Introduce mount_path_policies_to_chroot option, changing path_policy enforcement logic

Previously, we needed chroot and bind mounts to enforce path_policies. Therefore,
in the presence of path policies, we had to explicitly create a chroot
dir.

With the coming landlock support, this is not required anymore.

However, one might still want to chroot and bind mount with the policy flags, but
path policies no longer dictate that.
This commit is contained in:
Albert S. 2021-05-09 12:29:03 +02:00
parent edf144bbc7
commit 6e6812e13d

31
qssb.h

@ -136,6 +136,9 @@ struct qssb_policy
int no_new_privs; int no_new_privs;
int namespace_options; int namespace_options;
int syscall_default_policy; int syscall_default_policy;
/* Bind mounts all paths in path_policies into the chroot and applies
non-landlock policies */
int mount_path_policies_to_chroot;
int *blacklisted_syscalls; int *blacklisted_syscalls;
int *allowed_syscalls; int *allowed_syscalls;
char chroot_target_path[PATH_MAX]; char chroot_target_path[PATH_MAX];
@ -156,6 +159,7 @@ struct qssb_policy *qssb_init_policy()
result->no_new_privs = 1; result->no_new_privs = 1;
result->namespace_options = QSSB_UNSHARE_MOUNT | QSSB_UNSHARE_USER; result->namespace_options = QSSB_UNSHARE_MOUNT | QSSB_UNSHARE_USER;
result->chdir_path = NULL; result->chdir_path = NULL;
result->mount_path_policies_to_chroot = 0;
result->chroot_target_path[0] = '\0'; result->chroot_target_path[0] = '\0';
result->path_policies = NULL; result->path_policies = NULL;
return result; return result;
@ -503,6 +507,13 @@ static int seccomp_enable_whitelist(int *syscalls)
return seccomp_enable(syscalls, SECCOMP_RET_ALLOW, SECCOMP_RET_KILL); return seccomp_enable(syscalls, SECCOMP_RET_ALLOW, SECCOMP_RET_KILL);
} }
#if HAVE_LANDLOCK == 1
static int enable_landlock_policies(struct qssb_path_policy *policies)
{
return 0;
}
#endif
/* Enables the specified qssb_policy. /* Enables the specified qssb_policy.
* *
* The calling process is supposed *TO BE WRITTEN* if * The calling process is supposed *TO BE WRITTEN* if
@ -523,7 +534,7 @@ int qssb_enable_policy(struct qssb_policy *policy)
return -1; return -1;
} }
if(policy->path_policies != NULL) if(policy->mount_path_policies_to_chroot && policy->path_policies != NULL)
{ {
if(*policy->chroot_target_path == '\0') if(*policy->chroot_target_path == '\0')
{ {
@ -551,21 +562,35 @@ int qssb_enable_policy(struct qssb_policy *policy)
if(mount_to_chroot(policy->chroot_target_path, policy->path_policies) < 0) if(mount_to_chroot(policy->chroot_target_path, policy->path_policies) < 0)
{ {
QSSB_LOG_ERROR("mount_to_chroot: setup of path policies failed\n"); QSSB_LOG_ERROR("mount_to_chroot: bind mounting of path policies failed\n");
return -1; return -1;
} }
}
if(*policy->chroot_target_path != '\0')
{
if(chroot(policy->chroot_target_path) < 0) if(chroot(policy->chroot_target_path) < 0)
{ {
QSSB_LOG_ERROR("chroot: failed to enter %s\n", policy->chroot_target_path); QSSB_LOG_ERROR("chroot: failed to enter %s\n", policy->chroot_target_path);
return -1; return -1;
} }
}
#if HAVE_LANDLOCK == 1
if(policy->path_policies != NULL)
{
if(enable_landlock_policies(policy->path_policies) < 0)
{
QSSB_LOG_ERROR("enable_landlock_policies: Failed to enable landlock policies\n");
return -1;
}
}
#endif
if(policy->chdir_path == NULL) if(policy->chdir_path == NULL)
{ {
policy->chdir_path = "/"; policy->chdir_path = "/";
} }
}
if(policy->chdir_path != NULL && chdir(policy->chdir_path) < 0) if(policy->chdir_path != NULL && chdir(policy->chdir_path) < 0)
{ {