Compare commits

..

No commits in common. "631980b7756236a0ccfd2706134b2768d6996393" and "ca0f82790c79dd6edcda49f3edceb70b6b560a25" have entirely different histories.

43
exile.h
View File

@ -43,15 +43,11 @@
#include <linux/seccomp.h> #include <linux/seccomp.h>
#include <linux/version.h> #include <linux/version.h>
#include <linux/audit.h> #include <linux/audit.h>
#include <linux/capability.h> #include <sys/capability.h>
#include <stddef.h> #include <stddef.h>
#include <inttypes.h> #include <inttypes.h>
#include <asm/unistd.h> #include <asm/unistd.h>
#define capget(hdrp,datap) syscall(__NR_capget,hdrp,datap)
#define capset(hdrp,datap) syscall(__NR_capset,hdrp,datap)
#ifndef HAVE_LANDLOCK #ifndef HAVE_LANDLOCK
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,13,0) #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,13,0)
/* TODO: Hopefully a fair assumption. But we need to runtime checks */ /* TODO: Hopefully a fair assumption. But we need to runtime checks */
@ -668,7 +664,7 @@ int exile_append_syscall_default_policy(struct exile_policy *exile_policy, unsig
Returns: 0 if none copied, otherwise the number of entries in "filter". Returns: 0 if none copied, otherwise the number of entries in "filter".
*/ */
static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct sock_filter *filter , int *policy) static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct sock_filter *filter)
{ {
/* How to read this: /* How to read this:
@ -737,7 +733,6 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
EXILE_BPF_CMP_EQ(PR_CAPBSET_READ, EXILE_SYSCALL_EXIT_BPF_RETURN, EXILE_SYSCALL_EXIT_BPF_NO_MATCH), EXILE_BPF_CMP_EQ(PR_CAPBSET_READ, EXILE_SYSCALL_EXIT_BPF_RETURN, EXILE_SYSCALL_EXIT_BPF_NO_MATCH),
}; };
*policy = EXILE_SYSCALL_ALLOW;
int result = 0; int result = 0;
int current_filter_index = 1; int current_filter_index = 1;
switch(syscall) switch(syscall)
@ -799,10 +794,6 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
result = sizeof(open_rdonly)/sizeof(open_rdonly[0]); result = sizeof(open_rdonly)/sizeof(open_rdonly[0]);
memcpy(filter, open_rdonly, sizeof(open_rdonly)); memcpy(filter, open_rdonly, sizeof(open_rdonly));
break; break;
case EXILE_SYS(openat2):
result = 0;
*policy = EXILE_SYSCALL_DENY_RET_ERROR;
break;
case EXILE_SYS(socket): case EXILE_SYS(socket):
if(pledge_promises & EXILE_SYSCALL_PLEDGE_UNIX) if(pledge_promises & EXILE_SYSCALL_PLEDGE_UNIX)
{ {
@ -833,13 +824,6 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
result = sizeof(clone_filter)/sizeof(clone_filter[0]); result = sizeof(clone_filter)/sizeof(clone_filter[0]);
memcpy(filter, clone_filter, sizeof(clone_filter)); memcpy(filter, clone_filter, sizeof(clone_filter));
break; break;
case EXILE_SYS(clone3):
if((pledge_promises & EXILE_SYSCALL_PLEDGE_CLONE) == 0)
{
result = 0;
*policy = EXILE_SYSCALL_DENY_RET_ERROR;
}
break;
case EXILE_SYS(prctl): case EXILE_SYS(prctl):
if(pledge_promises & EXILE_SYSCALL_PLEDGE_PRCTL) if(pledge_promises & EXILE_SYSCALL_PLEDGE_PRCTL)
{ {
@ -857,8 +841,27 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
return result; return result;
} }
static int get_pledge_syscall_policy(long syscall, uint64_t pledge_promises)
{
int result = EXILE_SYSCALL_ALLOW;
switch(syscall)
{
case EXILE_SYS(openat2):
result = EXILE_SYSCALL_DENY_RET_ERROR;
break;
case EXILE_SYS(clone3):
if((pledge_promises & EXILE_SYSCALL_PLEDGE_CLONE) == 0)
{
result = EXILE_SYSCALL_DENY_RET_ERROR;
}
break;
}
return result;
}
int exile_append_pledge_promises(struct exile_policy *policy, uint64_t pledge_promises) int exile_append_pledge_promises(struct exile_policy *policy, uint64_t pledge_promises)
{ {
for(unsigned int i = 0; i < sizeof(exile_pledge_map)/sizeof(exile_pledge_map[0]); i++) for(unsigned int i = 0; i < sizeof(exile_pledge_map)/sizeof(exile_pledge_map[0]); i++)
{ {
struct syscall_pledge_map *current_map = &exile_pledge_map[i]; struct syscall_pledge_map *current_map = &exile_pledge_map[i];
@ -866,8 +869,8 @@ int exile_append_pledge_promises(struct exile_policy *policy, uint64_t pledge_pr
{ {
struct sock_filter filter[EXILE_ARGFILTERS_COUNT]; struct sock_filter filter[EXILE_ARGFILTERS_COUNT];
long syscall = current_map->syscall; long syscall = current_map->syscall;
int syscall_policy = EXILE_SYSCALL_ALLOW; int syscall_policy = get_pledge_syscall_policy(syscall, pledge_promises);
int argfilters = get_pledge_argfilter(syscall, pledge_promises, filter, &syscall_policy); int argfilters = get_pledge_argfilter(syscall, pledge_promises, filter);
int ret = exile_append_syscall_policy(policy, syscall, syscall_policy, filter, argfilters); int ret = exile_append_syscall_policy(policy, syscall, syscall_policy, filter, argfilters);
if(ret != 0) if(ret != 0)
{ {