Begin an pledge()-like implementation
This begins a pledge() implementation. This also retires the previous syscall grouping approach, as pledge() is the superior mechanism. Squashed: test: Begin basic pledge test pledge: Begin EXILE_SYSCALL_PLEDGE_UNIX/EXILE_SYSCALL_PLEDGE_INET test: Add pledge socket test Introduce EXILE_SYSCALL_PLEDGE_DENY_ERROR, remove exile_policy->pledge_policy pledge: Add PROT_EXEC
This commit is contained in:
vanhempi
15a6850023
commit
7115ef8b4d
55
gengroup.py
55
gengroup.py
@ -1,55 +0,0 @@
|
||||
#!/usr/bin/python
|
||||
import sys
|
||||
import re
|
||||
if len(sys.argv) < 2:
|
||||
print("Usage: gengroup groupfile")
|
||||
sys.exit(1)
|
||||
fd = open(sys.argv[1], "r")
|
||||
|
||||
lines = fd.read().splitlines()
|
||||
|
||||
groupnames = set()
|
||||
ifndef = dict()
|
||||
|
||||
def print_ifndefs():
|
||||
for name in ifndef:
|
||||
print("#ifndef __NR_%s" % name)
|
||||
print("#define __NR_%s %s" % (name, ifndef[name]))
|
||||
print("#endif")
|
||||
|
||||
def print_defines(names):
|
||||
names = sorted(names)
|
||||
i = 0
|
||||
for name in names:
|
||||
define = "#define %s ((uint64_t)1<<%s)" % (name, i)
|
||||
print(define)
|
||||
i = i + 1
|
||||
|
||||
for line in lines:
|
||||
if line[0] == '#':
|
||||
continue
|
||||
|
||||
splitted = line.split(' ')
|
||||
if len(splitted) < 2:
|
||||
print("Misformated line:", line)
|
||||
sys.exit(1)
|
||||
|
||||
currentsyscall = splitted[0]
|
||||
currentgroups = splitted[1].split(',')
|
||||
|
||||
flags = splitted[2] if len(splitted) > 2 else ""
|
||||
if any( not s or s.isspace() for s in currentgroups ):
|
||||
print("Misformated line (empty values):", line)
|
||||
sys.exit(1)
|
||||
groupnames.update(currentgroups)
|
||||
|
||||
genifndef = re.match(r"genifndef\((\d+)*\)", flags)
|
||||
if genifndef:
|
||||
ifndef[currentsyscall] = genifndef.groups(1)[0]
|
||||
|
||||
array_line = "{EXILE_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups))
|
||||
print(array_line)
|
||||
|
||||
print_ifndefs()
|
||||
print_defines(groupnames)
|
||||
|
||||
@ -1,363 +0,0 @@
|
||||
# Assign system calls to groups. In the future, may also include simple arg filtering.
|
||||
read EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
write EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
open EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
close EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
stat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
fstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
lstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
poll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
lseek EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
mmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
mprotect EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
munmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
brk EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigaction EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigprocmask EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigreturn EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
ioctl EXILE_SYSCGROUP_IOCTL,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
pread64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
pwrite64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
readv EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
writev EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
access EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
pipe EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
select EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
sched_yield EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
mremap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
msync EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
mincore EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
madvise EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
shmget EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
shmat EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
shmctl EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
dup EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
dup2 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
pause EXILE_SYSCGROUP_PAUSE,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
