Introduce exile_vows_from_str()
förälder
4a3ac8e0bc
incheckning
9247a6636b
75
exile.h
75
exile.h
@ -245,6 +245,12 @@ struct syscall_vow_map
|
|||||||
uint64_t vowmask;
|
uint64_t vowmask;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
struct str_to_vow_map
|
||||||
|
{
|
||||||
|
char *str;
|
||||||
|
uint64_t value;
|
||||||
|
};
|
||||||
|
|
||||||
struct exile_path_policy
|
struct exile_path_policy
|
||||||
{
|
{
|
||||||
const char *path;
|
const char *path;
|
||||||
@ -644,6 +650,73 @@ static struct syscall_vow_map exile_vow_map[] =
|
|||||||
{EXILE_SYS(futex_waitv), EXILE_SYSCALL_VOW_THREAD}
|
{EXILE_SYS(futex_waitv), EXILE_SYSCALL_VOW_THREAD}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
struct str_to_vow_map str_to_vow_map[] =
|
||||||
|
{
|
||||||
|
{ "chown", EXILE_SYSCALL_VOW_CHOWN},
|
||||||
|
{ "clone", EXILE_SYSCALL_VOW_CLONE},
|
||||||
|
{ "cpath", EXILE_SYSCALL_VOW_CPATH},
|
||||||
|
{ "dpath", EXILE_SYSCALL_VOW_DPATH},
|
||||||
|
{ "exec", EXILE_SYSCALL_VOW_EXEC},
|
||||||
|
{ "fattr", EXILE_SYSCALL_VOW_FATTR},
|
||||||
|
{ "fsnotify", EXILE_SYSCALL_VOW_FSNOTIFY},
|
||||||
|
{ "id", EXILE_SYSCALL_VOW_ID},
|
||||||
|
{ "inet", EXILE_SYSCALL_VOW_INET},
|
||||||
|
{ "ioctl", EXILE_SYSCALL_VOW_IOCTL},
|
||||||
|
{ "prctl", EXILE_SYSCALL_VOW_PRCTL},
|
||||||
|
{ "proc", EXILE_SYSCALL_VOW_PROC},
|
||||||
|
{ "prot_exec", EXILE_SYSCALL_VOW_PROT_EXEC},
|
||||||
|
{ "rpath", EXILE_SYSCALL_VOW_RPATH},
|
||||||
|
{ "sched", EXILE_SYSCALL_VOW_SCHED},
|
||||||
|
{ "seccomp_install", EXILE_SYSCALL_VOW_SECCOMP_INSTALL},
|
||||||
|
{ "shm", EXILE_SYSCALL_VOW_SHM},
|
||||||
|
{ "stdio", EXILE_SYSCALL_VOW_STDIO},
|
||||||
|
{ "thread", EXILE_SYSCALL_VOW_THREAD},
|
||||||
|
{ "unix", EXILE_SYSCALL_VOW_UNIX},
|
||||||
|
{ "wpath", EXILE_SYSCALL_VOW_WPATH},
|
||||||
|
{ "error", EXILE_SYSCALL_VOW_DENY_ERROR}
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Converts the whitespace separated vows strings to vows flags
|
||||||
|
*
|
||||||
|
* This mainly helps readability, as lots of flags ORed together is not
|
||||||
|
* very readable.
|
||||||
|
*
|
||||||
|
* If an unkown string is found, abort() is called.
|
||||||
|
*/
|
||||||
|
uint64_t exile_vows_from_str(const char *str)
|
||||||
|
{
|
||||||
|
uint64_t result = 0;
|
||||||
|
char current[64] = { 0 };
|
||||||
|
char *ptr = current;
|
||||||
|
const char *end = ptr + sizeof(current)-1;
|
||||||
|
do
|
||||||
|
{
|
||||||
|
while(ptr <= end && *str != '\0' && *str != ' ')
|
||||||
|
{
|
||||||
|
*ptr = *str;
|
||||||
|
++ptr;
|
||||||
|
++str;
|
||||||
|
}
|
||||||
|
int found = 0;
|
||||||
|
for(size_t i = 0; i < sizeof(str_to_vow_map)/sizeof(str_to_vow_map[0]); i++)
|
||||||
|
{
|
||||||
|
if(strcmp(str_to_vow_map[i].str, current) == 0)
|
||||||
|
{
|
||||||
|
result |= str_to_vow_map[i].value;
|
||||||
|
found = 1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if(!found)
|
||||||
|
{
|
||||||
|
EXILE_LOG_ERROR("No such vow: %s\n", current);
|
||||||
|
abort();
|
||||||
|
}
|
||||||
|
memset(current, 0, sizeof(current));
|
||||||
|
ptr = current;
|
||||||
|
} while(*str++ != '\0');
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
static int is_valid_syscall_policy(unsigned int policy)
|
static int is_valid_syscall_policy(unsigned int policy)
|
||||||
{
|
{
|
||||||
@ -1999,6 +2072,8 @@ int exile_vow(uint64_t promises)
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
struct exile_launch_params
|
struct exile_launch_params
|
||||||
{
|
{
|
||||||
struct exile_policy *policy; /* Policy to activate before jumping to func */
|
struct exile_policy *policy; /* Policy to activate before jumping to func */
|
||||||
|
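Review bot: In exile_vows_from_str the copy loop can fill all 64 bytes of `current` with no NUL terminator: `end` is `current + 63` and the condition is `ptr <= end`, so a token of 64 or more characters writes index 63, and the following strcmp() and the `%s` in EXILE_LOG_ERROR read past the end of the buffer before abort() is reached. The condition should be `while(ptr < end && *str != '\0' && *str != ' ')`, which keeps the zero byte memset() leaves at `current[63]` intact; a token that is too long then still fails lookup and aborts, but without an out-of-bounds read. The comment says "whitespace separated" while only `' '` is a separator, so a tab, newline or a double space yields an empty or unknown token and aborts — either document that only single spaces are accepted or skip runs of whitespace via isspace(). Unlike the `static struct syscall_vow_map exile_vow_map[]` it sits next to, `str_to_vow_map` is a non-static, non-const global defined in the header; `static const struct str_to_vow_map str_to_vow_map[]` (with `const char *str` in the struct) would match the existing table and avoid a duplicate-symbol link error when exile.h is included from more than one translation unit.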
13
test.c
13
test.c
@ -625,6 +625,18 @@ int test_launch_get()
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int test_vows_from_str()
|
||||||
|
{
|
||||||
|
uint64_t expected = EXILE_SYSCALL_VOW_CHOWN | EXILE_SYSCALL_VOW_WPATH | EXILE_SYSCALL_VOW_INET | EXILE_SYSCALL_VOW_DENY_ERROR;
|
||||||
|
uint64_t actual = exile_vows_from_str("chown wpath inet error");
|
||||||
|
if(expected != actual)
|
||||||
|
{
|
||||||
|
printf("Masks don't match: %lu vs %lu\n", expected, actual);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
struct dispatcher
|
struct dispatcher
|
||||||
{
|
{
|
||||||
char *name;
|
char *name;
|
||||||
@ -651,6 +663,7 @@ struct dispatcher dispatchers[] = {
|
|||||||
{ "failflags", &test_fail_flags},
|
{ "failflags", &test_fail_flags},
|
||||||
{ "launch", &test_launch},
|
{ "launch", &test_launch},
|
||||||
{ "launch-get", &test_launch_get},
|
{ "launch-get", &test_launch_get},
|
||||||
|
{ "vow_from_str", &test_vows_from_str},
|
||||||
};
|
};
|
||||||
|
|
||||||
int main(int argc, char *argv[])
|
int main(int argc, char *argv[])
|
||||||
|
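Review bot: In test_vows_from_str the printf uses `%lu` for two uint64_t values, which is only correct where uint64_t happens to be `unsigned long`; on 32-bit or LLP64 targets it is a format/argument mismatch (undefined behaviour, and -Wformat warns). Use the inttypes.h macro instead: `printf("Masks don't match: %" PRIu64 " vs %" PRIu64 "\n", expected, actual);` (add `#include <inttypes.h>` if test.c does not already have it). The test also only covers the happy path with single-space separation; a case with a trailing space or an empty string would pin down how the parser treats empty tokens, which currently end in abort().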