631980b775
...
ca0f82790c
43
exile.h
43
exile.h
@ -43,15 +43,11 @@
|
|||||||
#include <linux/seccomp.h>
|
#include <linux/seccomp.h>
|
||||||
#include <linux/version.h>
|
#include <linux/version.h>
|
||||||
#include <linux/audit.h>
|
#include <linux/audit.h>
|
||||||
#include <linux/capability.h>
|
#include <sys/capability.h>
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
#include <inttypes.h>
|
#include <inttypes.h>
|
||||||
#include <asm/unistd.h>
|
#include <asm/unistd.h>
|
||||||
|
|
||||||
#define capget(hdrp,datap) syscall(__NR_capget,hdrp,datap)
|
|
||||||
#define capset(hdrp,datap) syscall(__NR_capset,hdrp,datap)
|
|
||||||
|
|
||||||
|
|
||||||
#ifndef HAVE_LANDLOCK
|
#ifndef HAVE_LANDLOCK
|
||||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,13,0)
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,13,0)
|
||||||
/* TODO: Hopefully a fair assumption. But we need to runtime checks */
|
/* TODO: Hopefully a fair assumption. But we need to runtime checks */
|
||||||
@ -668,7 +664,7 @@ int exile_append_syscall_default_policy(struct exile_policy *exile_policy, unsig
|
|||||||
Returns: 0 if none copied, otherwise the number of entries in "filter".
|
Returns: 0 if none copied, otherwise the number of entries in "filter".
|
||||||
*/
|
*/
|
||||||
|
|
||||||
static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct sock_filter *filter , int *policy)
|
static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct sock_filter *filter)
|
||||||
{
|
{
|
||||||
|
|
||||||
/* How to read this:
|
/* How to read this:
|
||||||
@ -737,7 +733,6 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
|
|||||||
EXILE_BPF_CMP_EQ(PR_CAPBSET_READ, EXILE_SYSCALL_EXIT_BPF_RETURN, EXILE_SYSCALL_EXIT_BPF_NO_MATCH),
|
EXILE_BPF_CMP_EQ(PR_CAPBSET_READ, EXILE_SYSCALL_EXIT_BPF_RETURN, EXILE_SYSCALL_EXIT_BPF_NO_MATCH),
|
||||||
};
|
};
|
||||||
|
|
||||||
*policy = EXILE_SYSCALL_ALLOW;
|
|
||||||
int result = 0;
|
int result = 0;
|
||||||
int current_filter_index = 1;
|
int current_filter_index = 1;
|
||||||
switch(syscall)
|
switch(syscall)
|
||||||
@ -799,10 +794,6 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
|
|||||||
result = sizeof(open_rdonly)/sizeof(open_rdonly[0]);
|
result = sizeof(open_rdonly)/sizeof(open_rdonly[0]);
|
||||||
memcpy(filter, open_rdonly, sizeof(open_rdonly));
|
memcpy(filter, open_rdonly, sizeof(open_rdonly));
|
||||||
break;
|
break;
|
||||||
case EXILE_SYS(openat2):
|
|
||||||
result = 0;
|
|
||||||
*policy = EXILE_SYSCALL_DENY_RET_ERROR;
|
|
||||||
break;
|
|
||||||
case EXILE_SYS(socket):
|
case EXILE_SYS(socket):
|
||||||
if(pledge_promises & EXILE_SYSCALL_PLEDGE_UNIX)
|
if(pledge_promises & EXILE_SYSCALL_PLEDGE_UNIX)
|
||||||
{
|
{
|
||||||
@ -833,13 +824,6 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
|
|||||||
result = sizeof(clone_filter)/sizeof(clone_filter[0]);
|
result = sizeof(clone_filter)/sizeof(clone_filter[0]);
|
||||||
memcpy(filter, clone_filter, sizeof(clone_filter));
|
memcpy(filter, clone_filter, sizeof(clone_filter));
|
||||||
break;
|
break;
|
||||||
case EXILE_SYS(clone3):
|
|
||||||
if((pledge_promises & EXILE_SYSCALL_PLEDGE_CLONE) == 0)
|
|
||||||
{
|
|
||||||
result = 0;
|
|
||||||
*policy = EXILE_SYSCALL_DENY_RET_ERROR;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case EXILE_SYS(prctl):
|
case EXILE_SYS(prctl):
|
||||||
if(pledge_promises & EXILE_SYSCALL_PLEDGE_PRCTL)
|
if(pledge_promises & EXILE_SYSCALL_PLEDGE_PRCTL)
|
||||||
{
|
{
|
||||||
@ -857,8 +841,27 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int get_pledge_syscall_policy(long syscall, uint64_t pledge_promises)
|
||||||
|
{
|
||||||
|
int result = EXILE_SYSCALL_ALLOW;
|
||||||
|
switch(syscall)
|
||||||
|
{
|
||||||
|
case EXILE_SYS(openat2):
|
||||||
|
result = EXILE_SYSCALL_DENY_RET_ERROR;
|
||||||
|
break;
|
||||||
|
case EXILE_SYS(clone3):
|
||||||
|
if((pledge_promises & EXILE_SYSCALL_PLEDGE_CLONE) == 0)
|
||||||
|
{
|
||||||
|
result = EXILE_SYSCALL_DENY_RET_ERROR;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
int exile_append_pledge_promises(struct exile_policy *policy, uint64_t pledge_promises)
|
int exile_append_pledge_promises(struct exile_policy *policy, uint64_t pledge_promises)
|
||||||
{
|
{
|
||||||
|
|
||||||
for(unsigned int i = 0; i < sizeof(exile_pledge_map)/sizeof(exile_pledge_map[0]); i++)
|
for(unsigned int i = 0; i < sizeof(exile_pledge_map)/sizeof(exile_pledge_map[0]); i++)
|
||||||
{
|
{
|
||||||
struct syscall_pledge_map *current_map = &exile_pledge_map[i];
|
struct syscall_pledge_map *current_map = &exile_pledge_map[i];
|
||||||
@ -866,8 +869,8 @@ int exile_append_pledge_promises(struct exile_policy *policy, uint64_t pledge_pr
|
|||||||
{
|
{
|
||||||
struct sock_filter filter[EXILE_ARGFILTERS_COUNT];
|
struct sock_filter filter[EXILE_ARGFILTERS_COUNT];
|
||||||
long syscall = current_map->syscall;
|
long syscall = current_map->syscall;
|
||||||
int syscall_policy = EXILE_SYSCALL_ALLOW;
|
int syscall_policy = get_pledge_syscall_policy(syscall, pledge_promises);
|
||||||
int argfilters = get_pledge_argfilter(syscall, pledge_promises, filter, &syscall_policy);
|
int argfilters = get_pledge_argfilter(syscall, pledge_promises, filter);
|
||||||
int ret = exile_append_syscall_policy(policy, syscall, syscall_policy, filter, argfilters);
|
int ret = exile_append_syscall_policy(policy, syscall, syscall_policy, filter, argfilters);
|
||||||
if(ret != 0)
|
if(ret != 0)
|
||||||
{
|
{
|
||||||
|
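Review bot: The new get_pledge_syscall_policy() (fourth hunk, `@ -857,8 +841,27 @@`) carries no header comment and its switch has no default arm, and nothing records why openat2 is refused unconditionally while every other syscall's policy depends on the promises; add `/* openat2 passes its flags through a struct open_how pointer, which seccomp BPF cannot inspect, so it is denied regardless of promises */` above `case EXILE_SYS(openat2):` and a `default: break;` arm at the end of the switch, plus a short `Returns:` comment above the function (it yields EXILE_SYSCALL_ALLOW unless the syscall must be refused outright) in the style of the one already on get_pledge_argfilter. Because get_pledge_argfilter no longer has openat2/clone3 cases, exile_append_pledge_promises now passes whatever that function's fall-through path yields as argfilters next to an EXILE_SYSCALL_DENY_RET_ERROR policy; that path lies outside this hunk, so it is worth confirming it returns 0 as the removed code did explicitly. In the first hunk, swapping `<linux/capability.h>` and the raw `capget`/`capset` syscall macros for `<sys/capability.h>` appears to make this header depend on libcap (header and `-lcap` at link time) where it previously needed only the kernel UAPI headers; if that is intended, the build instructions should say so. exile_append_pledge_promises begins in the fourth hunk and continues past the last hunk.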