exile_enable_policy(): Only chdir() post chroot()

enter_namespaces(): Fix error message
Add EXILE_FS_ALLOW_ALL_{READ,WRITE}
2021-12-27 12:35:35 +01:00 · 2021-12-27 12:35:35 +01:00 · 2021-12-27 00:30:52 +01:00
2 changed files with 39 additions and 30 deletions
--- a/exile.h
+++ b/exile.h
@ -84,14 +84,18 @@
 #define EXILE_SYS(x) __NR_##x
-#define EXILE_FS_ALLOW_READ 1<<0
+/* Allow all read-effect operations on the path */
-#define EXILE_FS_ALLOW_WRITE (1<<1)
+#define EXILE_FS_ALLOW_ALL_READ 1<<0
 /* Allow all write-effect operations on the path, such as normal writes, creation/deletion of files */
 #define EXILE_FS_ALLOW_ALL_WRITE (1<<1)
 #define EXILE_FS_ALLOW_EXEC 1<<2
 #define EXILE_FS_ALLOW_DEV 1<<3
 #define EXILE_FS_ALLOW_SETUID 1<<4
 //don't mount recursive
 #define EXILE_MOUNT_NOT_REC 1<<5
 /* Fine-granular approach available with landlock */
 #if HAVE_LANDLOCK == 1
 #define EXILE_FS_ALLOW_REMOVE_DIR		(1 << 7)
 #define EXILE_FS_ALLOW_REMOVE_FILE		(1 << 8)
@ -1023,7 +1027,7 @@ static int get_policy_mount_flags(struct exile_path_policy *policy)
 		result |= MS_NOSUID;
 	}
-	if( (policy->policy & EXILE_FS_ALLOW_WRITE) == 0)
+	if( (policy->policy & EXILE_FS_ALLOW_ALL_WRITE) == 0)
 	{
 		result |= MS_RDONLY;
 	}
@ -1069,7 +1073,7 @@ static int mount_to_chroot(const char *chroot_target_path, struct exile_path_pol
 		mount_flags |= MS_BIND;
-		if(path_policy->policy & EXILE_FS_ALLOW_READ || path_policy->policy & EXILE_FS_ALLOW_WRITE)
+		if(path_policy->policy & EXILE_FS_ALLOW_ALL_READ || path_policy->policy & EXILE_FS_ALLOW_ALL_WRITE)
 		{
 			ret = mount(path_policy->path, path_inside_chroot,  NULL, mount_flags, NULL);
 			if(ret < 0 )
@ -1141,7 +1145,7 @@ static int enter_namespaces(int namespace_options)
 		}
 		if(fprintf(fp, "deny") < 0)
 		{
-			EXILE_LOG_ERROR("fprintf failed while trying to write uid_map\n");
+			EXILE_LOG_ERROR("fprintf failed while trying to write setgroups\n");
 			return -1;
 		}
 		fclose(fp);
@ -1329,6 +1333,19 @@ static int exile_enable_syscall_policy(struct exile_policy *policy)
 static unsigned int exile_flags_to_landlock(unsigned int flags)
 {
 	unsigned int result = 0;
 	if(flags & EXILE_FS_ALLOW_ALL_READ)
 	{
 		result |= LANDLOCK_ACCESS_FS_READ_FILE;
 		result |= LANDLOCK_ACCESS_FS_READ_DIR;
 	}
 	if(flags & EXILE_FS_ALLOW_ALL_WRITE)
 	{
 		result |= LANDLOCK_ACCESS_FS_MAKE_REG;
 		result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
 		result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
 		result |= LANDLOCK_ACCESS_FS_REMOVE_FILE;
 		result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
 	}
 	if(flags & EXILE_FS_ALLOW_DEV)
 	{
 		result |= LANDLOCK_ACCESS_FS_MAKE_BLOCK;
@ -1362,11 +1379,6 @@ static unsigned int exile_flags_to_landlock(unsigned int flags)
 	{
 		result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
 	}
 	if(flags & EXILE_FS_ALLOW_READ)
 	{
 		result |= LANDLOCK_ACCESS_FS_READ_FILE;
 		result |= LANDLOCK_ACCESS_FS_READ_DIR;
 	}
 	if(flags & EXILE_FS_ALLOW_REMOVE)
 	{
 		result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
@ -1384,11 +1396,6 @@ static unsigned int exile_flags_to_landlock(unsigned int flags)
 	{
 		result |= LANDLOCK_ACCESS_FS_EXECUTE;
 	}
 	if(flags & EXILE_FS_ALLOW_WRITE)
 	{
 		result |= LANDLOCK_ACCESS_FS_MAKE_REG;
 		result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
 	}
 	if(flags & EXILE_FS_ALLOW_WRITE_FILE)
 	{
 		result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
@ -1649,6 +1656,17 @@ int exile_enable_policy(struct exile_policy *policy)
 			EXILE_LOG_ERROR("chroot: failed to enter %s\n", policy->chroot_target_path);
 			return -1;
 		}
 		const char *chdir_target_path = policy->chdir_path;
 		if(chdir_target_path == NULL)
 		{
 			chdir_target_path = "/";
 		}
 		if(chdir(chdir_target_path) < 0)
 		{
 			EXILE_LOG_ERROR("chdir to %s failed\n", policy->chdir_path);
 			return -1;
 		}
 	}
 #if HAVE_LANDLOCK == 1
@ -1663,16 +1681,6 @@ int exile_enable_policy(struct exile_policy *policy)
 		}
 	}
 #endif
 	if(policy->chdir_path == NULL)
 	{
 		policy->chdir_path = "/";
 	}
 	if(policy->chdir_path != NULL && chdir(policy->chdir_path) < 0)
 	{
 		EXILE_LOG_ERROR("chdir to %s failed\n", policy->chdir_path);
 		return -1;
 	}
 	if(policy->no_fs)
 	{
@ -1735,6 +1743,7 @@ int exile_enable_policy(struct exile_policy *policy)
 		return exile_enable_syscall_policy(policy);
 	}
 	return 0;
 }
 #endif
--- a/test.c
+++ b/test.c
@ -203,7 +203,7 @@ static int test_seccomp_group()
 int test_landlock()
 {
 	struct exile_policy *policy = exile_init_policy();
-	exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/proc/self/fd");
+	exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/proc/self/fd");
 	xexile_enable_policy(policy);
 	int fd = open("/", O_RDONLY | O_CLOEXEC);
@ -217,7 +217,7 @@ int test_landlock()
 int test_landlock_deny_write()
 {
 	struct exile_policy *policy = exile_init_policy();
-	exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/tmp/");
+	exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/tmp/");
 	xexile_enable_policy(policy);
 	int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);
Author	SHA1	Message	Date
Albert S	48deab0dde	exile_enable_policy(): Only chdir() post chroot()	2021-12-27 12:35:35 +01:00
Albert S	ce7eb57998	enter_namespaces(): Fix error message	2021-12-27 12:35:35 +01:00
Albert S	3407fded04	Add EXILE_FS_ALLOW_ALL_{READ,WRITE} Issue: #19	2021-12-27 00:30:52 +01:00