Begin an pledge()-like implementation

This begins a pledge() implementation. This also
retires the previous syscall grouping approach,
as pledge() is the superior mechanism.

Squashed:
test: Begin basic pledge test
pledge: Begin EXILE_SYSCALL_PLEDGE_UNIX/EXILE_SYSCALL_PLEDGE_INET
test: Add pledge socket test
Introduce EXILE_SYSCALL_PLEDGE_DENY_ERROR, remove exile_policy->pledge_policy
pledge: Add PROT_EXEC
This commit is contained in:
Albert S. 2021-12-05 17:28:58 +01:00
джерело 15a6850023
коміт 7115ef8b4d
4 змінених файлів з 536 додано та 921 видалено

941
exile.h

Різницю між файлами не показано, бо вона завелика Завантажити різницю

@ -1,55 +0,0 @@
#!/usr/bin/python
import sys
import re
if len(sys.argv) < 2:
print("Usage: gengroup groupfile")
sys.exit(1)
fd = open(sys.argv[1], "r")
lines = fd.read().splitlines()
groupnames = set()
ifndef = dict()
def print_ifndefs():
for name in ifndef:
print("#ifndef __NR_%s" % name)
print("#define __NR_%s %s" % (name, ifndef[name]))
print("#endif")
def print_defines(names):
names = sorted(names)
i = 0
for name in names:
define = "#define %s ((uint64_t)1<<%s)" % (name, i)
print(define)
i = i + 1
for line in lines:
if line[0] == '#':
continue
splitted = line.split(' ')
if len(splitted) < 2:
print("Misformated line:", line)
sys.exit(1)
currentsyscall = splitted[0]
currentgroups = splitted[1].split(',')
flags = splitted[2] if len(splitted) > 2 else ""
if any( not s or s.isspace() for s in currentgroups ):
print("Misformated line (empty values):", line)
sys.exit(1)
groupnames.update(currentgroups)
genifndef = re.match(r"genifndef\((\d+)*\)", flags)
if genifndef:
ifndef[currentsyscall] = genifndef.groups(1)[0]
array_line = "{EXILE_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups))
print(array_line)
print_ifndefs()
print_defines(groupnames)

@ -1,363 +0,0 @@
# Assign system calls to groups. In the future, may also include simple arg filtering.
read EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
write EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
open EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
close EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
stat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
lstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
poll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
lseek EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
mmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
mprotect EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
munmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
brk EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigaction EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigprocmask EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigreturn EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
ioctl EXILE_SYSCGROUP_IOCTL,EXILE_SYSCGROUP_DEFAULT_ALLOW
pread64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
pwrite64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
readv EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
writev EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
access EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
pipe EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
select EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
sched_yield EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
mremap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
msync EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
mincore EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
madvise EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
shmget EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
shmat EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
shmctl EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
dup EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
dup2 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
pause EXILE_SYSCGROUP_PAUSE,EXILE_SYSCGROUP_DEFAULT_ALLOW
nanosleep EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
getitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
alarm EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
setitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
getpid EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
sendfile EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
socket EXILE_SYSCGROUP_SOCKET
connect EXILE_SYSCGROUP_SOCKET
accept EXILE_SYSCGROUP_SOCKET
sendto EXILE_SYSCGROUP_SOCKET
recvfrom EXILE_SYSCGROUP_SOCKET
sendmsg EXILE_SYSCGROUP_SOCKET
