Assign syscalls into groups. Add whitelist mode (default).
Classify syscalls into groups, for x86_64 only for now. Up to date for 5.15, generate some #ifndef for syscalls introduced since 5.10. Only support x86_64 therefore at this point. Switch from blacklisting to a default whitelist.
このコミットが含まれているのは:
55
gengroup.py
実行可能ファイル
55
gengroup.py
実行可能ファイル
@@ -0,0 +1,55 @@
|
||||
#!/usr/bin/python
|
||||
import sys
|
||||
import re
|
||||
if len(sys.argv) < 2:
|
||||
print("Usage: gengroup groupfile")
|
||||
sys.exit(1)
|
||||
fd = open(sys.argv[1], "r")
|
||||
|
||||
lines = fd.read().splitlines()
|
||||
|
||||
groupnames = set()
|
||||
ifndef = dict()
|
||||
|
||||
def print_ifndefs():
|
||||
for name in ifndef:
|
||||
print("#ifndef __NR_%s" % name)
|
||||
print("#define __NR_%s %s" % (name, ifndef[name]))
|
||||
print("#endif")
|
||||
|
||||
def print_defines(names):
|
||||
names = sorted(names)
|
||||
i = 0
|
||||
for name in names:
|
||||
define = "#define %s ((uint64_t)1<<%s)" % (name, i)
|
||||
print(define)
|
||||
i = i + 1
|
||||
|
||||
for line in lines:
|
||||
if line[0] == '#':
|
||||
continue
|
||||
|
||||
splitted = line.split(' ')
|
||||
if len(splitted) < 2:
|
||||
print("Misformated line:", line)
|
||||
sys.exit(1)
|
||||
|
||||
currentsyscall = splitted[0]
|
||||
currentgroups = splitted[1].split(',')
|
||||
|
||||
flags = splitted[2] if len(splitted) > 2 else ""
|
||||
if any( not s or s.isspace() for s in currentgroups ):
|
||||
print("Misformated line (empty values):", line)
|
||||
sys.exit(1)
|
||||
groupnames.update(currentgroups)
|
||||
|
||||
genifndef = re.match(r"genifndef\((\d+)*\)", flags)
|
||||
if genifndef:
|
||||
ifndef[currentsyscall] = genifndef.groups(1)[0]
|
||||
|
||||
array_line = "{QSSB_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups))
|
||||
print(array_line)
|
||||
|
||||
print_ifndefs()
|
||||
print_defines(groupnames)
|
||||
|
||||
363
grouping_x86-64.txt
ノーマルファイル
363
grouping_x86-64.txt
ノーマルファイル
@@ -0,0 +1,363 @@
|
||||
# Assign system calls to groups. In the future, may also include simple arg filtering.
|
||||
read QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
write QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
open QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
close QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
stat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
fstat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
lstat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
poll QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
lseek QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
mmap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
mprotect QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
munmap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
brk QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigaction QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigprocmask QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigreturn QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
ioctl QSSB_SYSCGROUP_IOCTL,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
pread64 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
pwrite64 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
readv QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
writev QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
access QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
pipe QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
select QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
sched_yield QSSB_SYSCGROUP_SCHED,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
mremap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
msync QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
mincore QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
madvise QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
shmget QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
shmat QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
shmctl QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
dup QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
dup2 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
pause QSSB_SYSCGROUP_PAUSE,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
nanosleep QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
getitimer QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
alarm QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
setitimer QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
getpid QSSB_SYSCGROUP_PROCESS,QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
sendfile QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
socket QSSB_SYSCGROUP_SOCKET
|
||||
connect QSSB_SYSCGROUP_SOCKET
|
||||
accept QSSB_SYSCGROUP_SOCKET
|
||||
sendto QSSB_SYSCGROUP_SOCKET
|
||||
recvfrom QSSB_SYSCGROUP_SOCKET
|
||||
sendmsg QSSB_SYSCGROUP_SOCKET
|
||||
recvmsg QSSB_SYSCGROUP_SOCKET
|
||||
shutdown QSSB_SYSCGROUP_SOCKET
|
||||
bind QSSB_SYSCGROUP_SOCKET
|
||||
listen QSSB_SYSCGROUP_SOCKET
|
||||
getsockname QSSB_SYSCGROUP_SOCKET
|
||||
getpeername QSSB_SYSCGROUP_SOCKET
|
||||
socketpair QSSB_SYSCGROUP_SOCKET,QSSB_SYSCGROUP_IPC
|
||||
setsockopt QSSB_SYSCGROUP_SOCKET
|
||||
getsockopt QSSB_SYSCGROUP_SOCKET
|
||||
clone QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
fork QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
vfork QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
execve QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_EXEC
|
||||
exit QSSB_SYSCGROUP_PROCESS,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
wait4 QSSB_SYSCGROUP_EXEC
|
||||
kill QSSB_SYSCGROUP_KILL
|
||||
uname QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
semget QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
semop QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
semctl QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
shmdt QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
msgget QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
msgsnd QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
msgrcv QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
msgctl QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
fcntl QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
flock QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
fsync QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
fdatasync QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
truncate QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
ftruncate QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
getdents QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
getcwd QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
chdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
fchdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
rename QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
mkdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
rmdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
creat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
link QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
unlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
symlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
readlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
chmod QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
fchmod QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