nanosleep EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
getitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
alarm EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
setitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
getpid EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
sendfile EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
socket EXILE_SYSCGROUP_SOCKET
|
||||
connect EXILE_SYSCGROUP_SOCKET
|
||||
accept EXILE_SYSCGROUP_SOCKET
|
||||
sendto EXILE_SYSCGROUP_SOCKET
|
||||
recvfrom EXILE_SYSCGROUP_SOCKET
|
||||
sendmsg EXILE_SYSCGROUP_SOCKET
|
||||
recvmsg EXILE_SYSCGROUP_SOCKET
|
||||
shutdown EXILE_SYSCGROUP_SOCKET
|
||||
bind EXILE_SYSCGROUP_SOCKET
|
||||
listen EXILE_SYSCGROUP_SOCKET
|
||||
getsockname EXILE_SYSCGROUP_SOCKET
|
||||
getpeername EXILE_SYSCGROUP_SOCKET
|
||||
socketpair EXILE_SYSCGROUP_SOCKET,EXILE_SYSCGROUP_IPC
|
||||
setsockopt EXILE_SYSCGROUP_SOCKET
|
||||
getsockopt EXILE_SYSCGROUP_SOCKET
|
||||
clone EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
fork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
vfork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
execve EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_EXEC
|
||||
exit EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
wait4 EXILE_SYSCGROUP_EXEC
|
||||
kill EXILE_SYSCGROUP_KILL
|
||||
uname EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
semget EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
semop EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
semctl EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
shmdt EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
msgget EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
msgsnd EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
msgrcv EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
msgctl EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
fcntl EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
flock EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
fsync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
fdatasync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
truncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
ftruncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
getdents EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
getcwd EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
chdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
fchdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
rename EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
mkdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
rmdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
creat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
link EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
unlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
symlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
readlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
chmod EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
fchmod EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
chown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
fchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
lchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
umask EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
gettimeofday EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
getrlimit EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
getrusage EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
sysinfo EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
times EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
ptrace EXILE_SYSCGROUP_PTRACE,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
getuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
syslog EXILE_SYSCGROUP_SYS
|
||||
getgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
setuid EXILE_SYSCGROUP_ID
|
||||
setgid EXILE_SYSCGROUP_ID
|
||||
geteuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
getegid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
setpgid EXILE_SYSCGROUP_ID
|
||||
getppid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
getpgrp EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
setsid EXILE_SYSCGROUP_ID
|
||||
setreuid EXILE_SYSCGROUP_ID
|
||||
setregid EXILE_SYSCGROUP_ID
|
||||
