crtxcr/exile.h
1
0
Fork 0
Code Issues 14 Pull Requests 1 Releases Wiki Activity

Compare commits

base: crtxcr:d150c2ecd9eb01ebfadd2447313b7f13cc7f536c
Branches Tags
crtxcr:master
crtxcr:next
crtxcr:WIP/enosys
crtxcr:WIP/cpp
...
compare: crtxcr:1b4c5477a55191f74d29bc264678e041bf0f2a42
Branches Tags
crtxcr:master
crtxcr:next
crtxcr:WIP/enosys
crtxcr:WIP/cpp

2 Commits
d150c2ecd9 ... 1b4c5477a5

Author SHA1 Message Date
Albert S
1b4c5477a5 rename to exile.h 
qssb.h was a preliminary name and can't be pronounced smoothly.

exile.h is more fitting and it's also short. Something exiled is essentially
something isolated, which is pretty much what this library does (isolation from
resources such as file system, network and others accessible by system calls).
 2021-11-30 18:19:15 +01:00
Albert S
756b0fb421 rename qssb.h to exile.h 2021-11-30 17:40:36 +01:00
7 changed files with 2146 additions and 2146 deletions
Show Stats Expand all files Collapse all files

8
README.md
View File

@ -1,5 +1,5 @@
# qssb.h (quite simple sandbox)
`qssb.h` is a simple header-only library that provides an interface to sandbox processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end.
# exile.h
`exile.h` is a simple header-only library that provides an interface to isolate processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end.
## Status
No release yet, expiremental, API is unstable, builds will break on updates of this library.
@ -48,8 +48,8 @@ the library may check against that. Execute
Contributions are very welcome. Options:
1. Pull-Request on [github](https://github.com/quitesimpleorg/qssb.h)
2. Mail to `qssb at quitesimple.org` with instructions on where to pull the changes from.
1. Pull-Request on [github](https://github.com/quitesimpleorg/exile.h)
2. Mail to `exile at quitesimple.org` with instructions on where to pull the changes from.
3. Mailing a classic patch/diff to the same address.

1740
exile.h Normal file
View File

File diff suppressed because it is too large Load Diff

2
gengroup.py
View File

@ -47,7 +47,7 @@ for line in lines:
if genifndef:
ifndef[currentsyscall] = genifndef.groups(1)[0]
array_line = "{QSSB_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups))
array_line = "{EXILE_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups))
print(array_line)
print_ifndefs()

