parent
1b4c5477a5
commit
3407fded04
41
exile.h
41
exile.h
@ -84,22 +84,26 @@
|
|||||||
|
|
||||||
#define EXILE_SYS(x) __NR_##x
|
#define EXILE_SYS(x) __NR_##x
|
||||||
|
|
||||||
#define EXILE_FS_ALLOW_READ 1<<0
|
/* Allow all read-effect operations on the path */
|
||||||
#define EXILE_FS_ALLOW_WRITE (1<<1)
|
#define EXILE_FS_ALLOW_ALL_READ 1<<0
|
||||||
|
/* Allow all write-effect operations on the path, such as normal writes, creation/deletion of files */
|
||||||
|
#define EXILE_FS_ALLOW_ALL_WRITE (1<<1)
|
||||||
#define EXILE_FS_ALLOW_EXEC 1<<2
|
#define EXILE_FS_ALLOW_EXEC 1<<2
|
||||||
#define EXILE_FS_ALLOW_DEV 1<<3
|
#define EXILE_FS_ALLOW_DEV 1<<3
|
||||||
#define EXILE_FS_ALLOW_SETUID 1<<4
|
#define EXILE_FS_ALLOW_SETUID 1<<4
|
||||||
|
|
||||||
//don't mount recursive
|
//don't mount recursive
|
||||||
#define EXILE_MOUNT_NOT_REC 1<<5
|
#define EXILE_MOUNT_NOT_REC 1<<5
|
||||||
|
|
||||||
|
/* Fine-granular approach available with landlock */
|
||||||
#if HAVE_LANDLOCK == 1
|
#if HAVE_LANDLOCK == 1
|
||||||
#define EXILE_FS_ALLOW_REMOVE_DIR (1 << 7)
|
#define EXILE_FS_ALLOW_REMOVE_DIR (1 << 7)
|
||||||
#define EXILE_FS_ALLOW_REMOVE_FILE (1 << 8)
|
#define EXILE_FS_ALLOW_REMOVE_FILE (1 << 8)
|
||||||
#define EXILE_FS_ALLOW_MAKE_CHAR (1 << 9)
|
#define EXILE_FS_ALLOW_MAKE_CHAR (1 << 9)
|
||||||
#define EXILE_FS_ALLOW_MAKE_DIR (1 << 10)
|
#define EXILE_FS_ALLOW_MAKE_DIR (1 << 10)
|
||||||
#define EXILE_FS_ALLOW_MAKE_REG (1 << 11)
|
#define EXILE_FS_ALLOW_MAKE_REG (1 << 11)
|
||||||
#define EXILE_FS_ALLOW_MAKE_SOCK (1 << 12)
|
#define EXILE_FS_ALLOW_MAKE_SOCK (1 << 12)
|
||||||
#define EXILE_FS_ALLOW_MAKE_FIFO (1 << 13)
|
#define EXILE_FS_ALLOW_MAKE_FIFO (1 << 13)
|
||||||
#define EXILE_FS_ALLOW_MAKE_BLOCK (1 << 14)
|
#define EXILE_FS_ALLOW_MAKE_BLOCK (1 << 14)
|
||||||
#define EXILE_FS_ALLOW_MAKE_SYM (1 << 15)
|
#define EXILE_FS_ALLOW_MAKE_SYM (1 << 15)
|
||||||
#define EXILE_FS_ALLOW_WRITE_FILE (1 << 16)
|
#define EXILE_FS_ALLOW_WRITE_FILE (1 << 16)
|
||||||
@ -1023,7 +1027,7 @@ static int get_policy_mount_flags(struct exile_path_policy *policy)
|
|||||||
result |= MS_NOSUID;
|
result |= MS_NOSUID;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( (policy->policy & EXILE_FS_ALLOW_WRITE) == 0)
|
if( (policy->policy & EXILE_FS_ALLOW_ALL_WRITE) == 0)
|
||||||
{
|
{
|
||||||
result |= MS_RDONLY;
|
result |= MS_RDONLY;
|
||||||
}
|
}
|
||||||
@ -1069,7 +1073,7 @@ static int mount_to_chroot(const char *chroot_target_path, struct exile_path_pol
|
|||||||
mount_flags |= MS_BIND;
|
mount_flags |= MS_BIND;
|
||||||
|
|
||||||
|
|
||||||
if(path_policy->policy & EXILE_FS_ALLOW_READ || path_policy->policy & EXILE_FS_ALLOW_WRITE)
|
if(path_policy->policy & EXILE_FS_ALLOW_ALL_READ || path_policy->policy & EXILE_FS_ALLOW_ALL_WRITE)
|
||||||
{
|
{
|
||||||
ret = mount(path_policy->path, path_inside_chroot, NULL, mount_flags, NULL);
|
ret = mount(path_policy->path, path_inside_chroot, NULL, mount_flags, NULL);
|
||||||
if(ret < 0 )
|
if(ret < 0 )
|
||||||
@ -1329,6 +1333,19 @@ static int exile_enable_syscall_policy(struct exile_policy *policy)
|
|||||||
static unsigned int exile_flags_to_landlock(unsigned int flags)
|
static unsigned int exile_flags_to_landlock(unsigned int flags)
|
||||||
{
|
{
|
||||||
unsigned int result = 0;
|
