


6420ca1b40 Add landlock runtime detection
We cannot assume that landlock is enabled if we can compile it.
Even if it's enabled in the kernel it may still not be loaded.

We will fall back to chroot/bind-mounts if we can.

If we can't (because path policies have landlock-specific options),
we can't do that either.

Closes: #21
2021-12-27 16:51:08 +01:00
98c76089de Handle new 5.16 syscall: futex_waitv 2021-12-27 14:26:37 +01:00
631980b775 Include linux/capability.h instead of sys/capability.h
Some distros put sys/capability.h into libcap-dev or
similar, which is a bit unfortunate; we don't need
libcap-dev or anything like that.

Since we only used capget()/capset() anyway, we can
just define a simple wrapper and call the syscall directly
and therefore avoid the above-mentioned issue.
2021-12-27 14:15:50 +01:00
0be081c55d Merge get_pledge_argfilter() with get_pledge_argfilter() 2021-12-27 14:11:58 +01:00
ca0f82790c Use some macros to increase readabiltiy of BPF rules 2021-12-27 12:35:54 +01:00
77adf09d34 test: Add tests for exile_pledge() 2021-12-27 12:35:54 +01:00
bcab0377f1 Add exile_pledge(): A convenience wrapper
exile_pledge() adds seccomp filters derived from the
promises.
2021-12-27 12:35:54 +01:00
b469a82eec pledge: Allow NO_NEW_PRIVS prctls
Retrieving it does no harm. It cannot be unset once set, thus
no harm in allowing to set it either.
2021-12-27 12:35:54 +01:00
6711b394d9 pledge: Add EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL to allow adding further seccomp filters 2021-12-27 12:35:54 +01:00
9abbc7510c Introduce exile_create_policy(): Creates an clean/empty policy.
exile_create_policy() creates an empty policy that can be
used by the exile.h API.

exile_init_policy() sets opinionated default values.
2021-12-27 12:35:54 +01:00
029762e894 pledge: Add EXILE_SYSCALL_PLEDGE_IOCTL to allow ioctl() without argfilters 2021-12-27 12:35:54 +01:00
6b513f8339 pledge: Add prctl() default filter 2021-12-27 12:35:54 +01:00
d2357ac676 pledge: Introduce clone() filter and EXILE_SYSCALL_PLEDGE_THREAD 2021-12-27 12:35:54 +01:00
0b0dda0de1 pledge: Begin filter for setsockopt() args 2021-12-27 12:35:54 +01:00
7115ef8b4d Begin an pledge()-like implementation
This begins a pledge() implementation. This also
retires the previous syscall grouping approach,
as pledge() is the superior mechanism.

Squashed:
test: Begin basic pledge test
pledge: Begin EXILE_SYSCALL_PLEDGE_UNIX/EXILE_SYSCALL_PLEDGE_INET
test: Add pledge socket test
Introduce EXILE_SYSCALL_PLEDGE_DENY_ERROR, remove exile_policy->pledge_policy
pledge: Add PROT_EXEC
2021-12-27 12:35:54 +01:00
15a6850023 Begin low-level seccomp arg filter interface
Squashed:
test: Adjust existing to new API with arg filters
test: Add tests for low-level seccomp args filter API
test: Add seccomp_filter_mixed()
test: Switch to syscall() everywhere
append_syscall_to_bpf(): Apply EXILE_SYSCALL_EXIT_BPF_NO_MATCH also for sock_filter.jt
2021-12-27 12:35:54 +01:00
4 изменённых файлов: 970 добавлений и 1027 удалений

1340
exile.h



@ -1,55 +0,0 @@
#!/usr/bin/python
import sys
import re
if len(sys.argv) < 2:
print("Usage: gengroup groupfile")
sys.exit(1)
fd = open(sys.argv[1], "r")
lines = fd.read().splitlines()
groupnames = set()
ifndef = dict()
def print_ifndefs():
for name in ifndef:
print("#ifndef __NR_%s" % name)
print("#define __NR_%s %s" % (name, ifndef[name]))
print("#endif")
def print_defines(names):
names = sorted(names)
i = 0
for name in names:
define = "#define %s ((uint64_t)1<<%s)" % (name, i)
print(define)
i = i + 1
for line in lines:
if line[0] == '#':
continue
splitted = line.split(' ')
if len(splitted) < 2:
print("Misformated line:", line)
sys.exit(1)
currentsyscall = splitted[0]
currentgroups = splitted[1].split(',')
flags = splitted[2] if len(splitted) > 2 else ""
if any( not s or s.isspace() for s in currentgroups ):
print("Misformated line (empty values):", line)
sys.exit(1)
groupnames.update(currentgroups)
genifndef = re.match(r"genifndef\((\d+)*\)", flags)
if genifndef:
ifndef[currentsyscall] = genifndef.groups(1)[0]
array_line = "{EXILE_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups))
print(array_line)
print_ifndefs()
print_defines(groupnames)


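--- a/PATH_NOT_SHOWN_deleted_syscall_groups_file
+++ /dev/null
@@ -1,363 +0,0 @@
-# Assign system calls to groups. In the future, may also include simple arg filtering.
-read EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-write EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-open EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-close EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-stat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-lstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-poll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-lseek EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-mmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-mprotect EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-munmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-brk EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigaction EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigprocmask EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigreturn EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-ioctl EXILE_SYSCGROUP_IOCTL,EXILE_SYSCGROUP_DEFAULT_ALLOW
-pread64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-pwrite64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-readv EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-writev EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-access EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-pipe EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-select EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-sched_yield EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
-mremap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-msync EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-mincore EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-madvise EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-shmget EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-shmat EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-shmctl EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-dup EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-dup2 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-pause EXILE_SYSCGROUP_PAUSE,EXILE_SYSCGROUP_DEFAULT_ALLOW
-nanosleep EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
-alarm EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getpid EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-sendfile EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-socket EXILE_SYSCGROUP_SOCKET
-connect EXILE_SYSCGROUP_SOCKET
-accept EXILE_SYSCGROUP_SOCKET
-sendto EXILE_SYSCGROUP_SOCKET
-recvfrom EXILE_SYSCGROUP_SOCKET
-sendmsg EXILE_SYSCGROUP_SOCKET
-recvmsg EXILE_SYSCGROUP_SOCKET
-shutdown EXILE_SYSCGROUP_SOCKET
-bind EXILE_SYSCGROUP_SOCKET
-listen EXILE_SYSCGROUP_SOCKET
-getsockname EXILE_SYSCGROUP_SOCKET
-getpeername EXILE_SYSCGROUP_SOCKET
-socketpair EXILE_SYSCGROUP_SOCKET,EXILE_SYSCGROUP_IPC
-setsockopt EXILE_SYSCGROUP_SOCKET
-getsockopt EXILE_SYSCGROUP_SOCKET
-clone EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
-fork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
-vfork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
-execve EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_EXEC
-exit EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_DEFAULT_ALLOW
-wait4 EXILE_SYSCGROUP_EXEC
-kill EXILE_SYSCGROUP_KILL
-uname EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
-semget EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-semop EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-semctl EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-shmdt EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-msgget EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-msgsnd EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-msgrcv EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-msgctl EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-fcntl EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-flock EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-fsync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-fdatasync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-truncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-ftruncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-getdents EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-getcwd EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-chdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fchdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-rename EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-mkdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-rmdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-creat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-link EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-unlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-symlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-readlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-chmod EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fchmod EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-chown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-lchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-umask EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW
-gettimeofday EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getrlimit EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getrusage EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
-sysinfo EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
-times EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
-ptrace EXILE_SYSCGROUP_PTRACE,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-syslog EXILE_SYSCGROUP_SYS
-getgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setuid EXILE_SYSCGROUP_ID
-setgid EXILE_SYSCGROUP_ID
-geteuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getegid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setpgid EXILE_SYSCGROUP_ID
-getppid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getpgrp EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setsid EXILE_SYSCGROUP_ID
-setreuid EXILE_SYSCGROUP_ID
-setregid EXILE_SYSCGROUP_ID
-getgroups EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setgroups EXILE_SYSCGROUP_ID
-setresuid EXILE_SYSCGROUP_ID
-getresuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setresgid EXILE_SYSCGROUP_ID
-getresgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getpgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setfsuid EXILE_SYSCGROUP_ID
-setfsgid EXILE_SYSCGROUP_ID
-getsid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-capget EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-capset EXILE_SYSCGROUP_ID
-rt_sigpending EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigtimedwait EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigqueueinfo EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigsuspend EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-sigaltstack EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
-utime EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_FS
-mknod EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_FS
-uselib EXILE_SYSCGROUP_LIB,EXILE_SYSCGROUP_DEFAULT_ALLOW
-personality EXILE_SYSCGROUP_PROCESS
-ustat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
-statfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
-fstatfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
-sysfs EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_FS
-getpriority EXILE_SYSCGROUP_SCHED
-setpriority EXILE_SYSCGROUP_SCHED
-sched_setparam EXILE_SYSCGROUP_SCHED
-sched_getparam EXILE_SYSCGROUP_SCHED
-sched_setscheduler EXILE_SYSCGROUP_SCHED
-sched_getscheduler EXILE_SYSCGROUP_SCHED
-sched_get_priority_max EXILE_SYSCGROUP_SCHED
-sched_get_priority_min EXILE_SYSCGROUP_SCHED
-sched_rr_get_interval EXILE_SYSCGROUP_SCHED
-mlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-munlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-mlockall EXILE_SYSCGROUP_MEMORY
-munlockall EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-vhangup EXILE_SYSCGROUP_TTY
-modify_ldt EXILE_SYSCGROUP_PROCESS
-pivot_root EXILE_SYSCGROUP_CHROOT
-_sysctl EXILE_SYSCGROUP_SYS
-prctl EXILE_SYSCGROUP_PROCESS
-arch_prctl EXILE_SYSCGROUP_PROCESS
-adjtimex EXILE_SYSCGROUP_CLOCK
-setrlimit EXILE_SYSCGROUP_RES
-chroot EXILE_SYSCGROUP_CHROOT,EXILE_SYSCGROUP_FS
-sync EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-acct EXILE_SYSCGROUP_PROCESS
-settimeofday EXILE_SYSCGROUP_TIME
-mount EXILE_SYSCGROUP_MOUNT,EXILE_SYSCGROUP_FS
-umount2 EXILE_SYSCGROUP_UMOUNT,EXILE_SYSCGROUP_FS
-swapon EXILE_SYSCGROUP_SWAP
-swapoff EXILE_SYSCGROUP_SWAP
-reboot EXILE_SYSCGROUP_POWER
-sethostname EXILE_SYSCGROUP_HOST
-setdomainname EXILE_SYSCGROUP_HOST
-iopl EXILE_SYSCGROUP_IOPL
-ioperm EXILE_SYSCGROUP_IOPL
-create_module EXILE_SYSCGROUP_KMOD
-init_module EXILE_SYSCGROUP_KMOD
-delete_module EXILE_SYSCGROUP_KMOD
-get_kernel_syms EXILE_SYSCGROUP_KMOD
-query_module EXILE_SYSCGROUP_KMOD
-quotactl EXILE_SYSCGROUP_QUOTA
-nfsservctl EXILE_SYSCGROUP_NONE
-getpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
-putpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
-afs_syscall EXILE_SYSCGROUP_UNIMPLEMENTED
-tuxcall EXILE_SYSCGROUP_UNIMPLEMENTED
-security EXILE_SYSCGROUP_UNIMPLEMENTED
-gettid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_THREAD
-readahead EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
-setxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-lsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-fsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-getxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-lgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-listxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-llistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-flistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-removexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-lremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-fremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-tkill EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
-time EXILE_SYSCGROUP_TIME
-futex EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_FUTEX
-sched_setaffinity EXILE_SYSCGROUP_SCHED
-sched_getaffinity EXILE_SYSCGROUP_SCHED
-set_thread_area EXILE_SYSCGROUP_THREAD
-io_setup EXILE_SYSCGROUP_IO
-io_destroy EXILE_SYSCGROUP_IO
-io_getevents EXILE_SYSCGROUP_IO
-io_submit EXILE_SYSCGROUP_IO
-io_cancel EXILE_SYSCGROUP_IO
-get_thread_area EXILE_SYSCGROUP_THREAD
-lookup_dcookie EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
-epoll_create EXILE_SYSCGROUP_STDIO
-epoll_ctl_old EXILE_SYSCGROUP_STDIO
-epoll_wait_old EXILE_SYSCGROUP_STDIO
-remap_file_pages EXILE_SYSCGROUP_NONE
-getdents64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
-set_tid_address EXILE_SYSCGROUP_THREAD
-restart_syscall EXILE_SYSCGROUP_SYSCALL
-semtimedop EXILE_SYSCGROUP_SEM
-fadvise64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
-timer_create EXILE_SYSCGROUP_TIMER
-timer_settime EXILE_SYSCGROUP_TIMER
-timer_gettime EXILE_SYSCGROUP_TIMER
-timer_getoverrun EXILE_SYSCGROUP_TIMER
-timer_delete EXILE_SYSCGROUP_TIMER
-clock_settime EXILE_SYSCGROUP_TIME
-clock_gettime EXILE_SYSCGROUP_TIME
-clock_getres EXILE_SYSCGROUP_TIME
-clock_nanosleep EXILE_SYSCGROUP_TIME
-exit_group EXILE_SYSCGROUP_EXIT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-epoll_wait EXILE_SYSCGROUP_FD
-epoll_ctl EXILE_SYSCGROUP_FD
-tgkill EXILE_SYSCGROUP_SIGNAL,EXILE_SYSCGROUP_THREAD
-utimes EXILE_SYSCGROUP_PATH
-vserver EXILE_SYSCGROUP_UNIMPLEMENTED
-mbind EXILE_SYSCGROUP_MEMORY
-set_mempolicy EXILE_SYSCGROUP_MEMORY
-get_mempolicy EXILE_SYSCGROUP_MEMORY
-mq_open EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-mq_unlink EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-mq_timedsend EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-mq_timedreceive EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-mq_notify EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-mq_getsetattr EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-kexec_load EXILE_SYSCGROUP_KEXEC
-waitid EXILE_SYSCGROUP_SIGNAL
-add_key EXILE_SYSCGROUP_KEYS
-request_key EXILE_SYSCGROUP_KEYS
-keyctl EXILE_SYSCGROUP_KEYS
-ioprio_set EXILE_SYSCGROUP_PRIO
-ioprio_get EXILE_SYSCGROUP_PRIO
-inotify_init EXILE_SYSCGROUP_INOTIFY
-inotify_add_watch EXILE_SYSCGROUP_INOTIFY
-inotify_rm_watch EXILE_SYSCGROUP_INOTIFY
-migrate_pages EXILE_SYSCGROUP_PROCESS
-openat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-mkdirat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-mknodat EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fchownat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-futimesat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-newfstatat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-unlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-renameat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-linkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-symlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-readlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fchmodat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-faccessat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-pselect6 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-ppoll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-unshare EXILE_SYSCGROUP_NS,EXILE_SYSCGROUP_FS
-set_robust_list EXILE_SYSCGROUP_FUTEX
-get_robust_list EXILE_SYSCGROUP_FUTEX
-splice EXILE_SYSCGROUP_FD
-tee EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-sync_file_range EXILE_SYSCGROUP_FD
-vmsplice EXILE_SYSCGROUP_FD
-move_pages EXILE_SYSCGROUP_PROCESS
-utimensat EXILE_SYSCGROUP_PATH
-epoll_pwait EXILE_SYSCGROUP_STDIO
-signalfd EXILE_SYSCGROUP_SIGNAL
-timerfd_create EXILE_SYSCGROUP_TIMER
-eventfd EXILE_SYSCGROUP_FD
-fallocate EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
-timerfd_settime EXILE_SYSCGROUP_TIMER
-timerfd_gettime EXILE_SYSCGROUP_TIMER
-accept4 EXILE_SYSCGROUP_SOCKET
-signalfd4 EXILE_SYSCGROUP_FD
-eventfd2 EXILE_SYSCGROUP_FD
-epoll_create1 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-dup3 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-pipe2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-inotify_init1 EXILE_SYSCGROUP_INOTIFY
-preadv EXILE_SYSCGROUP_STDIO
-pwritev EXILE_SYSCGROUP_STDIO
-rt_tgsigqueueinfo EXILE_SYSCGROUP_RT
-perf_event_open EXILE_SYSCGROUP_PERF
-recvmmsg EXILE_SYSCGROUP_SOCKET
-fanotify_init EXILE_SYSCGROUP_FANOTIFY
-fanotify_mark EXILE_SYSCGROUP_FANOTIFY
-prlimit64 EXILE_SYSCGROUP_RES
-name_to_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
-open_by_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
-clock_adjtime EXILE_SYSCGROUP_CLOCK
-syncfs EXILE_SYSCGROUP_FD
-sendmmsg EXILE_SYSCGROUP_SOCKET
-setns EXILE_SYSCGROUP_NS
-getcpu EXILE_SYSCGROUP_SCHED
-#maybe IPC, but feels wrong
-process_vm_readv EXILE_SYSCGROUP_NONE
-process_vm_writev EXILE_SYSCGROUP_NONE
-kcmp EXILE_SYSCGROUP_NONE
-finit_module EXILE_SYSCGROUP_KMOD
-sched_setattr EXILE_SYSCGROUP_SCHED
-sched_getattr EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
-renameat2 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW
-seccomp EXILE_SYSCGROUP_NONE
-getrandom EXILE_SYSCGROUP_DEFAULT_ALLOW
-memfd_create EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-kexec_file_load EXILE_SYSCGROUP_KEXEC
-bpf EXILE_SYSCGROUP_NONE
-execveat EXILE_SYSCGROUP_EXEC
-userfaultfd EXILE_SYSCGROUP_NONE
-membarrier EXILE_SYSCGROUP_NONE
-mlock2 EXILE_SYSCGROUP_MEMORY
-copy_file_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-preadv2 EXILE_SYSCGROUP_STDIO
-pwritev2 EXILE_SYSCGROUP_STDIO
-#Those are newer than 5.10, wrap them in ifndef so we can compile on old systems
-pkey_mprotect EXILE_SYSCGROUP_PKEY genifndef(329)
-pkey_alloc EXILE_SYSCGROUP_PKEY genifndef(330)
-pkey_free EXILE_SYSCGROUP_PKEY genifndef(331)
-statx EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(332)
-io_pgetevents EXILE_SYSCGROUP_NONE genifndef(333)
-rseq EXILE_SYSCGROUP_THREAD genifndef(334)
-pidfd_send_signal EXILE_SYSCGROUP_PIDFD genifndef(424)
-io_uring_setup EXILE_SYSCGROUP_IOURING genifndef(425)
-io_uring_enter EXILE_SYSCGROUP_IOURING genifndef(426)
-io_uring_register EXILE_SYSCGROUP_IOURING genifndef(427)
-open_tree EXILE_SYSCGROUP_NEWMOUNT genifndef(428)
-move_mount EXILE_SYSCGROUP_NEWMOUNT genifndef(429)
-fsopen EXILE_SYSCGROUP_NEWMOUNT genifndef(430)
-fsconfig EXILE_SYSCGROUP_NEWMOUNT genifndef(431)
-fsmount EXILE_SYSCGROUP_NEWMOUNT genifndef(432)
-fspick EXILE_SYSCGROUP_NEWMOUNT genifndef(433)
-pidfd_open EXILE_SYSCGROUP_PIDFD genifndef(434)
-clone3 EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(435)
-close_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(436)
-openat2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(437)
-pidfd_getfd EXILE_SYSCGROUP_PIDFD genifndef(438)
-faccessat2 EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(439)
-process_madvise EXILE_SYSCGROUP_MEMORY genifndef(440)
-epoll_pwait2 EXILE_SYSCGROUP_STDIO genifndef(441)
-mount_setattr EXILE_SYSCGROUP_NONE genifndef(442)
-quotactl_fd EXILE_SYSCGROUP_QUOTA genifndef(443)
-landlock_create_ruleset EXILE_SYSCGROUP_LANDLOCK genifndef(444)
-landlock_add_rule EXILE_SYSCGROUP_LANDLOCK genifndef(445)
-landlock_restrict_self EXILE_SYSCGROUP_LANDLOCK genifndef(446)
-memfd_secret EXILE_SYSCGROUP_NONE genifndef(447)
-process_mrelease EXILE_SYSCGROUP_NONE genifndef(448)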

239
test.c

@ -87,13 +87,13 @@ static int test_successful_exit(int (*f)())
static int do_test_seccomp_blacklisted()
{
struct exile_policy *policy = exile_init_policy();
exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid));
exile_append_syscall_policy(policy,EXILE_SYS(getuid), EXILE_SYSCALL_DENY_KILL_PROCESS, NULL, 0);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
uid_t pid = geteuid();
pid = getuid();
uid_t pid = syscall(EXILE_SYS(geteuid));
pid = syscall(EXILE_SYS(getuid));
return 0;
@ -108,12 +108,12 @@ static int do_test_seccomp_blacklisted_call_permitted()
{
struct exile_policy *policy = exile_init_policy();
exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid));
exile_append_syscall_policy(policy, EXILE_SYS(getuid), EXILE_SYSCALL_DENY_KILL_PROCESS, NULL, 0);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
//geteuid is not blacklisted, so must succeed
uid_t pid = geteuid();
uid_t pid = syscall(EXILE_SYS(geteuid));
return 0;
}
@ -127,7 +127,7 @@ static int do_test_seccomp_x32_kill()
{
struct exile_policy *policy = exile_init_policy();
exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid));
exile_append_syscall_policy(policy, EXILE_SYS(getuid), EXILE_SYSCALL_DENY_KILL_PROCESS, NULL, 0);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
@ -148,7 +148,7 @@ int test_seccomp_require_last_matchall()
{
struct exile_policy *policy = exile_init_policy();
exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid));
exile_append_syscall_policy(policy, EXILE_SYS(getuid), EXILE_SYSCALL_DENY_KILL_PROCESS, NULL, 0);
int status = exile_enable_policy(policy);
if(status == 0)
@ -163,13 +163,13 @@ static int do_test_seccomp_errno()
{
struct exile_policy *policy = exile_init_policy();
exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYS(close));
exile_append_syscall_policy(policy, EXILE_SYS(close),EXILE_SYSCALL_DENY_RET_ERROR, NULL, 0);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
uid_t id = getuid();
uid_t id = syscall(EXILE_SYS(getuid));
int fd = close(0);
int fd = syscall(EXILE_SYS(close), 0);
printf("close() return code: %i, errno: %s\n", fd, strerror(errno));
return fd == -1 ? 0 : 1;
}
@ -181,27 +181,228 @@ int test_seccomp_errno()
return test_successful_exit(&do_test_seccomp_errno);
}
static int test_seccomp_group()
int test_seccomp_argfilter_allowed()
{
struct exile_policy *policy = exile_init_policy();
exile_append_group_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYSCGROUP_SOCKET);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
struct sock_filter argfilter[2] =
{
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
};
exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR, argfilter, 2);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
int s = socket(AF_INET,SOCK_STREAM,0);
if(s != -1)
char *t = "/dev/random";
int ret = (int) syscall(EXILE_SYS(open),t, O_RDONLY);
if(ret == -1)
{
printf("Failed: socket was expected to return error\n");
printf("Failed: open was expected to succeed, but returned %i\n", ret);
return 1;
}
return 0;
}
int test_seccomp_argfilter_filtered()
{
struct exile_policy *policy = exile_init_policy();
struct sock_filter argfilter[2] =
{
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
};
exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR, argfilter, 2);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
char *t = "/dev/random";
int ret = (int) syscall(EXILE_SYS(open),t, O_WRONLY);
if(ret != -1)
{
printf("Failed: open was expected to fail, but returned %i\n", ret);
return 1;
}
return 0;
}
int test_seccomp_argfilter_mixed()
{
struct exile_policy *policy = exile_init_policy();
struct sock_filter argfilter[2] =
{
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
};
exile_append_syscall_policy(policy, EXILE_SYS(stat),EXILE_SYSCALL_DENY_RET_ERROR, NULL,0);
exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR, argfilter, 2);
exile_append_syscall_policy(policy, EXILE_SYS(getpid),EXILE_SYSCALL_DENY_RET_ERROR, NULL, 0);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xexile_enable_policy(policy);
struct stat statbuf;
int s = (int) syscall(EXILE_SYS(stat), "/dev/urandom", &statbuf);
if(s != -1)
{
printf("Failed: stat was expected to fail, but returned %i\n", s);
return 1;
}
pid_t p = (pid_t) syscall(EXILE_SYS(getpid));
if(p != -1)
{
printf("Failed: getpid was expected to fail, but returned %i\n", p);
return 1;
}
char *t = "/dev/random";
int ret = (int) syscall(EXILE_SYS(open),t, O_WRONLY);
if(ret != -1)
{
printf("Failed: open was expected to fail, but returned %i\n", ret);
return 1;
}
ret = (int) syscall(EXILE_SYS(open), t, O_RDONLY);
if(ret == -1)
{
printf("Failed: open with O_RDONLY was expected to succeed, but returned %i\n", ret);
return 1;
}
return 0;
}
int do_test_seccomp_pledge_socket()
{
struct exile_policy *policy = exile_init_policy();
policy->pledge_promises = EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_INET | EXILE_SYSCALL_PLEDGE_DENY_ERROR;
xexile_enable_policy(policy);
int s = socket(AF_INET, SOCK_STREAM, 0);
if(s == -1)
{
printf("Failed: socket was expected to succeed, but returned %i\n", s);
return 1;
}
s = socket(AF_UNIX, SOCK_DGRAM, 0);
if(s != -1)
{
printf("Failed: socket was expected to fail, but returned %i\n", s);
return 1;
}
return 0;
}
int do_test_seccomp_pledge_open()
{
struct exile_policy *policy = exile_init_policy();
policy->pledge_promises = EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_RPATH | EXILE_SYSCALL_PLEDGE_DENY_ERROR;
xexile_enable_policy(policy);
int ret = open("/dev/urandom", O_WRONLY | O_APPEND);
if(ret != -1)
{
printf("Failed: open was expected to fail, but returned %i\n", ret);
return 1;
}
ret = open("/dev/urandom", O_RDWR);
if(ret != -1)
{
printf("Failed: open O_RDWR was expected to fail, but returned %i\n", ret);
return 1;
}
ret = open("/dev/urandom", O_RDONLY);
if(ret == -1)
{
printf("Failed: open was expected to succceed, but returned %i\n", ret);
return 1;
}
return 0;
}
int test_seccomp_pledge()
{
int ret = test_successful_exit(&do_test_seccomp_pledge_open);
if(ret != 0)
{
printf("Failed: do_test_seccomp_pledge_open()\n");
return 1;
}
ret = test_successful_exit(&do_test_seccomp_pledge_socket);
if(ret != 0)
{
printf("Failed: do_test_seccomp_pledge_socket()\n");
return 1;
}
return 0;
}
int test_seccomp_exile_pledge_multiple()
{
int ret = exile_pledge(EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_UNIX | EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL | EXILE_SYSCALL_PLEDGE_DENY_ERROR);
if(ret != 0)
{
printf("Failed: exile_pledge() call 1 failed\n");
return 1;
}
int s = socket(AF_UNIX, SOCK_STREAM, 0);
if(s == -1)
{
printf("Failed: socket was expected to succeed, but returned %i\n", s);
return 1;
}
/* Let's take away unix sockets, so it should not be possible anymore */
ret = exile_pledge(EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL | EXILE_SYSCALL_PLEDGE_DENY_ERROR);
if(ret != 0)
{
printf("Failed: exile_pledge() call 2 failed\n");
return 1;
}
s = socket(AF_UNIX, SOCK_STREAM, 0);
if(s != -1)
{
printf("Failed: socket was expected to fail, but returned %i\n", s);
return 1;
}
/* Let's try to regain unix sockets again */
ret = exile_pledge(EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_UNIX | EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL | EXILE_SYSCALL_PLEDGE_DENY_ERROR);
if(ret != 0)
{
printf("Failed: exile_pledge() call 3 failed\n");
return 1;
}
s = socket(AF_UNIX, SOCK_STREAM, 0);
if(s != -1)
{
printf("Failed: socket was still expected to fail, but returned %i\n", s);
return 1;
}
return 0;
}
#if HAVE_LANDLOCK == 1
int test_landlock()
{
if(!exile_landlock_is_available())
{
printf("landlock not available, so cannot test\n");
return 1;
}
struct exile_policy *policy = exile_init_policy();
exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/proc/self/fd");
xexile_enable_policy(policy);
@ -299,7 +500,11 @@ struct dispatcher dispatchers[] = {
{ "seccomp-x32-kill", &test_seccomp_x32_kill},
{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
{ "seccomp-errno", &test_seccomp_errno},
{ "seccomp-group", &test_seccomp_group},
{ "seccomp-argfilter-allowed", &test_seccomp_argfilter_allowed},
{ "seccomp-argfilter-filtered", &test_seccomp_argfilter_filtered},
{ "seccomp-argfilter-mixed", &test_seccomp_argfilter_mixed},
{ "seccomp-pledge", &test_seccomp_pledge},
{ "seccomp-pledge-exile_pledge-multi", &test_seccomp_exile_pledge_multiple},
{ "landlock", &test_landlock},
{ "landlock-deny-write", &test_landlock_deny_write },
{ "no_fs", &test_nofs},
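Review bot: The argfilter shared by test_seccomp_argfilter_allowed, test_seccomp_argfilter_filtered and test_seccomp_argfilter_mixed (hunk `@ -181,27 +181,228`) is narrower than its use suggests: the BPF_JSET against O_WRONLY only matches when the O_WRONLY bit is set in args[1], so an open() with O_RDWR is not denied, and the BPF_W load takes only the low 32 bits of the argument; none of the three tests exercises O_RDWR, whereas do_test_seccomp_pledge_open in the same hunk does check it, so a reader comparing them may take the argfilter for a general write-deny rule. A comment on the `struct sock_filter argfilter[2]` declaration would make the contract explicit: `/* Denies open() only when O_WRONLY is set in args[1]; O_RDWR is not covered, and only the low 32 bits of the argument are compared. */`. The tests also invoke EXILE_SYS(open) and EXILE_SYS(stat) directly through syscall(); those syscall numbers presumably exist only on architectures that still provide the legacy open/stat entry points, so if the suite is x86_64-only that is worth stating in a comment near the first such call. test_landlock at the end of that hunk continues outside the hunk.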