chown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
fchown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
lchown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
umask QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
gettimeofday QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
getrlimit QSSB_SYSCGROUP_RES,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
getrusage QSSB_SYSCGROUP_RES,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
sysinfo QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
times QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
ptrace QSSB_SYSCGROUP_PTRACE,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
getuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
syslog QSSB_SYSCGROUP_SYS
|
||||
getgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
setuid QSSB_SYSCGROUP_ID
|
||||
setgid QSSB_SYSCGROUP_ID
|
||||
geteuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
getegid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
setpgid QSSB_SYSCGROUP_ID
|
||||
getppid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
getpgrp QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
setsid QSSB_SYSCGROUP_ID
|
||||
setreuid QSSB_SYSCGROUP_ID
|
||||
setregid QSSB_SYSCGROUP_ID
|
||||
getgroups QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
setgroups QSSB_SYSCGROUP_ID
|
||||
setresuid QSSB_SYSCGROUP_ID
|
||||
getresuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
setresgid QSSB_SYSCGROUP_ID
|
||||
getresgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
getpgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
setfsuid QSSB_SYSCGROUP_ID
|
||||
setfsgid QSSB_SYSCGROUP_ID
|
||||
getsid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
capget QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
capset QSSB_SYSCGROUP_ID
|
||||
rt_sigpending QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigtimedwait QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigqueueinfo QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
rt_sigsuspend QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
sigaltstack QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_SIGNAL
|
||||
utime QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_FS
|
||||
mknod QSSB_SYSCGROUP_DEV,QSSB_SYSCGROUP_FS
|
||||
uselib QSSB_SYSCGROUP_LIB,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
personality QSSB_SYSCGROUP_PROCESS
|
||||
ustat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
|
||||
statfs QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
|
||||
fstatfs QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
|
||||
sysfs QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_FS
|
||||
getpriority QSSB_SYSCGROUP_SCHED
|
||||
setpriority QSSB_SYSCGROUP_SCHED
|
||||
sched_setparam QSSB_SYSCGROUP_SCHED
|
||||
sched_getparam QSSB_SYSCGROUP_SCHED
|
||||
sched_setscheduler QSSB_SYSCGROUP_SCHED
|
||||
sched_getscheduler QSSB_SYSCGROUP_SCHED
|
||||
sched_get_priority_max QSSB_SYSCGROUP_SCHED
|
||||
sched_get_priority_min QSSB_SYSCGROUP_SCHED
|
||||
sched_rr_get_interval QSSB_SYSCGROUP_SCHED
|
||||
mlock QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
munlock QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
mlockall QSSB_SYSCGROUP_MEMORY
|
||||
munlockall QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
vhangup QSSB_SYSCGROUP_TTY
|
||||
modify_ldt QSSB_SYSCGROUP_PROCESS
|
||||
pivot_root QSSB_SYSCGROUP_CHROOT
|
||||
_sysctl QSSB_SYSCGROUP_SYS
|
||||
prctl QSSB_SYSCGROUP_PROCESS
|
||||
arch_prctl QSSB_SYSCGROUP_PROCESS
|
||||
adjtimex QSSB_SYSCGROUP_CLOCK
|
||||
setrlimit QSSB_SYSCGROUP_RES
|
||||
chroot QSSB_SYSCGROUP_CHROOT,QSSB_SYSCGROUP_FS
|
||||
sync QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
acct QSSB_SYSCGROUP_PROCESS
|
||||
settimeofday QSSB_SYSCGROUP_TIME
|
||||
mount QSSB_SYSCGROUP_MOUNT,QSSB_SYSCGROUP_FS
|
||||
umount2 QSSB_SYSCGROUP_UMOUNT,QSSB_SYSCGROUP_FS
|
||||
swapon QSSB_SYSCGROUP_SWAP
|
||||
swapoff QSSB_SYSCGROUP_SWAP
|
||||
reboot QSSB_SYSCGROUP_POWER
|
||||
sethostname QSSB_SYSCGROUP_HOST
|
||||
setdomainname QSSB_SYSCGROUP_HOST
|
||||
iopl QSSB_SYSCGROUP_IOPL
|
||||
ioperm QSSB_SYSCGROUP_IOPL
|
||||
create_module QSSB_SYSCGROUP_KMOD
|
||||
init_module QSSB_SYSCGROUP_KMOD
|
||||
delete_module QSSB_SYSCGROUP_KMOD
|
||||
get_kernel_syms QSSB_SYSCGROUP_KMOD
|
||||
query_module QSSB_SYSCGROUP_KMOD
|
||||
quotactl QSSB_SYSCGROUP_QUOTA
|
||||
nfsservctl QSSB_SYSCGROUP_NONE
|
||||
getpmsg QSSB_SYSCGROUP_UNIMPLEMENTED
|
||||
putpmsg QSSB_SYSCGROUP_UNIMPLEMENTED
|
||||
afs_syscall QSSB_SYSCGROUP_UNIMPLEMENTED
|
||||
tuxcall QSSB_SYSCGROUP_UNIMPLEMENTED
|
||||
security QSSB_SYSCGROUP_UNIMPLEMENTED
|
||||
gettid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_THREAD
|
||||
readahead QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
|
||||
setxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
|
||||
lsetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
|
||||
fsetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
|
||||
getxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
lgetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
fgetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
listxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
|
||||
llistxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
|
||||
flistxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
|
||||
removexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
|
||||
lremovexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
|
||||
fremovexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
|
||||
tkill QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_SIGNAL
|
||||
time QSSB_SYSCGROUP_TIME
|
||||
futex QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_FUTEX
|
||||
sched_setaffinity QSSB_SYSCGROUP_SCHED
|
||||
sched_getaffinity QSSB_SYSCGROUP_SCHED
|
||||
set_thread_area QSSB_SYSCGROUP_THREAD
|
||||
io_setup QSSB_SYSCGROUP_IO
|
||||
io_destroy QSSB_SYSCGROUP_IO
|
||||
io_getevents QSSB_SYSCGROUP_IO
|
||||
io_submit QSSB_SYSCGROUP_IO
|
||||
io_cancel QSSB_SYSCGROUP_IO
|
||||
get_thread_area QSSB_SYSCGROUP_THREAD
|
||||
lookup_dcookie QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FS
|
||||
epoll_create QSSB_SYSCGROUP_STDIO
|
||||
epoll_ctl_old QSSB_SYSCGROUP_STDIO
|
||||
epoll_wait_old QSSB_SYSCGROUP_STDIO
|
||||
remap_file_pages QSSB_SYSCGROUP_NONE
|
||||
getdents64 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FS
|
||||
set_tid_address QSSB_SYSCGROUP_THREAD
|
||||
restart_syscall QSSB_SYSCGROUP_SYSCALL
|
||||
semtimedop QSSB_SYSCGROUP_SEM
|
||||
fadvise64 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FD
|
||||
timer_create QSSB_SYSCGROUP_TIMER
|
||||
timer_settime QSSB_SYSCGROUP_TIMER
|
||||
timer_gettime QSSB_SYSCGROUP_TIMER
|
||||
timer_getoverrun QSSB_SYSCGROUP_TIMER
|
||||
timer_delete QSSB_SYSCGROUP_TIMER
|
||||
clock_settime QSSB_SYSCGROUP_TIME
|
||||
clock_gettime QSSB_SYSCGROUP_TIME
|
||||
clock_getres QSSB_SYSCGROUP_TIME
|
||||
clock_nanosleep QSSB_SYSCGROUP_TIME
|
||||
exit_group QSSB_SYSCGROUP_EXIT,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
epoll_wait QSSB_SYSCGROUP_FD
|
||||
epoll_ctl QSSB_SYSCGROUP_FD
|
||||
tgkill QSSB_SYSCGROUP_SIGNAL,QSSB_SYSCGROUP_THREAD
|
||||
utimes QSSB_SYSCGROUP_PATH
|
||||
vserver QSSB_SYSCGROUP_UNIMPLEMENTED
|
||||
mbind QSSB_SYSCGROUP_MEMORY
|
||||
set_mempolicy QSSB_SYSCGROUP_MEMORY
|
||||
get_mempolicy QSSB_SYSCGROUP_MEMORY
|
||||