getgroups EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
setgroups EXILE_SYSCGROUP_ID
|
||||
setresuid EXILE_SYSCGROUP_ID
|
||||
getresuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
setresgid EXILE_SYSCGROUP_ID
|
||||
getresgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
getpgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
setfsuid EXILE_SYSCGROUP_ID
|
||||
setfsgid EXILE_SYSCGROUP_ID
|
||||
getsid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
capget EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
capset EXILE_SYSCGROUP_ID
|
||||
rt_sigpending EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigtimedwait EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigqueueinfo EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigsuspend EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
sigaltstack EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
|
||||
utime EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_FS
|
||||
mknod EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_FS
|
||||
uselib EXILE_SYSCGROUP_LIB,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
personality EXILE_SYSCGROUP_PROCESS
|
||||
ustat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
|
||||
statfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
|
||||
fstatfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
|
||||
sysfs EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_FS
|
||||
getpriority EXILE_SYSCGROUP_SCHED
|
||||
setpriority EXILE_SYSCGROUP_SCHED
|
||||
sched_setparam EXILE_SYSCGROUP_SCHED
|
||||
sched_getparam EXILE_SYSCGROUP_SCHED
|
||||
sched_setscheduler EXILE_SYSCGROUP_SCHED
|
||||
sched_getscheduler EXILE_SYSCGROUP_SCHED
|
||||
sched_get_priority_max EXILE_SYSCGROUP_SCHED
|
||||
sched_get_priority_min EXILE_SYSCGROUP_SCHED
|
||||
sched_rr_get_interval EXILE_SYSCGROUP_SCHED
|
||||
mlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
munlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
mlockall EXILE_SYSCGROUP_MEMORY
|
||||
munlockall EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
vhangup EXILE_SYSCGROUP_TTY
|
||||
modify_ldt EXILE_SYSCGROUP_PROCESS
|
||||
pivot_root EXILE_SYSCGROUP_CHROOT
|
||||
_sysctl EXILE_SYSCGROUP_SYS
|
||||
prctl EXILE_SYSCGROUP_PROCESS
|
||||
arch_prctl EXILE_SYSCGROUP_PROCESS
|
||||
adjtimex EXILE_SYSCGROUP_CLOCK
|
||||
setrlimit EXILE_SYSCGROUP_RES
|
||||
chroot EXILE_SYSCGROUP_CHROOT,EXILE_SYSCGROUP_FS
|
||||
sync EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
acct EXILE_SYSCGROUP_PROCESS
|
||||
settimeofday EXILE_SYSCGROUP_TIME
|
||||
mount EXILE_SYSCGROUP_MOUNT,EXILE_SYSCGROUP_FS
|
||||
umount2 EXILE_SYSCGROUP_UMOUNT,EXILE_SYSCGROUP_FS
|
||||
swapon EXILE_SYSCGROUP_SWAP
|
||||
swapoff EXILE_SYSCGROUP_SWAP
|
||||
reboot EXILE_SYSCGROUP_POWER
|
||||
sethostname EXILE_SYSCGROUP_HOST
|
||||
setdomainname EXILE_SYSCGROUP_HOST
|
||||
iopl EXILE_SYSCGROUP_IOPL
|
||||
ioperm EXILE_SYSCGROUP_IOPL
|
||||
create_module EXILE_SYSCGROUP_KMOD
|
||||
init_module EXILE_SYSCGROUP_KMOD
|
||||
delete_module EXILE_SYSCGROUP_KMOD
|
||||
get_kernel_syms EXILE_SYSCGROUP_KMOD
|
||||
query_module EXILE_SYSCGROUP_KMOD
|
||||
quotactl EXILE_SYSCGROUP_QUOTA
|
||||
nfsservctl EXILE_SYSCGROUP_NONE
|
||||
getpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
|
||||
putpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
|
||||
afs_syscall EXILE_SYSCGROUP_UNIMPLEMENTED
|
||||
tuxcall EXILE_SYSCGROUP_UNIMPLEMENTED
|
||||
security EXILE_SYSCGROUP_UNIMPLEMENTED
|
||||
gettid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_THREAD
|
||||
readahead EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
|
||||
setxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
||||
lsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
||||
fsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
||||
getxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
lgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
fgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
listxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
||||
llistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
||||
flistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
||||
removexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
||||
lremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
||||
fremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
