d070268fca
Add more system calls to blacklist
2021-05-29 23:15:04 +02:00
d6f4a37de8
Remove unused qssb_end_policy()
2021-05-22 22:36:01 +02:00
afb429e124
qssb_policy: Remove unused syscall_default_policy member
2021-05-22 22:35:26 +02:00
946492c28e
qssb_free_policy(): free path policies
2021-05-22 20:05:31 +02:00
ad9c391e3f
QSSB_FS_ALLOW_WRITE does not imply ALLOW_READ anymore
...
Landlock can handle write access without it implying read access,
in contrast to the existing bind mounts solution. Hence, remove
ALLOW_READ from ALLOW_WRITE bitmask.
2021-05-22 20:05:31 +02:00
fcebed557c
Add qssb_append_path_polic{ies,y}: Convenience function to add path policies
2021-05-22 20:05:25 +02:00
bb02e40101
Begin landlock support
2021-05-15 23:30:05 +02:00
7e2d4139cb
Begin check_policy_sanity(): Checks whether policy is reasonable
...
Issue: #3
2021-05-09 12:59:58 +02:00
6e6812e13d
Introduce mount_path_policies_to_chroot option, changing path_policy enforcement logic
...
Previously, we needed chroot and bind mounts to enforce path_policies. Therefore,
in the presence of path policies, we had to explicitly create a chroot
dir.
With the coming landlock support, this is not required anymore.
However, one might still want to chroot and bind mount flags. But
path policies don't dictate that anymore.
2021-05-09 12:59:58 +02:00
edf144bbc7
Allow overriding HAVE_LANDLOCK irrespectible of kernel verison
2021-05-09 12:59:58 +02:00
67e1afc904
Remove unused policy flag QSSB_FS_ALLOW_NOTHING
2021-05-09 12:59:58 +02:00
2c94fe8225
qssb_path_policy: rename 'mountpoint' to 'path', make 'policy' unsigned
2021-05-09 12:59:58 +02:00
4674638e9a
Add landlock policy flags if landlock is supported
2021-05-09 12:59:58 +02:00
8697fd8b84
qssb.h: Add copyright header
2021-05-09 10:02:31 +02:00
ed6a2a1067
Rename general QSSB_MOUNT* flags to QSSB_FS*
2021-05-09 09:35:17 +02:00
9df2e9ee90
seccomp_enable(): Replace param types with correct unsigned int versions
2021-04-18 13:24:49 +02:00
763c65c3fe
qssb_enable_policy: check for empty str instead of NULL ptr
...
This was missed in 0a851790b8
2020-09-26 16:09:43 +02:00
dbdb35db37
Remove wrong static keywords from some qssb_*_policy functions
2020-04-13 23:00:33 +02:00
0a851790b8
change chroot_target_path from pointer to array
...
Fixes memory leak.
Breaks existing API.
2020-04-13 22:50:30 +02:00
60776be416
only chdir to / by default when actually chrooting and no dir given
2019-12-07 23:44:55 +01:00
ff2bc24c6b
only create chroot directory when path policies are available
2019-12-07 23:26:27 +01:00
7547644013
silence multiple compiler warnings
2019-11-17 15:13:25 +01:00
8f104a231c
bugfix: qssb_enable_policy: pointer to stack-local variable
2019-11-17 12:50:27 +01:00
fbf51e095f
introduce path policies, replacing readonly/writable paths vars
2019-11-16 23:35:08 +01:00
1b8504c052
updated README
2019-11-15 21:53:26 +01:00
6f1b27ee51
qssb_init_policy: explicit cast (for C++)
2019-11-15 21:40:56 +01:00
ee6bd18027
begin a default blacklist of syscalls
2019-11-15 21:17:33 +01:00
8298a30e7c
make PATH_MAX consistent across all buffers throughout the code
2019-11-10 12:29:53 +01:00
338e578350
seccomp_enable: fix unused default_action parameter
2019-11-10 12:10:37 +01:00
069349eaf6
generate a random directory for chroot if none given
2019-11-10 12:08:35 +01:00
1de1ae0b32
introduce bitmasks indicating which namespaces to unshare
2019-11-09 21:13:40 +01:00
bad600b3a8
set #defines only if not set already
2019-11-09 20:55:12 +01:00
a7c6ef6c57
bind mount recursively
2019-11-09 16:27:54 +01:00
7a2cf18c19
check drop_caps() return value ; silence compiler warning
2019-11-09 15:47:08 +01:00
200cd7878c
Initial commit
2019-11-09 15:41:54 +01:00