mq_open QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
|
||||
mq_unlink QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
|
||||
mq_timedsend QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
|
||||
mq_timedreceive QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
|
||||
mq_notify QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
|
||||
mq_getsetattr QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
|
||||
kexec_load QSSB_SYSCGROUP_KEXEC
|
||||
waitid QSSB_SYSCGROUP_SIGNAL
|
||||
add_key QSSB_SYSCGROUP_KEYS
|
||||
request_key QSSB_SYSCGROUP_KEYS
|
||||
keyctl QSSB_SYSCGROUP_KEYS
|
||||
ioprio_set QSSB_SYSCGROUP_PRIO
|
||||
ioprio_get QSSB_SYSCGROUP_PRIO
|
||||
inotify_init QSSB_SYSCGROUP_INOTIFY
|
||||
inotify_add_watch QSSB_SYSCGROUP_INOTIFY
|
||||
inotify_rm_watch QSSB_SYSCGROUP_INOTIFY
|
||||
migrate_pages QSSB_SYSCGROUP_PROCESS
|
||||
openat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
mkdirat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
mknodat QSSB_SYSCGROUP_DEV,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
fchownat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
futimesat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
newfstatat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
unlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
renameat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
linkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
symlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
readlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
fchmodat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
faccessat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
pselect6 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
ppoll QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
|
||||
unshare QSSB_SYSCGROUP_NS,QSSB_SYSCGROUP_FS
|
||||
set_robust_list QSSB_SYSCGROUP_FUTEX
|
||||
get_robust_list QSSB_SYSCGROUP_FUTEX
|
||||
splice QSSB_SYSCGROUP_FD
|
||||
tee QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
sync_file_range QSSB_SYSCGROUP_FD
|
||||
vmsplice QSSB_SYSCGROUP_FD
|
||||
move_pages QSSB_SYSCGROUP_PROCESS
|
||||
utimensat QSSB_SYSCGROUP_PATH
|
||||
epoll_pwait QSSB_SYSCGROUP_STDIO
|
||||
signalfd QSSB_SYSCGROUP_SIGNAL
|
||||
timerfd_create QSSB_SYSCGROUP_TIMER
|
||||
eventfd QSSB_SYSCGROUP_FD
|
||||
fallocate QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FD
|
||||
timerfd_settime QSSB_SYSCGROUP_TIMER
|
||||
timerfd_gettime QSSB_SYSCGROUP_TIMER
|
||||
accept4 QSSB_SYSCGROUP_SOCKET
|
||||
signalfd4 QSSB_SYSCGROUP_FD
|
||||
eventfd2 QSSB_SYSCGROUP_FD
|
||||
epoll_create1 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
dup3 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
pipe2 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
inotify_init1 QSSB_SYSCGROUP_INOTIFY
|
||||
preadv QSSB_SYSCGROUP_STDIO
|
||||
pwritev QSSB_SYSCGROUP_STDIO
|
||||
rt_tgsigqueueinfo QSSB_SYSCGROUP_RT
|
||||
perf_event_open QSSB_SYSCGROUP_PERF
|
||||
recvmmsg QSSB_SYSCGROUP_SOCKET
|
||||
fanotify_init QSSB_SYSCGROUP_FANOTIFY
|
||||
fanotify_mark QSSB_SYSCGROUP_FANOTIFY
|
||||
prlimit64 QSSB_SYSCGROUP_RES
|
||||
name_to_handle_at QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
|
||||
open_by_handle_at QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
|
||||
clock_adjtime QSSB_SYSCGROUP_CLOCK
|
||||
syncfs QSSB_SYSCGROUP_FD
|
||||
sendmmsg QSSB_SYSCGROUP_SOCKET
|
||||
setns QSSB_SYSCGROUP_NS
|
||||
getcpu QSSB_SYSCGROUP_SCHED
|
||||
#maybe IPC, but feels wrong
|
||||
process_vm_readv QSSB_SYSCGROUP_NONE
|
||||
process_vm_writev QSSB_SYSCGROUP_NONE
|
||||
kcmp QSSB_SYSCGROUP_NONE
|
||||
finit_module QSSB_SYSCGROUP_KMOD
|
||||
sched_setattr QSSB_SYSCGROUP_SCHED
|
||||
sched_getattr QSSB_SYSCGROUP_SCHED,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
renameat2 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
seccomp QSSB_SYSCGROUP_NONE
|
||||
getrandom QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
memfd_create QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
kexec_file_load QSSB_SYSCGROUP_KEXEC
|
||||
bpf QSSB_SYSCGROUP_NONE
|
||||
execveat QSSB_SYSCGROUP_EXEC
|
||||
userfaultfd QSSB_SYSCGROUP_NONE
|
||||
membarrier QSSB_SYSCGROUP_NONE
|
||||
mlock2 QSSB_SYSCGROUP_MEMORY
|
||||
copy_file_range QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
|
||||
preadv2 QSSB_SYSCGROUP_STDIO
|
||||
pwritev2 QSSB_SYSCGROUP_STDIO
|
||||
#Those are newer than 5.10, wrap them in ifndef so we can compile on old systems
|
||||
pkey_mprotect QSSB_SYSCGROUP_PKEY genifndef(329)
|
||||
pkey_alloc QSSB_SYSCGROUP_PKEY genifndef(330)
|
||||
pkey_free QSSB_SYSCGROUP_PKEY genifndef(331)
|
||||
statx QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(332)
|
||||
io_pgetevents QSSB_SYSCGROUP_NONE genifndef(333)
|
||||
rseq QSSB_SYSCGROUP_THREAD genifndef(334)
|
||||
pidfd_send_signal QSSB_SYSCGROUP_PIDFD genifndef(424)
|
||||
io_uring_setup QSSB_SYSCGROUP_IOURING genifndef(425)
|
||||
io_uring_enter QSSB_SYSCGROUP_IOURING genifndef(426)
|
||||
io_uring_register QSSB_SYSCGROUP_IOURING genifndef(427)
|
||||
open_tree QSSB_SYSCGROUP_NEWMOUNT genifndef(428)
|
||||
move_mount QSSB_SYSCGROUP_NEWMOUNT genifndef(429)
|
||||
fsopen QSSB_SYSCGROUP_NEWMOUNT genifndef(430)
|
||||
fsconfig QSSB_SYSCGROUP_NEWMOUNT genifndef(431)
|
||||
fsmount QSSB_SYSCGROUP_NEWMOUNT genifndef(432)
|
||||
fspick QSSB_SYSCGROUP_NEWMOUNT genifndef(433)
|
||||
pidfd_open QSSB_SYSCGROUP_PIDFD genifndef(434)
|
||||
clone3 QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(435)
|
||||
close_range QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(436)
|
||||
openat2 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(437)
|
||||
pidfd_getfd QSSB_SYSCGROUP_PIDFD genifndef(438)
|
||||
faccessat2 QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(439)
|
||||
process_madvise QSSB_SYSCGROUP_MEMORY genifndef(440)
|
||||
epoll_pwait2 QSSB_SYSCGROUP_STDIO genifndef(441)
|
||||
mount_setattr QSSB_SYSCGROUP_NONE genifndef(442)
|
||||
quotactl_fd QSSB_SYSCGROUP_QUOTA genifndef(443)
|
||||
landlock_create_ruleset QSSB_SYSCGROUP_LANDLOCK genifndef(444)
|
||||
landlock_add_rule QSSB_SYSCGROUP_LANDLOCK genifndef(445)
|
||||
landlock_restrict_self QSSB_SYSCGROUP_LANDLOCK genifndef(446)
|
||||
memfd_secret QSSB_SYSCGROUP_NONE genifndef(447)
|
||||
process_mrelease QSSB_SYSCGROUP_NONE genifndef(448)
|
||||
614
qssb.h
614
qssb.h
@@ -60,12 +60,10 @@
|
||||
#endif
|
||||
|
||||
|
||||
#if defined(__i386__)
|
||||
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
|
||||
#elif defined(__x86_64__)
|
||||
#if defined(__x86_64__)
|
||||
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
|
||||
#else
|
||||
#warning Seccomp support has not been tested for qssb.h for this platform yet
|
||||
#error Seccomp support has not been tested for qssb.h for this platform yet
|
||||
#endif
|
||||
|
||||
#define SYSCALL(nr, jt) \
|
||||
@@ -84,7 +82,7 @@
|
||||
#define QSSB_TEMP_DIR "/tmp"
|
||||
#endif
|
||||
|
||||
#define QSSB_SYS(x) (__NR_##x)
|
||||
#define QSSB_SYS(x) __NR_##x
|
||||
|
||||
#define QSSB_FS_ALLOW_READ 1<<0
|
||||
#define QSSB_FS_ALLOW_WRITE (1<<1)
|
||||
@@ -136,53 +134,534 @@ static inline int landlock_restrict_self(const int ruleset_fd,
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/* Most exploits have more need for those syscalls than the
|
||||
* exploited programs. In cases they are needed, this list should be
|
||||
* filtered or simply not used.