720
grouping_x86-64.txt
View File

@ -1,363 +1,363 @@
# Assign system calls to groups. In the future, may also include simple arg filtering.
read QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
write QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
open QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
close QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
stat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
fstat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
lstat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
poll QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
lseek QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
mmap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
mprotect QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
munmap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
brk QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
rt_sigaction QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
rt_sigprocmask QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
rt_sigreturn QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
ioctl QSSB_SYSCGROUP_IOCTL,QSSB_SYSCGROUP_DEFAULT_ALLOW
pread64 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
pwrite64 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
readv QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
writev QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
access QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
pipe QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
select QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
sched_yield QSSB_SYSCGROUP_SCHED,QSSB_SYSCGROUP_DEFAULT_ALLOW
mremap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
msync QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
mincore QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
madvise QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
shmget QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
shmat QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
shmctl QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
dup QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
dup2 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
pause QSSB_SYSCGROUP_PAUSE,QSSB_SYSCGROUP_DEFAULT_ALLOW
nanosleep QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
getitimer QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
alarm QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
setitimer QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
getpid QSSB_SYSCGROUP_PROCESS,QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
sendfile QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
socket QSSB_SYSCGROUP_SOCKET
connect QSSB_SYSCGROUP_SOCKET
accept QSSB_SYSCGROUP_SOCKET
sendto QSSB_SYSCGROUP_SOCKET
recvfrom QSSB_SYSCGROUP_SOCKET
sendmsg QSSB_SYSCGROUP_SOCKET
recvmsg QSSB_SYSCGROUP_SOCKET
shutdown QSSB_SYSCGROUP_SOCKET
bind QSSB_SYSCGROUP_SOCKET
listen QSSB_SYSCGROUP_SOCKET
getsockname QSSB_SYSCGROUP_SOCKET
getpeername QSSB_SYSCGROUP_SOCKET
socketpair QSSB_SYSCGROUP_SOCKET,QSSB_SYSCGROUP_IPC
setsockopt QSSB_SYSCGROUP_SOCKET
getsockopt QSSB_SYSCGROUP_SOCKET
clone QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
fork QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
vfork QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
execve QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_EXEC
exit QSSB_SYSCGROUP_PROCESS,QSSB_SYSCGROUP_DEFAULT_ALLOW
wait4 QSSB_SYSCGROUP_EXEC
kill QSSB_SYSCGROUP_KILL
uname QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_DEFAULT_ALLOW
semget QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
semop QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
semctl QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
shmdt QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
msgget QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
msgsnd QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
msgrcv QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
msgctl QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
fcntl QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
flock QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
fsync QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
fdatasync QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
truncate QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
ftruncate QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
getdents QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
getcwd QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
chdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
fchdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
rename QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
mkdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
rmdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
creat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
link QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
unlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
symlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
readlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
chmod QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
fchmod QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
chown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
fchown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
lchown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
umask QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW
gettimeofday QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_DEFAULT_ALLOW
getrlimit QSSB_SYSCGROUP_RES,QSSB_SYSCGROUP_DEFAULT_ALLOW
getrusage QSSB_SYSCGROUP_RES,QSSB_SYSCGROUP_DEFAULT_ALLOW
sysinfo QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_DEFAULT_ALLOW
times QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_DEFAULT_ALLOW
ptrace QSSB_SYSCGROUP_PTRACE,QSSB_SYSCGROUP_DEFAULT_ALLOW
getuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
syslog QSSB_SYSCGROUP_SYS
getgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
setuid QSSB_SYSCGROUP_ID
setgid QSSB_SYSCGROUP_ID
geteuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
getegid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
setpgid QSSB_SYSCGROUP_ID
getppid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
getpgrp QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
setsid QSSB_SYSCGROUP_ID
setreuid QSSB_SYSCGROUP_ID
setregid QSSB_SYSCGROUP_ID
getgroups QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
setgroups QSSB_SYSCGROUP_ID
setresuid QSSB_SYSCGROUP_ID
getresuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
setresgid QSSB_SYSCGROUP_ID
getresgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
getpgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
setfsuid QSSB_SYSCGROUP_ID
setfsgid QSSB_SYSCGROUP_ID
getsid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
capget QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
capset QSSB_SYSCGROUP_ID
rt_sigpending QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
rt_sigtimedwait QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
rt_sigqueueinfo QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
rt_sigsuspend QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
sigaltstack QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_SIGNAL
utime QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_FS
mknod QSSB_SYSCGROUP_DEV,QSSB_SYSCGROUP_FS
uselib QSSB_SYSCGROUP_LIB,QSSB_SYSCGROUP_DEFAULT_ALLOW
personality QSSB_SYSCGROUP_PROCESS
ustat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
statfs QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
fstatfs QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
sysfs QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_FS
getpriority QSSB_SYSCGROUP_SCHED
setpriority QSSB_SYSCGROUP_SCHED
sched_setparam QSSB_SYSCGROUP_SCHED
sched_getparam QSSB_SYSCGROUP_SCHED
sched_setscheduler QSSB_SYSCGROUP_SCHED
sched_getscheduler QSSB_SYSCGROUP_SCHED
sched_get_priority_max QSSB_SYSCGROUP_SCHED
sched_get_priority_min QSSB_SYSCGROUP_SCHED
sched_rr_get_interval QSSB_SYSCGROUP_SCHED
mlock QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
munlock QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
mlockall QSSB_SYSCGROUP_MEMORY
munlockall QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
vhangup QSSB_SYSCGROUP_TTY
modify_ldt QSSB_SYSCGROUP_PROCESS
pivot_root QSSB_SYSCGROUP_CHROOT
_sysctl QSSB_SYSCGROUP_SYS
prctl QSSB_SYSCGROUP_PROCESS
arch_prctl QSSB_SYSCGROUP_PROCESS
adjtimex QSSB_SYSCGROUP_CLOCK
setrlimit QSSB_SYSCGROUP_RES
chroot QSSB_SYSCGROUP_CHROOT,QSSB_SYSCGROUP_FS
sync QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
acct QSSB_SYSCGROUP_PROCESS
settimeofday QSSB_SYSCGROUP_TIME
mount QSSB_SYSCGROUP_MOUNT,QSSB_SYSCGROUP_FS
umount2 QSSB_SYSCGROUP_UMOUNT,QSSB_SYSCGROUP_FS
swapon QSSB_SYSCGROUP_SWAP
swapoff QSSB_SYSCGROUP_SWAP
reboot QSSB_SYSCGROUP_POWER
sethostname QSSB_SYSCGROUP_HOST
setdomainname QSSB_SYSCGROUP_HOST
iopl QSSB_SYSCGROUP_IOPL
ioperm QSSB_SYSCGROUP_IOPL
create_module QSSB_SYSCGROUP_KMOD
init_module QSSB_SYSCGROUP_KMOD
delete_module QSSB_SYSCGROUP_KMOD
get_kernel_syms QSSB_SYSCGROUP_KMOD
query_module QSSB_SYSCGROUP_KMOD
quotactl QSSB_SYSCGROUP_QUOTA
nfsservctl QSSB_SYSCGROUP_NONE
getpmsg QSSB_SYSCGROUP_UNIMPLEMENTED
putpmsg QSSB_SYSCGROUP_UNIMPLEMENTED
afs_syscall QSSB_SYSCGROUP_UNIMPLEMENTED
tuxcall QSSB_SYSCGROUP_UNIMPLEMENTED
security QSSB_SYSCGROUP_UNIMPLEMENTED
gettid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_THREAD
readahead QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
setxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
lsetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
fsetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
getxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
lgetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
fgetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
listxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
llistxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
flistxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
removexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
lremovexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
fremovexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
tkill QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_SIGNAL
time QSSB_SYSCGROUP_TIME
futex QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_FUTEX
sched_setaffinity QSSB_SYSCGROUP_SCHED
sched_getaffinity QSSB_SYSCGROUP_SCHED
set_thread_area QSSB_SYSCGROUP_THREAD
io_setup QSSB_SYSCGROUP_IO
io_destroy QSSB_SYSCGROUP_IO
io_getevents QSSB_SYSCGROUP_IO
io_submit QSSB_SYSCGROUP_IO
io_cancel QSSB_SYSCGROUP_IO
get_thread_area QSSB_SYSCGROUP_THREAD
lookup_dcookie QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FS
epoll_create QSSB_SYSCGROUP_STDIO
epoll_ctl_old QSSB_SYSCGROUP_STDIO
epoll_wait_old QSSB_SYSCGROUP_STDIO
remap_file_pages QSSB_SYSCGROUP_NONE
getdents64 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FS
set_tid_address QSSB_SYSCGROUP_THREAD
restart_syscall QSSB_SYSCGROUP_SYSCALL
semtimedop QSSB_SYSCGROUP_SEM
fadvise64 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FD
timer_create QSSB_SYSCGROUP_TIMER
timer_settime QSSB_SYSCGROUP_TIMER
timer_gettime QSSB_SYSCGROUP_TIMER
timer_getoverrun QSSB_SYSCGROUP_TIMER
timer_delete QSSB_SYSCGROUP_TIMER
clock_settime QSSB_SYSCGROUP_TIME
clock_gettime QSSB_SYSCGROUP_TIME
clock_getres QSSB_SYSCGROUP_TIME
clock_nanosleep QSSB_SYSCGROUP_TIME