||||
tkill EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
|
||||
time EXILE_SYSCGROUP_TIME
|
||||
futex EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_FUTEX
|
||||
sched_setaffinity EXILE_SYSCGROUP_SCHED
|
||||
sched_getaffinity EXILE_SYSCGROUP_SCHED
|
||||
set_thread_area EXILE_SYSCGROUP_THREAD
|
||||
io_setup EXILE_SYSCGROUP_IO
|
||||
io_destroy EXILE_SYSCGROUP_IO
|
||||
io_getevents EXILE_SYSCGROUP_IO
|
||||
io_submit EXILE_SYSCGROUP_IO
|
||||
io_cancel EXILE_SYSCGROUP_IO
|
||||
get_thread_area EXILE_SYSCGROUP_THREAD
|
||||
lookup_dcookie EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
|
||||
epoll_create EXILE_SYSCGROUP_STDIO
|
||||
epoll_ctl_old EXILE_SYSCGROUP_STDIO
|
||||
epoll_wait_old EXILE_SYSCGROUP_STDIO
|
||||
remap_file_pages EXILE_SYSCGROUP_NONE
|
||||
getdents64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
|
||||
set_tid_address EXILE_SYSCGROUP_THREAD
|
||||
restart_syscall EXILE_SYSCGROUP_SYSCALL
|
||||
semtimedop EXILE_SYSCGROUP_SEM
|
||||
fadvise64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
|
||||
timer_create EXILE_SYSCGROUP_TIMER
|
||||
timer_settime EXILE_SYSCGROUP_TIMER
|
||||
timer_gettime EXILE_SYSCGROUP_TIMER
|
||||
timer_getoverrun EXILE_SYSCGROUP_TIMER
|
||||
timer_delete EXILE_SYSCGROUP_TIMER
|
||||
clock_settime EXILE_SYSCGROUP_TIME
|
||||
clock_gettime EXILE_SYSCGROUP_TIME
|
||||
clock_getres EXILE_SYSCGROUP_TIME
|
||||
clock_nanosleep EXILE_SYSCGROUP_TIME
|
||||
exit_group EXILE_SYSCGROUP_EXIT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
epoll_wait EXILE_SYSCGROUP_FD
|
||||
epoll_ctl EXILE_SYSCGROUP_FD
|
||||
tgkill EXILE_SYSCGROUP_SIGNAL,EXILE_SYSCGROUP_THREAD
|
||||
utimes EXILE_SYSCGROUP_PATH
|
||||
vserver EXILE_SYSCGROUP_UNIMPLEMENTED
|
||||
mbind EXILE_SYSCGROUP_MEMORY
|
||||
set_mempolicy EXILE_SYSCGROUP_MEMORY
|
||||
get_mempolicy EXILE_SYSCGROUP_MEMORY
|
||||
mq_open EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
||||
mq_unlink EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
||||
mq_timedsend EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
||||
mq_timedreceive EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
||||
mq_notify EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
||||
mq_getsetattr EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
||||
kexec_load EXILE_SYSCGROUP_KEXEC
|
||||
waitid EXILE_SYSCGROUP_SIGNAL
|
||||
add_key EXILE_SYSCGROUP_KEYS
|
||||
request_key EXILE_SYSCGROUP_KEYS
|
||||
keyctl EXILE_SYSCGROUP_KEYS
|
||||
ioprio_set EXILE_SYSCGROUP_PRIO
|
||||
ioprio_get EXILE_SYSCGROUP_PRIO
|
||||
inotify_init EXILE_SYSCGROUP_INOTIFY
|
||||
inotify_add_watch EXILE_SYSCGROUP_INOTIFY
|
||||
inotify_rm_watch EXILE_SYSCGROUP_INOTIFY
|
||||
migrate_pages EXILE_SYSCGROUP_PROCESS
|
||||
openat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
mkdirat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
mknodat EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
fchownat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
futimesat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
newfstatat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
unlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
renameat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
linkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
symlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
readlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
fchmodat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
faccessat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
pselect6 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
ppoll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
||||
unshare EXILE_SYSCGROUP_NS,EXILE_SYSCGROUP_FS
|
||||
set_robust_list EXILE_SYSCGROUP_FUTEX
|
||||
get_robust_list EXILE_SYSCGROUP_FUTEX
|
||||
splice EXILE_SYSCGROUP_FD
|
||||
tee EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
sync_file_range EXILE_SYSCGROUP_FD
|
||||
vmsplice EXILE_SYSCGROUP_FD
|
||||
move_pages EXILE_SYSCGROUP_PROCESS
|
||||
utimensat EXILE_SYSCGROUP_PATH
|
||||
epoll_pwait EXILE_SYSCGROUP_STDIO
|
||||
signalfd EXILE_SYSCGROUP_SIGNAL
|
||||
timerfd_create EXILE_SYSCGROUP_TIMER
|
||||
eventfd EXILE_SYSCGROUP_FD
|
||||
fallocate EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
|
||||
timerfd_settime EXILE_SYSCGROUP_TIMER
