crtxcr/exile.h
1
0
複製 0
程式碼 問題管理 14 合併請求 1 版本發佈 Wiki Activity

Compare commits

base: crtxcr:WIP/enosys
分支列表 標籤列表
crtxcr:master crtxcr:next crtxcr:WIP/enosys crtxcr:WIP/cpp
..
compare: crtxcr:3fa73b0b97a83ac2e6f77d9351d41bef6719146b
分支列表 標籤列表
crtxcr:master crtxcr:next crtxcr:WIP/enosys crtxcr:WIP/cpp

2 次程式碼提交
WIP/enosys ... 3fa73b0b97

作者 SHA1 備註 提交日期
Albert S
3fa73b0b97 Close file fds by default, introduce policy->keep_fds_open 
The better default is to close them, not keeping them open.

Does not close sockets and pipes to not interfere with IPC.

Issue: #10
 2022-07-17 13:00:02 +02:00
Albert S
8f38dc4480 check_policy_sanity(): Allow vows and syscall policies 
Adjust checks to allow a mixed mode between syscall policies and vows.
Check for some easy to make mistakes in such scenario.
 2022-06-09 10:02:12 +02:00
共有 2 個文件被更改,包括 28 次插入4 次删除
Expand all files Collapse all files

27
exile.c
查看文件

@ -1410,6 +1410,11 @@ static int check_policy_sanity(struct exile_policy *policy)
{ {
if(syscall_policy->syscall == EXILE_SYSCALL_MATCH_ALL) if(syscall_policy->syscall == EXILE_SYSCALL_MATCH_ALL)
{ {
if(policy->vow_promises != 0)
{
EXILE_LOG_ERROR("It's not possible to specify a default, all matching syscall policy while also using vows\n");
return -1;
}
last_match_all = i; last_match_all = i;
match_all_policy = syscall_policy->policy; match_all_policy = syscall_policy->policy;
} }
@ -1420,7 +1425,7 @@ static int check_policy_sanity(struct exile_policy *policy)
syscall_policy = syscall_policy->next; syscall_policy = syscall_policy->next;
++i; ++i;
} }
if(last_match_all == -1 || i - last_match_all != 1) if(policy->vow_promises == 0 && (last_match_all == -1 || i - last_match_all != 1))
{ {
EXILE_LOG_ERROR("The last entry in the syscall policy list must match all syscalls (default rule)\n"); EXILE_LOG_ERROR("The last entry in the syscall policy list must match all syscalls (default rule)\n");
return -1; return -1;
@ -1441,7 +1446,20 @@ static void close_file_fds()
long max_files = sysconf(_SC_OPEN_MAX); long max_files = sysconf(_SC_OPEN_MAX);
for(long i = 3; i <= max_files; i++) for(long i = 3; i <= max_files; i++)
{ {
close((int)i); struct stat statbuf;
int fd = (int) max_files;
int result = fstat(i, &statbuf);
if(result == -1 && errno != EBADF && errno != EACCES)
{
EXILE_LOG_ERROR("Could not fstat %i: %s\n", fd, strerror(errno));
abort();
}
int type = statbuf.st_mode & S_IFMT;
if(type != S_IFIFO && type != S_IFSOCK)
{
/* No error check, retrying not recommended */
close(fd);
}
} }
} }
@ -1504,6 +1522,11 @@ int exile_enable_policy(struct exile_policy *policy)
return -EINVAL; return -EINVAL;
} }
if(policy->keep_fds_open != 1)
{
close_file_fds();
}
if(enter_namespaces(policy->namespace_options) < 0) if(enter_namespaces(policy->namespace_options) < 0)
{ {
EXILE_LOG_ERROR("Error while trying to enter namespaces\n"); EXILE_LOG_ERROR("Error while trying to enter namespaces\n");

1
exile.h
查看文件

@ -364,6 +364,7 @@ struct exile_policy
int no_new_privs; int no_new_privs;
int no_fs; int no_fs;
int no_new_fds; int no_new_fds;
int keep_fds_open;
int namespace_options; int namespace_options;
int disable_syscall_filter; int disable_syscall_filter;
/* Bind mounts all paths in path_policies into the chroot and applies /* Bind mounts all paths in path_policies into the chroot and applies