Commit Graph

145 Commitit

Tekijä SHA1 Viesti Päivämäärä
bbbdfc44da exile.hpp: do_clone(): free stack memory 2022-05-29 19:25:53 +02:00
2dc61828f1 README: Clarify limitations 2022-04-29 21:25:21 +02:00
cdc265cedf c++: exile_launch(): Correct std::enable_if logic if type is a ptr 2022-04-29 21:23:53 +02:00
91858efa51 vows map: Add memfd_create, rseq 2022-04-22 08:37:34 +02:00
88995d214d README.md: Minor improvements (typos, rephrasing) 2022-04-07 00:04:52 +02:00
6eb47daf84 README: Update Debian section 2022-03-28 19:25:55 +02:00
8bf87717a5 vows: ioctl: Make TIOCSTI illegal even when IOCTL vow is set 2022-03-28 19:14:02 +02:00
bcaefffbe8 Improve various error messages 2022-03-28 19:04:28 +02:00
ed5098f2c6 README: Begin demo section 2022-03-17 17:10:38 +01:00
ea66ef76eb exile_flags_to_landlock(): Cover more with ALL_WRITE, except devices
More consistent with mount(), where MS_NODEV disallows those.

We may need to introduce a flag that simply allows everything
2022-03-17 15:47:22 +01:00
66def7a28f append_syscall_to_bpf(): Check for unlikely case of too many sock_filters 2022-03-17 15:47:22 +01:00
dbf8e87440 exile.hpp: Mark do_clone inline, not static 2022-03-17 15:47:22 +01:00
98421fab90 Makefile: Build exile.o separately, link it in all tests 2022-03-17 15:47:22 +01:00
70c3fef500 exile.h: Retire static child_read/write_pipe vars 2022-03-17 15:47:22 +01:00
69829374c7 exile.h: Move definitions to new file exile.c
Especially with exile_launch(), we will be included
from more than one translation unit. Thus, ODR becomes
a headache now.

So move definitions to exile.c.
2022-03-17 15:47:22 +01:00
005851c645 exile.h: Add extern "C" guards 2022-03-17 15:47:22 +01:00
95fa11e928 c++: Add explicit exile_launch() std::basic_string variant 2022-03-17 15:47:22 +01:00
97e2025758 c++: Retire exile_launch_trivial(), use std::enable_if 2022-03-17 15:47:22 +01:00
8cfb73568a Makefile: Add 'tests' target, depend on headers too to rebuild on changes of those 2022-03-17 15:47:22 +01:00
e7a5ba7f7f test.sh: Also run C++ tests 2022-03-17 15:47:22 +01:00
e52eda186b Add test.cpp to test C++ API 2022-03-17 15:47:22 +01:00
90ed5bbae9 Begin C++ API: Add exile.hpp with exile_launch() wrappers 2022-03-17 15:47:22 +01:00
48b6de9036 struct syscall_vow_map: change 'str' to const char* 2022-03-17 15:47:22 +01:00
93acb13929 test: Introduce LOG(), avoid inconsistent printf/fprintf 2022-03-17 15:47:22 +01:00
9247a6636b Introduce exile_vows_from_str() 2022-03-17 15:47:22 +01:00
4a3ac8e0bc exile_launch(): Improve handling/logging of errors 2022-01-16 21:46:11 +01:00
ed54575b89 exile_launch(): Open another pipe to also write to child 2022-01-16 21:46:11 +01:00
0caff45600 EXILE_LOG_ERROR: Prepend function name 2022-01-16 21:46:11 +01:00
080c0e53c2 test: test_mkpath(): Cleanup before run and on success 2022-01-16 21:46:11 +01:00
4adc13215b exile_append_path_policies(): Add sentinel macro, making *policy() version redundant 2022-01-16 21:46:11 +01:00
bf29edf213 Update README with most recent draft 2022-01-16 21:46:11 +01:00
68bfd7e66c Update copyright header 2022-01-16 21:46:11 +01:00
58bc50db61 test: Begin testing exile_launch*() 2022-01-16 21:46:11 +01:00
1e63fa75ef Introduce exile_launch*(): Simplifies launching functions protected by policy
Those functions clone(), then activate the specified policy.
They then jump to the supplied function and pass an argument to it.

exile_launch() returns a read file descriptor, that can be
used by the parent process to get the data.

exile_launch_get() is a convenience wrapper, return a buffer
containing everything read from the sandboxed function.
2022-01-16 21:46:11 +01:00
6c44c88397 create_chroot_dirs(): Correct comment 2022-01-16 21:46:11 +01:00
3780509078 Introduce flags indicating errors to catch non-checked return codes
Certain functions can fail before we execute exile_enable_policy().

While the return code should be checked, it's easily forgotten. For
most users, checking just the exile_enable_policy() return code
should suffice.

exile_append_path_policies(): Add check whether a path exists. If not,
set the error flag.

This also allows an early exit, allowing to cleanly handle the case
when a path does not exist. Previously, this was only caught
during activation, and a failure there is generally undefined.
2022-01-16 21:46:11 +01:00
fd4dfb12f0 vow: Add prlimit64(),arch_prctl() 2022-01-16 21:46:11 +01:00
a9e6b3ee67 chroot: Create all paths first, then mount
We mounted after creating dirs, this was potentially problematic
for the next path policy to follow.

Perform two passes on the path_policies list, first creates all
dirs, second does the mounts.
2022-01-16 21:46:11 +01:00
3b61e90761 test: Add mkpath() test 2022-01-16 20:38:03 +01:00
0e27b19999 Handle files for bind-mounts too, rename mkdir_structure() to mkpath() 2022-01-16 20:38:03 +01:00
ff70142e04 exile_flags_to_landlock(): Only add flags for a path that a reasonable 2022-01-08 12:19:31 +01:00
4824c6eaa9 check_policy_sanity(): Traverse path_policy list only if no landlock available 2021-12-29 11:03:51 +01:00
9048a3b4fe append_syscall_to_bpf(): Improve readability 2021-12-29 11:03:51 +01:00
0b54e73ff4 Rework get_vow_argfilter() for readability and easiness
The previous approach had too many special cases, was quite
error-prone when changing things and a bit messy in general.
2021-12-29 11:03:51 +01:00
b2306299d5 vow: fix clone filter broken by ca0f8279 2021-12-28 13:17:20 +01:00
55b43fdaac Rename our 'pledge' mechanism to 'vow'
Among other differences, pledge() from OpenBSD takes a string
and has exec promises. We don't.

Using the same name yet providing a different interface does not
appear reasonable.
2021-12-28 11:05:24 +01:00
6420ca1b40 Add landlock runtime detection
We cannot assume that landlock is enabled if we can compile it.
Even if it's enabled in the kernel it may still not be loaded.

We fill fallback to chroot/bind-mounts if we can.

If we can't (because path policies have landlock-specific options),
we can't do that either.

Closes: #21
2021-12-27 16:51:08 +01:00
98c76089de Handle new 5.16 syscall: futex_waitv 2021-12-27 14:26:37 +01:00
631980b775 Include linux/capability.h instead of sys/capability.h
Some distros put sys/capability.h into libcap-dev or
similiar, which is a bit unforunate, we don't need
libcap-dev or anything like that.

Since we anyway only used the capget()/capset(), we can
just define a simple wrapper and call the syscall directly
and therefore avoid above mentioned issue.
2021-12-27 14:15:50 +01:00
0be081c55d Merge get_pledge_argfilter() with get_pledge_argfilter() 2021-12-27 14:11:58 +01:00