Γράφημα Υποβολών

62 Υποβολές

Συγγραφέας SHA1 Μήνυμα Ημερομηνία
d847d0f996 qssb_append_group_syscall_policy(): Make QSSB_SYSCGROUP_NONE an invalid group 2021-11-14 21:46:47 +01:00
1a2443db18 qssb_append_syscalls_policy(): Fix mem leak on failure 2021-11-14 21:46:47 +01:00
db17e58deb Assign syscalls into groups. Add whitelist mode (default).
Classify syscalls into groups, for x86_64 only for now.
Up to date for 5.15, generate some #ifndef for syscalls
introduced since 5.10. Only support x86_64 therefore at this point.

Switch from blacklisting to a default whitelist.
2021-11-14 21:46:47 +01:00
0d7c5bd6d4 append_syscall_to_bpf(): Explicit type cast to fix (C++) warnings 2021-10-25 18:18:31 +02:00
55e1f42ca8 check_policy_sanity(): Initialize last_policy 2021-10-03 21:25:37 +02:00
11d64c6fcf enter_namespaces(): Check fopen/fprintf errors 2021-09-12 20:00:03 +02:00
ebe043c08d Fix missing \n in some error outputs 2021-09-12 19:50:05 +02:00
8bc0d1e73a Use overflow-safe operator builtins
As a precaution as it does not hurt
2021-09-12 19:47:45 +02:00
215032f32c enable_no_fs(): Fix corresponding test by adding missing default policy 2021-09-06 21:43:50 +02:00
411e00715d Rename qssb_append_default_syscall_policy() to better distinguish it from qssb_append_syscall_default_policy() 2021-09-05 17:24:42 +02:00
25d8ed9bca check_policy_sanity(): Add syscall policy checks 2021-09-05 17:12:25 +02:00
f6af1bb78f policy: Add disable_syscall_filter policy. Add defaults only on enable.
Only add default syscall policy when disable_syscall_filter is 0 (default)
and no user-custom policy has been added.
2021-09-05 17:12:25 +02:00
9192ec3aa4 Rewrite syscall policy logic
Instead of having a blacklist and whitelist, we now allow
setting a policy that runs as a chain.

This adds qssb_append_syscalls_policy()

Furthermore, add a feature to decide per syscall which action to take.
This allows now to return an error instead of just killing the process.

In the future, it may allow us to set optimize/shrink the BPF filter.
2021-09-05 17:12:03 +02:00
51844ea3ab bpf: Deny x32 system calls for now
The arch field is the same for x86_64 and x32, thus checking it
is not enough.

Simply using x32 system calls would allow a bypass. Thus,
we must check whether the system call number is in __X32_SYSCALL_BIT.

This is of course a lazy solution, we could also add the
same system call number + _X32_SYSCALL_BIT to our black/whitelists.

For now however, this however will do.
2021-08-12 12:25:12 +02:00
66c6d28dcd bpf: Check arch value
The filter was missing this check for arch, allowing bypasses
by using different calling conventions of other architectures.

A trivial example is execve() of x86 from and x86_64 process.
2021-08-12 11:57:13 +02:00
5cd45c09b7 bpf: Use SECCOMP_RET_KILL_PROCESS instead SECCOMP_RET_KILL
We generally want to kill the process not the thread.
2021-08-12 11:40:29 +02:00
fa06287b13 Use new qssb_append_*_syscall functions, remove old fields 2021-08-12 11:37:19 +02:00
68694723fe Begin qssb_append_*_syscall family of functions
The purpose of these new functions is to make it simpler for users
to add new syscalls to the whitelist and blacklist.

The current approach uses a user-supplied pointer which however
was difficult to manage with "no_fs", which may add systemcalls
to the blacklist. Then we must resize arrays, and suddenly
it's our job to free them.

