clone3() is used more and more, but we cannot filter it. We can either
allow it fully or return ENONYS. Some libraries perform fallbacks to the
older clone() in that case, which we can filter again.
Especially with exile_launch(), we will be included
from more than one translation unit. Thus, ODR becomes
a headache now.
So move definitions to exile.c.
Those functions clone(), then activate the specified policy.
They then jump to the supplied function and pass an argument to it.
exile_launch() returns a read file descriptor, that can be
used by the parent process to get the data.
exile_launch_get() is a convenience wrapper, return a buffer
containing everything read from the sandboxed function.
Certain functions can fail before we execute exile_enable_policy().
While the return code should be checked, it's easily forgotten. For
most users, checking just the exile_enable_policy() return code
should suffice.
exile_append_path_policies(): Add check whether a path exists. If not,
set the error flag.
This also allows an early exit, allowing to cleanly handle the case
when a path does not exist. Previously, this was only caught
during activation, and a failure there is generally undefined.
We mounted after creating dirs, this was potentially problematic
for the next path policy to follow.
Perform two passes on the path_policies list, first creates all
dirs, second does the mounts.
Among other differences, pledge() from OpenBSD takes a string
and has exec promises. We don't.
Using the same name yet providing a different interface does not
appear reasonable.
We cannot assume that landlock is enabled if we can compile it.
Even if it's enabled in the kernel it may still not be loaded.
We fill fallback to chroot/bind-mounts if we can.
If we can't (because path policies have landlock-specific options),
we can't do that either.
Closes: #21
Some distros put sys/capability.h into libcap-dev or
similiar, which is a bit unforunate, we don't need
libcap-dev or anything like that.
Since we anyway only used the capget()/capset(), we can
just define a simple wrapper and call the syscall directly
and therefore avoid above mentioned issue.
This begins a pledge() implementation. This also
retires the previous syscall grouping approach,
as pledge() is the superior mechanism.
Squashed:
test: Begin basic pledge test
pledge: Begin EXILE_SYSCALL_PLEDGE_UNIX/EXILE_SYSCALL_PLEDGE_INET
test: Add pledge socket test
Introduce EXILE_SYSCALL_PLEDGE_DENY_ERROR, remove exile_policy->pledge_policy
pledge: Add PROT_EXEC
Squashed:
test: Adjust existing to new API with arg filters
test: Add tests for low-level seccomp args filter API
test: Add seccomp_filter_mixed()
test: Switch to syscall() everywhere
append_syscall_to_bpf(): Apply EXILE_SYSCALL_EXIT_BPF_NO_MATCH also for sock_filter.jt
qssb.h was a preliminary name and can't be pronounced smoothly.
exile.h is more fitting and it's also short. Something exiled is essentially
something isolated, which is pretty much what this library does (isolation from
resources such as file system, network and others accessible by system calls).
Albert S.