

2 Commits

ebe043c08d Fix missing \n in some error outputs 2021-09-12 19:50:05 +02:00
8bc0d1e73a Use overflow-safe operator builtins
As a precaution, since it does not hurt.
2021-09-12 19:47:45 +02:00

34
qssb.h

@ -250,8 +250,8 @@ static int qssb_entry_append(struct qssb_allocated_entry *entry, void *data, siz
if(remaining < bytes) if(remaining < bytes)
{ {
size_t expandval = QSSB_ENTRY_ALLOC_SIZE > bytes ? QSSB_ENTRY_ALLOC_SIZE : bytes; size_t expandval = QSSB_ENTRY_ALLOC_SIZE > bytes ? QSSB_ENTRY_ALLOC_SIZE : bytes;
size_t sizenew = entry->size + expandval; size_t sizenew = 0;
if(sizenew < entry->size) if(__builtin_add_overflow(entry->size, expandval, &sizenew))
{ {
QSSB_LOG_ERROR("overflow in qssb_entry_append\n"); QSSB_LOG_ERROR("overflow in qssb_entry_append\n");
return -EINVAL; return -EINVAL;
@ -273,7 +273,13 @@ static int qssb_entry_append(struct qssb_allocated_entry *entry, void *data, siz
static int qssb_append_syscall(struct qssb_allocated_entry *entry, long *syscalls, size_t n) static int qssb_append_syscall(struct qssb_allocated_entry *entry, long *syscalls, size_t n)
{ {
return qssb_entry_append(entry, syscalls, n * sizeof(long)); size_t bytes = 0;
if(__builtin_mul_overflow(n, sizeof(long), &bytes))
{
QSSB_LOG_ERROR("Overflow while trying to add system calls\n");
return -EINVAL;
}
return qssb_entry_append(entry, syscalls, bytes);
} }
static int is_valid_syscall_policy(unsigned int policy) static int is_valid_syscall_policy(unsigned int policy)
@ -561,7 +567,7 @@ static int mount_to_chroot(const char *chroot_target_path, struct qssb_path_poli
ret = mount(NULL, path_inside_chroot, NULL, mount_flags | MS_REMOUNT, NULL); ret = mount(NULL, path_inside_chroot, NULL, mount_flags | MS_REMOUNT, NULL);
if(ret < 0 ) if(ret < 0 )
{ {
QSSB_LOG_ERROR("Error: Failed to remount %s: %s", path_inside_chroot, strerror(errno)); QSSB_LOG_ERROR("Error: Failed to remount %s: %s\n", path_inside_chroot, strerror(errno));
return ret; return ret;
} }
} }
@ -664,7 +670,7 @@ static int drop_caps()
if(res == -1 && errno != EINVAL) if(res == -1 && errno != EINVAL)
{ {
QSSB_LOG_ERROR("Failed to drop the capability bounding set!"); QSSB_LOG_ERROR("Failed to drop the capability bounding set!\n");
return -errno; return -errno;
} }
@ -743,12 +749,24 @@ static int qssb_enable_syscall_policy(struct qssb_policy *policy)
{ {
if(!is_valid_syscall_policy(current_policy->policy)) if(!is_valid_syscall_policy(current_policy->policy))
{ {
QSSB_LOG_ERROR("invalid syscall policy specified"); QSSB_LOG_ERROR("invalid syscall policy specified\n");
return -1; return -1;
} }
long *syscalls = NULL; long *syscalls = NULL;
size_t n = 0; size_t n = 0;
get_syscall_array(current_policy, &syscalls, &n); get_syscall_array(current_policy, &syscalls, &n);
unsigned short int newsize;
if(__builtin_add_overflow(current_filter_index, n, &newsize))
{
QSSB_LOG_ERROR("Overflow when trying to add new system calls\n");
return -EINVAL;
}
if(newsize > (sizeof(filter)/sizeof(filter[0]))-1)
{
QSSB_LOG_ERROR("Too many system calls added\n");
return -EINVAL;
}
append_syscalls_to_bpf(syscalls, n, current_policy->policy, filter, &current_filter_index); append_syscalls_to_bpf(syscalls, n, current_policy->policy, filter, &current_filter_index);
current_policy = current_policy->next; current_policy = current_policy->next;
} }
@ -854,7 +872,7 @@ static int landlock_prepare_ruleset(struct qssb_path_policy *policies)
ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
if (ruleset_fd < 0) if (ruleset_fd < 0)
{ {
QSSB_LOG_ERROR("Failed to create landlock ruleset"); QSSB_LOG_ERROR("Failed to create landlock ruleset\n");
return -1; return -1;
} }
struct qssb_path_policy *policy = policies; struct qssb_path_policy *policy = policies;
@ -924,7 +942,7 @@ static int check_policy_sanity(struct qssb_policy *policy)
} }
if(policy->no_fs == 1) if(policy->no_fs == 1)
{ {
QSSB_LOG_ERROR("If path_policies are specified, no_fs cannot be set to 1"); QSSB_LOG_ERROR("If path_policies are specified, no_fs cannot be set to 1\n");
return -1; return -1;
} }
} }
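Review bot: The new bound check in the -743 hunk, `if(newsize > (sizeof(filter)/sizeof(filter[0]))-1)`, reserves room for exactly `n` more entries plus one trailing slot, so it is only sufficient if `append_syscalls_to_bpf` emits a single instruction per syscall; if it emits more per entry (a compare plus a return is common in seccomp filters), the check still lets the write run past the end of `filter`. Consider expressing the limit in terms of what `append_syscalls_to_bpf` actually emits, e.g. multiplying `n` by a named per-syscall instruction count (placeholder: `QSSB_BPF_INSNS_PER_SYSCALL`) inside the overflow-checked sum, and having `append_syscalls_to_bpf` itself fail when the index would exceed the array rather than relying on the caller's arithmetic. The overflow check also silently assumes `current_filter_index` is an `unsigned short int`; declaring `newsize` via `__typeof__(current_filter_index) newsize;` keeps the two types from drifting apart. Finally, `__builtin_add_overflow`/`__builtin_mul_overflow` (here and in the -250 and -273 hunks) are GCC/Clang extensions, so the header should either document that compiler requirement or guard them with a `#if defined(__GNUC__)` fallback. qssb_enable_syscall_policy starts and ends outside this hunk.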