Revīziju grafs

31 Revīzijas

Autors SHA1 Ziņojums Datums
70c3fef500 exile.h: Retire static child_read/write_pipe vars 2022-03-17 15:47:22 +01:00
69829374c7 exile.h: Move definitions to new file exile.c
Especially with exile_launch(), we will be included
from more than one translation unit. Thus, ODR becomes
a headache now.

So move definitions to exile.c.
2022-03-17 15:47:22 +01:00
93acb13929 test: Introduce LOG(), avoid inconsistent printf/fprintf 2022-03-17 15:47:22 +01:00
9247a6636b Introduce exile_vows_from_str() 2022-03-17 15:47:22 +01:00
ed54575b89 exile_launch(): Open another pipe to also write to child 2022-01-16 21:46:11 +01:00
080c0e53c2 test: test_mkpath(): Cleanup before run and on success 2022-01-16 21:46:11 +01:00
4adc13215b exile_append_path_policies(): Add sentinel macro, making *policy() version redundant 2022-01-16 21:46:11 +01:00
58bc50db61 test: Begin testing exile_launch*() 2022-01-16 21:46:11 +01:00
3780509078 Introduce flags indicating errors to catch non-checked return codes
Certain functions can fail before we execute exile_enable_policy().

While the return code should be checked, it's easily forgotten. For
most users, checking just the exile_enable_policy() return code
should suffice.

exile_append_path_policies(): Add check whether a path exists. If not,
set the error flag.

This also allows an early exit, allowing to cleanly handle the case
when a path does not exist. Previously, this was only caught
during activation, and a failure there is generally undefined.
2022-01-16 21:46:11 +01:00
3b61e90761 test: Add mkpath() test 2022-01-16 20:38:03 +01:00
55b43fdaac Rename our 'pledge' mechanism to 'vow'
Among other differences, pledge() from OpenBSD takes a string
and has exec promises. We don't.

Using the same name yet providing a different interface does not
appear reasonable.
2021-12-28 11:05:24 +01:00
6420ca1b40 Add landlock runtime detection
We cannot assume that landlock is enabled if we can compile it.
Even if it's enabled in the kernel it may still not be loaded.

We fill fallback to chroot/bind-mounts if we can.

If we can't (because path policies have landlock-specific options),
we can't do that either.

Closes: #21
2021-12-27 16:51:08 +01:00
77adf09d34 test: Add tests for exile_pledge() 2021-12-27 12:35:54 +01:00
7115ef8b4d Begin an pledge()-like implementation
This begins a pledge() implementation. This also
retires the previous syscall grouping approach,
as pledge() is the superior mechanism.

Squashed:
test: Begin basic pledge test
pledge: Begin EXILE_SYSCALL_PLEDGE_UNIX/EXILE_SYSCALL_PLEDGE_INET
test: Add pledge socket test
Introduce EXILE_SYSCALL_PLEDGE_DENY_ERROR, remove exile_policy->pledge_policy
pledge: Add PROT_EXEC
2021-12-27 12:35:54 +01:00
15a6850023 Begin low-level seccomp arg filter interface
Squashed:
test: Adjust existing to new API with arg filters
test: Add tests for low-level seccomp args filter API
test: Add seccomp_filter_mixed()
test: Switch to syscall() everywhere
append_syscall_to_bpf(): Apply EXILE_SYSCALL_EXIT_BPF_NO_MATCH also for sock_filter.jt
2021-12-27 12:35:54 +01:00
3407fded04 Add EXILE_FS_ALLOW_ALL_{READ,WRITE}
Issue: #19
2021-12-27 00:30:52 +01:00
1b4c5477a5 rename to exile.h
qssb.h was a preliminary name and can't be pronounced smoothly.

exile.h is more fitting and it's also short. Something exiled is essentially
something isolated, which is pretty much what this library does (isolation from
resources such as file system, network and others accessible by system calls).
2021-11-30 18:19:15 +01:00
435bcefa48 test: Skip landlock specific tests if unavailble during compile time 2021-11-20 19:25:30 +01:00
2a4cee2ece test: Use xqssb_enable_policy() throughout where reasonable 2021-11-20 16:56:19 +01:00
db17e58deb Assign syscalls into groups. Add whitelist mode (default).
Classify syscalls into groups, for x86_64 only for now.
Up to date for 5.15, generate some #ifndef for syscalls
introduced since 5.10. Only support x86_64 therefore at this point.

Switch from blacklisting to a default whitelist.
2021-11-14 21:46:47 +01:00
8a9b1730de test: Remove argc,argv from tests as there was no use for them 2021-09-05 17:12:25 +02:00
b2b501d97e test: Refactor: Put seccomp tests into child processes ; Simplfy .sh
Refactor the test logic. Seccomp tests that can be
killed run in their own subprocess now.

All test functions now return 0 on success. Therefore,
the shell script can be simplified.
2021-09-05 17:12:25 +02:00
26f391f736 test: implement test_seccomp_errno() 2021-09-05 17:12:25 +02:00
68fd1a0a87 test: test_seccomp_blacklisted_call_permitted(): Add missing default policy 2021-09-05 17:12:25 +02:00
c44ce85628 test: Add test ensuring seccomp ends with default rule, minor fixes 2021-09-05 17:12:25 +02:00
9192ec3aa4 Rewrite syscall policy logic
Instead of having a blacklist and whitelist, we now allow
setting a policy that runs as a chain.

This adds qssb_append_syscalls_policy()

Furthermore, add a feature to decide per syscall which action to take.
This allows now to return an error instead of just killing the process.

In the future, it may allow us to set optimize/shrink the BPF filter.
2021-09-05 17:12:03 +02:00
51844ea3ab bpf: Deny x32 system calls for now
The arch field is the same for x86_64 and x32, thus checking it
is not enough.

Simply using x32 system calls would allow a bypass. Thus,
we must check whether the system call number is in __X32_SYSCALL_BIT.

This is of course a lazy solution, we could also add the
same system call number + _X32_SYSCALL_BIT to our black/whitelists.

For now however, this however will do.
2021-08-12 12:25:12 +02:00
fa06287b13 Use new qssb_append_*_syscall functions, remove old fields 2021-08-12 11:37:19 +02:00
4a4d551e75 Introduce "no_fs" and "no_new_fd" options.
no_fs is a simple way to take away all
FS access, without constructing path_policies etc.

no_new_fd disallows opening any new
file descriptors
2021-08-10 16:58:43 +02:00
a7c04537f7 Rename allowed_syscalls to whitelisted_syscalls for consistency 2021-06-05 20:15:09 +02:00
85c01899a9 Start implementing tests 2021-06-05 20:11:07 +02:00