Add EXILE_FS_ALLOW_ALL_{READ,WRITE}

Issue: #19
This commit is contained in:
Albert S. 2021-12-24 16:20:14 +01:00
parent 1b4c5477a5
commit 3407fded04
2 changed files with 26 additions and 19 deletions

41
exile.h
View File

@ -84,22 +84,26 @@
#define EXILE_SYS(x) __NR_##x #define EXILE_SYS(x) __NR_##x
#define EXILE_FS_ALLOW_READ 1<<0 /* Allow all read-effect operations on the path */
#define EXILE_FS_ALLOW_WRITE (1<<1) #define EXILE_FS_ALLOW_ALL_READ 1<<0
/* Allow all write-effect operations on the path, such as normal writes, creation/deletion of files */
#define EXILE_FS_ALLOW_ALL_WRITE (1<<1)
#define EXILE_FS_ALLOW_EXEC 1<<2 #define EXILE_FS_ALLOW_EXEC 1<<2
#define EXILE_FS_ALLOW_DEV 1<<3 #define EXILE_FS_ALLOW_DEV 1<<3
#define EXILE_FS_ALLOW_SETUID 1<<4 #define EXILE_FS_ALLOW_SETUID 1<<4
//don't mount recursive //don't mount recursive
#define EXILE_MOUNT_NOT_REC 1<<5 #define EXILE_MOUNT_NOT_REC 1<<5
/* Fine-granular approach available with landlock */
#if HAVE_LANDLOCK == 1 #if HAVE_LANDLOCK == 1
#define EXILE_FS_ALLOW_REMOVE_DIR (1 << 7) #define EXILE_FS_ALLOW_REMOVE_DIR (1 << 7)
#define EXILE_FS_ALLOW_REMOVE_FILE (1 << 8) #define EXILE_FS_ALLOW_REMOVE_FILE (1 << 8)
#define EXILE_FS_ALLOW_MAKE_CHAR (1 << 9) #define EXILE_FS_ALLOW_MAKE_CHAR (1 << 9)
#define EXILE_FS_ALLOW_MAKE_DIR (1 << 10) #define EXILE_FS_ALLOW_MAKE_DIR (1 << 10)
#define EXILE_FS_ALLOW_MAKE_REG (1 << 11) #define EXILE_FS_ALLOW_MAKE_REG (1 << 11)
#define EXILE_FS_ALLOW_MAKE_SOCK (1 << 12) #define EXILE_FS_ALLOW_MAKE_SOCK (1 << 12)
#define EXILE_FS_ALLOW_MAKE_FIFO (1 << 13) #define EXILE_FS_ALLOW_MAKE_FIFO (1 << 13)
#define EXILE_FS_ALLOW_MAKE_BLOCK (1 << 14) #define EXILE_FS_ALLOW_MAKE_BLOCK (1 << 14)
#define EXILE_FS_ALLOW_MAKE_SYM (1 << 15) #define EXILE_FS_ALLOW_MAKE_SYM (1 << 15)
#define EXILE_FS_ALLOW_WRITE_FILE (1 << 16) #define EXILE_FS_ALLOW_WRITE_FILE (1 << 16)
@ -1023,7 +1027,7 @@ static int get_policy_mount_flags(struct exile_path_policy *policy)
result |= MS_NOSUID; result |= MS_NOSUID;
} }
if( (policy->policy & EXILE_FS_ALLOW_WRITE) == 0) if( (policy->policy & EXILE_FS_ALLOW_ALL_WRITE) == 0)
{ {
result |= MS_RDONLY; result |= MS_RDONLY;
} }
@ -1069,7 +1073,7 @@ static int mount_to_chroot(const char *chroot_target_path, struct exile_path_pol
mount_flags |= MS_BIND; mount_flags |= MS_BIND;
if(path_policy->policy & EXILE_FS_ALLOW_READ || path_policy->policy & EXILE_FS_ALLOW_WRITE) if(path_policy->policy & EXILE_FS_ALLOW_ALL_READ || path_policy->policy & EXILE_FS_ALLOW_ALL_WRITE)
{ {
ret = mount(path_policy->path, path_inside_chroot, NULL, mount_flags, NULL); ret = mount(path_policy->path, path_inside_chroot, NULL, mount_flags, NULL);
if(ret < 0 ) if(ret < 0 )
@ -1329,6 +1333,19 @@ static int exile_enable_syscall_policy(struct exile_policy *policy)
static unsigned int exile_flags_to_landlock(unsigned int flags) static unsigned int exile_flags_to_landlock(unsigned int flags)
{ {
unsigned int result = 0; unsigned int result = 0;
if(flags & EXILE_FS_ALLOW_ALL_READ)
{
result |= LANDLOCK_ACCESS_FS_READ_FILE;
result |= LANDLOCK_ACCESS_FS_READ_DIR;
}
if(flags & EXILE_FS_ALLOW_ALL_WRITE)
{
result |= LANDLOCK_ACCESS_FS_MAKE_REG;
result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
result |= LANDLOCK_ACCESS_FS_REMOVE_FILE;
result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
}
if(flags & EXILE_FS_ALLOW_DEV) if(flags & EXILE_FS_ALLOW_DEV)
{ {
result |= LANDLOCK_ACCESS_FS_MAKE_BLOCK; result |= LANDLOCK_ACCESS_FS_MAKE_BLOCK;
@ -1362,11 +1379,6 @@ static unsigned int exile_flags_to_landlock(unsigned int flags)
{ {
result |= LANDLOCK_ACCESS_FS_MAKE_SYM; result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
} }
if(flags & EXILE_FS_ALLOW_READ)
{
result |= LANDLOCK_ACCESS_FS_READ_FILE;
result |= LANDLOCK_ACCESS_FS_READ_DIR;
}
if(flags & EXILE_FS_ALLOW_REMOVE) if(flags & EXILE_FS_ALLOW_REMOVE)
{ {
result |= LANDLOCK_ACCESS_FS_REMOVE_DIR; result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
@ -1384,11 +1396,6 @@ static unsigned int exile_flags_to_landlock(unsigned int flags)
{ {
result |= LANDLOCK_ACCESS_FS_EXECUTE; result |= LANDLOCK_ACCESS_FS_EXECUTE;
} }
if(flags & EXILE_FS_ALLOW_WRITE)
{
result |= LANDLOCK_ACCESS_FS_MAKE_REG;
result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
}
if(flags & EXILE_FS_ALLOW_WRITE_FILE) if(flags & EXILE_FS_ALLOW_WRITE_FILE)
{ {
result |= LANDLOCK_ACCESS_FS_WRITE_FILE; result |= LANDLOCK_ACCESS_FS_WRITE_FILE;

4
test.c
View File

@ -203,7 +203,7 @@ static int test_seccomp_group()
int test_landlock() int test_landlock()
{ {
struct exile_policy *policy = exile_init_policy(); struct exile_policy *policy = exile_init_policy();
exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/proc/self/fd"); exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/proc/self/fd");
xexile_enable_policy(policy); xexile_enable_policy(policy);
int fd = open("/", O_RDONLY | O_CLOEXEC); int fd = open("/", O_RDONLY | O_CLOEXEC);
@ -217,7 +217,7 @@ int test_landlock()
int test_landlock_deny_write() int test_landlock_deny_write()
{ {
struct exile_policy *policy = exile_init_policy(); struct exile_policy *policy = exile_init_policy();
exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/tmp/"); exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/tmp/");
xexile_enable_policy(policy); xexile_enable_policy(policy);
int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC); int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);