

2 Коммитов

631980b775 Include linux/capability.h instead of sys/capability.h
Some distros put sys/capability.h into libcap-dev or
similar, which is a bit unfortunate; we don't need
libcap-dev or anything like that.

Since we only ever used capget()/capset() anyway, we can
just define a simple wrapper and call the syscall directly,
thereby avoiding the above-mentioned issue.
2021-12-27 14:15:50 +01:00
0be081c55d Merge get_pledge_argfilter() with get_pledge_argfilter() 2021-12-27 14:11:58 +01:00

43
exile.h

@ -43,11 +43,15 @@
#include <linux/seccomp.h> #include <linux/seccomp.h>
#include <linux/version.h> #include <linux/version.h>
#include <linux/audit.h> #include <linux/audit.h>
#include <sys/capability.h> #include <linux/capability.h>
#include <stddef.h> #include <stddef.h>
#include <inttypes.h> #include <inttypes.h>
#include <asm/unistd.h> #include <asm/unistd.h>
#define capget(hdrp,datap) syscall(__NR_capget,hdrp,datap)
#define capset(hdrp,datap) syscall(__NR_capset,hdrp,datap)
#ifndef HAVE_LANDLOCK #ifndef HAVE_LANDLOCK
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,13,0) #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,13,0)
/* TODO: Hopefully a fair assumption. But we need to runtime checks */ /* TODO: Hopefully a fair assumption. But we need to runtime checks */
@ -664,7 +668,7 @@ int exile_append_syscall_default_policy(struct exile_policy *exile_policy, unsig
Returns: 0 if none copied, otherwise the number of entries in "filter". Returns: 0 if none copied, otherwise the number of entries in "filter".
*/ */
static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct sock_filter *filter) static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct sock_filter *filter , int *policy)
{ {
/* How to read this: /* How to read this:
@ -733,6 +737,7 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
EXILE_BPF_CMP_EQ(PR_CAPBSET_READ, EXILE_SYSCALL_EXIT_BPF_RETURN, EXILE_SYSCALL_EXIT_BPF_NO_MATCH), EXILE_BPF_CMP_EQ(PR_CAPBSET_READ, EXILE_SYSCALL_EXIT_BPF_RETURN, EXILE_SYSCALL_EXIT_BPF_NO_MATCH),
}; };
*policy = EXILE_SYSCALL_ALLOW;
int result = 0; int result = 0;
int current_filter_index = 1; int current_filter_index = 1;
switch(syscall) switch(syscall)
@ -794,6 +799,10 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
result = sizeof(open_rdonly)/sizeof(open_rdonly[0]); result = sizeof(open_rdonly)/sizeof(open_rdonly[0]);
memcpy(filter, open_rdonly, sizeof(open_rdonly)); memcpy(filter, open_rdonly, sizeof(open_rdonly));
break; break;
case EXILE_SYS(openat2):
result = 0;
*policy = EXILE_SYSCALL_DENY_RET_ERROR;
break;
case EXILE_SYS(socket): case EXILE_SYS(socket):
if(pledge_promises & EXILE_SYSCALL_PLEDGE_UNIX) if(pledge_promises & EXILE_SYSCALL_PLEDGE_UNIX)
{ {
@ -824,6 +833,13 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
result = sizeof(clone_filter)/sizeof(clone_filter[0]); result = sizeof(clone_filter)/sizeof(clone_filter[0]);
memcpy(filter, clone_filter, sizeof(clone_filter)); memcpy(filter, clone_filter, sizeof(clone_filter));
break; break;
case EXILE_SYS(clone3):
if((pledge_promises & EXILE_SYSCALL_PLEDGE_CLONE) == 0)
{
result = 0;
*policy = EXILE_SYSCALL_DENY_RET_ERROR;
}
break;
case EXILE_SYS(prctl): case EXILE_SYS(prctl):
if(pledge_promises & EXILE_SYSCALL_PLEDGE_PRCTL) if(pledge_promises & EXILE_SYSCALL_PLEDGE_PRCTL)
{ {
@ -841,27 +857,8 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
return result; return result;
} }
static int get_pledge_syscall_policy(long syscall, uint64_t pledge_promises)
{
int result = EXILE_SYSCALL_ALLOW;
switch(syscall)
{
case EXILE_SYS(openat2):
result = EXILE_SYSCALL_DENY_RET_ERROR;
break;
case EXILE_SYS(clone3):
if((pledge_promises & EXILE_SYSCALL_PLEDGE_CLONE) == 0)
{
result = EXILE_SYSCALL_DENY_RET_ERROR;
}
break;
}
return result;
}
int exile_append_pledge_promises(struct exile_policy *policy, uint64_t pledge_promises) int exile_append_pledge_promises(struct exile_policy *policy, uint64_t pledge_promises)
{ {
for(unsigned int i = 0; i < sizeof(exile_pledge_map)/sizeof(exile_pledge_map[0]); i++) for(unsigned int i = 0; i < sizeof(exile_pledge_map)/sizeof(exile_pledge_map[0]); i++)
{ {
struct syscall_pledge_map *current_map = &exile_pledge_map[i]; struct syscall_pledge_map *current_map = &exile_pledge_map[i];
@ -869,8 +866,8 @@ int exile_append_pledge_promises(struct exile_policy *policy, uint64_t pledge_pr
{ {
struct sock_filter filter[EXILE_ARGFILTERS_COUNT]; struct sock_filter filter[EXILE_ARGFILTERS_COUNT];
long syscall = current_map->syscall; long syscall = current_map->syscall;
int syscall_policy = get_pledge_syscall_policy(syscall, pledge_promises); int syscall_policy = EXILE_SYSCALL_ALLOW;
int argfilters = get_pledge_argfilter(syscall, pledge_promises, filter); int argfilters = get_pledge_argfilter(syscall, pledge_promises, filter, &syscall_policy);
int ret = exile_append_syscall_policy(policy, syscall, syscall_policy, filter, argfilters); int ret = exile_append_syscall_policy(policy, syscall, syscall_policy, filter, argfilters);
if(ret != 0) if(ret != 0)
{ {
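Review bot: The `#define capget(hdrp,datap) syscall(__NR_capget,hdrp,datap)` / `capset` macros in the first hunk redefine two public function names for every translation unit that includes exile.h, so any TU that also pulls in libcap's `<sys/capability.h>` (or declares `capget`/`capset` itself) gets its prototype rewritten into `int syscall(__NR_capget, ...)` and stops compiling — the very dependency the commit tries to drop becomes a hard conflict instead. The macros also lose all argument type checking, and they rely on `syscall()` being declared, which comes from `<unistd.h>`; that include is not visible in this hunk and may be provided earlier in the file. I would replace them with `static inline` wrappers under exile-prefixed names, using the `struct __user_cap_header_struct` / `struct __user_cap_data_struct` types that `<linux/capability.h>` (now included on the new side) provides, and point the existing capget()/capset() callers, which lie outside this hunk, at them.
```c
#include <asm/unistd.h>
/* Raw capget(2)/capset(2) wrappers: avoids a build dependency on libcap's
 * <sys/capability.h> without redefining the public capget/capset names,
 * so a TU that also includes that header still compiles. */
static inline int exile_capget(struct __user_cap_header_struct *hdrp, struct __user_cap_data_struct *datap)
{
	return (int)syscall(__NR_capget, hdrp, datap);
}
static inline int exile_capset(struct __user_cap_header_struct *hdrp, const struct __user_cap_data_struct *datap)
{
	return (int)syscall(__NR_capset, hdrp, datap);
}
/* … unchanged: HAVE_LANDLOCK / kernel version checks … */
```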