exit_group QSSB_SYSCGROUP_EXIT,QSSB_SYSCGROUP_DEFAULT_ALLOW
epoll_wait QSSB_SYSCGROUP_FD
epoll_ctl QSSB_SYSCGROUP_FD
tgkill QSSB_SYSCGROUP_SIGNAL,QSSB_SYSCGROUP_THREAD
utimes QSSB_SYSCGROUP_PATH
vserver QSSB_SYSCGROUP_UNIMPLEMENTED
mbind QSSB_SYSCGROUP_MEMORY
set_mempolicy QSSB_SYSCGROUP_MEMORY
get_mempolicy QSSB_SYSCGROUP_MEMORY
mq_open QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
mq_unlink QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
mq_timedsend QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
mq_timedreceive QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
mq_notify QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
mq_getsetattr QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
kexec_load QSSB_SYSCGROUP_KEXEC
waitid QSSB_SYSCGROUP_SIGNAL
add_key QSSB_SYSCGROUP_KEYS
request_key QSSB_SYSCGROUP_KEYS
keyctl QSSB_SYSCGROUP_KEYS
ioprio_set QSSB_SYSCGROUP_PRIO
ioprio_get QSSB_SYSCGROUP_PRIO
inotify_init QSSB_SYSCGROUP_INOTIFY
inotify_add_watch QSSB_SYSCGROUP_INOTIFY
inotify_rm_watch QSSB_SYSCGROUP_INOTIFY
migrate_pages QSSB_SYSCGROUP_PROCESS
openat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
mkdirat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
mknodat QSSB_SYSCGROUP_DEV,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
fchownat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
futimesat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
newfstatat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
unlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
renameat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
linkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
symlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
readlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
fchmodat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
faccessat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
pselect6 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
ppoll QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
unshare QSSB_SYSCGROUP_NS,QSSB_SYSCGROUP_FS
set_robust_list QSSB_SYSCGROUP_FUTEX
get_robust_list QSSB_SYSCGROUP_FUTEX
splice QSSB_SYSCGROUP_FD
tee QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
sync_file_range QSSB_SYSCGROUP_FD
vmsplice QSSB_SYSCGROUP_FD
move_pages QSSB_SYSCGROUP_PROCESS
utimensat QSSB_SYSCGROUP_PATH
epoll_pwait QSSB_SYSCGROUP_STDIO
signalfd QSSB_SYSCGROUP_SIGNAL
timerfd_create QSSB_SYSCGROUP_TIMER
eventfd QSSB_SYSCGROUP_FD
fallocate QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FD
timerfd_settime QSSB_SYSCGROUP_TIMER
timerfd_gettime QSSB_SYSCGROUP_TIMER
accept4 QSSB_SYSCGROUP_SOCKET
signalfd4 QSSB_SYSCGROUP_FD
eventfd2 QSSB_SYSCGROUP_FD
epoll_create1 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
dup3 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
pipe2 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
inotify_init1 QSSB_SYSCGROUP_INOTIFY
preadv QSSB_SYSCGROUP_STDIO
pwritev QSSB_SYSCGROUP_STDIO
rt_tgsigqueueinfo QSSB_SYSCGROUP_RT
perf_event_open QSSB_SYSCGROUP_PERF
recvmmsg QSSB_SYSCGROUP_SOCKET
fanotify_init QSSB_SYSCGROUP_FANOTIFY
fanotify_mark QSSB_SYSCGROUP_FANOTIFY
prlimit64 QSSB_SYSCGROUP_RES
name_to_handle_at QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
open_by_handle_at QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
clock_adjtime QSSB_SYSCGROUP_CLOCK
syncfs QSSB_SYSCGROUP_FD
sendmmsg QSSB_SYSCGROUP_SOCKET
setns QSSB_SYSCGROUP_NS
getcpu QSSB_SYSCGROUP_SCHED
read EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
write EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
open EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
close EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
stat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
lstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
poll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
lseek EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
mmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
mprotect EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
munmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
brk EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigaction EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigprocmask EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigreturn EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
ioctl EXILE_SYSCGROUP_IOCTL,EXILE_SYSCGROUP_DEFAULT_ALLOW
pread64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
pwrite64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
readv EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
writev EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
access EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
pipe EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
select EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
sched_yield EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
mremap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
msync EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
mincore EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
madvise EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
shmget EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
shmat EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
shmctl EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
dup EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
dup2 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
pause EXILE_SYSCGROUP_PAUSE,EXILE_SYSCGROUP_DEFAULT_ALLOW
nanosleep EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
getitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
alarm EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
setitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
