From 3407fded04fee0cc37dee7d3c0baab9cc9b95c7e Mon Sep 17 00:00:00 2001
From: Albert S
Date: Fri, 24 Dec 2021 16:20:14 +0100
Subject: [PATCH] Add EXILE_FS_ALLOW_ALL_{READ,WRITE}
Issue: #19
---
 exile.h | 41 ++++++++++++++++++++++++-----------------
 test.c | 4 ++--
 2 files changed, 26 insertions(+), 19 deletions(-)
diff --git a/exile.h b/exile.h
index 9bc511d..4799116 100644
--- a/exile.h
+++ b/exile.h
@@ -84,22 +84,26 @@
 #define EXILE_SYS(x) __NR_##x
-#define EXILE_FS_ALLOW_READ 1<<0
-#define EXILE_FS_ALLOW_WRITE (1<<1)
+/* Allow all read-effect operations on the path */
+#define EXILE_FS_ALLOW_ALL_READ 1<<0
+/* Allow all write-effect operations on the path, such as normal writes, creation/deletion of files */
+#define EXILE_FS_ALLOW_ALL_WRITE (1<<1)
 #define EXILE_FS_ALLOW_EXEC 1<<2
 #define EXILE_FS_ALLOW_DEV 1<<3
 #define EXILE_FS_ALLOW_SETUID 1<<4
+
 //don't mount recursive
 #define EXILE_MOUNT_NOT_REC 1<<5
+/* Fine-granular approach available with landlock */
 #if HAVE_LANDLOCK == 1
 #define EXILE_FS_ALLOW_REMOVE_DIR (1 << 7)
 #define EXILE_FS_ALLOW_REMOVE_FILE (1 << 8)
-#define EXILE_FS_ALLOW_MAKE_CHAR (1 << 9)
+#define EXILE_FS_ALLOW_MAKE_CHAR (1 << 9)
 #define EXILE_FS_ALLOW_MAKE_DIR (1 << 10)
 #define EXILE_FS_ALLOW_MAKE_REG (1 << 11)
-#define EXILE_FS_ALLOW_MAKE_SOCK (1 << 12)
-#define EXILE_FS_ALLOW_MAKE_FIFO (1 << 13)
+#define EXILE_FS_ALLOW_MAKE_SOCK (1 << 12)
+#define EXILE_FS_ALLOW_MAKE_FIFO (1 << 13)
 #define EXILE_FS_ALLOW_MAKE_BLOCK (1 << 14)
 #define EXILE_FS_ALLOW_MAKE_SYM (1 << 15)
 #define EXILE_FS_ALLOW_WRITE_FILE (1 << 16)
@@ -1023,7 +1027,7 @@ static int get_policy_mount_flags(struct exile_path_policy *policy)
 result |= MS_NOSUID;
 }
- if( (policy->policy & EXILE_FS_ALLOW_WRITE) == 0)
+ if( (policy->policy & EXILE_FS_ALLOW_ALL_WRITE) == 0)
 {
 result |= MS_RDONLY;
 }
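Review bot: The newly added `EXILE_FS_ALLOW_ALL_READ` is defined as `1<<0` without parentheses, while its sibling added on the next define gets `(1<<1)` and every landlock flag further down is written `(1 << n)`; since this commit introduces the line, it should use the safe form, `#define EXILE_FS_ALLOW_ALL_READ (1<<0)`. Unparenthesized shifts work in `flags & MACRO` only because `<<` binds tighter than `&`; combined with an operand of `~`, `+` or `-` the shift is applied to the wrong expression, and the same pre-existing hazard applies to the EXEC/DEV/SETUID/NOT_REC lines touched by context here. The comment on `EXILE_FS_ALLOW_ALL_WRITE` would also be more precise if it listed what "all write" covers in this commit (regular-file creation, writes, removal of files and directories, symlink creation) rather than the open-ended "such as", since the mapping in exile_flags_to_landlock is a fixed set.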
@@ -1069,7 +1073,7 @@ static int mount_to_chroot(const char *chroot_target_path, struct exile_path_pol
 mount_flags |= MS_BIND;
- if(path_policy->policy & EXILE_FS_ALLOW_READ || path_policy->policy & EXILE_FS_ALLOW_WRITE)
+ if(path_policy->policy & EXILE_FS_ALLOW_ALL_READ || path_policy->policy & EXILE_FS_ALLOW_ALL_WRITE)
 {
 ret = mount(path_policy->path, path_inside_chroot, NULL, mount_flags, NULL);
 if(ret < 0 )
@@ -1329,6 +1333,19 @@ static int exile_enable_syscall_policy(struct exile_policy *policy)
 static unsigned int exile_flags_to_landlock(unsigned int flags)
 {
 unsigned int result = 0;
+ if(flags & EXILE_FS_ALLOW_ALL_READ)
+ {
+ result |= LANDLOCK_ACCESS_FS_READ_FILE;
+ result |= LANDLOCK_ACCESS_FS_READ_DIR;
+ }
+ if(flags & EXILE_FS_ALLOW_ALL_WRITE)
+ {
+ result |= LANDLOCK_ACCESS_FS_MAKE_REG;
+ result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
+ result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
+ result |= LANDLOCK_ACCESS_FS_REMOVE_FILE;
+ result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
+ }
 if(flags & EXILE_FS_ALLOW_DEV)
 {
 result |= LANDLOCK_ACCESS_FS_MAKE_BLOCK;
@@ -1362,11 +1379,6 @@ static unsigned int exile_flags_to_landlock(unsigned int flags)
 {
 result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
 }
- if(flags & EXILE_FS_ALLOW_READ)
- {
- result |= LANDLOCK_ACCESS_FS_READ_FILE;
- result |= LANDLOCK_ACCESS_FS_READ_DIR;
- }
 if(flags & EXILE_FS_ALLOW_REMOVE)
 {
 result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
@@ -1384,11 +1396,6 @@ static unsigned int exile_flags_to_landlock(unsigned int flags)
 {
 result |= LANDLOCK_ACCESS_FS_EXECUTE;
 }
- if(flags & EXILE_FS_ALLOW_WRITE)
- {
- result |= LANDLOCK_ACCESS_FS_MAKE_REG;
- result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
- }
 if(flags & EXILE_FS_ALLOW_WRITE_FILE)
 {
 result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
diff --git a/test.c b/test.c
index 00dabde..178f68f 100644
--- a/test.c
+++ b/test.c
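Review bot: The new `EXILE_FS_ALLOW_ALL_WRITE` branch at the top of exile_flags_to_landlock grants MAKE_REG, WRITE_FILE, REMOVE_DIR, REMOVE_FILE and MAKE_SYM but not `LANDLOCK_ACCESS_FS_MAKE_DIR`, so a path policy that may delete directories under landlock cannot create them, which does not match the flag's name or its header comment ("creation/deletion of files"). The chroot backend in the `mount_to_chroot` hunk above expresses the same flag as a bind mount that is simply not `MS_RDONLY` (see get_policy_mount_flags), which as far as the visible code shows does not restrict directory creation, so the two backends diverge for the same policy value. Either add `result |= LANDLOCK_ACCESS_FS_MAKE_DIR;` to the ALL_WRITE branch or state the exclusion explicitly in the macro comment so callers know that mkdir needs `EXILE_FS_ALLOW_MAKE_DIR` on top. A one-line comment above the branch, e.g. `/* ALL_WRITE deliberately includes symlink creation; sockets/FIFOs still need their own flags */`, would also make the chosen set look intentional rather than accidental. The body of exile_flags_to_landlock continues outside this hunk.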
@@ -203,7 +203,7 @@ static int test_seccomp_group()
 int test_landlock()
 {
 struct exile_policy *policy = exile_init_policy();
- exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/proc/self/fd");
+ exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/proc/self/fd");
 xexile_enable_policy(policy);
 int fd = open("/", O_RDONLY | O_CLOEXEC);
@@ -217,7 +217,7 @@ int test_landlock()
 int test_landlock_deny_write()
 {
 struct exile_policy *policy = exile_init_policy();
- exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/tmp/");
+ exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/tmp/");
 xexile_enable_policy(policy);
 int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);