recvmsg EXILE_SYSCGROUP_SOCKET
shutdown EXILE_SYSCGROUP_SOCKET
bind EXILE_SYSCGROUP_SOCKET
listen EXILE_SYSCGROUP_SOCKET
getsockname EXILE_SYSCGROUP_SOCKET
getpeername EXILE_SYSCGROUP_SOCKET
socketpair EXILE_SYSCGROUP_SOCKET,EXILE_SYSCGROUP_IPC
setsockopt EXILE_SYSCGROUP_SOCKET
getsockopt EXILE_SYSCGROUP_SOCKET
clone EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
fork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
vfork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
execve EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_EXEC
exit EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_DEFAULT_ALLOW
wait4 EXILE_SYSCGROUP_EXEC
kill EXILE_SYSCGROUP_KILL
uname EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
semget EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
semop EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
semctl EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
shmdt EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
msgget EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
msgsnd EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
msgrcv EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
msgctl EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
fcntl EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
flock EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
fsync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
fdatasync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
truncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
ftruncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
getdents EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
getcwd EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
chdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fchdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
rename EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
mkdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
rmdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
creat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
link EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
unlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
symlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
readlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
chmod EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fchmod EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
chown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
lchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
umask EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW
gettimeofday EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
getrlimit EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
getrusage EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
sysinfo EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
times EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
ptrace EXILE_SYSCGROUP_PTRACE,EXILE_SYSCGROUP_DEFAULT_ALLOW
getuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
syslog EXILE_SYSCGROUP_SYS
getgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setuid EXILE_SYSCGROUP_ID
setgid EXILE_SYSCGROUP_ID
geteuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
getegid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setpgid EXILE_SYSCGROUP_ID
getppid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
getpgrp EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setsid EXILE_SYSCGROUP_ID
setreuid EXILE_SYSCGROUP_ID
setregid EXILE_SYSCGROUP_ID
getgroups EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setgroups EXILE_SYSCGROUP_ID
setresuid EXILE_SYSCGROUP_ID
getresuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setresgid EXILE_SYSCGROUP_ID
getresgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
getpgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setfsuid EXILE_SYSCGROUP_ID
setfsgid EXILE_SYSCGROUP_ID
getsid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
capget EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
capset EXILE_SYSCGROUP_ID
rt_sigpending EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigtimedwait EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigqueueinfo EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigsuspend EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
sigaltstack EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
utime EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_FS
mknod EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_FS
uselib EXILE_SYSCGROUP_LIB,EXILE_SYSCGROUP_DEFAULT_ALLOW