getpid EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
sendfile EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
socket EXILE_SYSCGROUP_SOCKET
connect EXILE_SYSCGROUP_SOCKET
accept EXILE_SYSCGROUP_SOCKET
sendto EXILE_SYSCGROUP_SOCKET
recvfrom EXILE_SYSCGROUP_SOCKET
sendmsg EXILE_SYSCGROUP_SOCKET
recvmsg EXILE_SYSCGROUP_SOCKET
shutdown EXILE_SYSCGROUP_SOCKET
bind EXILE_SYSCGROUP_SOCKET
listen EXILE_SYSCGROUP_SOCKET
getsockname EXILE_SYSCGROUP_SOCKET
getpeername EXILE_SYSCGROUP_SOCKET
socketpair EXILE_SYSCGROUP_SOCKET,EXILE_SYSCGROUP_IPC
setsockopt EXILE_SYSCGROUP_SOCKET
getsockopt EXILE_SYSCGROUP_SOCKET
clone EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
fork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
vfork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
execve EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_EXEC
exit EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_DEFAULT_ALLOW
wait4 EXILE_SYSCGROUP_EXEC
kill EXILE_SYSCGROUP_KILL
uname EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
semget EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
semop EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
semctl EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
shmdt EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
msgget EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
msgsnd EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
msgrcv EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
msgctl EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
fcntl EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
flock EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
fsync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
fdatasync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
truncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
ftruncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
getdents EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
getcwd EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
chdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fchdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
rename EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
mkdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
rmdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
creat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
link EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
unlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
symlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
readlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
chmod EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fchmod EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
chown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
lchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
umask EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW
gettimeofday EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
getrlimit EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
getrusage EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
sysinfo EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
times EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
ptrace EXILE_SYSCGROUP_PTRACE,EXILE_SYSCGROUP_DEFAULT_ALLOW
getuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
syslog EXILE_SYSCGROUP_SYS
getgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setuid EXILE_SYSCGROUP_ID
setgid EXILE_SYSCGROUP_ID
geteuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
getegid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setpgid EXILE_SYSCGROUP_ID
getppid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
getpgrp EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setsid EXILE_SYSCGROUP_ID
setreuid EXILE_SYSCGROUP_ID
setregid EXILE_SYSCGROUP_ID
getgroups EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setgroups EXILE_SYSCGROUP_ID
setresuid EXILE_SYSCGROUP_ID
getresuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setresgid EXILE_SYSCGROUP_ID
getresgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
getpgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
setfsuid EXILE_SYSCGROUP_ID
setfsgid EXILE_SYSCGROUP_ID
getsid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
capget EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
capset EXILE_SYSCGROUP_ID
rt_sigpending EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigtimedwait EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigqueueinfo EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
rt_sigsuspend EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
sigaltstack EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
utime EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_FS
mknod EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_FS
uselib EXILE_SYSCGROUP_LIB,EXILE_SYSCGROUP_DEFAULT_ALLOW
personality EXILE_SYSCGROUP_PROCESS
ustat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
statfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
fstatfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
sysfs EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_FS
getpriority EXILE_SYSCGROUP_SCHED
setpriority EXILE_SYSCGROUP_SCHED
sched_setparam EXILE_SYSCGROUP_SCHED
sched_getparam EXILE_SYSCGROUP_SCHED
sched_setscheduler EXILE_SYSCGROUP_SCHED
sched_getscheduler EXILE_SYSCGROUP_SCHED
sched_get_priority_max EXILE_SYSCGROUP_SCHED
sched_get_priority_min EXILE_SYSCGROUP_SCHED
sched_rr_get_interval EXILE_SYSCGROUP_SCHED
mlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
munlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
mlockall EXILE_SYSCGROUP_MEMORY
munlockall EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
vhangup EXILE_SYSCGROUP_TTY