|
||||
*/
|
||||
/* TODO: more execv* in some architectures */
|
||||
/* TODO: add more */
|
||||
static long default_blacklisted_syscalls[] = {
|
||||
QSSB_SYS(setuid),
|
||||
QSSB_SYS(setgid),
|
||||
QSSB_SYS(chroot),
|
||||
QSSB_SYS(pivot_root),
|
||||
QSSB_SYS(mount),
|
||||
QSSB_SYS(setns),
|
||||
QSSB_SYS(unshare),
|
||||
QSSB_SYS(ptrace),
|
||||
QSSB_SYS(personality),
|
||||
QSSB_SYS(execve),
|
||||
QSSB_SYS(process_vm_readv),
|
||||
QSSB_SYS(process_vm_writev),
|
||||
QSSB_SYS(userfaultfd),
|
||||
QSSB_SYS(init_module),
|
||||
QSSB_SYS(finit_module),
|
||||
QSSB_SYS(delete_module),
|
||||
#if defined(__x86_64__)
|
||||
#ifndef __NR_pkey_mprotect
|
||||
#define __NR_pkey_mprotect 329
|
||||
#endif
|
||||
#ifndef __NR_pkey_alloc
|
||||
#define __NR_pkey_alloc 330
|
||||
#endif
|
||||
#ifndef __NR_pkey_free
|
||||
#define __NR_pkey_free 331
|
||||
#endif
|
||||
#ifndef __NR_statx
|
||||
#define __NR_statx 332
|
||||
#endif
|
||||
#ifndef __NR_io_pgetevents
|
||||
#define __NR_io_pgetevents 333
|
||||
#endif
|
||||
#ifndef __NR_rseq
|
||||
#define __NR_rseq 334
|
||||
#endif
|
||||
#ifndef __NR_pidfd_send_signal
|
||||
#define __NR_pidfd_send_signal 424
|
||||
#endif
|
||||
#ifndef __NR_io_uring_setup
|
||||
#define __NR_io_uring_setup 425
|
||||
#endif
|
||||
#ifndef __NR_io_uring_enter
|
||||
#define __NR_io_uring_enter 426
|
||||
#endif
|
||||
#ifndef __NR_io_uring_register
|
||||
#define __NR_io_uring_register 427
|
||||
#endif
|
||||
#ifndef __NR_open_tree
|
||||
#define __NR_open_tree 428
|
||||
#endif
|
||||
#ifndef __NR_move_mount
|
||||
#define __NR_move_mount 429
|
||||
#endif
|
||||
#ifndef __NR_fsopen
|
||||
#define __NR_fsopen 430
|
||||
#endif
|
||||
#ifndef __NR_fsconfig
|
||||
#define __NR_fsconfig 431
|
||||
#endif
|
||||
#ifndef __NR_fsmount
|
||||
#define __NR_fsmount 432
|
||||
#endif
|
||||
#ifndef __NR_fspick
|
||||
#define __NR_fspick 433
|
||||
#endif
|
||||
#ifndef __NR_pidfd_open
|
||||
#define __NR_pidfd_open 434
|
||||
#endif
|
||||
#ifndef __NR_clone3
|
||||
#define __NR_clone3 435
|
||||
#endif
|
||||
#ifndef __NR_close_range
|
||||
#define __NR_close_range 436
|
||||
#endif
|
||||
#ifndef __NR_openat2
|
||||
#define __NR_openat2 437
|
||||
#endif
|
||||
#ifndef __NR_pidfd_getfd
|
||||
#define __NR_pidfd_getfd 438
|
||||
#endif
|
||||
#ifndef __NR_faccessat2
|
||||
#define __NR_faccessat2 439
|
||||
#endif
|
||||
#ifndef __NR_process_madvise
|
||||
#define __NR_process_madvise 440
|
||||
#endif
|
||||
#ifndef __NR_epoll_pwait2
|
||||
#define __NR_epoll_pwait2 441
|
||||
#endif
|
||||
#ifndef __NR_mount_setattr
|
||||
#define __NR_mount_setattr 442
|
||||
#endif
|
||||
#ifndef __NR_quotactl_fd
|
||||
#define __NR_quotactl_fd 443
|
||||
#endif
|
||||
#ifndef __NR_landlock_create_ruleset
|
||||
#define __NR_landlock_create_ruleset 444
|
||||
#endif
|
||||
#ifndef __NR_landlock_add_rule
|
||||
#define __NR_landlock_add_rule 445
|
||||
#endif
|
||||
#ifndef __NR_landlock_restrict_self
|
||||
#define __NR_landlock_restrict_self 446
|
||||
#endif
|
||||
#ifndef __NR_memfd_secret
|
||||
#define __NR_memfd_secret 447
|
||||
#endif
|
||||
#ifndef __NR_process_mrelease
|
||||
#define __NR_process_mrelease 448
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#define QSSB_SYSCGROUP_CHROOT ((uint64_t)1<<0)
|
||||
#define QSSB_SYSCGROUP_CLOCK ((uint64_t)1<<1)
|
||||
#define QSSB_SYSCGROUP_CLONE ((uint64_t)1<<2)
|
||||
#define QSSB_SYSCGROUP_DEFAULT_ALLOW ((uint64_t)1<<3)
|
||||
#define QSSB_SYSCGROUP_DEV ((uint64_t)1<<4)
|
||||
#define QSSB_SYSCGROUP_EXEC ((uint64_t)1<<5)
|
||||
#define QSSB_SYSCGROUP_EXIT ((uint64_t)1<<6)
|
||||
#define QSSB_SYSCGROUP_FANOTIFY ((uint64_t)1<<7)
|
||||
#define QSSB_SYSCGROUP_FD ((uint64_t)1<<8)
|
||||
#define QSSB_SYSCGROUP_FS ((uint64_t)1<<9)
|
||||
#define QSSB_SYSCGROUP_FUTEX ((uint64_t)1<<10)
|
||||
#define QSSB_SYSCGROUP_HOST ((uint64_t)1<<11)
|
||||
#define QSSB_SYSCGROUP_ID ((uint64_t)1<<12)
|
||||
#define QSSB_SYSCGROUP_INOTIFY ((uint64_t)1<<13)
|
||||
#define QSSB_SYSCGROUP_IO ((uint64_t)1<<14)
|
||||
#define QSSB_SYSCGROUP_IOCTL ((uint64_t)1<<15)
|
||||
#define QSSB_SYSCGROUP_IOPL ((uint64_t)1<<16)
|
||||
#define QSSB_SYSCGROUP_IOURING ((uint64_t)1<<17)
|
||||
#define QSSB_SYSCGROUP_IPC ((uint64_t)1<<18)
|
||||
#define QSSB_SYSCGROUP_KEXEC ((uint64_t)1<<19)
|
||||
#define QSSB_SYSCGROUP_KEYS ((uint64_t)1<<20)
|
||||
#define QSSB_SYSCGROUP_KILL ((uint64_t)1<<21)
|
||||
#define QSSB_SYSCGROUP_KMOD ((uint64_t)1<<22)
|
||||
#define QSSB_SYSCGROUP_LANDLOCK ((uint64_t)1<<23)
|
||||
#define QSSB_SYSCGROUP_LIB ((uint64_t)1<<24)
|
||||
#define QSSB_SYSCGROUP_MEMORY ((uint64_t)1<<25)
|
||||
#define QSSB_SYSCGROUP_MOUNT ((uint64_t)1<<26)
|
||||
#define QSSB_SYSCGROUP_MQ ((uint64_t)1<<27)
|
||||
#define QSSB_SYSCGROUP_NEWMOUNT ((uint64_t)1<<28)
|
||||
#define QSSB_SYSCGROUP_NONE ((uint64_t)1<<29)
|
||||
#define QSSB_SYSCGROUP_NS ((uint64_t)1<<30)
|
||||
#define QSSB_SYSCGROUP_PATH ((uint64_t)1<<31)
|
||||
#define QSSB_SYSCGROUP_PAUSE ((uint64_t)1<<32)
|
||||
#define QSSB_SYSCGROUP_PERF ((uint64_t)1<<33)
|
||||
#define QSSB_SYSCGROUP_PERMS ((uint64_t)1<<34)
|
||||
#define QSSB_SYSCGROUP_PIDFD ((uint64_t)1<<35)
|
||||
#define QSSB_SYSCGROUP_PKEY ((uint64_t)1<<36)
|
||||
#define QSSB_SYSCGROUP_POWER ((uint64_t)1<<37)
|
||||
#define QSSB_SYSCGROUP_PRIO ((uint64_t)1<<38)
|
||||
#define QSSB_SYSCGROUP_PROCESS ((uint64_t)1<<39)
|
||||
#define QSSB_SYSCGROUP_PTRACE ((uint64_t)1<<40)
|
||||
#define QSSB_SYSCGROUP_QUOTA ((uint64_t)1<<41)
|
||||
#define QSSB_SYSCGROUP_RES ((uint64_t)1<<42)
|
||||
#define QSSB_SYSCGROUP_RT ((uint64_t)1<<43)
|
||||
#define QSSB_SYSCGROUP_SCHED ((uint64_t)1<<44)
|
||||
#define QSSB_SYSCGROUP_SEM ((uint64_t)1<<45)
|
||||
#define QSSB_SYSCGROUP_SHM ((uint64_t)1<<46)
|
||||
#define QSSB_SYSCGROUP_SIGNAL ((uint64_t)1<<47)
|
||||
#define QSSB_SYSCGROUP_SOCKET ((uint64_t)1<<48)
|
||||
#define QSSB_SYSCGROUP_STAT ((uint64_t)1<<49)
|
||||
#define QSSB_SYSCGROUP_STDIO ((uint64_t)1<<50)
|
||||
#define QSSB_SYSCGROUP_SWAP ((uint64_t)1<<51)
|
||||
#define QSSB_SYSCGROUP_SYS ((uint64_t)1<<52)
|
||||
#define QSSB_SYSCGROUP_SYSCALL ((uint64_t)1<<53)
|
||||
#define QSSB_SYSCGROUP_THREAD ((uint64_t)1<<54)
|
||||
#define QSSB_SYSCGROUP_TIME ((uint64_t)1<<55)
|
||||
#define QSSB_SYSCGROUP_TIMER ((uint64_t)1<<56)
|
||||
#define QSSB_SYSCGROUP_TTY ((uint64_t)1<<57)
|
||||
#define QSSB_SYSCGROUP_UMOUNT ((uint64_t)1<<58)
|
||||
#define QSSB_SYSCGROUP_UNIMPLEMENTED ((uint64_t)1<<59)
|
||||
#define QSSB_SYSCGROUP_XATTR ((uint64_t)1<<60)
|
||||
|
||||
struct syscall_group_map
|
||||
{
|
||||
long syscall;
|
||||
uint64_t groupmask;
|
||||
};
|
||||
|
||||
/* TODO: Check for completion
|
||||
* Known blacklisting problem (catch up game, etc.)
|
||||
*
|
||||
* However, we use it to enhance "no_fs" policy, which does not solely rely
|
||||
