Add exile_pledge(): A convenience wrapper

exile_pledge() adds seccomp filters derived from the
promises.
This commit is contained in:
Albert S. 2021-12-27 11:59:16 +01:00
vanhempi b469a82eec
commit bcab0377f1

55
exile.h
Näytä tiedosto

@ -1774,3 +1774,58 @@ int exile_enable_policy(struct exile_policy *policy)
return 0;
}
#endif
/* Convenience wrapper for the pledge-related subset of exile.h
*
* Only installs seccomp filters for the specified pledge promises.
*
* Useful if only pledge is required from exile.h, but nothing else
*
* As with OpenBSD's, subsequent calls can only reduce allowed syscalls.
*
* Here, adding more promises than a previous call set may return success, but
* won't be allowed during execution.
*
* Due to the nature of seccomp, it's furthermore required the EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL promise
* is set if further calls are expected. Generally, it's reasonable for the last call to
* exile_pledge() a program makes to not set EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL.
*
* There are no seperate exec_promises. All children of the process inherit the filter.
* .
* Return value: 0 on success, any other value on failure.
*/
int exile_pledge(uint64_t promises)
{
struct __user_cap_header_struct h = { 0 };
h.pid = 0;
h.version = _LINUX_CAPABILITY_VERSION_3;
struct __user_cap_data_struct cap[2];
cap[0].effective = 0;
cap[0].permitted = 0;
cap[0].inheritable = 0;
cap[1].effective = 0;
cap[1].permitted = 0;
cap[1].inheritable = 0;
if(capget(&h, cap) == -1)
{
EXILE_LOG_ERROR("Failed to get capabilities: %s\n", strerror(errno));
return -errno;
}
struct exile_policy *policy = exile_create_policy();
if(policy == NULL)
{
EXILE_LOG_ERROR("Failed to create policy\n");
return 1;
}
policy->pledge_promises = promises;
if((cap[0].effective & (1<<CAP_SYS_ADMIN)) == 0)
{
policy->no_new_privs = 1;
}
int ret = exile_enable_policy(policy);
exile_free_policy(policy);
return ret;
}