modify_ldt EXILE_SYSCGROUP_PROCESS
pivot_root EXILE_SYSCGROUP_CHROOT
_sysctl EXILE_SYSCGROUP_SYS
prctl EXILE_SYSCGROUP_PROCESS
arch_prctl EXILE_SYSCGROUP_PROCESS
adjtimex EXILE_SYSCGROUP_CLOCK
setrlimit EXILE_SYSCGROUP_RES
chroot EXILE_SYSCGROUP_CHROOT,EXILE_SYSCGROUP_FS
sync EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
acct EXILE_SYSCGROUP_PROCESS
settimeofday EXILE_SYSCGROUP_TIME
mount EXILE_SYSCGROUP_MOUNT,EXILE_SYSCGROUP_FS
umount2 EXILE_SYSCGROUP_UMOUNT,EXILE_SYSCGROUP_FS
swapon EXILE_SYSCGROUP_SWAP
swapoff EXILE_SYSCGROUP_SWAP
reboot EXILE_SYSCGROUP_POWER
sethostname EXILE_SYSCGROUP_HOST
setdomainname EXILE_SYSCGROUP_HOST
iopl EXILE_SYSCGROUP_IOPL
ioperm EXILE_SYSCGROUP_IOPL
create_module EXILE_SYSCGROUP_KMOD
init_module EXILE_SYSCGROUP_KMOD
delete_module EXILE_SYSCGROUP_KMOD
get_kernel_syms EXILE_SYSCGROUP_KMOD
query_module EXILE_SYSCGROUP_KMOD
quotactl EXILE_SYSCGROUP_QUOTA
nfsservctl EXILE_SYSCGROUP_NONE
getpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
putpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
afs_syscall EXILE_SYSCGROUP_UNIMPLEMENTED
tuxcall EXILE_SYSCGROUP_UNIMPLEMENTED
security EXILE_SYSCGROUP_UNIMPLEMENTED
gettid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_THREAD
readahead EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
setxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
lsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
fsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
getxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
lgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
listxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
llistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
flistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
removexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
lremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
fremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
tkill EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
time EXILE_SYSCGROUP_TIME
futex EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_FUTEX
sched_setaffinity EXILE_SYSCGROUP_SCHED
sched_getaffinity EXILE_SYSCGROUP_SCHED
set_thread_area EXILE_SYSCGROUP_THREAD
io_setup EXILE_SYSCGROUP_IO
io_destroy EXILE_SYSCGROUP_IO
io_getevents EXILE_SYSCGROUP_IO
io_submit EXILE_SYSCGROUP_IO
io_cancel EXILE_SYSCGROUP_IO
get_thread_area EXILE_SYSCGROUP_THREAD
lookup_dcookie EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
epoll_create EXILE_SYSCGROUP_STDIO
epoll_ctl_old EXILE_SYSCGROUP_STDIO
epoll_wait_old EXILE_SYSCGROUP_STDIO
remap_file_pages EXILE_SYSCGROUP_NONE
getdents64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
set_tid_address EXILE_SYSCGROUP_THREAD
restart_syscall EXILE_SYSCGROUP_SYSCALL
semtimedop EXILE_SYSCGROUP_SEM
fadvise64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
timer_create EXILE_SYSCGROUP_TIMER
timer_settime EXILE_SYSCGROUP_TIMER
timer_gettime EXILE_SYSCGROUP_TIMER
timer_getoverrun EXILE_SYSCGROUP_TIMER
timer_delete EXILE_SYSCGROUP_TIMER
clock_settime EXILE_SYSCGROUP_TIME
clock_gettime EXILE_SYSCGROUP_TIME
clock_getres EXILE_SYSCGROUP_TIME
clock_nanosleep EXILE_SYSCGROUP_TIME
exit_group EXILE_SYSCGROUP_EXIT,EXILE_SYSCGROUP_DEFAULT_ALLOW
epoll_wait EXILE_SYSCGROUP_FD
epoll_ctl EXILE_SYSCGROUP_FD
tgkill EXILE_SYSCGROUP_SIGNAL,EXILE_SYSCGROUP_THREAD
utimes EXILE_SYSCGROUP_PATH
vserver EXILE_SYSCGROUP_UNIMPLEMENTED
mbind EXILE_SYSCGROUP_MEMORY
set_mempolicy EXILE_SYSCGROUP_MEMORY
get_mempolicy EXILE_SYSCGROUP_MEMORY
mq_open EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
mq_unlink EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
mq_timedsend EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
mq_timedreceive EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
mq_notify EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
mq_getsetattr EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
kexec_load EXILE_SYSCGROUP_KEXEC
waitid EXILE_SYSCGROUP_SIGNAL
add_key EXILE_SYSCGROUP_KEYS
request_key EXILE_SYSCGROUP_KEYS
keyctl EXILE_SYSCGROUP_KEYS
ioprio_set EXILE_SYSCGROUP_PRIO
ioprio_get EXILE_SYSCGROUP_PRIO
inotify_init EXILE_SYSCGROUP_INOTIFY
inotify_add_watch EXILE_SYSCGROUP_INOTIFY
inotify_rm_watch EXILE_SYSCGROUP_INOTIFY
migrate_pages EXILE_SYSCGROUP_PROCESS
openat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
mkdirat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
mknodat EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fchownat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
futimesat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
newfstatat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
unlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
renameat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
linkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
symlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
readlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
fchmodat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
faccessat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
pselect6 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
ppoll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
unshare EXILE_SYSCGROUP_NS,EXILE_SYSCGROUP_FS
set_robust_list EXILE_SYSCGROUP_FUTEX
get_robust_list EXILE_SYSCGROUP_FUTEX
splice EXILE_SYSCGROUP_FD
tee EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
sync_file_range EXILE_SYSCGROUP_FD
vmsplice EXILE_SYSCGROUP_FD
move_pages EXILE_SYSCGROUP_PROCESS
utimensat EXILE_SYSCGROUP_PATH
epoll_pwait EXILE_SYSCGROUP_STDIO
signalfd EXILE_SYSCGROUP_SIGNAL
timerfd_create EXILE_SYSCGROUP_TIMER
eventfd EXILE_SYSCGROUP_FD
fallocate EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
timerfd_settime EXILE_SYSCGROUP_TIMER
timerfd_gettime EXILE_SYSCGROUP_TIMER