As a bonus, implementing them here allows easier data structure
changes and decreases the chances tgat users of this API
do something wrong, like forgetting -1 at then end, etc.
2021-08-12 11:37:19 +02:00
4a4d551e75 Introduce "no_fs" and "no_new_fd" options.
no_fs is a simple way to take away all
FS access, without constructing path_policies etc.

no_new_fd disallows opening any new
file descriptors
2021-08-10 16:58:43 +02:00
57238b535c Expand disallowed system calls
Relevant: #8
2021-08-10 16:57:44 +02:00
b4e8116c20 seccomp_enable_whitelist(): Fix comment 2021-08-10 16:55:58 +02:00
75f607bc35 qssb_append_path_policies(): Add explicit type cast for c++ 2021-08-07 12:05:58 +02:00
a585db7778 qssb_free_policy(): Allow passing NULL 2021-06-08 22:04:46 +02:00
55ec51ba21 Improve and add functions comments 2021-06-08 22:04:46 +02:00
a7c04537f7 Rename allowed_syscalls to whitelisted_syscalls for consistency 2021-06-05 20:15:09 +02:00
0b13f551f4 Fix stray = in #define 2021-06-05 14:03:42 +02:00
bb07b95993 Fix stray semicolon 2021-06-05 11:55:59 +02:00
d070268fca Add more system calls to blacklist 2021-05-29 23:15:04 +02:00
d6f4a37de8 Remove unused qssb_end_policy() 2021-05-22 22:36:01 +02:00
afb429e124 qssb_policy: Remove unused syscall_default_policy member 2021-05-22 22:35:26 +02:00
946492c28e qssb_free_policy(): free path policies 2021-05-22 20:05:31 +02:00
ad9c391e3f QSSB_FS_ALLOW_WRITE does not imply ALLOW_READ anymore
Landlock can handle write access without it implying read access,
in contrast to the existing bind mounts solution. Hence, remove
ALLOW_READ from ALLOW_WRITE bitmask.
2021-05-22 20:05:31 +02:00
fcebed557c Add qssb_append_path_polic{ies,y}: Convenience function to add path policies 2021-05-22 20:05:25 +02:00
bb02e40101 Begin landlock support 2021-05-15 23:30:05 +02:00
7e2d4139cb Begin check_policy_sanity(): Checks whether policy is reasonable
Issue: #3
2021-05-09 12:59:58 +02:00
6e6812e13d Introduce mount_path_policies_to_chroot option, changing path_policy enforcement logic
Previously, we needed chroot and bind mounts to enforce path_policies. Therefore,
in the presence of path policies, we had to explicitly create a chroot
dir.

With the coming landlock support, this is not required anymore.

However, one might still want to chroot and bind mount flags. But
path policies don't dictate that anymore.
2021-05-09 12:59:58 +02:00
edf144bbc7 Allow overriding HAVE_LANDLOCK irrespectible of kernel verison 2021-05-09 12:59:58 +02:00
67e1afc904 Remove unused policy flag QSSB_FS_ALLOW_NOTHING 2021-05-09 12:59:58 +02:00
2c94fe8225 qssb_path_policy: rename 'mountpoint' to 'path', make 'policy' unsigned 2021-05-09 12:59:58 +02:00
4674638e9a Add landlock policy flags if landlock is supported 2021-05-09 12:59:58 +02:00
8697fd8b84 qssb.h: Add copyright header 2021-05-09 10:02:31 +02:00
ed6a2a1067 Rename general QSSB_MOUNT* flags to QSSB_FS* 2021-05-09 09:35:17 +02:00
9df2e9ee90 seccomp_enable(): Replace param types with correct unsigned int versions 2021-04-18 13:24:49 +02:00
763c65c3fe qssb_enable_policy: check for empty str instead of NULL ptr
This was missed in 0a851790b8
2020-09-26 16:09:43 +02:00
dbdb35db37 Remove wrong static keywords from some qssb_*_policy functions 2020-04-13 23:00:33 +02:00
0a851790b8 change chroot_target_path from pointer to array
Fixes memory leak.

Breaks existing API.
2020-04-13 22:50:30 +02:00
60776be416 only chdir to / by default when actually chrooting and no dir given 2019-12-07 23:44:55 +01:00
ff2bc24c6b only create chroot directory when path policies are available 2019-12-07 23:26:27 +01:00
7547644013 silence multiple compiler warnings 2019-11-17 15:13:25 +01:00
8f104a231c bugfix: qssb_enable_policy: pointer to stack-local variable 2019-11-17 12:50:27 +01:00