* on seccomp anyway */
|
||||
static long fs_access_syscalls[] = {
|
||||
QSSB_SYS(chdir),
|
||||
QSSB_SYS(truncate),
|
||||
QSSB_SYS(stat),
|
||||
QSSB_SYS(flock),
|
||||
QSSB_SYS(chmod),
|
||||
QSSB_SYS(chown),
|
||||
QSSB_SYS(setxattr),
|
||||
QSSB_SYS(utime),
|
||||
QSSB_SYS(ioctl),
|
||||
QSSB_SYS(fcntl),
|
||||
QSSB_SYS(access),
|
||||
QSSB_SYS(open),
|
||||
QSSB_SYS(openat),
|
||||
QSSB_SYS(unlink),
|
||||
struct syscall_group_map sc_group_map[] = {
|
||||
{QSSB_SYS(read), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(write), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(open), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(close), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(stat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(fstat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(lstat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(poll), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(lseek), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(mmap), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(mprotect), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(munmap), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(brk), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(rt_sigaction), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(rt_sigprocmask), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(rt_sigreturn), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(ioctl), QSSB_SYSCGROUP_IOCTL|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(pread64), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(pwrite64), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(readv), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(writev), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(access), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(pipe), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(select), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(sched_yield), QSSB_SYSCGROUP_SCHED|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(mremap), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(msync), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(mincore), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(madvise), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(shmget), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(shmat), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(shmctl), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(dup), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(dup2), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(pause), QSSB_SYSCGROUP_PAUSE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(nanosleep), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(getitimer), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(alarm), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(setitimer), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(getpid), QSSB_SYSCGROUP_PROCESS|QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(sendfile), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(socket), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(connect), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(accept), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(sendto), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(recvfrom), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(sendmsg), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(recvmsg), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(shutdown), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(bind), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(listen), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(getsockname), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(getpeername), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(socketpair), QSSB_SYSCGROUP_SOCKET|QSSB_SYSCGROUP_IPC},
|
||||
{QSSB_SYS(setsockopt), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(getsockopt), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(clone), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(fork), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(vfork), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(execve), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_EXEC},
|
||||
{QSSB_SYS(exit), QSSB_SYSCGROUP_PROCESS|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(wait4), QSSB_SYSCGROUP_EXEC},
|
||||
{QSSB_SYS(kill), QSSB_SYSCGROUP_KILL},
|
||||
{QSSB_SYS(uname), QSSB_SYSCGROUP_SYS|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(semget), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(semop), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(semctl), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(shmdt), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(msgget), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(msgsnd), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(msgrcv), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(msgctl), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(fcntl), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(flock), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(fsync), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(fdatasync), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(truncate), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(ftruncate), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(getdents), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(getcwd), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(chdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(fchdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(rename), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(mkdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(rmdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(creat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(link), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(unlink), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(symlink), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(readlink), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(chmod), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(fchmod), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(chown), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(fchown), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(lchown), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(umask), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(gettimeofday), QSSB_SYSCGROUP_TIME|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(getrlimit), QSSB_SYSCGROUP_RES|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(getrusage), QSSB_SYSCGROUP_RES|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(sysinfo), QSSB_SYSCGROUP_SYS|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(times), QSSB_SYSCGROUP_TIME|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(ptrace), QSSB_SYSCGROUP_PTRACE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(getuid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(syslog), QSSB_SYSCGROUP_SYS},