accept4 EXILE_SYSCGROUP_SOCKET
signalfd4 EXILE_SYSCGROUP_FD
eventfd2 EXILE_SYSCGROUP_FD
epoll_create1 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
dup3 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
pipe2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
inotify_init1 EXILE_SYSCGROUP_INOTIFY
preadv EXILE_SYSCGROUP_STDIO
pwritev EXILE_SYSCGROUP_STDIO
rt_tgsigqueueinfo EXILE_SYSCGROUP_RT
perf_event_open EXILE_SYSCGROUP_PERF
recvmmsg EXILE_SYSCGROUP_SOCKET
fanotify_init EXILE_SYSCGROUP_FANOTIFY
fanotify_mark EXILE_SYSCGROUP_FANOTIFY
prlimit64 EXILE_SYSCGROUP_RES
name_to_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
open_by_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
clock_adjtime EXILE_SYSCGROUP_CLOCK
syncfs EXILE_SYSCGROUP_FD
sendmmsg EXILE_SYSCGROUP_SOCKET
setns EXILE_SYSCGROUP_NS
getcpu EXILE_SYSCGROUP_SCHED
#maybe IPC, but feels wrong
process_vm_readv QSSB_SYSCGROUP_NONE
process_vm_writev QSSB_SYSCGROUP_NONE
kcmp QSSB_SYSCGROUP_NONE
finit_module QSSB_SYSCGROUP_KMOD
sched_setattr QSSB_SYSCGROUP_SCHED
sched_getattr QSSB_SYSCGROUP_SCHED,QSSB_SYSCGROUP_DEFAULT_ALLOW
renameat2 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW
seccomp QSSB_SYSCGROUP_NONE
getrandom QSSB_SYSCGROUP_DEFAULT_ALLOW
memfd_create QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
kexec_file_load QSSB_SYSCGROUP_KEXEC
bpf QSSB_SYSCGROUP_NONE
execveat QSSB_SYSCGROUP_EXEC
userfaultfd QSSB_SYSCGROUP_NONE
membarrier QSSB_SYSCGROUP_NONE
mlock2 QSSB_SYSCGROUP_MEMORY
copy_file_range QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
preadv2 QSSB_SYSCGROUP_STDIO
pwritev2 QSSB_SYSCGROUP_STDIO
process_vm_readv EXILE_SYSCGROUP_NONE
process_vm_writev EXILE_SYSCGROUP_NONE
kcmp EXILE_SYSCGROUP_NONE
finit_module EXILE_SYSCGROUP_KMOD
sched_setattr EXILE_SYSCGROUP_SCHED
sched_getattr EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
renameat2 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW
seccomp EXILE_SYSCGROUP_NONE
getrandom EXILE_SYSCGROUP_DEFAULT_ALLOW
memfd_create EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
kexec_file_load EXILE_SYSCGROUP_KEXEC
bpf EXILE_SYSCGROUP_NONE
execveat EXILE_SYSCGROUP_EXEC
userfaultfd EXILE_SYSCGROUP_NONE
membarrier EXILE_SYSCGROUP_NONE
mlock2 EXILE_SYSCGROUP_MEMORY
copy_file_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
preadv2 EXILE_SYSCGROUP_STDIO
pwritev2 EXILE_SYSCGROUP_STDIO
#Those are newer than 5.10, wrap them in ifndef so we can compile on old systems
pkey_mprotect QSSB_SYSCGROUP_PKEY genifndef(329)
pkey_alloc QSSB_SYSCGROUP_PKEY genifndef(330)
pkey_free QSSB_SYSCGROUP_PKEY genifndef(331)
statx QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(332)
io_pgetevents QSSB_SYSCGROUP_NONE genifndef(333)
rseq QSSB_SYSCGROUP_THREAD genifndef(334)
pidfd_send_signal QSSB_SYSCGROUP_PIDFD genifndef(424)
io_uring_setup QSSB_SYSCGROUP_IOURING genifndef(425)
io_uring_enter QSSB_SYSCGROUP_IOURING genifndef(426)
io_uring_register QSSB_SYSCGROUP_IOURING genifndef(427)
open_tree QSSB_SYSCGROUP_NEWMOUNT genifndef(428)
move_mount QSSB_SYSCGROUP_NEWMOUNT genifndef(429)
fsopen QSSB_SYSCGROUP_NEWMOUNT genifndef(430)
fsconfig QSSB_SYSCGROUP_NEWMOUNT genifndef(431)
fsmount QSSB_SYSCGROUP_NEWMOUNT genifndef(432)
fspick QSSB_SYSCGROUP_NEWMOUNT genifndef(433)
pidfd_open QSSB_SYSCGROUP_PIDFD genifndef(434)
clone3 QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(435)
close_range QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(436)
openat2 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(437)
pidfd_getfd QSSB_SYSCGROUP_PIDFD genifndef(438)
faccessat2 QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(439)
process_madvise QSSB_SYSCGROUP_MEMORY genifndef(440)
epoll_pwait2 QSSB_SYSCGROUP_STDIO genifndef(441)
mount_setattr QSSB_SYSCGROUP_NONE genifndef(442)
quotactl_fd QSSB_SYSCGROUP_QUOTA genifndef(443)
landlock_create_ruleset QSSB_SYSCGROUP_LANDLOCK genifndef(444)
landlock_add_rule QSSB_SYSCGROUP_LANDLOCK genifndef(445)
landlock_restrict_self QSSB_SYSCGROUP_LANDLOCK genifndef(446)
memfd_secret QSSB_SYSCGROUP_NONE genifndef(447)
process_mrelease QSSB_SYSCGROUP_NONE genifndef(448)
pkey_mprotect EXILE_SYSCGROUP_PKEY genifndef(329)
pkey_alloc EXILE_SYSCGROUP_PKEY genifndef(330)
pkey_free EXILE_SYSCGROUP_PKEY genifndef(331)
statx EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(332)
io_pgetevents EXILE_SYSCGROUP_NONE genifndef(333)
rseq EXILE_SYSCGROUP_THREAD genifndef(334)
pidfd_send_signal EXILE_SYSCGROUP_PIDFD genifndef(424)
io_uring_setup EXILE_SYSCGROUP_IOURING genifndef(425)
io_uring_enter EXILE_SYSCGROUP_IOURING genifndef(426)
io_uring_register EXILE_SYSCGROUP_IOURING genifndef(427)
open_tree EXILE_SYSCGROUP_NEWMOUNT genifndef(428)
move_mount EXILE_SYSCGROUP_NEWMOUNT genifndef(429)
fsopen EXILE_SYSCGROUP_NEWMOUNT genifndef(430)
fsconfig EXILE_SYSCGROUP_NEWMOUNT genifndef(431)
fsmount EXILE_SYSCGROUP_NEWMOUNT genifndef(432)
fspick EXILE_SYSCGROUP_NEWMOUNT genifndef(433)
pidfd_open EXILE_SYSCGROUP_PIDFD genifndef(434)
clone3 EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(435)
close_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(436)
openat2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(437)
pidfd_getfd EXILE_SYSCGROUP_PIDFD genifndef(438)
faccessat2 EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(439)
process_madvise EXILE_SYSCGROUP_MEMORY genifndef(440)
epoll_pwait2 EXILE_SYSCGROUP_STDIO genifndef(441)
mount_setattr EXILE_SYSCGROUP_NONE genifndef(442)
quotactl_fd EXILE_SYSCGROUP_QUOTA genifndef(443)
landlock_create_ruleset EXILE_SYSCGROUP_LANDLOCK genifndef(444)
landlock_add_rule EXILE_SYSCGROUP_LANDLOCK genifndef(445)
landlock_restrict_self EXILE_SYSCGROUP_LANDLOCK genifndef(446)
memfd_secret EXILE_SYSCGROUP_NONE genifndef(447)
process_mrelease EXILE_SYSCGROUP_NONE genifndef(448)

