Introduce EXILE_SYSCALL_DENY_RET_NOSYS for syscalls like clone3()

clone3() is used more and more, but we cannot filter it. We can either allow it fully or return ENONYS. Some libraries perform fallbacks to the older clone() in that case, which we can filter again.
2022-06-06 10:07:11 +02:00
parent bbbdfc44da
commit bd3641981c
3 changed files with 29 additions and 4 deletions
--- a/exile.h
+++ b/exile.h
@ -75,6 +75,7 @@
 #define EXILE_UNSHARE_NETWORK 1<<1
 #define EXILE_UNSHARE_USER 1<<2
 #define EXILE_UNSHARE_MOUNT 1<<3
+#define EXILE_UNSHARE_AUTOMATIC 1<<4

 #ifndef EXILE_LOG_ERROR
 #define EXILE_LOG_ERROR(...) do { fprintf(stderr, "exile.h: %s(): Error: ", __func__); fprintf(stderr, __VA_ARGS__); } while(0)
@ -273,6 +274,7 @@ struct exile_path_policy
 #define EXILE_SYSCALL_ALLOW 1
 #define EXILE_SYSCALL_DENY_KILL_PROCESS 2
 #define EXILE_SYSCALL_DENY_RET_ERROR 3
+#define EXILE_SYSCALL_DENY_RET_NOSYS 4

 #define EXILE_BPF_NOP \
 BPF_STMT(BPF_JMP+BPF_JA,0)