personality EXILE_SYSCGROUP_PROCESS
ustat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
statfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
fstatfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
sysfs EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_FS
getpriority EXILE_SYSCGROUP_SCHED
setpriority EXILE_SYSCGROUP_SCHED
sched_setparam EXILE_SYSCGROUP_SCHED
sched_getparam EXILE_SYSCGROUP_SCHED
sched_setscheduler EXILE_SYSCGROUP_SCHED
sched_getscheduler EXILE_SYSCGROUP_SCHED
sched_get_priority_max EXILE_SYSCGROUP_SCHED
sched_get_priority_min EXILE_SYSCGROUP_SCHED
sched_rr_get_interval EXILE_SYSCGROUP_SCHED
mlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
munlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
mlockall EXILE_SYSCGROUP_MEMORY
munlockall EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
vhangup EXILE_SYSCGROUP_TTY
modify_ldt EXILE_SYSCGROUP_PROCESS
pivot_root EXILE_SYSCGROUP_CHROOT
_sysctl EXILE_SYSCGROUP_SYS
prctl EXILE_SYSCGROUP_PROCESS
arch_prctl EXILE_SYSCGROUP_PROCESS
adjtimex EXILE_SYSCGROUP_CLOCK
setrlimit EXILE_SYSCGROUP_RES
chroot EXILE_SYSCGROUP_CHROOT,EXILE_SYSCGROUP_FS
sync EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
acct EXILE_SYSCGROUP_PROCESS
settimeofday EXILE_SYSCGROUP_TIME
mount EXILE_SYSCGROUP_MOUNT,EXILE_SYSCGROUP_FS
umount2 EXILE_SYSCGROUP_UMOUNT,EXILE_SYSCGROUP_FS
swapon EXILE_SYSCGROUP_SWAP
swapoff EXILE_SYSCGROUP_SWAP
reboot EXILE_SYSCGROUP_POWER
sethostname EXILE_SYSCGROUP_HOST
setdomainname EXILE_SYSCGROUP_HOST
iopl EXILE_SYSCGROUP_IOPL
ioperm EXILE_SYSCGROUP_IOPL
create_module EXILE_SYSCGROUP_KMOD
init_module EXILE_SYSCGROUP_KMOD
delete_module EXILE_SYSCGROUP_KMOD
get_kernel_syms EXILE_SYSCGROUP_KMOD
query_module EXILE_SYSCGROUP_KMOD
quotactl EXILE_SYSCGROUP_QUOTA
nfsservctl EXILE_SYSCGROUP_NONE
getpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
putpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
afs_syscall EXILE_SYSCGROUP_UNIMPLEMENTED
tuxcall EXILE_SYSCGROUP_UNIMPLEMENTED
security EXILE_SYSCGROUP_UNIMPLEMENTED
gettid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_THREAD
readahead EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
setxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
lsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
fsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
getxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
lgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
listxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
llistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
flistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
removexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
lremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
fremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
tkill EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
time EXILE_SYSCGROUP_TIME
futex EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_FUTEX
sched_setaffinity EXILE_SYSCGROUP_SCHED
sched_getaffinity EXILE_SYSCGROUP_SCHED
set_thread_area EXILE_SYSCGROUP_THREAD
io_setup EXILE_SYSCGROUP_IO
io_destroy EXILE_SYSCGROUP_IO
io_getevents EXILE_SYSCGROUP_IO
io_submit EXILE_SYSCGROUP_IO
io_cancel EXILE_SYSCGROUP_IO
get_thread_area EXILE_SYSCGROUP_THREAD
lookup_dcookie EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
epoll_create EXILE_SYSCGROUP_STDIO
epoll_ctl_old EXILE_SYSCGROUP_STDIO
epoll_wait_old EXILE_SYSCGROUP_STDIO
remap_file_pages EXILE_SYSCGROUP_NONE
getdents64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
set_tid_address EXILE_SYSCGROUP_THREAD
restart_syscall EXILE_SYSCGROUP_SYSCALL
semtimedop EXILE_SYSCGROUP_SEM
fadvise64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
timer_create EXILE_SYSCGROUP_TIMER
timer_settime EXILE_SYSCGROUP_TIMER
timer_gettime EXILE_SYSCGROUP_TIMER
timer_getoverrun EXILE_SYSCGROUP_TIMER
timer_delete EXILE_SYSCGROUP_TIMER
clock_settime EXILE_SYSCGROUP_TIME
clock_gettime EXILE_SYSCGROUP_TIME
clock_getres EXILE_SYSCGROUP_TIME
clock_nanosleep EXILE_SYSCGROUP_TIME
exit_group EXILE_SYSCGROUP_EXIT,EXILE_SYSCGROUP_DEFAULT_ALLOW
epoll_wait EXILE_SYSCGROUP_FD
epoll_ctl EXILE_SYSCGROUP_FD
tgkill EXILE_SYSCGROUP_SIGNAL,EXILE_SYSCGROUP_THREAD
utimes EXILE_SYSCGROUP_PATH
vserver EXILE_SYSCGROUP_UNIMPLEMENTED
mbind EXILE_SYSCGROUP_MEMORY
set_mempolicy EXILE_SYSCGROUP_MEMORY
get_mempolicy EXILE_SYSCGROUP_MEMORY
mq_open EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
mq_unlink EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