1740
qssb.h
View File

File diff suppressed because it is too large Load Diff

80
test.c
View File

@ -1,4 +1,4 @@
#include "qssb.h"
#include "exile.h"
#include <stdbool.h>
#include <sys/types.h>
#include <dirent.h>
@ -6,12 +6,12 @@
#include <sys/socket.h>
#include <sys/wait.h>
int xqssb_enable_policy(struct qssb_policy *policy)
int xexile_enable_policy(struct exile_policy *policy)
{
int ret = qssb_enable_policy(policy);
int ret = exile_enable_policy(policy);
if(ret != 0)
{
fprintf(stderr, "qssb_enable_policy() failed: %i\n", ret);
fprintf(stderr, "exile_enable_policy() failed: %i\n", ret);
exit(EXIT_FAILURE);
}
return 0;
@ -19,8 +19,8 @@ int xqssb_enable_policy(struct qssb_policy *policy)
int test_default_main()
{
struct qssb_policy *policy = qssb_init_policy();
return xqssb_enable_policy(policy);
struct exile_policy *policy = exile_init_policy();
return xexile_enable_policy(policy);
}
static int test_expected_kill(int (*f)())
@ -86,11 +86,11 @@ static int test_successful_exit(int (*f)())
static int do_test_seccomp_blacklisted()
{
struct qssb_policy *policy = qssb_init_policy();
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid));
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
struct exile_policy *policy = exile_init_policy();
exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid));
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xqssb_enable_policy(policy);
xexile_enable_policy(policy);
uid_t pid = geteuid();
pid = getuid();
@ -106,12 +106,12 @@ int test_seccomp_blacklisted()
static int do_test_seccomp_blacklisted_call_permitted()
{
struct qssb_policy *policy = qssb_init_policy();
struct exile_policy *policy = exile_init_policy();
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid));
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid));
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xqssb_enable_policy(policy);
xexile_enable_policy(policy);
//geteuid is not blacklisted, so must succeed
uid_t pid = geteuid();
return 0;
@ -125,15 +125,15 @@ int test_seccomp_blacklisted_call_permitted()
static int do_test_seccomp_x32_kill()
{
struct qssb_policy *policy = qssb_init_policy();
struct exile_policy *policy = exile_init_policy();
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid));
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid));
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xqssb_enable_policy(policy);
xexile_enable_policy(policy);
/* Attempt to bypass by falling back to x32 should be blocked */
syscall(QSSB_SYS(getuid)+__X32_SYSCALL_BIT);
syscall(EXILE_SYS(getuid)+__X32_SYSCALL_BIT);
return 0;
}
@ -146,11 +146,11 @@ int test_seccomp_x32_kill()
/* Tests whether seccomp rules end with a policy matching all syscalls */
int test_seccomp_require_last_matchall()
{
struct qssb_policy *policy = qssb_init_policy();
struct exile_policy *policy = exile_init_policy();
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid));
exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid));
int status = qssb_enable_policy(policy);
int status = exile_enable_policy(policy);
if(status == 0)
{
printf("Failed. Should not have been enabled!");
@ -161,12 +161,12 @@ int test_seccomp_require_last_matchall()
static int do_test_seccomp_errno()
{
struct qssb_policy *policy = qssb_init_policy();
struct exile_policy *policy = exile_init_policy();
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYS(close));
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYS(close));
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xqssb_enable_policy(policy);
xexile_enable_policy(policy);
uid_t id = getuid();
int fd = close(0);
@ -183,12 +183,12 @@ int test_seccomp_errno()
static int test_seccomp_group()
{
struct qssb_policy *policy = qssb_init_policy();
struct exile_policy *policy = exile_init_policy();
qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYSCGROUP_SOCKET);
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
exile_append_group_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYSCGROUP_SOCKET);
exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
xqssb_enable_policy(policy);
xexile_enable_policy(policy);
int s = socket(AF_INET,SOCK_STREAM,0);
if(s != -1)
@ -202,9 +202,9 @@ static int test_seccomp_group()
#if HAVE_LANDLOCK == 1
int test_landlock()
{
struct qssb_policy *policy = qssb_init_policy();
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/proc/self/fd");
xqssb_enable_policy(policy);
struct exile_policy *policy = exile_init_policy();
exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/proc/self/fd");
xexile_enable_policy(policy);
int fd = open("/", O_RDONLY | O_CLOEXEC);
if(fd < 0)
@ -216,9 +216,9 @@ int test_landlock()
int test_landlock_deny_write()
{
struct qssb_policy *policy = qssb_init_policy();
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/tmp/");
xqssb_enable_policy(policy);
struct exile_policy *policy = exile_init_policy();
exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/tmp/");
xexile_enable_policy(policy);
int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);
if(fd < 0)
@ -241,9 +241,9 @@ int test_landlock_deny_write()
int test_nofs()
{
struct qssb_policy *policy = qssb_init_policy();
struct exile_policy *policy = exile_init_policy();
policy->no_fs = 1;
xqssb_enable_policy(policy);
xexile_enable_policy(policy);
int s = socket(AF_INET,SOCK_STREAM,0);
if(s == -1)
@ -265,9 +265,9 @@ int test_nofs()
int test_no_new_fds()
{
struct qssb_policy *policy = qssb_init_policy();
struct exile_policy *policy = exile_init_policy();
policy->no_new_fds = 1;
xqssb_enable_policy(policy);
xexile_enable_policy(policy);
if(open("/tmp/test", O_CREAT | O_WRONLY) >= 0)
{

2
test.sh
View File

@ -74,7 +74,7 @@ if [ -z "$LOG_OUTPUT_DIR" ] ; then
LOG_OUTPUT_DIR="./logs/"
fi
LOG_OUTPUT_DIR_PATH="${LOG_OUTPUT_DIR}/qssb_test_${GIT_ID}_${TIMESTAMP}"
LOG_OUTPUT_DIR_PATH="${LOG_OUTPUT_DIR}/exile_test_${GIT_ID}_${TIMESTAMP}"
[ -d "$LOG_OUTPUT_DIR_PATH" ] || mkdir -p "$LOG_OUTPUT_DIR_PATH"
for test in $( ./test --dumptests ) ; do