|
||||
timerfd_gettime EXILE_SYSCGROUP_TIMER
|
||||
accept4 EXILE_SYSCGROUP_SOCKET
|
||||
signalfd4 EXILE_SYSCGROUP_FD
|
||||
eventfd2 EXILE_SYSCGROUP_FD
|
||||
epoll_create1 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
dup3 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
pipe2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
inotify_init1 EXILE_SYSCGROUP_INOTIFY
|
||||
preadv EXILE_SYSCGROUP_STDIO
|
||||
pwritev EXILE_SYSCGROUP_STDIO
|
||||
rt_tgsigqueueinfo EXILE_SYSCGROUP_RT
|
||||
perf_event_open EXILE_SYSCGROUP_PERF
|
||||
recvmmsg EXILE_SYSCGROUP_SOCKET
|
||||
fanotify_init EXILE_SYSCGROUP_FANOTIFY
|
||||
fanotify_mark EXILE_SYSCGROUP_FANOTIFY
|
||||
prlimit64 EXILE_SYSCGROUP_RES
|
||||
name_to_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
|
||||
open_by_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
|
||||
clock_adjtime EXILE_SYSCGROUP_CLOCK
|
||||
syncfs EXILE_SYSCGROUP_FD
|
||||
sendmmsg EXILE_SYSCGROUP_SOCKET
|
||||
setns EXILE_SYSCGROUP_NS
|
||||
getcpu EXILE_SYSCGROUP_SCHED
|
||||
#maybe IPC, but feels wrong
|
||||
process_vm_readv EXILE_SYSCGROUP_NONE
|
||||
process_vm_writev EXILE_SYSCGROUP_NONE
|
||||
kcmp EXILE_SYSCGROUP_NONE
|
||||
finit_module EXILE_SYSCGROUP_KMOD
|
||||
sched_setattr EXILE_SYSCGROUP_SCHED
|
||||
sched_getattr EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
renameat2 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
seccomp EXILE_SYSCGROUP_NONE
|
||||
getrandom EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
memfd_create EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
kexec_file_load EXILE_SYSCGROUP_KEXEC
|
||||
bpf EXILE_SYSCGROUP_NONE
|
||||
execveat EXILE_SYSCGROUP_EXEC
|
||||
userfaultfd EXILE_SYSCGROUP_NONE
|
||||
membarrier EXILE_SYSCGROUP_NONE
|
||||
mlock2 EXILE_SYSCGROUP_MEMORY
|
||||
copy_file_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
||||
preadv2 EXILE_SYSCGROUP_STDIO
|
||||
pwritev2 EXILE_SYSCGROUP_STDIO
|
||||
#Those are newer than 5.10, wrap them in ifndef so we can compile on old systems
|
||||
pkey_mprotect EXILE_SYSCGROUP_PKEY genifndef(329)
|
||||
pkey_alloc EXILE_SYSCGROUP_PKEY genifndef(330)
|
||||
pkey_free EXILE_SYSCGROUP_PKEY genifndef(331)
|
||||
statx EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(332)
|
||||
io_pgetevents EXILE_SYSCGROUP_NONE genifndef(333)
|
||||
rseq EXILE_SYSCGROUP_THREAD genifndef(334)
|
||||
pidfd_send_signal EXILE_SYSCGROUP_PIDFD genifndef(424)
|
||||
io_uring_setup EXILE_SYSCGROUP_IOURING genifndef(425)
|
||||
io_uring_enter EXILE_SYSCGROUP_IOURING genifndef(426)
|
||||
io_uring_register EXILE_SYSCGROUP_IOURING genifndef(427)
|
||||
open_tree EXILE_SYSCGROUP_NEWMOUNT genifndef(428)
|
||||
move_mount EXILE_SYSCGROUP_NEWMOUNT genifndef(429)
|
||||
fsopen EXILE_SYSCGROUP_NEWMOUNT genifndef(430)
|
||||
fsconfig EXILE_SYSCGROUP_NEWMOUNT genifndef(431)
|
||||
fsmount EXILE_SYSCGROUP_NEWMOUNT genifndef(432)
|
||||
fspick EXILE_SYSCGROUP_NEWMOUNT genifndef(433)
|
||||
pidfd_open EXILE_SYSCGROUP_PIDFD genifndef(434)
|
||||
clone3 EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(435)
|
||||
close_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(436)
|
||||
openat2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(437)
|
||||
pidfd_getfd EXILE_SYSCGROUP_PIDFD genifndef(438)
|
||||
faccessat2 EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(439)
|
||||
process_madvise EXILE_SYSCGROUP_MEMORY genifndef(440)
|
||||
epoll_pwait2 EXILE_SYSCGROUP_STDIO genifndef(441)
|
||||
mount_setattr EXILE_SYSCGROUP_NONE genifndef(442)
|
||||
quotactl_fd EXILE_SYSCGROUP_QUOTA genifndef(443)
|
||||
landlock_create_ruleset EXILE_SYSCGROUP_LANDLOCK genifndef(444)
|
||||
landlock_add_rule EXILE_SYSCGROUP_LANDLOCK genifndef(445)
|
||||
landlock_restrict_self EXILE_SYSCGROUP_LANDLOCK genifndef(446)
|
||||
memfd_secret EXILE_SYSCGROUP_NONE genifndef(447)
|
||||
process_mrelease EXILE_SYSCGROUP_NONE genifndef(448)
|
||||
98
test.c
98
test.c
@ -181,38 +181,16 @@ int test_seccomp_errno()
|
||||
return test_successful_exit(&do_test_seccomp_errno);
|
||||
}
|
||||
|
||||
static int test_seccomp_group()
|
||||
{
|
||||
struct exile_policy *policy = exile_init_policy();
|
||||
|
||||
if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYSCGROUP_SOCKET) != 0)
|
||||
{
|
||||
printf("nothing added\n");
|
||||
return 1;
|
||||
}
|
||||
