno)); int ret = unshare(CLONE_NEWNS);
return ret; if(ret == -1)
{
QSSB_LOG_ERROR("Error: Failed to unshare mount namespaces: %s\n", strerror(errno));
return ret;
}
}
if(namespace_options & QSSB_UNSHARE_NETWORK)
{
int ret = unshare(CLONE_NEWNET);
if(ret == -1)
{
QSSB_LOG_ERROR("Error: Failed to unshare network namespace: %s\n", strerror(errno));
return ret;
}
} }
return 0; return 0;
@ -331,7 +349,7 @@ int qssb_enable_policy(struct qssb_policy *policy)
policy->chroot_target_path = "/tmp/.TODOIMPLEMENT"; //TODO: implement policy->chroot_target_path = "/tmp/.TODOIMPLEMENT"; //TODO: implement
} }
if(enter_namespaces() < 0) if(enter_namespaces(policy->namespace_options) < 0)
{ {
QSSB_LOG_ERROR("Error while trying to enter namespaces\n"); QSSB_LOG_ERROR("Error while trying to enter namespaces\n");
return -1; return -1;