mq_timedsend EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
mq_timedreceive EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
mq_notify EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
mq_getsetattr EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
kexec_load EXILE_SYSCGROUP_KEXEC
waitid EXILE_SYSCGROUP_SIGNAL
add_key EXILE_SYSCGROUP_KEYS
request_key EXILE_SYSCGROUP_KEYS
keyctl EXILE_SYSCGROUP_KEYS
ioprio_set EXILE_SYSCGROUP_PRIO
ioprio_get EXILE_SYSCGROUP_PRIO
inotify_init EXILE_SYSCGROUP_INOTIFY
inotify_add_watch EXILE_SYSCGROUP_INOTIFY
inotify_rm_watch EXILE_SYSCGROUP_INOTIFY
migrate_pages EXILE_SYSCGROUP_PROCESS
openat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
mkdirat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
mknodat EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fchownat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
futimesat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
newfstatat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
unlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
renameat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
linkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
symlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
readlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fchmodat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
faccessat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
pselect6 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
ppoll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
unshare EXILE_SYSCGROUP_NS,EXILE_SYSCGROUP_FS
set_robust_list EXILE_SYSCGROUP_FUTEX
get_robust_list EXILE_SYSCGROUP_FUTEX
splice EXILE_SYSCGROUP_FD
tee EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
sync_file_range EXILE_SYSCGROUP_FD
vmsplice EXILE_SYSCGROUP_FD
move_pages EXILE_SYSCGROUP_PROCESS
utimensat EXILE_SYSCGROUP_PATH
epoll_pwait EXILE_SYSCGROUP_STDIO
signalfd EXILE_SYSCGROUP_SIGNAL
timerfd_create EXILE_SYSCGROUP_TIMER
eventfd EXILE_SYSCGROUP_FD
fallocate EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
timerfd_settime EXILE_SYSCGROUP_TIMER
timerfd_gettime EXILE_SYSCGROUP_TIMER
accept4 EXILE_SYSCGROUP_SOCKET
signalfd4 EXILE_SYSCGROUP_FD
eventfd2 EXILE_SYSCGROUP_FD
epoll_create1 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
dup3 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
pipe2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
inotify_init1 EXILE_SYSCGROUP_INOTIFY
preadv EXILE_SYSCGROUP_STDIO
pwritev EXILE_SYSCGROUP_STDIO
rt_tgsigqueueinfo EXILE_SYSCGROUP_RT
perf_event_open EXILE_SYSCGROUP_PERF
recvmmsg EXILE_SYSCGROUP_SOCKET
fanotify_init EXILE_SYSCGROUP_FANOTIFY
fanotify_mark EXILE_SYSCGROUP_FANOTIFY
prlimit64 EXILE_SYSCGROUP_RES
name_to_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
open_by_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
clock_adjtime EXILE_SYSCGROUP_CLOCK
syncfs EXILE_SYSCGROUP_FD
sendmmsg EXILE_SYSCGROUP_SOCKET
setns EXILE_SYSCGROUP_NS
getcpu EXILE_SYSCGROUP_SCHED
#maybe IPC, but feels wrong
process_vm_readv EXILE_SYSCGROUP_NONE
process_vm_writev EXILE_SYSCGROUP_NONE
kcmp EXILE_SYSCGROUP_NONE
finit_module EXILE_SYSCGROUP_KMOD
sched_setattr EXILE_SYSCGROUP_SCHED
sched_getattr EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
renameat2 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW
seccomp EXILE_SYSCGROUP_NONE
getrandom EXILE_SYSCGROUP_DEFAULT_ALLOW
memfd_create EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
kexec_file_load EXILE_SYSCGROUP_KEXEC
bpf EXILE_SYSCGROUP_NONE
execveat EXILE_SYSCGROUP_EXEC
userfaultfd EXILE_SYSCGROUP_NONE
membarrier EXILE_SYSCGROUP_NONE
mlock2 EXILE_SYSCGROUP_MEMORY
copy_file_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
preadv2 EXILE_SYSCGROUP_STDIO
pwritev2 EXILE_SYSCGROUP_STDIO
#Those are newer than 5.10, wrap them in ifndef so we can compile on old systems
pkey_mprotect EXILE_SYSCGROUP_PKEY genifndef(329)
pkey_alloc EXILE_SYSCGROUP_PKEY genifndef(330)
pkey_free EXILE_SYSCGROUP_PKEY genifndef(331)
statx EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(332)
io_pgetevents EXILE_SYSCGROUP_NONE genifndef(333)
rseq EXILE_SYSCGROUP_THREAD genifndef(334)
pidfd_send_signal EXILE_SYSCGROUP_PIDFD genifndef(424)
io_uring_setup EXILE_SYSCGROUP_IOURING genifndef(425)
io_uring_enter EXILE_SYSCGROUP_IOURING genifndef(426)
io_uring_register EXILE_SYSCGROUP_IOURING genifndef(427)
open_tree EXILE_SYSCGROUP_NEWMOUNT genifndef(428)
move_mount EXILE_SYSCGROUP_NEWMOUNT genifndef(429)
fsopen EXILE_SYSCGROUP_NEWMOUNT genifndef(430)