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
|
||||
|
||||
xexile_enable_policy(policy);
|
||||
|
||||
int s = socket(AF_INET,SOCK_STREAM,0);
|
||||
if(s != -1)
|
||||
{
|
||||
printf("Failed: socket was expected to return error, but returned %i\n", s);
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int test_seccomp_argfilter_allowed()
|
||||
{
|
||||
struct exile_policy *policy = exile_init_policy();
|
||||
|
||||
struct sock_filter argfilter[2] =
|
||||
struct sock_filter argfilter[2] =
|
||||
{
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
|
||||
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
|
||||
};
|
||||
|
||||
|
||||
exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR, argfilter, 2);
|
||||
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
|
||||
xexile_enable_policy(policy);
|
||||
@ -233,7 +211,7 @@ int test_seccomp_argfilter_filtered()
|
||||
{
|
||||
struct exile_policy *policy = exile_init_policy();
|
||||
|
||||
struct sock_filter argfilter[2] =
|
||||
struct sock_filter argfilter[2] =
|
||||
{
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
|
||||
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
|
||||
@ -259,7 +237,7 @@ int test_seccomp_argfilter_mixed()
|
||||
{
|
||||
struct exile_policy *policy = exile_init_policy();
|
||||
|
||||
struct sock_filter argfilter[2] =
|
||||
struct sock_filter argfilter[2] =
|
||||
{
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
|
||||
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
|
||||
@ -303,6 +281,72 @@ int test_seccomp_argfilter_mixed()
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int do_test_seccomp_pledge_socket()
|
||||
{
|
||||
struct exile_policy *policy = exile_init_policy();
|
||||
policy->pledge_promises = EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_INET | EXILE_SYSCALL_PLEDGE_DENY_ERROR;
|
||||
xexile_enable_policy(policy);
|
||||
|
||||
int s = socket(AF_INET, SOCK_STREAM, 0);
|
||||
if(s == -1)
|
||||
{
|
||||
printf("Failed: socket was expected to succeed, but returned %i\n", s);
|
||||
return 1;
|
||||
}
|
||||
s = socket(AF_UNIX, SOCK_DGRAM, 0);
|
||||
if(s != -1)
|
||||
{
|
||||
printf("Failed: socket was expected to fail, but returned %i\n", s);
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int do_test_seccomp_pledge_open()
|
||||
{
|
||||
struct exile_policy *policy = exile_init_policy();
|
||||
policy->pledge_promises = EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_RPATH | EXILE_SYSCALL_PLEDGE_DENY_ERROR;
|
||||
xexile_enable_policy(policy);
|
||||
|
||||
int ret = open("/dev/urandom", O_WRONLY | O_APPEND);
|
||||
if(ret != -1)
|
||||
{
|
||||
printf("Failed: open was expected to fail, but returned %i\n", ret);
|
||||
return 1;
|
||||
}
|
||||
ret = open("/dev/urandom", O_RDWR);
|
||||
if(ret != -1)
|
||||
{
|
||||
printf("Failed: open O_RDWR was expected to fail, but returned %i\n", ret);
|
||||
return 1;
|
||||
}
|
||||
ret = open("/dev/urandom", O_RDONLY);
|
||||
if(ret == -1)
|
||||
{
|
||||
printf("Failed: open was expected to succceed, but returned %i\n", ret);
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int test_seccomp_pledge()
|
||||
{
|
||||
int ret = test_successful_exit(&do_test_seccomp_pledge_open);
|
||||
if(ret != 0)
|
||||
{
|
||||
printf("Failed: do_test_seccomp_pledge_open()\n");
|
||||
return 1;
|
||||
}
|
||||
ret = test_successful_exit(&do_test_seccomp_pledge_socket);
|
||||
if(ret != 0)
|
||||
{
|
||||
printf("Failed: do_test_seccomp_pledge_socket()\n");
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if HAVE_LANDLOCK == 1
|
||||
int test_landlock()
|
||||
{
|
||||
@ -403,10 +447,10 @@ struct dispatcher dispatchers[] = {
|
||||
{ "seccomp-x32-kill", &test_seccomp_x32_kill},
|
||||
{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
|
||||
{ "seccomp-errno", &test_seccomp_errno},
|
||||
{ "seccomp-group", &test_seccomp_group},
|
||||
{ "seccomp-argfilter-allowed", &test_seccomp_argfilter_allowed},
|
||||
{ "seccomp-argfilter-filtered", &test_seccomp_argfilter_filtered},
|
||||
{ "seccomp-argfilter-mixed", &test_seccomp_argfilter_mixed},
|
||||
{ "seccomp-pledge", &test_seccomp_pledge},
|
||||
{ "landlock", &test_landlock},
|
||||
{ "landlock-deny-write", &test_landlock_deny_write },
|
||||
{ "no_fs", &test_nofs},
|
||||
|
||||
Ladataan…
Viittaa uudesa ongelmassa
Block a user