

3fa73b0b97 Close file fds by default, introduce policy->keep_fds_open
The better default is to close them rather than keep them open.

Sockets and pipes are not closed, so as not to interfere with IPC.

Issue: #10
2022-07-17 13:00:02 +02:00
8f38dc4480 check_policy_sanity(): Allow vows and syscall policies
Adjust checks to allow a mixed mode between syscall policies and vows.
Check for some easy-to-make mistakes in such a scenario.
2022-06-09 10:02:12 +02:00
2 changed files with 28 additions and 4 deletions

exile.c

@ -388,10 +388,10 @@ int exile_append_syscall_policy(struct exile_policy *exile_policy, long syscall,
newpolicy->argfilters[i] = argfilters[i];
}
newpolicy->next = NULL;
*(exile_policy->syscall_policies_tail) = newpolicy;
exile_policy->syscall_policies_tail = &(newpolicy->next);
exile_policy->disable_syscall_filter = 0;
return 0;
}
@ -1410,6 +1410,11 @@ static int check_policy_sanity(struct exile_policy *policy)
{
if(syscall_policy->syscall == EXILE_SYSCALL_MATCH_ALL)
{
if(policy->vow_promises != 0)
{
EXILE_LOG_ERROR("It's not possible to specify a default, all matching syscall policy while also using vows\n");
return -1;
}
last_match_all = i;
match_all_policy = syscall_policy->policy;
}
@ -1420,7 +1425,7 @@ static int check_policy_sanity(struct exile_policy *policy)
syscall_policy = syscall_policy->next;
++i;
}
if(last_match_all == -1 || i - last_match_all != 1)
if(policy->vow_promises == 0 && (last_match_all == -1 || i - last_match_all != 1))
{
EXILE_LOG_ERROR("The last entry in the syscall policy list must match all syscalls (default rule)\n");
return -1;
@ -1441,7 +1446,20 @@ static void close_file_fds()
long max_files = sysconf(_SC_OPEN_MAX);
for(long i = 3; i <= max_files; i++)
{
close((int)i);
struct stat statbuf;
int fd = (int) max_files;
int result = fstat(i, &statbuf);
if(result == -1 && errno != EBADF && errno != EACCES)
{
EXILE_LOG_ERROR("Could not fstat %i: %s\n", fd, strerror(errno));
abort();
}
int type = statbuf.st_mode & S_IFMT;
if(type != S_IFIFO && type != S_IFSOCK)
{
/* No error check, retrying not recommended */
close(fd);
}
}
}
@ -1504,6 +1522,11 @@ int exile_enable_policy(struct exile_policy *policy)
return -EINVAL;
}
if(policy->keep_fds_open != 1)
{
close_file_fds();
}
if(enter_namespaces(policy->namespace_options) < 0)
{
EXILE_LOG_ERROR("Error while trying to enter namespaces\n");
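Review bot: In the close_file_fds hunk, `int fd = (int) max_files;` takes the loop bound instead of the loop variable, so every iteration hands the same out-of-range descriptor to close() while fstat() examined `i`; descriptors 3..max_files-1 are never closed, the new default-close behaviour has no effect, and the sandboxed code keeps every inherited file open — it should read `int fd = (int) i;`. On the tolerated EBADF/EACCES failure the code still reads `statbuf.st_mode` from an uninitialised struct, so add `if(result == -1) { continue; }` after the abort check to skip descriptors that are not open. The bound `i <= max_files` also visits one descriptor past the valid range; that becomes harmless once the skip is in place, but `i < max_files` states the intent (the function's signature sits on the hunk header line, its body is fully visible). In the exile_enable_policy hunk, `policy->keep_fds_open != 1` treats any other non-zero value as "close"; `if(!policy->keep_fds_open)` reads the flag the way an int flag is normally read and avoids a surprise for callers that set it to a non-1 truthy value.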


@ -364,6 +364,7 @@ struct exile_policy
int no_new_privs;
int no_fs;
int no_new_fds;
int keep_fds_open;
int namespace_options;
int disable_syscall_filter;
/* Bind mounts all paths in path_policies into the chroot and applies