fsconfig EXILE_SYSCGROUP_NEWMOUNT genifndef(431)
fsmount EXILE_SYSCGROUP_NEWMOUNT genifndef(432)
fspick EXILE_SYSCGROUP_NEWMOUNT genifndef(433)
pidfd_open EXILE_SYSCGROUP_PIDFD genifndef(434)
clone3 EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(435)
close_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(436)
openat2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(437)
pidfd_getfd EXILE_SYSCGROUP_PIDFD genifndef(438)
faccessat2 EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(439)
process_madvise EXILE_SYSCGROUP_MEMORY genifndef(440)
epoll_pwait2 EXILE_SYSCGROUP_STDIO genifndef(441)
mount_setattr EXILE_SYSCGROUP_NONE genifndef(442)
quotactl_fd EXILE_SYSCGROUP_QUOTA genifndef(443)
landlock_create_ruleset EXILE_SYSCGROUP_LANDLOCK genifndef(444)
landlock_add_rule EXILE_SYSCGROUP_LANDLOCK genifndef(445)
landlock_restrict_self EXILE_SYSCGROUP_LANDLOCK genifndef(446)
memfd_secret EXILE_SYSCGROUP_NONE genifndef(447)
process_mrelease EXILE_SYSCGROUP_NONE genifndef(448)

98
test.c

@ -181,38 +181,16 @@ int test_seccomp_errno()
return test_successful_exit(&do_test_seccomp_errno);
}
static int test_seccomp_group()
{
struct exile_policy *policy = exile_init_policy();
if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYSCGROUP_SOCKET) != 0)
{
printf("nothing added\n");
return 1;
}
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
int s = socket(AF_INET,SOCK_STREAM,0);
if(s != -1)
{
printf("Failed: socket was expected to return error, but returned %i\n", s);
return 1;
}
return 0;
}
int test_seccomp_argfilter_allowed()
{
struct exile_policy *policy = exile_init_policy();
struct sock_filter argfilter[2] =
struct sock_filter argfilter[2] =
{
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
};
exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR, argfilter, 2);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
@ -233,7 +211,7 @@ int test_seccomp_argfilter_filtered()
{
struct exile_policy *policy = exile_init_policy();
struct sock_filter argfilter[2] =
struct sock_filter argfilter[2] =
{
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
@ -259,7 +237,7 @@ int test_seccomp_argfilter_mixed()
{
struct exile_policy *policy = exile_init_policy();
struct sock_filter argfilter[2] =
struct sock_filter argfilter[2] =
{
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
@ -303,6 +281,72 @@ int test_seccomp_argfilter_mixed()
return 0;
}
int do_test_seccomp_pledge_socket()
{
struct exile_policy *policy = exile_init_policy();
policy->pledge_promises = EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_INET | EXILE_SYSCALL_PLEDGE_DENY_ERROR;
xexile_enable_policy(policy);
int s = socket(AF_INET, SOCK_STREAM, 0);
if(s == -1)
{
printf("Failed: socket was expected to succeed, but returned %i\n", s);
return 1;
}
s = socket(AF_UNIX, SOCK_DGRAM, 0);
if(s != -1)
{
printf("Failed: socket was expected to fail, but returned %i\n", s);
return 1;
}
return 0;
}
int do_test_seccomp_pledge_open()
{
struct exile_policy *policy = exile_init_policy();
policy->pledge_promises = EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_RPATH | EXILE_SYSCALL_PLEDGE_DENY_ERROR;
xexile_enable_policy(policy);
int ret = open("/dev/urandom", O_WRONLY | O_APPEND);
if(ret != -1)
{
printf("Failed: open was expected to fail, but returned %i\n", ret);
return 1;
}
ret = open("/dev/urandom", O_RDWR);
if(ret != -1)
{
printf("Failed: open O_RDWR was expected to fail, but returned %i\n", ret);
return 1;
}
ret = open("/dev/urandom", O_RDONLY);
if(ret == -1)
{
printf("Failed: open was expected to succceed, but returned %i\n", ret);
return 1;
}
return 0;
}
int test_seccomp_pledge()
{
int ret = test_successful_exit(&do_test_seccomp_pledge_open);
if(ret != 0)
{
printf("Failed: do_test_seccomp_pledge_open()\n");
return 1;
}
ret = test_successful_exit(&do_test_seccomp_pledge_socket);
if(ret != 0)
{
printf("Failed: do_test_seccomp_pledge_socket()\n");
return 1;
}
return 0;
}
#if HAVE_LANDLOCK == 1
int test_landlock()
{
@ -403,10 +447,10 @@ struct dispatcher dispatchers[] = {
{ "seccomp-x32-kill", &test_seccomp_x32_kill},
{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
{ "seccomp-errno", &test_seccomp_errno},
{ "seccomp-group", &test_seccomp_group},
{ "seccomp-argfilter-allowed", &test_seccomp_argfilter_allowed},
{ "seccomp-argfilter-filtered", &test_seccomp_argfilter_filtered},
{ "seccomp-argfilter-mixed", &test_seccomp_argfilter_mixed},
{ "seccomp-pledge", &test_seccomp_pledge},
{ "landlock", &test_landlock},
{ "landlock-deny-write", &test_landlock_deny_write },
{ "no_fs", &test_nofs},