no_fs: Use landlock if possible
This is not 100% the same, but good enough and more importantly, does not require unsharing user/mount namespace and the chroot call.
This commit is contained in:
parent
bbc8193ea9
commit
4cfdead5d0
61
exile.c
61
exile.c
@ -1532,6 +1532,30 @@ static int enable_no_fs(struct exile_policy *policy)
|
|||||||
{
|
{
|
||||||
close_file_fds();
|
close_file_fds();
|
||||||
|
|
||||||
|
if(exile_landlock_is_available())
|
||||||
|
{
|
||||||
|
struct landlock_ruleset_attr ruleset_attr = {0};
|
||||||
|
if(landlock_set_max_handled_access(&ruleset_attr) != 0)
|
||||||
|
{
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
int ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
|
||||||
|
if (ruleset_fd < 0)
|
||||||
|
{
|
||||||
|
EXILE_LOG_ERROR("Failed to create landlock ruleset\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
int ret = landlock_restrict_self(ruleset_fd, 0);
|
||||||
|
if(ret != 0)
|
||||||
|
{
|
||||||
|
EXILE_LOG_ERROR("Failed to enable no_fs with landlock: %s\n", strerror(errno));
|
||||||
|
close(ruleset_fd);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
close(ret);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if(chdir("/proc/self/fdinfo") != 0)
|
if(chdir("/proc/self/fdinfo") != 0)
|
||||||
{
|
{
|
||||||
EXILE_LOG_ERROR("Failed to change to safe directory: %s\n", strerror(errno));
|
EXILE_LOG_ERROR("Failed to change to safe directory: %s\n", strerror(errno));
|
||||||
@ -1666,14 +1690,6 @@ int exile_enable_policy(struct exile_policy *policy)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if(policy->no_fs)
|
|
||||||
{
|
|
||||||
if(enable_no_fs(policy) != 0)
|
|
||||||
{
|
|
||||||
EXILE_LOG_ERROR("Failed to take away filesystem access of process\n");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if(policy->no_new_fds)
|
if(policy->no_new_fds)
|
||||||
{
|
{
|
||||||
@ -1685,15 +1701,6 @@ int exile_enable_policy(struct exile_policy *policy)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(policy->drop_caps)
|
|
||||||
{
|
|
||||||
if(drop_caps() < 0)
|
|
||||||
{
|
|
||||||
EXILE_LOG_ERROR("failed to drop capabilities\n");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if(policy->not_dumpable)
|
if(policy->not_dumpable)
|
||||||
{
|
{
|
||||||
if(prctl(PR_SET_DUMPABLE, 0) == -1)
|
if(prctl(PR_SET_DUMPABLE, 0) == -1)
|
||||||
@ -1712,6 +1719,15 @@ int exile_enable_policy(struct exile_policy *policy)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(policy->no_fs)
|
||||||
|
{
|
||||||
|
if(enable_no_fs(policy) != 0)
|
||||||
|
{
|
||||||
|
EXILE_LOG_ERROR("Failed to take away filesystem access of process\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#if HAVE_LANDLOCK == 1
|
#if HAVE_LANDLOCK == 1
|
||||||
if (can_use_landlock && policy->path_policies != NULL && landlock_restrict_self(landlock_ruleset_fd, 0) != 0)
|
if (can_use_landlock && policy->path_policies != NULL && landlock_restrict_self(landlock_ruleset_fd, 0) != 0)
|
||||||
{
|
{
|
||||||
@ -1732,12 +1748,19 @@ int exile_enable_policy(struct exile_policy *policy)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(policy->drop_caps)
|
||||||
|
{
|
||||||
|
if(drop_caps() < 0)
|
||||||
|
{
|
||||||
|
EXILE_LOG_ERROR("failed to drop capabilities\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if(policy->syscall_policies != NULL)
|
if(policy->syscall_policies != NULL)
|
||||||
{
|
{
|
||||||
return exile_enable_syscall_policy(policy);
|
return exile_enable_syscall_policy(policy);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user