3fa73b0b97
Close file fds by default, introduce policy->keep_fds_open
...
The better default is to close them, not keeping them open.
Does not close sockets and pipes to not interfere with IPC.
Issue: #10
2022-07-17 13:00:02 +02:00
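As an added illustration of the default this commit describes (example code, not exile's own implementation): a helper that closes every open descriptor except stdio, sockets, pipes and an explicit keep list. The name close_file_fds() and the keep-list signature are assumptions standing in for policy->keep_fds_open; the /proc/self/fd scan is Linux-specific, with a bounded fd-table scan as fallback.

```c
/* Added example, not exile's code: close all fds that are not stdio,
   sockets, pipes, or listed in keep[]. Returns fds closed, -1 on error. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

static int fd_in_list(int fd, const int *keep, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (keep[i] == fd)
			return 1;
	return 0;
}

/* Sockets and FIFOs are spared so that IPC with the parent keeps working. */
static int should_keep(int fd, const int *keep, size_t n_keep)
{
	struct stat st;
	if (fd <= 2 || fd_in_list(fd, keep, n_keep))
		return 1;
	if (fstat(fd, &st) != 0)
		return 1; /* cannot classify it, so leave it alone */
	return S_ISSOCK(st.st_mode) || S_ISFIFO(st.st_mode);
}

/* Two passes: first collect candidates, then close. Closing while still
   iterating /proc/self/fd can make readdir() skip entries. */
int close_file_fds(const int *keep, size_t n_keep)
{
	int *fds = NULL;
	size_t count = 0, cap = 0;
	DIR *dir = opendir("/proc/self/fd");
	if (dir) {
		int dfd = dirfd(dir); /* closedir() takes care of this one */
		struct dirent *e;
		while ((e = readdir(dir)) != NULL) {
			char *end;
			long fd = strtol(e->d_name, &end, 10);
			if (*end != '\0' || fd < 0 || fd == dfd)
				continue;
			if (count == cap) {
				cap = cap ? cap * 2 : 64;
				int *grown = realloc(fds, cap * sizeof *fds);
				if (!grown) { free(fds); closedir(dir); return -1; }
				fds = grown;
			}
			fds[count++] = (int)fd;
		}
		closedir(dir);
	} else {
		/* no /proc: probe the fd table, bounded to keep the scan cheap */
		long max = sysconf(_SC_OPEN_MAX);
		if (max < 0 || max > 65536)
			max = 65536;
		fds = malloc((size_t)max * sizeof *fds);
		if (!fds)
			return -1;
		for (long fd = 3; fd < max; fd++)
			if (fcntl((int)fd, F_GETFD) != -1)
				fds[count++] = (int)fd;
	}

	int closed = 0;
	for (size_t i = 0; i < count; i++) {
		if (should_keep(fds[i], keep, n_keep))
			continue;
		if (close(fds[i]) == 0)
			closed++;
	}
	free(fds);
	return closed;
}
```

Call it in the child after the policy's pipes and sockets are set up but before untrusted code runs; anything not in the keep list that is neither socket nor pipe is gone afterwards.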
8f38dc4480
check_policy_sanity(): Allow vows and syscall policies
...
Adjust checks to allow a mixed mode between syscall policies and vows.
Check for some easy-to-make mistakes in such a scenario.
2022-06-09 10:02:12 +02:00
42d44b0cc1
README.md: Minor improvements throughout the file
2022-06-06 14:07:37 +02:00
bd3641981c
Introduce EXILE_SYSCALL_DENY_RET_NOSYS for syscalls like clone3()
...
clone3() is used more and more, but we cannot filter it. We can either
allow it fully or return ENOSYS. Some libraries perform fallbacks to the
older clone() in that case, which we can filter again.
2022-06-06 14:07:37 +02:00
bbbdfc44da
exile.hpp: do_clone(): free stack memory
2022-05-29 19:25:53 +02:00
2dc61828f1
README: Clarify limitations
2022-04-29 21:25:21 +02:00
cdc265cedf
c++: exile_launch(): Correct std::enable_if logic if type is a ptr
2022-04-29 21:23:53 +02:00
91858efa51
vows map: Add memfd_create, rseq
2022-04-22 08:37:34 +02:00
88995d214d
README.md: Minor improvements (typos, rephrasing)
2022-04-07 00:04:52 +02:00
6eb47daf84
README: Update Debian section
2022-03-28 19:25:55 +02:00
8bf87717a5
vows: ioctl: Make TIOCSTI illegal even when IOCTL vow is set
2022-03-28 19:14:02 +02:00
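The two filtering decisions recorded in the clone3() ENOSYS commit (bd3641981c) and in this TIOCSTI commit, shown as one added seccomp-BPF program (example code, not exile's own filter). clone3() takes its flags in a struct in user memory, which BPF cannot dereference, so the filter answers ENOSYS and lets libc retry with clone(), whose flags sit in a register and can be inspected. ioctl() stays allowed except when the request is TIOCSTI, which would let a sandboxed process inject keystrokes into the controlling terminal. Names such as install_demo_filter() are assumptions; Linux and glibc headers are assumed.

```c
/* Added example, not exile's code: clone3 -> ENOSYS, ioctl(TIOCSTI) -> EPERM,
   everything else allowed. */
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_clone3
#define __NR_clone3 435 /* same number on every architecture */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Offset of the low 32 bits of syscall argument n inside struct seccomp_data. */
#if __BYTE_ORDER == __LITTLE_ENDIAN
#define ARG_LO32(n) (offsetof(struct seccomp_data, args) + 8 * (n))
#else
#define ARG_LO32(n) (offsetof(struct seccomp_data, args) + 8 * (n) + 4)
#endif

int install_demo_filter(void)
{
	struct sock_filter code[] = {
		/* 0-2: kill if the ABI is not the one we wrote the numbers for */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
		/* 3-5: clone3 -> ENOSYS, so libc falls back to filterable clone() */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
		/* 6-9: ioctl whose request (arg 1) is TIOCSTI -> EPERM */
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO32(1)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
		/* 10: everything else passes */
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	};
	struct sock_fprog prog = {
		.len = (unsigned short)(sizeof code / sizeof code[0]),
		.filter = code,
	};
	/* required before an unprivileged process may install a filter */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
		return -1;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probes return the errno the kernel handed back (0 on success). */
int probe_clone3(void)
{
	/* size 0 is invalid, so an unfiltered kernel answers EINVAL and never forks */
	if (syscall(__NR_clone3, NULL, (size_t)0) == -1)
		return errno;
	return 0;
}

int probe_tiocsti(int fd)
{
	/* on a non-tty fd an unfiltered kernel answers ENOTTY */
	if (ioctl(fd, TIOCSTI, "x") == -1)
		return errno;
	return 0;
}

int main(void)
{
	int p[2];
	if (pipe(p) != 0 || install_demo_filter() != 0)
		return 1;
	return (probe_clone3() == ENOSYS && probe_tiocsti(p[1]) == EPERM) ? 0 : 1;
}
```

The ENOSYS answer only helps when the caller actually falls back; a program that treats ENOSYS from clone3() as fatal will simply fail, which is the trade-off the commit message describes.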
bcaefffbe8
Improve various error messages
2022-03-28 19:04:28 +02:00
ed5098f2c6
README: Begin demo section
2022-03-17 17:10:38 +01:00
ea66ef76eb
exile_flags_to_landlock(): Cover more with ALL_WRITE, except devices
...
More consistent with mount(), where MS_NODEV disallows those.
We may need to introduce a flag that simply allows everything.
2022-03-17 15:47:22 +01:00
66def7a28f
append_syscall_to_bpf(): Check for unlikely case of too many sock_filters
2022-03-17 15:47:22 +01:00
dbf8e87440
exile.hpp: Mark do_clone inline, not static
2022-03-17 15:47:22 +01:00
98421fab90
Makefile: Build exile.o separately, link it in all tests
2022-03-17 15:47:22 +01:00
70c3fef500
exile.h: Retire static child_read/write_pipe vars
2022-03-17 15:47:22 +01:00
69829374c7
exile.h: Move definitions to new file exile.c
...
Especially with exile_launch(), we will be included
from more than one translation unit. Thus, ODR becomes
a headache now.
So move definitions to exile.c.
2022-03-17 15:47:22 +01:00
005851c645
exile.h: Add extern "C" guards
2022-03-17 15:47:22 +01:00
95fa11e928
c++: Add explicit exile_launch() std::basic_string variant
2022-03-17 15:47:22 +01:00
97e2025758
c++: Retire exile_launch_trivial(), use std::enable_if
2022-03-17 15:47:22 +01:00
8cfb73568a
Makefile: Add 'tests' target, depend on headers too to rebuild on changes of those
2022-03-17 15:47:22 +01:00
e7a5ba7f7f
test.sh: Also run C++ tests
2022-03-17 15:47:22 +01:00
e52eda186b
Add test.cpp to test C++ API
2022-03-17 15:47:22 +01:00
90ed5bbae9
Begin C++ API: Add exile.hpp with exile_launch() wrappers
2022-03-17 15:47:22 +01:00
48b6de9036
struct syscall_vow_map: change 'str' to const char*
2022-03-17 15:47:22 +01:00
93acb13929
test: Introduce LOG(), avoid inconsistent printf/fprintf
2022-03-17 15:47:22 +01:00
9247a6636b
Introduce exile_vows_from_str()
2022-03-17 15:47:22 +01:00
4a3ac8e0bc
exile_launch(): Improve handling/logging of errors
2022-01-16 21:46:11 +01:00
ed54575b89
exile_launch(): Open another pipe to also write to child
2022-01-16 21:46:11 +01:00
0caff45600
EXILE_LOG_ERROR: Prepend function name
2022-01-16 21:46:11 +01:00
080c0e53c2
test: test_mkpath(): Cleanup before run and on success
2022-01-16 21:46:11 +01:00
4adc13215b
exile_append_path_policies(): Add sentinel macro, making *policy() version redundant
2022-01-16 21:46:11 +01:00
bf29edf213
Update README with most recent draft
2022-01-16 21:46:11 +01:00
68bfd7e66c
Update copyright header
2022-01-16 21:46:11 +01:00
58bc50db61
test: Begin testing exile_launch*()
2022-01-16 21:46:11 +01:00
1e63fa75ef
Introduce exile_launch*(): Simplifies launching functions protected by policy
...
Those functions clone(), then activate the specified policy.
They then jump to the supplied function and pass an argument to it.
exile_launch() returns a read file descriptor, that can be
used by the parent process to get the data.
exile_launch_get() is a convenience wrapper, returning a buffer
containing everything read from the sandboxed function.
2022-01-16 21:46:11 +01:00
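The launch pattern this commit describes, together with the second pipe towards the child from ed54575b89, as an added example that is not exile's code: a child is created, the policy would be activated there, the supplied function runs, and the parent gets a read end to collect the result, plus a convenience wrapper that returns everything the child wrote. fork() stands in for clone(), the function signature (in_fd, out_fd, arg) and the names launch()/launch_get() are assumptions, and the sample functions and input are constructed for the test.

```c
/* Added example, not exile's code: run fn() in a child behind two pipes and
   collect its output. A real sandbox enables its policy in the child
   between fork() and fn(). */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* child-side function: reads input from in_fd, writes results to out_fd */
typedef int (*sandboxed_fn)(int in_fd, int out_fd, void *arg);

struct launched {
	pid_t pid;
	int to_child;   /* parent writes input here */
	int from_child; /* parent reads results here */
};

static int write_all(int fd, const char *buf, size_t n)
{
	while (n > 0) {
		ssize_t w = write(fd, buf, n);
		if (w < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		buf += w;
		n -= (size_t)w;
	}
	return 0;
}

int launch(sandboxed_fn fn, void *arg, struct launched *l)
{
	int in[2], out[2];
	if (pipe(in) != 0)
		return -1;
	if (pipe(out) != 0) {
		close(in[0]); close(in[1]);
		return -1;
	}
	pid_t pid = fork();
	if (pid < 0) {
		close(in[0]); close(in[1]); close(out[0]); close(out[1]);
		return -1;
	}
	if (pid == 0) {
		close(in[1]);
		close(out[0]);
		/* the sandbox policy would be enabled here, before fn() runs */
		_exit(fn(in[0], out[1], arg) == 0 ? 0 : 1);
	}
	close(in[0]);
	close(out[1]);
	l->pid = pid;
	l->to_child = in[1];
	l->from_child = out[0];
	return 0;
}

/* Feed input, read until EOF, reap the child. Returns a NUL-terminated
   malloc'd buffer, or NULL if anything (including the child) failed.
   Inputs larger than a pipe buffer would need interleaved I/O, and a
   caller whose child may exit early should ignore SIGPIPE. */
char *launch_get(sandboxed_fn fn, void *arg, const char *input, size_t inlen, size_t *outlen)
{
	struct launched l;
	if (launch(fn, arg, &l) != 0)
		return NULL;
	int wfail = write_all(l.to_child, input, inlen) != 0;
	close(l.to_child); /* EOF tells the child the input is complete */

	size_t cap = 256, len = 0;
	char *buf = malloc(cap);
	ssize_t r;
	while (buf && (r = read(l.from_child, buf + len, cap - len - 1)) != 0) {
		if (r < 0) {
			if (errno == EINTR)
				continue;
			free(buf); buf = NULL;
			break;
		}
		len += (size_t)r;
		if (cap - len < 2) { /* keep room for the terminating NUL */
			char *g = realloc(buf, cap * 2);
			if (!g) { free(buf); buf = NULL; break; }
			buf = g;
			cap *= 2;
		}
	}
	close(l.from_child);
	int status;
	while (waitpid(l.pid, &status, 0) < 0 && errno == EINTR)
		;
	if (!buf || wfail || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		free(buf);
		return NULL;
	}
	buf[len] = '\0';
	if (outlen)
		*outlen = len;
	return buf;
}

/* constructed sample function: uppercase whatever it is fed */
int upper_fn(int in_fd, int out_fd, void *arg)
{
	(void)arg;
	char chunk[64];
	ssize_t n;
	while ((n = read(in_fd, chunk, sizeof chunk)) > 0) {
		for (ssize_t i = 0; i < n; i++)
			chunk[i] = (char)toupper((unsigned char)chunk[i]);
		if (write_all(out_fd, chunk, (size_t)n) != 0)
			return 1;
	}
	return n < 0 ? 1 : 0;
}

/* constructed sample function that fails after partial output */
int failing_fn(int in_fd, int out_fd, void *arg)
{
	(void)in_fd; (void)arg;
	write_all(out_fd, "partial", 7);
	return 1;
}
```

Checking the child's exit status before handing back the buffer matters: a sandboxed function killed by the policy (or returning an error) must not be mistaken for one that legitimately produced short output.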
6c44c88397
create_chroot_dirs(): Correct comment
2022-01-16 21:46:11 +01:00
3780509078
Introduce flags indicating errors to catch non-checked return codes
...
Certain functions can fail before we execute exile_enable_policy().
While the return code should be checked, it's easily forgotten. For
most users, checking just the exile_enable_policy() return code
should suffice.
exile_append_path_policies(): Add check whether a path exists. If not,
set the error flag.
This also allows an early exit, allowing to cleanly handle the case
when a path does not exist. Previously, this was only caught
during activation, and a failure there is generally undefined.
2022-01-16 21:46:11 +01:00
fd4dfb12f0
vow: Add prlimit64(),arch_prctl()
2022-01-16 21:46:11 +01:00
a9e6b3ee67
chroot: Create all paths first, then mount
...
We mounted after creating dirs; this was potentially problematic
for the next path policy to follow.
Perform two passes on the path_policies list, first creates all
dirs, second does the mounts.
2022-01-16 21:46:11 +01:00
3b61e90761
test: Add mkpath() test
2022-01-16 20:38:03 +01:00
0e27b19999
Handle files for bind-mounts too, rename mkdir_structure() to mkpath()
2022-01-16 20:38:03 +01:00
ff70142e04
exile_flags_to_landlock(): Only add flags for a path that a reasonable
2022-01-08 12:19:31 +01:00
4824c6eaa9
check_policy_sanity(): Traverse path_policy list only if no landlock available
2021-12-29 11:03:51 +01:00
9048a3b4fe
append_syscall_to_bpf(): Improve readability
2021-12-29 11:03:51 +01:00
0b54e73ff4
Rework get_vow_argfilter() for readability and ease of use
...
The previous approach had too many special cases, was quite
error-prone when changing things and a bit messy in general.
2021-12-29 11:03:51 +01:00
b2306299d5
vow: fix clone filter broken by ca0f8279
2021-12-28 13:17:20 +01:00
55b43fdaac
Rename our 'pledge' mechanism to 'vow'
...
Among other differences, pledge() from OpenBSD takes a string
and has exec promises. We don't.
Using the same name yet providing a different interface does not
appear reasonable.
2021-12-28 11:05:24 +01:00