unsigned int result = 0;
|
||||||
|
if(flags & EXILE_FS_ALLOW_ALL_READ)
|
||||||
|
{
|
||||||
|
result |= LANDLOCK_ACCESS_FS_READ_FILE;
|
||||||
|
result |= LANDLOCK_ACCESS_FS_READ_DIR;
|
||||||
|
}
|
||||||
|
if(flags & EXILE_FS_ALLOW_ALL_WRITE)
|
||||||
|
{
|
||||||
|
result |= LANDLOCK_ACCESS_FS_MAKE_REG;
|
||||||
|
result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
|
||||||
|
result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
|
||||||
|
result |= LANDLOCK_ACCESS_FS_REMOVE_FILE;
|
||||||
|
result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
|
||||||
|
}
|
||||||
if(flags & EXILE_FS_ALLOW_DEV)
|
if(flags & EXILE_FS_ALLOW_DEV)
|
||||||
{
|
{
|
||||||
result |= LANDLOCK_ACCESS_FS_MAKE_BLOCK;
|
result |= LANDLOCK_ACCESS_FS_MAKE_BLOCK;
|
||||||
@ -1362,11 +1379,6 @@ static unsigned int exile_flags_to_landlock(unsigned int flags)
|
|||||||
{
|
{
|
||||||
result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
|
result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
|
||||||
}
|
}
|
||||||
if(flags & EXILE_FS_ALLOW_READ)
|
|
||||||
{
|
|
||||||
result |= LANDLOCK_ACCESS_FS_READ_FILE;
|
|
||||||
result |= LANDLOCK_ACCESS_FS_READ_DIR;
|
|
||||||
}
|
|
||||||
if(flags & EXILE_FS_ALLOW_REMOVE)
|
if(flags & EXILE_FS_ALLOW_REMOVE)
|
||||||
{
|
{
|
||||||
result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
|
result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
|
||||||
@ -1384,11 +1396,6 @@ static unsigned int exile_flags_to_landlock(unsigned int flags)
|
|||||||
{
|
{
|
||||||
result |= LANDLOCK_ACCESS_FS_EXECUTE;
|
result |= LANDLOCK_ACCESS_FS_EXECUTE;
|
||||||
}
|
}
|
||||||
if(flags & EXILE_FS_ALLOW_WRITE)
|
|
||||||
{
|
|
||||||
result |= LANDLOCK_ACCESS_FS_MAKE_REG;
|
|
||||||
result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
|
|
||||||
}
|
|
||||||
if(flags & EXILE_FS_ALLOW_WRITE_FILE)
|
if(flags & EXILE_FS_ALLOW_WRITE_FILE)
|
||||||
{
|
{
|
||||||
result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
|
result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
|
||||||
|
4
test.c
4
test.c
@ -203,7 +203,7 @@ static int test_seccomp_group()
|
|||||||
int test_landlock()
|
int test_landlock()
|
||||||
{
|
{
|
||||||
struct exile_policy *policy = exile_init_policy();
|
struct exile_policy *policy = exile_init_policy();
|
||||||
exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/proc/self/fd");
|
exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/proc/self/fd");
|
||||||
xexile_enable_policy(policy);
|
xexile_enable_policy(policy);
|
||||||
|
|
||||||
int fd = open("/", O_RDONLY | O_CLOEXEC);
|
int fd = open("/", O_RDONLY | O_CLOEXEC);
|
||||||
@ -217,7 +217,7 @@ int test_landlock()
|
|||||||
int test_landlock_deny_write()
|
int test_landlock_deny_write()
|
||||||
{
|
{
|
||||||
struct exile_policy *policy = exile_init_policy();
|
struct exile_policy *policy = exile_init_policy();
|
||||||
exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/tmp/");
|
exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/tmp/");
|
||||||
xexile_enable_policy(policy);
|
xexile_enable_policy(policy);
|
||||||
|
|
||||||
int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);
|
int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);
|
||||||
|
Loading…
Reference in New Issue
Block a user