|
||||
{QSSB_SYS(getgid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(setuid), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(setgid), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(geteuid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(getegid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(setpgid), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(getppid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(getpgrp), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(setsid), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(setreuid), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(setregid), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(getgroups), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(setgroups), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(setresuid), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(getresuid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(setresgid), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(getresgid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(getpgid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(setfsuid), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(setfsgid), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(getsid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(capget), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(capset), QSSB_SYSCGROUP_ID},
|
||||
{QSSB_SYS(rt_sigpending), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(rt_sigtimedwait), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(rt_sigqueueinfo), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(rt_sigsuspend), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(sigaltstack), QSSB_SYSCGROUP_THREAD|QSSB_SYSCGROUP_SIGNAL},
|
||||
{QSSB_SYS(utime), QSSB_SYSCGROUP_TIME|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(mknod), QSSB_SYSCGROUP_DEV|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(uselib), QSSB_SYSCGROUP_LIB|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(personality), QSSB_SYSCGROUP_PROCESS},
|
||||
{QSSB_SYS(ustat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(statfs), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(fstatfs), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(sysfs), QSSB_SYSCGROUP_SYS|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(getpriority), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(setpriority), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(sched_setparam), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(sched_getparam), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(sched_setscheduler), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(sched_getscheduler), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(sched_get_priority_max), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(sched_get_priority_min), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(sched_rr_get_interval), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(mlock), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(munlock), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(mlockall), QSSB_SYSCGROUP_MEMORY},
|
||||
{QSSB_SYS(munlockall), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(vhangup), QSSB_SYSCGROUP_TTY},
|
||||
{QSSB_SYS(modify_ldt), QSSB_SYSCGROUP_PROCESS},
|
||||
{QSSB_SYS(pivot_root), QSSB_SYSCGROUP_CHROOT},
|
||||
{QSSB_SYS(_sysctl), QSSB_SYSCGROUP_SYS},
|
||||
{QSSB_SYS(prctl), QSSB_SYSCGROUP_PROCESS},
|
||||
{QSSB_SYS(arch_prctl), QSSB_SYSCGROUP_PROCESS},
|
||||
{QSSB_SYS(adjtimex), QSSB_SYSCGROUP_CLOCK},
|
||||
{QSSB_SYS(setrlimit), QSSB_SYSCGROUP_RES},
|
||||
{QSSB_SYS(chroot), QSSB_SYSCGROUP_CHROOT|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(sync), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(acct), QSSB_SYSCGROUP_PROCESS},
|
||||
{QSSB_SYS(settimeofday), QSSB_SYSCGROUP_TIME},
|
||||
{QSSB_SYS(mount), QSSB_SYSCGROUP_MOUNT|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(umount2), QSSB_SYSCGROUP_UMOUNT|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(swapon), QSSB_SYSCGROUP_SWAP},
|
||||
{QSSB_SYS(swapoff), QSSB_SYSCGROUP_SWAP},
|
||||
{QSSB_SYS(reboot), QSSB_SYSCGROUP_POWER},
|
||||
{QSSB_SYS(sethostname), QSSB_SYSCGROUP_HOST},
|
||||
{QSSB_SYS(setdomainname), QSSB_SYSCGROUP_HOST},
|
||||
{QSSB_SYS(iopl), QSSB_SYSCGROUP_IOPL},
|
||||
{QSSB_SYS(ioperm), QSSB_SYSCGROUP_IOPL},
|
||||
{QSSB_SYS(create_module), QSSB_SYSCGROUP_KMOD},
|
||||
{QSSB_SYS(init_module), QSSB_SYSCGROUP_KMOD},
|
||||
{QSSB_SYS(delete_module), QSSB_SYSCGROUP_KMOD},
|
||||
{QSSB_SYS(get_kernel_syms), QSSB_SYSCGROUP_KMOD},
|
||||
{QSSB_SYS(query_module), QSSB_SYSCGROUP_KMOD},
|
||||
{QSSB_SYS(quotactl), QSSB_SYSCGROUP_QUOTA},
|
||||
{QSSB_SYS(nfsservctl), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(getpmsg), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
||||
{QSSB_SYS(putpmsg), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
||||
{QSSB_SYS(afs_syscall), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
||||
{QSSB_SYS(tuxcall), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
||||
{QSSB_SYS(security), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
||||
{QSSB_SYS(gettid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_THREAD},
|
||||
{QSSB_SYS(readahead), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(setxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(lsetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(fsetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(getxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(lgetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(fgetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(listxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(llistxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(flistxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(removexattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(lremovexattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(fremovexattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(tkill), QSSB_SYSCGROUP_THREAD|QSSB_SYSCGROUP_SIGNAL},
|
||||
{QSSB_SYS(time), QSSB_SYSCGROUP_TIME},
|
||||
{QSSB_SYS(futex), QSSB_SYSCGROUP_THREAD|QSSB_SYSCGROUP_FUTEX},
|
||||
{QSSB_SYS(sched_setaffinity), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(sched_getaffinity), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(set_thread_area), QSSB_SYSCGROUP_THREAD},
