
2 changed files with 30 additions and 39 deletions

59
exile.h

@ -84,18 +84,14 @@
#define EXILE_SYS(x) __NR_##x #define EXILE_SYS(x) __NR_##x
/* Allow all read-effect operations on the path */ #define EXILE_FS_ALLOW_READ 1<<0
#define EXILE_FS_ALLOW_ALL_READ 1<<0 #define EXILE_FS_ALLOW_WRITE (1<<1)
/* Allow all write-effect operations on the path, such as normal writes, creation/deletion of files */
#define EXILE_FS_ALLOW_ALL_WRITE (1<<1)
#define EXILE_FS_ALLOW_EXEC 1<<2 #define EXILE_FS_ALLOW_EXEC 1<<2
#define EXILE_FS_ALLOW_DEV 1<<3 #define EXILE_FS_ALLOW_DEV 1<<3
#define EXILE_FS_ALLOW_SETUID 1<<4 #define EXILE_FS_ALLOW_SETUID 1<<4
//don't mount recursive //don't mount recursive
#define EXILE_MOUNT_NOT_REC 1<<5 #define EXILE_MOUNT_NOT_REC 1<<5
/* Fine-granular approach available with landlock */
#if HAVE_LANDLOCK == 1 #if HAVE_LANDLOCK == 1
#define EXILE_FS_ALLOW_REMOVE_DIR (1 << 7) #define EXILE_FS_ALLOW_REMOVE_DIR (1 << 7)
#define EXILE_FS_ALLOW_REMOVE_FILE (1 << 8) #define EXILE_FS_ALLOW_REMOVE_FILE (1 << 8)
@ -1027,7 +1023,7 @@ static int get_policy_mount_flags(struct exile_path_policy *policy)
result |= MS_NOSUID; result |= MS_NOSUID;
} }
if( (policy->policy & EXILE_FS_ALLOW_ALL_WRITE) == 0) if( (policy->policy & EXILE_FS_ALLOW_WRITE) == 0)
{ {
result |= MS_RDONLY; result |= MS_RDONLY;
} }
@ -1073,7 +1069,7 @@ static int mount_to_chroot(const char *chroot_target_path, struct exile_path_pol
mount_flags |= MS_BIND; mount_flags |= MS_BIND;
if(path_policy->policy & EXILE_FS_ALLOW_ALL_READ || path_policy->policy & EXILE_FS_ALLOW_ALL_WRITE) if(path_policy->policy & EXILE_FS_ALLOW_READ || path_policy->policy & EXILE_FS_ALLOW_WRITE)
{ {
ret = mount(path_policy->path, path_inside_chroot, NULL, mount_flags, NULL); ret = mount(path_policy->path, path_inside_chroot, NULL, mount_flags, NULL);
if(ret < 0 ) if(ret < 0 )
@ -1145,7 +1141,7 @@ static int enter_namespaces(int namespace_options)
} }
if(fprintf(fp, "deny") < 0) if(fprintf(fp, "deny") < 0)
{ {
EXILE_LOG_ERROR("fprintf failed while trying to write setgroups\n"); EXILE_LOG_ERROR("fprintf failed while trying to write uid_map\n");
return -1; return -1;
} }
fclose(fp); fclose(fp);
@ -1333,19 +1329,6 @@ static int exile_enable_syscall_policy(struct exile_policy *policy)
static unsigned int exile_flags_to_landlock(unsigned int flags) static unsigned int exile_flags_to_landlock(unsigned int flags)
{ {
unsigned int result = 0; unsigned int result = 0;
if(flags & EXILE_FS_ALLOW_ALL_READ)
{
result |= LANDLOCK_ACCESS_FS_READ_FILE;
result |= LANDLOCK_ACCESS_FS_READ_DIR;
}
if(flags & EXILE_FS_ALLOW_ALL_WRITE)
{
result |= LANDLOCK_ACCESS_FS_MAKE_REG;
result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
result |= LANDLOCK_ACCESS_FS_REMOVE_FILE;
result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
}
if(flags & EXILE_FS_ALLOW_DEV) if(flags & EXILE_FS_ALLOW_DEV)
{ {
result |= LANDLOCK_ACCESS_FS_MAKE_BLOCK; result |= LANDLOCK_ACCESS_FS_MAKE_BLOCK;
@ -1379,6 +1362,11 @@ static unsigned int exile_flags_to_landlock(unsigned int flags)
{ {
result |= LANDLOCK_ACCESS_FS_MAKE_SYM; result |= LANDLOCK_ACCESS_FS_MAKE_SYM;
} }
if(flags & EXILE_FS_ALLOW_READ)
{
result |= LANDLOCK_ACCESS_FS_READ_FILE;
result |= LANDLOCK_ACCESS_FS_READ_DIR;
}
if(flags & EXILE_FS_ALLOW_REMOVE) if(flags & EXILE_FS_ALLOW_REMOVE)
{ {
result |= LANDLOCK_ACCESS_FS_REMOVE_DIR; result |= LANDLOCK_ACCESS_FS_REMOVE_DIR;
@ -1396,6 +1384,11 @@ static unsigned int exile_flags_to_landlock(unsigned int flags)
{ {
result |= LANDLOCK_ACCESS_FS_EXECUTE; result |= LANDLOCK_ACCESS_FS_EXECUTE;
} }
if(flags & EXILE_FS_ALLOW_WRITE)
{
result |= LANDLOCK_ACCESS_FS_MAKE_REG;
result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
}
if(flags & EXILE_FS_ALLOW_WRITE_FILE) if(flags & EXILE_FS_ALLOW_WRITE_FILE)
{ {
result |= LANDLOCK_ACCESS_FS_WRITE_FILE; result |= LANDLOCK_ACCESS_FS_WRITE_FILE;
@ -1656,17 +1649,6 @@ int exile_enable_policy(struct exile_policy *policy)
EXILE_LOG_ERROR("chroot: failed to enter %s\n", policy->chroot_target_path); EXILE_LOG_ERROR("chroot: failed to enter %s\n", policy->chroot_target_path);
return -1; return -1;
} }
const char *chdir_target_path = policy->chdir_path;
if(chdir_target_path == NULL)
{
chdir_target_path = "/";
}
if(chdir(chdir_target_path) < 0)
{
EXILE_LOG_ERROR("chdir to %s failed\n", policy->chdir_path);
return -1;
}
} }
#if HAVE_LANDLOCK == 1 #if HAVE_LANDLOCK == 1
@ -1681,6 +1663,16 @@ int exile_enable_policy(struct exile_policy *policy)
} }
} }
#endif #endif
if(policy->chdir_path == NULL)
{
policy->chdir_path = "/";
}
if(policy->chdir_path != NULL && chdir(policy->chdir_path) < 0)
{
EXILE_LOG_ERROR("chdir to %s failed\n", policy->chdir_path);
return -1;
}
if(policy->no_fs) if(policy->no_fs)
{ {
@ -1743,7 +1735,6 @@ int exile_enable_policy(struct exile_policy *policy)
return exile_enable_syscall_policy(policy); return exile_enable_syscall_policy(policy);
} }
return 0; return 0;
} }
#endif #endif
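Review bot: The chdir that closes the chroot is no longer adjacent to it — in the exile_enable_policy hunk at @ -1681 the new side only calls `chdir(policy->chdir_path)` after the `#if HAVE_LANDLOCK` block, so any `return -1` between the successful `chroot` and this point leaves the process with a working directory outside the new root, which is exactly the state a chroot must not be left in. Keep a `chdir("/")` immediately after the `chroot` succeeds, and apply the user-requested chdir here as before. The new code also stores `policy->chdir_path = "/"` into the caller's struct where the old code used a local, and the `!= NULL` test on the following line is then always true; a local `const char *chdir_target = policy->chdir_path ? policy->chdir_path : "/";` avoids both. Separately, in the enter_namespaces hunk at @ -1145 the new message `"fprintf failed while trying to write uid_map\n"` follows `fprintf(fp, "deny")`, which from the old message appears to be the setgroups write, so the log now names the wrong file. exile_enable_policy's body begins and ends outside these hunks.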

4
test.c

@ -203,7 +203,7 @@ static int test_seccomp_group()
int test_landlock() int test_landlock()
{ {
struct exile_policy *policy = exile_init_policy(); struct exile_policy *policy = exile_init_policy();
exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/proc/self/fd"); exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/proc/self/fd");
xexile_enable_policy(policy); xexile_enable_policy(policy);
int fd = open("/", O_RDONLY | O_CLOEXEC); int fd = open("/", O_RDONLY | O_CLOEXEC);
@ -217,7 +217,7 @@ int test_landlock()
int test_landlock_deny_write() int test_landlock_deny_write()
{ {
struct exile_policy *policy = exile_init_policy(); struct exile_policy *policy = exile_init_policy();
exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ, "/tmp/"); exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/tmp/");
xexile_enable_policy(policy); xexile_enable_policy(policy);
int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC); int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);