Don't add any seccomp rules by default

Cannot be done properly on a pure syscall basis at this point.

A whitelist is almost certainly too restrictive, which means the user
has to manually adjust the policy anyway. Then the default is not
of much use. Or too permissive.

A blacklist has to play catchup with new kernel versions. This may
be improved upon by blocking all unknown (too new) syscall
numbers. However, in light of the fact we drop caps and set no_new_privs,
it's debatable how much we can gain from a blacklist anyway.

So best to leave it to the user. We also need to allow checking args
too in order to make it easier to build policies. Perhaps get
inspiration from pledge() in OpenBSD.
This commit is contained in:
Albert S. 2021-11-20 20:21:51 +01:00
parent 435bcefa48
commit d150c2ecd9
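As an added illustration of the ideas in the commit message above (this is not qssb's code and not part of this commit), the following hand-built seccomp-BPF program combines the three points raised there: it refuses any other ABI, kills the process on every syscall number above the highest one the policy author knew about (the "block too-new syscalls" idea that makes a blacklist survive newer kernels), whitelists a handful of syscalls, checks an argument for socket(2) in the spirit of a pledge()-style policy, and fails everything else with ENOSYS rather than killing. ARCH_NR, HIGHEST_KNOWN_NR, the whitelist and the AF_UNIX-only rule are all assumptions chosen for the example; run_filter is a small evaluator for the four cBPF opcodes the program uses, so the decisions can be checked without loading the filter, and main shows the real installation with prctl.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumptions for this example: the policy was written for x86-64 and 450 is
 * the highest __NR_* its author reviewed; anything above that is "too new". */
#define ARCH_NR          AUDIT_ARCH_X86_64
#define HIGHEST_KNOWN_NR 450

/* args[] are 64-bit but cBPF loads 32 bits at a time: compare both halves. */
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define ARG0_LO (offsetof(struct seccomp_data, args[0]))
#define ARG0_HI (offsetof(struct seccomp_data, args[0]) + 4)
#else
#define ARG0_LO (offsetof(struct seccomp_data, args[0]) + 4)
#define ARG0_HI (offsetof(struct seccomp_data, args[0]))
#endif
#define RET_ERRNO(e) (SECCOMP_RET_ERRNO | ((e) & SECCOMP_RET_DATA))

static struct sock_filter filter[] = {
    /* 0-2: any other ABI is killed; syscall numbers mean something else there */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-5: syscalls newer than the policy are killed, so a newer kernel cannot add holes */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, HIGHEST_KNOWN_NR, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 6-11: a small whitelist (jt counts the instructions to skip to reach ALLOW) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_read, 4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getpid, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_brk, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 12-18: argument check, socket(2) is allowed for AF_UNIX only */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 0, 6),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0_HI),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(EACCES)),
    /* 19: everything else fails with ENOSYS rather than killing the process */
    BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(ENOSYS)),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Evaluator for the four cBPF opcodes used above; lets the policy be tested without loading it. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *d)
{
    const unsigned char *raw = (const unsigned char *)d;
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + 4 > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, raw + in->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JGT | BPF_K: pc += (acc > in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        default: return SECCOMP_RET_KILL_PROCESS; /* opcode this evaluator does not model */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* the kernel rejects programs that can fall off the end */
}

/* What the filter returns for one call (number, arch, first argument). */
static uint32_t decide(int nr, uint32_t arch, uint64_t arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    return run_filter(filter, FILTER_LEN, &d);
}

static int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_filter() != 0) return 1;
    int s = socket(AF_INET, SOCK_STREAM, 0); /* denied with EACCES, the process survives */
    const char *msg = (s == -1 && errno == EACCES) ? "inet socket denied\n" : "unexpected\n";
    write(1, msg, strlen(msg));
    _exit(0);                                /* exit_group, whitelisted */
}
```

Two caveats worth keeping in mind when building policies this way: seccomp only sees the scalar argument values, not the memory they point to, so argument checks are limited to things like a socket domain or a flags word and cannot inspect a path string; and the friendly ENOSYS default is what keeps a libc that probes for newer syscalls working, whereas the hard kill is reserved for the cases (wrong ABI, unknown number) where continuing would mean the policy no longer knows what it is filtering.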

qssb.h (24 lines changed)
@ -1583,21 +1583,6 @@ static int enable_no_fs(struct qssb_policy *policy)
return 0;
}
static int qssb_append_predefined_standard_syscall_policy(struct qssb_policy *policy)
{
int appendresult = qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW);
if(appendresult != 0)
{
return 1;
}
appendresult = qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR);
if(appendresult != 0)
{
return 1;
}
return 0;
}
/* Enables the specified qssb_policy.
*
* This function is not atomic (and can't be). This means some
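Review bot: with qssb_append_predefined_standard_syscall_policy gone, nothing in this hunk still references QSSB_SYSCGROUP_DEFAULT_ALLOW or the QSSB_SYSCALL_DENY_RET_ERROR default it installed, yet neither is touched by the patch. If the group is meant to survive as an explicit, opt-in starting point for users (which is where the commit message points), say so in the documentation for qssb_append_group_syscall_policy; otherwise remove the group in the same change, since an unused syscall list is exactly the kind of thing that drifts from the kernel's table unnoticed.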
@ -1745,15 +1730,6 @@ int qssb_enable_policy(struct qssb_policy *policy)
close(landlock_ruleset_fd);
#endif
if(policy->syscall_policies == NULL && policy->disable_syscall_filter == 0)
{
if(qssb_append_predefined_standard_syscall_policy(policy) != 0)
{
QSSB_LOG_ERROR("Failed to add standard predefined syscall policy\n");
return -1;
}
}
if(policy->syscall_policies != NULL)
{
return qssb_enable_syscall_policy(policy);
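Review bot: after this hunk a policy with syscall_policies == NULL and disable_syscall_filter == 0 is enabled with no seccomp filter at all, and nothing in the remaining lines logs or rejects that; disable_syscall_filter was the explicit opt-out, so the silent path makes it meaningless. Consider returning -1 with a QSSB_LOG_ERROR for that combination (mirroring the message that was removed), or at least logging that no syscall filter is installed, so a caller who forgot to append policies does not get a quietly weaker sandbox; the following `if(policy->syscall_policies != NULL)` branch keeps its current meaning either way.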