|
||||
{QSSB_SYS(io_setup), QSSB_SYSCGROUP_IO},
|
||||
{QSSB_SYS(io_destroy), QSSB_SYSCGROUP_IO},
|
||||
{QSSB_SYS(io_getevents), QSSB_SYSCGROUP_IO},
|
||||
{QSSB_SYS(io_submit), QSSB_SYSCGROUP_IO},
|
||||
{QSSB_SYS(io_cancel), QSSB_SYSCGROUP_IO},
|
||||
{QSSB_SYS(get_thread_area), QSSB_SYSCGROUP_THREAD},
|
||||
{QSSB_SYS(lookup_dcookie), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(epoll_create), QSSB_SYSCGROUP_STDIO},
|
||||
{QSSB_SYS(epoll_ctl_old), QSSB_SYSCGROUP_STDIO},
|
||||
{QSSB_SYS(epoll_wait_old), QSSB_SYSCGROUP_STDIO},
|
||||
{QSSB_SYS(remap_file_pages), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(getdents64), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(set_tid_address), QSSB_SYSCGROUP_THREAD},
|
||||
{QSSB_SYS(restart_syscall), QSSB_SYSCGROUP_SYSCALL},
|
||||
{QSSB_SYS(semtimedop), QSSB_SYSCGROUP_SEM},
|
||||
{QSSB_SYS(fadvise64), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(timer_create), QSSB_SYSCGROUP_TIMER},
|
||||
{QSSB_SYS(timer_settime), QSSB_SYSCGROUP_TIMER},
|
||||
{QSSB_SYS(timer_gettime), QSSB_SYSCGROUP_TIMER},
|
||||
{QSSB_SYS(timer_getoverrun), QSSB_SYSCGROUP_TIMER},
|
||||
{QSSB_SYS(timer_delete), QSSB_SYSCGROUP_TIMER},
|
||||
{QSSB_SYS(clock_settime), QSSB_SYSCGROUP_TIME},
|
||||
{QSSB_SYS(clock_gettime), QSSB_SYSCGROUP_TIME},
|
||||
{QSSB_SYS(clock_getres), QSSB_SYSCGROUP_TIME},
|
||||
{QSSB_SYS(clock_nanosleep), QSSB_SYSCGROUP_TIME},
|
||||
{QSSB_SYS(exit_group), QSSB_SYSCGROUP_EXIT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(epoll_wait), QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(epoll_ctl), QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(tgkill), QSSB_SYSCGROUP_SIGNAL|QSSB_SYSCGROUP_THREAD},
|
||||
{QSSB_SYS(utimes), QSSB_SYSCGROUP_PATH},
|
||||
{QSSB_SYS(vserver), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
||||
{QSSB_SYS(mbind), QSSB_SYSCGROUP_MEMORY},
|
||||
{QSSB_SYS(set_mempolicy), QSSB_SYSCGROUP_MEMORY},
|
||||
{QSSB_SYS(get_mempolicy), QSSB_SYSCGROUP_MEMORY},
|
||||
{QSSB_SYS(mq_open), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
||||
{QSSB_SYS(mq_unlink), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
||||
{QSSB_SYS(mq_timedsend), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
||||
{QSSB_SYS(mq_timedreceive), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
||||
{QSSB_SYS(mq_notify), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
||||
{QSSB_SYS(mq_getsetattr), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
||||
{QSSB_SYS(kexec_load), QSSB_SYSCGROUP_KEXEC},
|
||||
{QSSB_SYS(waitid), QSSB_SYSCGROUP_SIGNAL},
|
||||
{QSSB_SYS(add_key), QSSB_SYSCGROUP_KEYS},
|
||||
{QSSB_SYS(request_key), QSSB_SYSCGROUP_KEYS},
|
||||
{QSSB_SYS(keyctl), QSSB_SYSCGROUP_KEYS},
|
||||
{QSSB_SYS(ioprio_set), QSSB_SYSCGROUP_PRIO},
|
||||
{QSSB_SYS(ioprio_get), QSSB_SYSCGROUP_PRIO},
|
||||
{QSSB_SYS(inotify_init), QSSB_SYSCGROUP_INOTIFY},
|
||||
{QSSB_SYS(inotify_add_watch), QSSB_SYSCGROUP_INOTIFY},
|
||||
{QSSB_SYS(inotify_rm_watch), QSSB_SYSCGROUP_INOTIFY},
|
||||
{QSSB_SYS(migrate_pages), QSSB_SYSCGROUP_PROCESS},
|
||||
{QSSB_SYS(openat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(mkdirat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(mknodat), QSSB_SYSCGROUP_DEV|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(fchownat), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(futimesat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(newfstatat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(unlinkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(renameat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(linkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(symlinkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(readlinkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(fchmodat), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(faccessat), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(pselect6), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(ppoll), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(unshare), QSSB_SYSCGROUP_NS|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(set_robust_list), QSSB_SYSCGROUP_FUTEX},
|
||||
{QSSB_SYS(get_robust_list), QSSB_SYSCGROUP_FUTEX},
|
||||
{QSSB_SYS(splice), QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(tee), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(sync_file_range), QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(vmsplice), QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(move_pages), QSSB_SYSCGROUP_PROCESS},
|
||||
{QSSB_SYS(utimensat), QSSB_SYSCGROUP_PATH},
|
||||
{QSSB_SYS(epoll_pwait), QSSB_SYSCGROUP_STDIO},
|
||||
{QSSB_SYS(signalfd), QSSB_SYSCGROUP_SIGNAL},
|
||||
{QSSB_SYS(timerfd_create), QSSB_SYSCGROUP_TIMER},
|
||||
{QSSB_SYS(eventfd), QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(fallocate), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(timerfd_settime), QSSB_SYSCGROUP_TIMER},
|
||||
{QSSB_SYS(timerfd_gettime), QSSB_SYSCGROUP_TIMER},
|
||||
{QSSB_SYS(accept4), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(signalfd4), QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(eventfd2), QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(epoll_create1), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(dup3), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(pipe2), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(inotify_init1), QSSB_SYSCGROUP_INOTIFY},
|
||||
{QSSB_SYS(preadv), QSSB_SYSCGROUP_STDIO},
|
||||
{QSSB_SYS(pwritev), QSSB_SYSCGROUP_STDIO},
|
||||
{QSSB_SYS(rt_tgsigqueueinfo), QSSB_SYSCGROUP_RT},
|
||||
{QSSB_SYS(perf_event_open), QSSB_SYSCGROUP_PERF},
|
||||
{QSSB_SYS(recvmmsg), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(fanotify_init), QSSB_SYSCGROUP_FANOTIFY},
|
||||
{QSSB_SYS(fanotify_mark), QSSB_SYSCGROUP_FANOTIFY},
|
||||
{QSSB_SYS(prlimit64), QSSB_SYSCGROUP_RES},
|
||||
{QSSB_SYS(name_to_handle_at), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(open_by_handle_at), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_FS},
|
||||
{QSSB_SYS(clock_adjtime), QSSB_SYSCGROUP_CLOCK},
|
||||
{QSSB_SYS(syncfs), QSSB_SYSCGROUP_FD},
|
||||
{QSSB_SYS(sendmmsg), QSSB_SYSCGROUP_SOCKET},
|
||||
{QSSB_SYS(setns), QSSB_SYSCGROUP_NS},
|
||||
{QSSB_SYS(getcpu), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(process_vm_readv), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(process_vm_writev), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(kcmp), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(finit_module), QSSB_SYSCGROUP_KMOD},
|
||||
{QSSB_SYS(sched_setattr), QSSB_SYSCGROUP_SCHED},
|
||||
