Begin an pledge()-like implementation
This begins a pledge() implementation. This also retires the previous syscall grouping approach, as pledge() is the superior mechanism. Squashed: test: Begin basic pledge test pledge: Begin EXILE_SYSCALL_PLEDGE_UNIX/EXILE_SYSCALL_PLEDGE_INET test: Add pledge socket test Introduce EXILE_SYSCALL_PLEDGE_DENY_ERROR, remove exile_policy->pledge_policy pledge: Add PROT_EXEC
This commit is contained in:
parent
15a6850023
commit
7115ef8b4d
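--- a/gengroup.py
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/python
-import sys
-import re
-if len(sys.argv) < 2:
-    print("Usage: gengroup groupfile")
-    sys.exit(1)
-fd = open(sys.argv[1], "r")
-
-lines = fd.read().splitlines()
-
-groupnames = set()
-ifndef = dict()
-
-def print_ifndefs():
-    for name in ifndef:
-        print("#ifndef __NR_%s" % name)
-        print("#define __NR_%s %s" % (name, ifndef[name]))
-        print("#endif")
-
-def print_defines(names):
-    names = sorted(names)
-    i = 0
-    for name in names:
-        define = "#define %s ((uint64_t)1<<%s)" % (name, i)
-        print(define)
-        i = i + 1
-
-for line in lines:
-    if line[0] == '#':
-        continue
-
-    splitted = line.split(' ')
-    if len(splitted) < 2:
-        print("Misformated line:", line)
-        sys.exit(1)
-
-    currentsyscall = splitted[0]
-    currentgroups = splitted[1].split(',')
-
-    flags = splitted[2] if len(splitted) > 2 else ""
-    if any( not s or s.isspace() for s in currentgroups ):
-        print("Misformated line (empty values):", line)
-        sys.exit(1)
-    groupnames.update(currentgroups)
-
-    genifndef = re.match(r"genifndef\((\d+)*\)", flags)
-    if genifndef:
-        ifndef[currentsyscall] = genifndef.groups(1)[0]
-
-    array_line = "{EXILE_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups))
-    print(array_line)
-
-print_ifndefs()
-print_defines(groupnames)
-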
@ -1,363 +0,0 @@
|
|||||||
# Assign system calls to groups. In the future, may also include simple arg filtering.
|
|
||||||
read EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
write EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
open EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
close EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
stat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
fstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
lstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
poll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
lseek EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
mmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
mprotect EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
munmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
brk EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
rt_sigaction EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
rt_sigprocmask EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
rt_sigreturn EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
ioctl EXILE_SYSCGROUP_IOCTL,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
pread64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
pwrite64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
readv EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
writev EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
access EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
pipe EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
select EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
sched_yield EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
mremap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
msync EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
mincore EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
madvise EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
shmget EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
shmat EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
shmctl EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
dup EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
dup2 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
pause EXILE_SYSCGROUP_PAUSE,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
nanosleep EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
getitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
alarm EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
setitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
getpid EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
sendfile EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
socket EXILE_SYSCGROUP_SOCKET
|
|
||||||
connect EXILE_SYSCGROUP_SOCKET
|
|
||||||
accept EXILE_SYSCGROUP_SOCKET
|
|
||||||
sendto EXILE_SYSCGROUP_SOCKET
|
|
||||||
recvfrom EXILE_SYSCGROUP_SOCKET
|
|
||||||
sendmsg EXILE_SYSCGROUP_SOCKET
|
|
||||||
recvmsg EXILE_SYSCGROUP_SOCKET
|
|
||||||
shutdown EXILE_SYSCGROUP_SOCKET
|
|
||||||
bind EXILE_SYSCGROUP_SOCKET
|
|
||||||
listen EXILE_SYSCGROUP_SOCKET
|
|
||||||
getsockname EXILE_SYSCGROUP_SOCKET
|
|
||||||
getpeername EXILE_SYSCGROUP_SOCKET
|
|
||||||
socketpair EXILE_SYSCGROUP_SOCKET,EXILE_SYSCGROUP_IPC
|
|
||||||
setsockopt EXILE_SYSCGROUP_SOCKET
|
|
||||||
getsockopt EXILE_SYSCGROUP_SOCKET
|
|
||||||
clone EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
fork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
vfork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
execve EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_EXEC
|
|
||||||
exit EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
wait4 EXILE_SYSCGROUP_EXEC
|
|
||||||
kill EXILE_SYSCGROUP_KILL
|
|
||||||
uname EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
semget EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
semop EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
semctl EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
shmdt EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
msgget EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
msgsnd EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
msgrcv EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
msgctl EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
fcntl EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
flock EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
fsync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
fdatasync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
truncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
ftruncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
getdents EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
getcwd EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
chdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
fchdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
rename EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
mkdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
rmdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
creat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
link EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
unlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
symlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
readlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
chmod EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
fchmod EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
chown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
fchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
lchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
umask EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
gettimeofday EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
getrlimit EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
getrusage EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
sysinfo EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
times EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
ptrace EXILE_SYSCGROUP_PTRACE,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
getuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
syslog EXILE_SYSCGROUP_SYS
|
|
||||||
getgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
setuid EXILE_SYSCGROUP_ID
|
|
||||||
setgid EXILE_SYSCGROUP_ID
|
|
||||||
geteuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
getegid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
setpgid EXILE_SYSCGROUP_ID
|
|
||||||
getppid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
getpgrp EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
setsid EXILE_SYSCGROUP_ID
|
|
||||||
setreuid EXILE_SYSCGROUP_ID
|
|
||||||
setregid EXILE_SYSCGROUP_ID
|
|
||||||
getgroups EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
setgroups EXILE_SYSCGROUP_ID
|
|
||||||
setresuid EXILE_SYSCGROUP_ID
|
|
||||||
getresuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
setresgid EXILE_SYSCGROUP_ID
|
|
||||||
getresgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
getpgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
setfsuid EXILE_SYSCGROUP_ID
|
|
||||||
setfsgid EXILE_SYSCGROUP_ID
|
|
||||||
getsid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
capget EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
capset EXILE_SYSCGROUP_ID
|
|
||||||
rt_sigpending EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
rt_sigtimedwait EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
rt_sigqueueinfo EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
rt_sigsuspend EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
sigaltstack EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
|
|
||||||
utime EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_FS
|
|
||||||
mknod EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_FS
|
|
||||||
uselib EXILE_SYSCGROUP_LIB,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
personality EXILE_SYSCGROUP_PROCESS
|
|
||||||
ustat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
|
|
||||||
statfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
|
|
||||||
fstatfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
|
|
||||||
sysfs EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_FS
|
|
||||||
getpriority EXILE_SYSCGROUP_SCHED
|
|
||||||
setpriority EXILE_SYSCGROUP_SCHED
|
|
||||||
sched_setparam EXILE_SYSCGROUP_SCHED
|
|
||||||
sched_getparam EXILE_SYSCGROUP_SCHED
|
|
||||||
sched_setscheduler EXILE_SYSCGROUP_SCHED
|
|
||||||
sched_getscheduler EXILE_SYSCGROUP_SCHED
|
|
||||||
sched_get_priority_max EXILE_SYSCGROUP_SCHED
|
|
||||||
sched_get_priority_min EXILE_SYSCGROUP_SCHED
|
|
||||||
sched_rr_get_interval EXILE_SYSCGROUP_SCHED
|
|
||||||
mlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
munlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
mlockall EXILE_SYSCGROUP_MEMORY
|
|
||||||
munlockall EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
vhangup EXILE_SYSCGROUP_TTY
|
|
||||||
modify_ldt EXILE_SYSCGROUP_PROCESS
|
|
||||||
pivot_root EXILE_SYSCGROUP_CHROOT
|
|
||||||
_sysctl EXILE_SYSCGROUP_SYS
|
|
||||||
prctl EXILE_SYSCGROUP_PROCESS
|
|
||||||
arch_prctl EXILE_SYSCGROUP_PROCESS
|
|
||||||
adjtimex EXILE_SYSCGROUP_CLOCK
|
|
||||||
setrlimit EXILE_SYSCGROUP_RES
|
|
||||||
chroot EXILE_SYSCGROUP_CHROOT,EXILE_SYSCGROUP_FS
|
|
||||||
sync EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
acct EXILE_SYSCGROUP_PROCESS
|
|
||||||
settimeofday EXILE_SYSCGROUP_TIME
|
|
||||||
mount EXILE_SYSCGROUP_MOUNT,EXILE_SYSCGROUP_FS
|
|
||||||
umount2 EXILE_SYSCGROUP_UMOUNT,EXILE_SYSCGROUP_FS
|
|
||||||
swapon EXILE_SYSCGROUP_SWAP
|
|
||||||
swapoff EXILE_SYSCGROUP_SWAP
|
|
||||||
reboot EXILE_SYSCGROUP_POWER
|
|
||||||
sethostname EXILE_SYSCGROUP_HOST
|
|
||||||
setdomainname EXILE_SYSCGROUP_HOST
|
|
||||||
iopl EXILE_SYSCGROUP_IOPL
|
|
||||||
ioperm EXILE_SYSCGROUP_IOPL
|
|
||||||
create_module EXILE_SYSCGROUP_KMOD
|
|
||||||
init_module EXILE_SYSCGROUP_KMOD
|
|
||||||
delete_module EXILE_SYSCGROUP_KMOD
|
|
||||||
get_kernel_syms EXILE_SYSCGROUP_KMOD
|
|
||||||
query_module EXILE_SYSCGROUP_KMOD
|
|
||||||
quotactl EXILE_SYSCGROUP_QUOTA
|
|
||||||
nfsservctl EXILE_SYSCGROUP_NONE
|
|
||||||
getpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
|
|
||||||
putpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
|
|
||||||
afs_syscall EXILE_SYSCGROUP_UNIMPLEMENTED
|
|
||||||
tuxcall EXILE_SYSCGROUP_UNIMPLEMENTED
|
|
||||||
security EXILE_SYSCGROUP_UNIMPLEMENTED
|
|
||||||
gettid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_THREAD
|
|
||||||
readahead EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
|
|
||||||
setxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
|
||||||
lsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
|
||||||
fsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
|
||||||
getxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
lgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
fgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
listxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
|
||||||
llistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
|
||||||
flistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
|
||||||
removexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
|
||||||
lremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
|
||||||
fremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
|
|
||||||
tkill EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
|
|
||||||
time EXILE_SYSCGROUP_TIME
|
|
||||||
futex EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_FUTEX
|
|
||||||
sched_setaffinity EXILE_SYSCGROUP_SCHED
|
|
||||||
sched_getaffinity EXILE_SYSCGROUP_SCHED
|
|
||||||
set_thread_area EXILE_SYSCGROUP_THREAD
|
|
||||||
io_setup EXILE_SYSCGROUP_IO
|
|
||||||
io_destroy EXILE_SYSCGROUP_IO
|
|
||||||
io_getevents EXILE_SYSCGROUP_IO
|
|
||||||
io_submit EXILE_SYSCGROUP_IO
|
|
||||||
io_cancel EXILE_SYSCGROUP_IO
|
|
||||||
get_thread_area EXILE_SYSCGROUP_THREAD
|
|
||||||
lookup_dcookie EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
|
|
||||||
epoll_create EXILE_SYSCGROUP_STDIO
|
|
||||||
epoll_ctl_old EXILE_SYSCGROUP_STDIO
|
|
||||||
epoll_wait_old EXILE_SYSCGROUP_STDIO
|
|
||||||
remap_file_pages EXILE_SYSCGROUP_NONE
|
|
||||||
getdents64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
|
|
||||||
set_tid_address EXILE_SYSCGROUP_THREAD
|
|
||||||
restart_syscall EXILE_SYSCGROUP_SYSCALL
|
|
||||||
semtimedop EXILE_SYSCGROUP_SEM
|
|
||||||
fadvise64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
|
|
||||||
timer_create EXILE_SYSCGROUP_TIMER
|
|
||||||
timer_settime EXILE_SYSCGROUP_TIMER
|
|
||||||
timer_gettime EXILE_SYSCGROUP_TIMER
|
|
||||||
timer_getoverrun EXILE_SYSCGROUP_TIMER
|
|
||||||
timer_delete EXILE_SYSCGROUP_TIMER
|
|
||||||
clock_settime EXILE_SYSCGROUP_TIME
|
|
||||||
clock_gettime EXILE_SYSCGROUP_TIME
|
|
||||||
clock_getres EXILE_SYSCGROUP_TIME
|
|
||||||
clock_nanosleep EXILE_SYSCGROUP_TIME
|
|
||||||
exit_group EXILE_SYSCGROUP_EXIT,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
epoll_wait EXILE_SYSCGROUP_FD
|
|
||||||
epoll_ctl EXILE_SYSCGROUP_FD
|
|
||||||
tgkill EXILE_SYSCGROUP_SIGNAL,EXILE_SYSCGROUP_THREAD
|
|
||||||
utimes EXILE_SYSCGROUP_PATH
|
|
||||||
vserver EXILE_SYSCGROUP_UNIMPLEMENTED
|
|
||||||
mbind EXILE_SYSCGROUP_MEMORY
|
|
||||||
set_mempolicy EXILE_SYSCGROUP_MEMORY
|
|
||||||
get_mempolicy EXILE_SYSCGROUP_MEMORY
|
|
||||||
mq_open EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
|
||||||
mq_unlink EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
|
||||||
mq_timedsend EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
|
||||||
mq_timedreceive EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
|
||||||
mq_notify EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
|
||||||
mq_getsetattr EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
|
|
||||||
kexec_load EXILE_SYSCGROUP_KEXEC
|
|
||||||
waitid EXILE_SYSCGROUP_SIGNAL
|
|
||||||
add_key EXILE_SYSCGROUP_KEYS
|
|
||||||
request_key EXILE_SYSCGROUP_KEYS
|
|
||||||
keyctl EXILE_SYSCGROUP_KEYS
|
|
||||||
ioprio_set EXILE_SYSCGROUP_PRIO
|
|
||||||
ioprio_get EXILE_SYSCGROUP_PRIO
|
|
||||||
inotify_init EXILE_SYSCGROUP_INOTIFY
|
|
||||||
inotify_add_watch EXILE_SYSCGROUP_INOTIFY
|
|
||||||
inotify_rm_watch EXILE_SYSCGROUP_INOTIFY
|
|
||||||
migrate_pages EXILE_SYSCGROUP_PROCESS
|
|
||||||
openat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
mkdirat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
mknodat EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
fchownat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
futimesat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
newfstatat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
unlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
renameat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
linkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
symlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
readlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
fchmodat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
faccessat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
pselect6 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
ppoll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
|
|
||||||
unshare EXILE_SYSCGROUP_NS,EXILE_SYSCGROUP_FS
|
|
||||||
set_robust_list EXILE_SYSCGROUP_FUTEX
|
|
||||||
get_robust_list EXILE_SYSCGROUP_FUTEX
|
|
||||||
splice EXILE_SYSCGROUP_FD
|
|
||||||
tee EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
sync_file_range EXILE_SYSCGROUP_FD
|
|
||||||
vmsplice EXILE_SYSCGROUP_FD
|
|
||||||
move_pages EXILE_SYSCGROUP_PROCESS
|
|
||||||
utimensat EXILE_SYSCGROUP_PATH
|
|
||||||
epoll_pwait EXILE_SYSCGROUP_STDIO
|
|
||||||
signalfd EXILE_SYSCGROUP_SIGNAL
|
|
||||||
timerfd_create EXILE_SYSCGROUP_TIMER
|
|
||||||
eventfd EXILE_SYSCGROUP_FD
|
|
||||||
fallocate EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
|
|
||||||
timerfd_settime EXILE_SYSCGROUP_TIMER
|
|
||||||
timerfd_gettime EXILE_SYSCGROUP_TIMER
|
|
||||||
accept4 EXILE_SYSCGROUP_SOCKET
|
|
||||||
signalfd4 EXILE_SYSCGROUP_FD
|
|
||||||
eventfd2 EXILE_SYSCGROUP_FD
|
|
||||||
epoll_create1 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
dup3 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
pipe2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
inotify_init1 EXILE_SYSCGROUP_INOTIFY
|
|
||||||
preadv EXILE_SYSCGROUP_STDIO
|
|
||||||
pwritev EXILE_SYSCGROUP_STDIO
|
|
||||||
rt_tgsigqueueinfo EXILE_SYSCGROUP_RT
|
|
||||||
perf_event_open EXILE_SYSCGROUP_PERF
|
|
||||||
recvmmsg EXILE_SYSCGROUP_SOCKET
|
|
||||||
fanotify_init EXILE_SYSCGROUP_FANOTIFY
|
|
||||||
fanotify_mark EXILE_SYSCGROUP_FANOTIFY
|
|
||||||
prlimit64 EXILE_SYSCGROUP_RES
|
|
||||||
name_to_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
|
|
||||||
open_by_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
|
|
||||||
clock_adjtime EXILE_SYSCGROUP_CLOCK
|
|
||||||
syncfs EXILE_SYSCGROUP_FD
|
|
||||||
sendmmsg EXILE_SYSCGROUP_SOCKET
|
|
||||||
setns EXILE_SYSCGROUP_NS
|
|
||||||
getcpu EXILE_SYSCGROUP_SCHED
|
|
||||||
#maybe IPC, but feels wrong
|
|
||||||
process_vm_readv EXILE_SYSCGROUP_NONE
|
|
||||||
process_vm_writev EXILE_SYSCGROUP_NONE
|
|
||||||
kcmp EXILE_SYSCGROUP_NONE
|
|
||||||
finit_module EXILE_SYSCGROUP_KMOD
|
|
||||||
sched_setattr EXILE_SYSCGROUP_SCHED
|
|
||||||
sched_getattr EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
renameat2 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
seccomp EXILE_SYSCGROUP_NONE
|
|
||||||
getrandom EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
memfd_create EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
kexec_file_load EXILE_SYSCGROUP_KEXEC
|
|
||||||
bpf EXILE_SYSCGROUP_NONE
|
|
||||||
execveat EXILE_SYSCGROUP_EXEC
|
|
||||||
userfaultfd EXILE_SYSCGROUP_NONE
|
|
||||||
membarrier EXILE_SYSCGROUP_NONE
|
|
||||||
mlock2 EXILE_SYSCGROUP_MEMORY
|
|
||||||
copy_file_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
|
|
||||||
preadv2 EXILE_SYSCGROUP_STDIO
|
|
||||||
pwritev2 EXILE_SYSCGROUP_STDIO
|
|
||||||
#Those are newer than 5.10, wrap them in ifndef so we can compile on old systems
|
|
||||||
pkey_mprotect EXILE_SYSCGROUP_PKEY genifndef(329)
|
|
||||||
pkey_alloc EXILE_SYSCGROUP_PKEY genifndef(330)
|
|
||||||
pkey_free EXILE_SYSCGROUP_PKEY genifndef(331)
|
|
||||||
statx EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(332)
|
|
||||||
io_pgetevents EXILE_SYSCGROUP_NONE genifndef(333)
|
|
||||||
rseq EXILE_SYSCGROUP_THREAD genifndef(334)
|
|
||||||
pidfd_send_signal EXILE_SYSCGROUP_PIDFD genifndef(424)
|
|
||||||
io_uring_setup EXILE_SYSCGROUP_IOURING genifndef(425)
|
|
||||||
io_uring_enter EXILE_SYSCGROUP_IOURING genifndef(426)
|
|
||||||
io_uring_register EXILE_SYSCGROUP_IOURING genifndef(427)
|
|
||||||
open_tree EXILE_SYSCGROUP_NEWMOUNT genifndef(428)
|
|
||||||
move_mount EXILE_SYSCGROUP_NEWMOUNT genifndef(429)
|
|
||||||
fsopen EXILE_SYSCGROUP_NEWMOUNT genifndef(430)
|
|
||||||
fsconfig EXILE_SYSCGROUP_NEWMOUNT genifndef(431)
|
|
||||||
fsmount EXILE_SYSCGROUP_NEWMOUNT genifndef(432)
|
|
||||||
fspick EXILE_SYSCGROUP_NEWMOUNT genifndef(433)
|
|
||||||
pidfd_open EXILE_SYSCGROUP_PIDFD genifndef(434)
|
|
||||||
clone3 EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(435)
|
|
||||||
close_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(436)
|
|
||||||
openat2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(437)
|
|
||||||
pidfd_getfd EXILE_SYSCGROUP_PIDFD genifndef(438)
|
|
||||||
faccessat2 EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(439)
|
|
||||||
process_madvise EXILE_SYSCGROUP_MEMORY genifndef(440)
|
|
||||||
epoll_pwait2 EXILE_SYSCGROUP_STDIO genifndef(441)
|
|
||||||
mount_setattr EXILE_SYSCGROUP_NONE genifndef(442)
|
|
||||||
quotactl_fd EXILE_SYSCGROUP_QUOTA genifndef(443)
|
|
||||||
landlock_create_ruleset EXILE_SYSCGROUP_LANDLOCK genifndef(444)
|
|
||||||
landlock_add_rule EXILE_SYSCGROUP_LANDLOCK genifndef(445)
|
|
||||||
landlock_restrict_self EXILE_SYSCGROUP_LANDLOCK genifndef(446)
|
|
||||||
memfd_secret EXILE_SYSCGROUP_NONE genifndef(447)
|
|
||||||
process_mrelease EXILE_SYSCGROUP_NONE genifndef(448)
|
|
98
test.c
98
test.c
@ -181,38 +181,16 @@ int test_seccomp_errno()
|
|||||||
return test_successful_exit(&do_test_seccomp_errno);
|
return test_successful_exit(&do_test_seccomp_errno);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int test_seccomp_group()
|
|
||||||
{
|
|
||||||
struct exile_policy *policy = exile_init_policy();
|
|
||||||
|
|
||||||
if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYSCGROUP_SOCKET) != 0)
|
|
||||||
{
|
|
||||||
printf("nothing added\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
|
|
||||||
|
|
||||||
xexile_enable_policy(policy);
|
|
||||||
|
|
||||||
int s = socket(AF_INET,SOCK_STREAM,0);
|
|
||||||
if(s != -1)
|
|
||||||
{
|
|
||||||
printf("Failed: socket was expected to return error, but returned %i\n", s);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int test_seccomp_argfilter_allowed()
|
int test_seccomp_argfilter_allowed()
|
||||||
{
|
{
|
||||||
struct exile_policy *policy = exile_init_policy();
|
struct exile_policy *policy = exile_init_policy();
|
||||||
|
|
||||||
struct sock_filter argfilter[2] =
|
struct sock_filter argfilter[2] =
|
||||||
{
|
{
|
||||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
|
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
|
||||||
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
|
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
|
||||||
};
|
};
|
||||||
|
|
||||||
exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR, argfilter, 2);
|
exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR, argfilter, 2);
|
||||||
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
|
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
|
||||||
xexile_enable_policy(policy);
|
xexile_enable_policy(policy);
|
||||||
@ -233,7 +211,7 @@ int test_seccomp_argfilter_filtered()
|
|||||||
{
|
{
|
||||||
struct exile_policy *policy = exile_init_policy();
|
struct exile_policy *policy = exile_init_policy();
|
||||||
|
|
||||||
struct sock_filter argfilter[2] =
|
struct sock_filter argfilter[2] =
|
||||||
{
|
{
|
||||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
|
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
|
||||||
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
|
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
|
||||||
@ -259,7 +237,7 @@ int test_seccomp_argfilter_mixed()
|
|||||||
{
|
{
|
||||||
struct exile_policy *policy = exile_init_policy();
|
struct exile_policy *policy = exile_init_policy();
|
||||||
|
|
||||||
struct sock_filter argfilter[2] =
|
struct sock_filter argfilter[2] =
|
||||||
{
|
{
|
||||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
|
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
|
||||||
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
|
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
|
||||||
@ -303,6 +281,72 @@ int test_seccomp_argfilter_mixed()
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int do_test_seccomp_pledge_socket()
|
||||||
|
{
|
||||||
|
struct exile_policy *policy = exile_init_policy();
|
||||||
|
policy->pledge_promises = EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_INET | EXILE_SYSCALL_PLEDGE_DENY_ERROR;
|
||||||
|
xexile_enable_policy(policy);
|
||||||
|
|
||||||
|
int s = socket(AF_INET, SOCK_STREAM, 0);
|
||||||
|
if(s == -1)
|
||||||
|
{
|
||||||
|
printf("Failed: socket was expected to succeed, but returned %i\n", s);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
s = socket(AF_UNIX, SOCK_DGRAM, 0);
|
||||||
|
if(s != -1)
|
||||||
|
{
|
||||||
|
printf("Failed: socket was expected to fail, but returned %i\n", s);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int do_test_seccomp_pledge_open()
|
||||||
|
{
|
||||||
|
struct exile_policy *policy = exile_init_policy();
|
||||||
|
policy->pledge_promises = EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_RPATH | EXILE_SYSCALL_PLEDGE_DENY_ERROR;
|
||||||
|
xexile_enable_policy(policy);
|
||||||
|
|
||||||
|
int ret = open("/dev/urandom", O_WRONLY | O_APPEND);
|
||||||
|
if(ret != -1)
|
||||||
|
{
|
||||||
|
printf("Failed: open was expected to fail, but returned %i\n", ret);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
ret = open("/dev/urandom", O_RDWR);
|
||||||
|
if(ret != -1)
|
||||||
|
{
|
||||||
|
printf("Failed: open O_RDWR was expected to fail, but returned %i\n", ret);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
ret = open("/dev/urandom", O_RDONLY);
|
||||||
|
if(ret == -1)
|
||||||
|
{
|
||||||
|
printf("Failed: open was expected to succceed, but returned %i\n", ret);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int test_seccomp_pledge()
|
||||||
|
{
|
||||||
|
int ret = test_successful_exit(&do_test_seccomp_pledge_open);
|
||||||
|
if(ret != 0)
|
||||||
|
{
|
||||||
|
printf("Failed: do_test_seccomp_pledge_open()\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
ret = test_successful_exit(&do_test_seccomp_pledge_socket);
|
||||||
|
if(ret != 0)
|
||||||
|
{
|
||||||
|
printf("Failed: do_test_seccomp_pledge_socket()\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
#if HAVE_LANDLOCK == 1
|
#if HAVE_LANDLOCK == 1
|
||||||
int test_landlock()
|
int test_landlock()
|
||||||
{
|
{
|
||||||
@ -403,10 +447,10 @@ struct dispatcher dispatchers[] = {
|
|||||||
{ "seccomp-x32-kill", &test_seccomp_x32_kill},
|
{ "seccomp-x32-kill", &test_seccomp_x32_kill},
|
||||||
{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
|
{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
|
||||||
{ "seccomp-errno", &test_seccomp_errno},
|
{ "seccomp-errno", &test_seccomp_errno},
|
||||||
{ "seccomp-group", &test_seccomp_group},
|
|
||||||
{ "seccomp-argfilter-allowed", &test_seccomp_argfilter_allowed},
|
{ "seccomp-argfilter-allowed", &test_seccomp_argfilter_allowed},
|
||||||
{ "seccomp-argfilter-filtered", &test_seccomp_argfilter_filtered},
|
{ "seccomp-argfilter-filtered", &test_seccomp_argfilter_filtered},
|
||||||
{ "seccomp-argfilter-mixed", &test_seccomp_argfilter_mixed},
|
{ "seccomp-argfilter-mixed", &test_seccomp_argfilter_mixed},
|
||||||
|
{ "seccomp-pledge", &test_seccomp_pledge},
|
||||||
{ "landlock", &test_landlock},
|
{ "landlock", &test_landlock},
|
||||||
{ "landlock-deny-write", &test_landlock_deny_write },
|
{ "landlock-deny-write", &test_landlock_deny_write },
|
||||||
{ "no_fs", &test_nofs},
|
{ "no_fs", &test_nofs},
|
||||||
|
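Review bot: In do_test_seccomp_pledge_open the two expected-failure checks accept any failure (`if(ret != -1)`), so if /dev/urandom happens not to be writable in the environment that runs the test, the O_WRONLY and O_RDWR opens fail for a reason unrelated to the filter and the test passes without EXILE_SYSCALL_PLEDGE_DENY_ERROR ever being exercised; the AF_UNIX socket() check in do_test_seccomp_pledge_socket has the same weakness. Capture errno immediately after each expected failure and require the value the deny action produces, e.g. `if(ret != -1 || errno != DENY_ERRNO_PLACEHOLDER)` where DENY_ERRNO_PLACEHOLDER stands for whatever errno the DENY_ERROR action sets (not visible in this diff), and print `strerror(errno)` in the failure messages so a wrong reason shows up in the log. Whether the deny action sets errno at all cannot be confirmed from this hunk, so verify it against the seccomp return action exile uses before adding the comparison. The O_RDONLY open that is expected to succeed never closes its descriptor, and its failure message spells `succceed` with three c's.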