{QSSB_SYS(sched_getattr), QSSB_SYSCGROUP_SCHED|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(renameat2), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(seccomp), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(getrandom), QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(memfd_create), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(kexec_file_load), QSSB_SYSCGROUP_KEXEC},
|
||||
{QSSB_SYS(bpf), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(execveat), QSSB_SYSCGROUP_EXEC},
|
||||
{QSSB_SYS(userfaultfd), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(membarrier), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(mlock2), QSSB_SYSCGROUP_MEMORY},
|
||||
{QSSB_SYS(copy_file_range), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(preadv2), QSSB_SYSCGROUP_STDIO},
|
||||
{QSSB_SYS(pwritev2), QSSB_SYSCGROUP_STDIO},
|
||||
{QSSB_SYS(pkey_mprotect), QSSB_SYSCGROUP_PKEY},
|
||||
{QSSB_SYS(pkey_alloc), QSSB_SYSCGROUP_PKEY},
|
||||
{QSSB_SYS(pkey_free), QSSB_SYSCGROUP_PKEY},
|
||||
{QSSB_SYS(statx), QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(io_pgetevents), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(rseq), QSSB_SYSCGROUP_THREAD},
|
||||
{QSSB_SYS(pidfd_send_signal), QSSB_SYSCGROUP_PIDFD},
|
||||
{QSSB_SYS(io_uring_setup), QSSB_SYSCGROUP_IOURING},
|
||||
{QSSB_SYS(io_uring_enter), QSSB_SYSCGROUP_IOURING},
|
||||
{QSSB_SYS(io_uring_register), QSSB_SYSCGROUP_IOURING},
|
||||
{QSSB_SYS(open_tree), QSSB_SYSCGROUP_NEWMOUNT},
|
||||
{QSSB_SYS(move_mount), QSSB_SYSCGROUP_NEWMOUNT},
|
||||
{QSSB_SYS(fsopen), QSSB_SYSCGROUP_NEWMOUNT},
|
||||
{QSSB_SYS(fsconfig), QSSB_SYSCGROUP_NEWMOUNT},
|
||||
{QSSB_SYS(fsmount), QSSB_SYSCGROUP_NEWMOUNT},
|
||||
{QSSB_SYS(fspick), QSSB_SYSCGROUP_NEWMOUNT},
|
||||
{QSSB_SYS(pidfd_open), QSSB_SYSCGROUP_PIDFD},
|
||||
{QSSB_SYS(clone3), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(close_range), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(openat2), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(pidfd_getfd), QSSB_SYSCGROUP_PIDFD},
|
||||
{QSSB_SYS(faccessat2), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
||||
{QSSB_SYS(process_madvise), QSSB_SYSCGROUP_MEMORY},
|
||||
{QSSB_SYS(epoll_pwait2), QSSB_SYSCGROUP_STDIO},
|
||||
{QSSB_SYS(mount_setattr), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(quotactl_fd), QSSB_SYSCGROUP_QUOTA},
|
||||
{QSSB_SYS(landlock_create_ruleset), QSSB_SYSCGROUP_LANDLOCK},
|
||||
{QSSB_SYS(landlock_add_rule), QSSB_SYSCGROUP_LANDLOCK},
|
||||
{QSSB_SYS(landlock_restrict_self), QSSB_SYSCGROUP_LANDLOCK},
|
||||
{QSSB_SYS(memfd_secret), QSSB_SYSCGROUP_NONE},
|
||||
{QSSB_SYS(process_mrelease), QSSB_SYSCGROUP_NONE}
|
||||
};
|
||||
|
||||
|
||||
struct qssb_path_policy
|
||||
{
|
||||
const char *path;
|
||||
@@ -341,6 +820,35 @@ int qssb_append_syscall_default_policy(struct qssb_policy *qssb_policy, unsigned
|
||||
return qssb_append_syscall_policy(qssb_policy, default_policy, QSSB_SYSCALL_MATCH_ALL);
|
||||
}
|
||||
|
||||
static void get_group_syscalls(uint64_t mask, long *syscalls, size_t *n)
|
||||
{
|
||||
size_t count = 0;
|
||||
for(unsigned long i = 0; i < sizeof(sc_group_map)/sizeof(sc_group_map[0]); i++)
|
||||
{
|
||||
struct syscall_group_map *current = &sc_group_map[i];
|
||||
if(current->groupmask & mask)
|
||||
{
|
||||
syscalls[count] = current->syscall;
|
||||
++count;
|
||||
}
|
||||
}
|
||||
*n = count;
|
||||
}
|
||||
|
||||
int qssb_append_group_syscall_policy(struct qssb_policy *qssb_policy, unsigned int syscall_policy, uint64_t groupmask)
|
||||
{
|
||||
long syscalls[400] = { 0 };
|
||||
size_t n = 0;
|
||||
get_group_syscalls(groupmask, syscalls, &n);
|
||||
if(n == 0)
|
||||
{
|
||||
QSSB_LOG_ERROR("Error: No syscalls found for group mask\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
return qssb_append_syscalls_policy(qssb_policy, syscall_policy, syscalls, n);
|
||||
}
|
||||
|
||||
/* Creates the default policy
|
||||
* Must be freed using qssb_free_policy
|
||||
* @returns: default policy */
|
||||
@@ -781,7 +1289,6 @@ static int qssb_enable_syscall_policy(struct qssb_policy *policy)
|
||||
long *syscalls = NULL;
|
||||
size_t n = 0;
|
||||
get_syscall_array(current_policy, &syscalls, &n);
|
||||
|
||||
unsigned short int newsize;
|
||||
if(__builtin_add_overflow(current_filter_index, n, &newsize))
|
||||
{
|
||||
@@ -1055,8 +1562,7 @@ static int enable_no_fs(struct qssb_policy *policy)
|
||||
}
|
||||
|
||||
//TODO: we don't have to do this if there whitelisted policies, in that case we will be behind the default deny anyway
|
||||
size_t fs_access_syscalls_count = sizeof(fs_access_syscalls)/sizeof(fs_access_syscalls[0]);
|
||||
int ret = qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, fs_access_syscalls, fs_access_syscalls_count);
|
||||
int ret = qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYSCGROUP_FS);
|
||||
if(ret != 0)
|
||||
{
|
||||
QSSB_LOG_ERROR("Failed to add system calls to policy\n");
|
||||
@@ -1072,14 +1578,12 @@ static int enable_no_fs(struct qssb_policy *policy)
|
||||
|
||||
static int qssb_append_predefined_standard_syscall_policy(struct qssb_policy *policy)
|
||||
{
|
||||
size_t blacklisted_syscalls_count = sizeof(default_blacklisted_syscalls)/sizeof(default_blacklisted_syscalls[0]);
|
||||
|
||||
int appendresult = qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, default_blacklisted_syscalls, blacklisted_syscalls_count);
|
||||
int appendresult = qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW);
|
||||
if(appendresult != 0)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
appendresult = qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
|
||||
appendresult = qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR);
|
||||
if(appendresult != 0)
|
||||
{
|
||||
return 1;
|
||||
|
||||
19
test.c
19
test.c
@@ -182,6 +182,24 @@ int test_seccomp_errno()
|
||||
return test_successful_exit(&do_test_seccomp_errno);
|
||||
}
|
||||
|
||||
static int test_seccomp_group()
|
||||
{
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
|
||||
qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYSCGROUP_SOCKET);
|
||||
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
|
||||
|
||||
xqssb_enable_policy(policy);
|
||||
|
||||
int s = socket(AF_INET,SOCK_STREAM,0);
|
||||
if(s != -1)
|
||||
{
|
||||
printf("Failed: socket was expected to return error\n");
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int test_landlock()
|
||||
{
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
@@ -280,6 +298,7 @@ struct dispatcher dispatchers[] = {
|
||||
{ "seccomp-x32-kill", &test_seccomp_x32_kill},
|
||||
{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
|
||||
{ "seccomp-errno", &test_seccomp_errno},
|
||||
{ "seccomp-group", &test_seccomp_group},
|
||||
{ "landlock", &test_landlock},
|
||||
{ "landlock-deny-write", &test_landlock_deny_write },
|
||||
{ "no_fs", &test_nofs},
|
||||
|
||||
新しいイシューから参照
ユーザーをブロックする