Jämför commits
No commits in common. "d847d0f996679c77741b85959988dd9e65d63b97" and "0d7c5bd6d437ae95a4900aab6b7b6cc207acbd1b" have entirely different histories.
d847d0f996
...
0d7c5bd6d4
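--- a/gengroup.py
+++ b/gengroup.py
@@ -1,55 +0,0 @@
-#!/usr/bin/python
-import sys
-import re
-if len(sys.argv) < 2:
-print("Usage: gengroup groupfile")
-sys.exit(1)
-fd = open(sys.argv[1], "r")
-
-lines = fd.read().splitlines()
-
-groupnames = set()
-ifndef = dict()
-
-def print_ifndefs():
-for name in ifndef:
-print("#ifndef __NR_%s" % name)
-print("#define __NR_%s %s" % (name, ifndef[name]))
-print("#endif")
-
-def print_defines(names):
-names = sorted(names)
-i = 0
-for name in names:
-define = "#define %s ((uint64_t)1<<%s)" % (name, i)
-print(define)
-i = i + 1
-
-for line in lines:
-if line[0] == '#':
-continue
-
-splitted = line.split(' ')
-if len(splitted) < 2:
-print("Misformated line:", line)
-sys.exit(1)
-
-currentsyscall = splitted[0]
-currentgroups = splitted[1].split(',')
-
-flags = splitted[2] if len(splitted) > 2 else ""
-if any( not s or s.isspace() for s in currentgroups ):
-print("Misformated line (empty values):", line)
-sys.exit(1)
-groupnames.update(currentgroups)
-
-genifndef = re.match(r"genifndef\((\d+)*\)", flags)
-if genifndef:
-ifndef[currentsyscall] = genifndef.groups(1)[0]
-
-array_line = "{QSSB_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups))
-print(array_line)
-
-print_ifndefs()
-print_defines(groupnames)
-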
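--- a/[PLACEHOLDER: syscall group file, path not shown on page]
+++ b/[PLACEHOLDER: syscall group file, path not shown on page]
@@ -1,363 +0,0 @@
-# Assign system calls to groups. In the future, may also include simple arg filtering.
-read QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-write QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-open QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-close QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-stat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-fstat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-lstat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-poll QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-lseek QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-mmap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-mprotect QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-munmap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-brk QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-rt_sigaction QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
-rt_sigprocmask QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
-rt_sigreturn QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
-ioctl QSSB_SYSCGROUP_IOCTL,QSSB_SYSCGROUP_DEFAULT_ALLOW
-pread64 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-pwrite64 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-readv QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-writev QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-access QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-pipe QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-select QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-sched_yield QSSB_SYSCGROUP_SCHED,QSSB_SYSCGROUP_DEFAULT_ALLOW
-mremap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-msync QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-mincore QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-madvise QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-shmget QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-shmat QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-shmctl QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-dup QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
-dup2 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
-pause QSSB_SYSCGROUP_PAUSE,QSSB_SYSCGROUP_DEFAULT_ALLOW
-nanosleep QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
-getitimer QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
-alarm QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
-setitimer QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
-getpid QSSB_SYSCGROUP_PROCESS,QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-sendfile QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
-socket QSSB_SYSCGROUP_SOCKET
-connect QSSB_SYSCGROUP_SOCKET
-accept QSSB_SYSCGROUP_SOCKET
-sendto QSSB_SYSCGROUP_SOCKET
-recvfrom QSSB_SYSCGROUP_SOCKET
-sendmsg QSSB_SYSCGROUP_SOCKET
-recvmsg QSSB_SYSCGROUP_SOCKET
-shutdown QSSB_SYSCGROUP_SOCKET
-bind QSSB_SYSCGROUP_SOCKET
-listen QSSB_SYSCGROUP_SOCKET
-getsockname QSSB_SYSCGROUP_SOCKET
-getpeername QSSB_SYSCGROUP_SOCKET
-socketpair QSSB_SYSCGROUP_SOCKET,QSSB_SYSCGROUP_IPC
-setsockopt QSSB_SYSCGROUP_SOCKET
-getsockopt QSSB_SYSCGROUP_SOCKET
-clone QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
-fork QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
-vfork QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
-execve QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_EXEC
-exit QSSB_SYSCGROUP_PROCESS,QSSB_SYSCGROUP_DEFAULT_ALLOW
-wait4 QSSB_SYSCGROUP_EXEC
-kill QSSB_SYSCGROUP_KILL
-uname QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_DEFAULT_ALLOW
-semget QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
-semop QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
-semctl QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
-shmdt QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
-msgget QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
-msgsnd QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
-msgrcv QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
-msgctl QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
-fcntl QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
-flock QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
-fsync QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
-fdatasync QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-truncate QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-ftruncate QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-getdents QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-getcwd QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-chdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-fchdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-rename QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-mkdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-rmdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-creat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-link QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-unlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-symlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-readlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-chmod QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-fchmod QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-chown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-fchown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-lchown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-umask QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW
-gettimeofday QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_DEFAULT_ALLOW
-getrlimit QSSB_SYSCGROUP_RES,QSSB_SYSCGROUP_DEFAULT_ALLOW
-getrusage QSSB_SYSCGROUP_RES,QSSB_SYSCGROUP_DEFAULT_ALLOW
-sysinfo QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_DEFAULT_ALLOW
-times QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_DEFAULT_ALLOW
-ptrace QSSB_SYSCGROUP_PTRACE,QSSB_SYSCGROUP_DEFAULT_ALLOW
-getuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-syslog QSSB_SYSCGROUP_SYS
-getgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-setuid QSSB_SYSCGROUP_ID
-setgid QSSB_SYSCGROUP_ID
-geteuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-getegid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-setpgid QSSB_SYSCGROUP_ID
-getppid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-getpgrp QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-setsid QSSB_SYSCGROUP_ID
-setreuid QSSB_SYSCGROUP_ID
-setregid QSSB_SYSCGROUP_ID
-getgroups QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-setgroups QSSB_SYSCGROUP_ID
-setresuid QSSB_SYSCGROUP_ID
-getresuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-setresgid QSSB_SYSCGROUP_ID
-getresgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-getpgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-setfsuid QSSB_SYSCGROUP_ID
-setfsgid QSSB_SYSCGROUP_ID
-getsid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-capget QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
-capset QSSB_SYSCGROUP_ID
-rt_sigpending QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
-rt_sigtimedwait QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
-rt_sigqueueinfo QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
-rt_sigsuspend QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
-sigaltstack QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_SIGNAL
-utime QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_FS
-mknod QSSB_SYSCGROUP_DEV,QSSB_SYSCGROUP_FS
-uselib QSSB_SYSCGROUP_LIB,QSSB_SYSCGROUP_DEFAULT_ALLOW
-personality QSSB_SYSCGROUP_PROCESS
-ustat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
-statfs QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
-fstatfs QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
-sysfs QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_FS
-getpriority QSSB_SYSCGROUP_SCHED
-setpriority QSSB_SYSCGROUP_SCHED
-sched_setparam QSSB_SYSCGROUP_SCHED
-sched_getparam QSSB_SYSCGROUP_SCHED
-sched_setscheduler QSSB_SYSCGROUP_SCHED
-sched_getscheduler QSSB_SYSCGROUP_SCHED
-sched_get_priority_max QSSB_SYSCGROUP_SCHED
-sched_get_priority_min QSSB_SYSCGROUP_SCHED
-sched_rr_get_interval QSSB_SYSCGROUP_SCHED
-mlock QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-munlock QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-mlockall QSSB_SYSCGROUP_MEMORY
-munlockall QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-vhangup QSSB_SYSCGROUP_TTY
-modify_ldt QSSB_SYSCGROUP_PROCESS
-pivot_root QSSB_SYSCGROUP_CHROOT
-_sysctl QSSB_SYSCGROUP_SYS
-prctl QSSB_SYSCGROUP_PROCESS
-arch_prctl QSSB_SYSCGROUP_PROCESS
-adjtimex QSSB_SYSCGROUP_CLOCK
-setrlimit QSSB_SYSCGROUP_RES
-chroot QSSB_SYSCGROUP_CHROOT,QSSB_SYSCGROUP_FS
-sync QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-acct QSSB_SYSCGROUP_PROCESS
-settimeofday QSSB_SYSCGROUP_TIME
-mount QSSB_SYSCGROUP_MOUNT,QSSB_SYSCGROUP_FS
-umount2 QSSB_SYSCGROUP_UMOUNT,QSSB_SYSCGROUP_FS
-swapon QSSB_SYSCGROUP_SWAP
-swapoff QSSB_SYSCGROUP_SWAP
-reboot QSSB_SYSCGROUP_POWER
-sethostname QSSB_SYSCGROUP_HOST
-setdomainname QSSB_SYSCGROUP_HOST
-iopl QSSB_SYSCGROUP_IOPL
-ioperm QSSB_SYSCGROUP_IOPL
-create_module QSSB_SYSCGROUP_KMOD
-init_module QSSB_SYSCGROUP_KMOD
-delete_module QSSB_SYSCGROUP_KMOD
-get_kernel_syms QSSB_SYSCGROUP_KMOD
-query_module QSSB_SYSCGROUP_KMOD
-quotactl QSSB_SYSCGROUP_QUOTA
-nfsservctl QSSB_SYSCGROUP_NONE
-getpmsg QSSB_SYSCGROUP_UNIMPLEMENTED
-putpmsg QSSB_SYSCGROUP_UNIMPLEMENTED
-afs_syscall QSSB_SYSCGROUP_UNIMPLEMENTED
-tuxcall QSSB_SYSCGROUP_UNIMPLEMENTED
-security QSSB_SYSCGROUP_UNIMPLEMENTED
-gettid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_THREAD
-readahead QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
-setxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
-lsetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
-fsetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
-getxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-lgetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-fgetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-listxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
-llistxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
-flistxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
-removexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
-lremovexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
-fremovexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
-tkill QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_SIGNAL
-time QSSB_SYSCGROUP_TIME
-futex QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_FUTEX
-sched_setaffinity QSSB_SYSCGROUP_SCHED
-sched_getaffinity QSSB_SYSCGROUP_SCHED
-set_thread_area QSSB_SYSCGROUP_THREAD
-io_setup QSSB_SYSCGROUP_IO
-io_destroy QSSB_SYSCGROUP_IO
-io_getevents QSSB_SYSCGROUP_IO
-io_submit QSSB_SYSCGROUP_IO
-io_cancel QSSB_SYSCGROUP_IO
-get_thread_area QSSB_SYSCGROUP_THREAD
-lookup_dcookie QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FS
-epoll_create QSSB_SYSCGROUP_STDIO
-epoll_ctl_old QSSB_SYSCGROUP_STDIO
-epoll_wait_old QSSB_SYSCGROUP_STDIO
-remap_file_pages QSSB_SYSCGROUP_NONE
-getdents64 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FS
-set_tid_address QSSB_SYSCGROUP_THREAD
-restart_syscall QSSB_SYSCGROUP_SYSCALL
-semtimedop QSSB_SYSCGROUP_SEM
-fadvise64 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FD
-timer_create QSSB_SYSCGROUP_TIMER
-timer_settime QSSB_SYSCGROUP_TIMER
-timer_gettime QSSB_SYSCGROUP_TIMER
-timer_getoverrun QSSB_SYSCGROUP_TIMER
-timer_delete QSSB_SYSCGROUP_TIMER
-clock_settime QSSB_SYSCGROUP_TIME
-clock_gettime QSSB_SYSCGROUP_TIME
-clock_getres QSSB_SYSCGROUP_TIME
-clock_nanosleep QSSB_SYSCGROUP_TIME
-exit_group QSSB_SYSCGROUP_EXIT,QSSB_SYSCGROUP_DEFAULT_ALLOW
-epoll_wait QSSB_SYSCGROUP_FD
-epoll_ctl QSSB_SYSCGROUP_FD
-tgkill QSSB_SYSCGROUP_SIGNAL,QSSB_SYSCGROUP_THREAD
-utimes QSSB_SYSCGROUP_PATH
-vserver QSSB_SYSCGROUP_UNIMPLEMENTED
-mbind QSSB_SYSCGROUP_MEMORY
-set_mempolicy QSSB_SYSCGROUP_MEMORY
-get_mempolicy QSSB_SYSCGROUP_MEMORY
-mq_open QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
-mq_unlink QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
-mq_timedsend QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
-mq_timedreceive QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
-mq_notify QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
-mq_getsetattr QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
-kexec_load QSSB_SYSCGROUP_KEXEC
-waitid QSSB_SYSCGROUP_SIGNAL
-add_key QSSB_SYSCGROUP_KEYS
-request_key QSSB_SYSCGROUP_KEYS
-keyctl QSSB_SYSCGROUP_KEYS
-ioprio_set QSSB_SYSCGROUP_PRIO
-ioprio_get QSSB_SYSCGROUP_PRIO
-inotify_init QSSB_SYSCGROUP_INOTIFY
-inotify_add_watch QSSB_SYSCGROUP_INOTIFY
-inotify_rm_watch QSSB_SYSCGROUP_INOTIFY
-migrate_pages QSSB_SYSCGROUP_PROCESS
-openat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-mkdirat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-mknodat QSSB_SYSCGROUP_DEV,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-fchownat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-futimesat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-newfstatat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-unlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-renameat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-linkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-symlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-readlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-fchmodat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-faccessat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-pselect6 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-ppoll QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
-unshare QSSB_SYSCGROUP_NS,QSSB_SYSCGROUP_FS
-set_robust_list QSSB_SYSCGROUP_FUTEX
-get_robust_list QSSB_SYSCGROUP_FUTEX
-splice QSSB_SYSCGROUP_FD
-tee QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
-sync_file_range QSSB_SYSCGROUP_FD
-vmsplice QSSB_SYSCGROUP_FD
-move_pages QSSB_SYSCGROUP_PROCESS
-utimensat QSSB_SYSCGROUP_PATH
-epoll_pwait QSSB_SYSCGROUP_STDIO
-signalfd QSSB_SYSCGROUP_SIGNAL
-timerfd_create QSSB_SYSCGROUP_TIMER
-eventfd QSSB_SYSCGROUP_FD
-fallocate QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FD
-timerfd_settime QSSB_SYSCGROUP_TIMER
-timerfd_gettime QSSB_SYSCGROUP_TIMER
-accept4 QSSB_SYSCGROUP_SOCKET
-signalfd4 QSSB_SYSCGROUP_FD
-eventfd2 QSSB_SYSCGROUP_FD
-epoll_create1 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
-dup3 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
-pipe2 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
-inotify_init1 QSSB_SYSCGROUP_INOTIFY
-preadv QSSB_SYSCGROUP_STDIO
-pwritev QSSB_SYSCGROUP_STDIO
-rt_tgsigqueueinfo QSSB_SYSCGROUP_RT
-perf_event_open QSSB_SYSCGROUP_PERF
-recvmmsg QSSB_SYSCGROUP_SOCKET
-fanotify_init QSSB_SYSCGROUP_FANOTIFY
-fanotify_mark QSSB_SYSCGROUP_FANOTIFY
-prlimit64 QSSB_SYSCGROUP_RES
-name_to_handle_at QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
-open_by_handle_at QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
-clock_adjtime QSSB_SYSCGROUP_CLOCK
-syncfs QSSB_SYSCGROUP_FD
-sendmmsg QSSB_SYSCGROUP_SOCKET
-setns QSSB_SYSCGROUP_NS
-getcpu QSSB_SYSCGROUP_SCHED
-#maybe IPC, but feels wrong
-process_vm_readv QSSB_SYSCGROUP_NONE
-process_vm_writev QSSB_SYSCGROUP_NONE
-kcmp QSSB_SYSCGROUP_NONE
-finit_module QSSB_SYSCGROUP_KMOD
-sched_setattr QSSB_SYSCGROUP_SCHED
-sched_getattr QSSB_SYSCGROUP_SCHED,QSSB_SYSCGROUP_DEFAULT_ALLOW
-renameat2 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW
-seccomp QSSB_SYSCGROUP_NONE
-getrandom QSSB_SYSCGROUP_DEFAULT_ALLOW
-memfd_create QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
-kexec_file_load QSSB_SYSCGROUP_KEXEC
-bpf QSSB_SYSCGROUP_NONE
-execveat QSSB_SYSCGROUP_EXEC
-userfaultfd QSSB_SYSCGROUP_NONE
-membarrier QSSB_SYSCGROUP_NONE
-mlock2 QSSB_SYSCGROUP_MEMORY
-copy_file_range QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
-preadv2 QSSB_SYSCGROUP_STDIO
-pwritev2 QSSB_SYSCGROUP_STDIO
-#Those are newer than 5.10, wrap them in ifndef so we can compile on old systems
-pkey_mprotect QSSB_SYSCGROUP_PKEY genifndef(329)
-pkey_alloc QSSB_SYSCGROUP_PKEY genifndef(330)
-pkey_free QSSB_SYSCGROUP_PKEY genifndef(331)
-statx QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(332)
-io_pgetevents QSSB_SYSCGROUP_NONE genifndef(333)
-rseq QSSB_SYSCGROUP_THREAD genifndef(334)
-pidfd_send_signal QSSB_SYSCGROUP_PIDFD genifndef(424)
-io_uring_setup QSSB_SYSCGROUP_IOURING genifndef(425)
-io_uring_enter QSSB_SYSCGROUP_IOURING genifndef(426)
-io_uring_register QSSB_SYSCGROUP_IOURING genifndef(427)
-open_tree QSSB_SYSCGROUP_NEWMOUNT genifndef(428)
-move_mount QSSB_SYSCGROUP_NEWMOUNT genifndef(429)
-fsopen QSSB_SYSCGROUP_NEWMOUNT genifndef(430)
-fsconfig QSSB_SYSCGROUP_NEWMOUNT genifndef(431)
-fsmount QSSB_SYSCGROUP_NEWMOUNT genifndef(432)
-fspick QSSB_SYSCGROUP_NEWMOUNT genifndef(433)
-pidfd_open QSSB_SYSCGROUP_PIDFD genifndef(434)
-clone3 QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(435)
-close_range QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(436)
-openat2 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(437)
-pidfd_getfd QSSB_SYSCGROUP_PIDFD genifndef(438)
-faccessat2 QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(439)
-process_madvise QSSB_SYSCGROUP_MEMORY genifndef(440)
-epoll_pwait2 QSSB_SYSCGROUP_STDIO genifndef(441)
-mount_setattr QSSB_SYSCGROUP_NONE genifndef(442)
-quotactl_fd QSSB_SYSCGROUP_QUOTA genifndef(443)
-landlock_create_ruleset QSSB_SYSCGROUP_LANDLOCK genifndef(444)
-landlock_add_rule QSSB_SYSCGROUP_LANDLOCK genifndef(445)
-landlock_restrict_self QSSB_SYSCGROUP_LANDLOCK genifndef(446)
-memfd_secret QSSB_SYSCGROUP_NONE genifndef(447)
-process_mrelease QSSB_SYSCGROUP_NONE genifndef(448)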
621
qssb.h
621
qssb.h
@ -60,10 +60,12 @@
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
#if defined(__x86_64__)
|
#if defined(__i386__)
|
||||||
|
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
|
||||||
|
#elif defined(__x86_64__)
|
||||||
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
|
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
|
||||||
#else
|
#else
|
||||||
#error Seccomp support has not been tested for qssb.h for this platform yet
|
#warning Seccomp support has not been tested for qssb.h for this platform yet
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#define SYSCALL(nr, jt) \
|
#define SYSCALL(nr, jt) \
|
||||||
@ -82,7 +84,7 @@
|
|||||||
#define QSSB_TEMP_DIR "/tmp"
|
#define QSSB_TEMP_DIR "/tmp"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#define QSSB_SYS(x) __NR_##x
|
#define QSSB_SYS(x) (__NR_##x)
|
||||||
|
|
||||||
#define QSSB_FS_ALLOW_READ 1<<0
|
#define QSSB_FS_ALLOW_READ 1<<0
|
||||||
#define QSSB_FS_ALLOW_WRITE (1<<1)
|
#define QSSB_FS_ALLOW_WRITE (1<<1)
|
||||||
@ -134,534 +136,53 @@ static inline int landlock_restrict_self(const int ruleset_fd,
|
|||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(__x86_64__)
|
/* Most exploits have more need for those syscalls than the
|
||||||
#ifndef __NR_pkey_mprotect
|
* exploited programs. In cases they are needed, this list should be
|
||||||
#define __NR_pkey_mprotect 329
|
* filtered or simply not used.
|
||||||
#endif
|
*/
|
||||||
#ifndef __NR_pkey_alloc
|
/* TODO: more execv* in some architectures */
|
||||||
#define __NR_pkey_alloc 330
|
/* TODO: add more */
|
||||||
#endif
|
static long default_blacklisted_syscalls[] = {
|
||||||
#ifndef __NR_pkey_free
|
QSSB_SYS(setuid),
|
||||||
#define __NR_pkey_free 331
|
QSSB_SYS(setgid),
|
||||||
#endif
|
QSSB_SYS(chroot),
|
||||||
#ifndef __NR_statx
|
QSSB_SYS(pivot_root),
|
||||||
#define __NR_statx 332
|
QSSB_SYS(mount),
|
||||||
#endif
|
QSSB_SYS(setns),
|
||||||
#ifndef __NR_io_pgetevents
|
QSSB_SYS(unshare),
|
||||||
#define __NR_io_pgetevents 333
|
QSSB_SYS(ptrace),
|
||||||
#endif
|
QSSB_SYS(personality),
|
||||||
#ifndef __NR_rseq
|
QSSB_SYS(execve),
|
||||||
#define __NR_rseq 334
|
QSSB_SYS(process_vm_readv),
|
||||||
#endif
|
QSSB_SYS(process_vm_writev),
|
||||||
#ifndef __NR_pidfd_send_signal
|
QSSB_SYS(userfaultfd),
|
||||||
#define __NR_pidfd_send_signal 424
|
QSSB_SYS(init_module),
|
||||||
#endif
|
QSSB_SYS(finit_module),
|
||||||
#ifndef __NR_io_uring_setup
|
QSSB_SYS(delete_module),
|
||||||
#define __NR_io_uring_setup 425
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_io_uring_enter
|
|
||||||
#define __NR_io_uring_enter 426
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_io_uring_register
|
|
||||||
#define __NR_io_uring_register 427
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_open_tree
|
|
||||||
#define __NR_open_tree 428
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_move_mount
|
|
||||||
#define __NR_move_mount 429
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_fsopen
|
|
||||||
#define __NR_fsopen 430
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_fsconfig
|
|
||||||
#define __NR_fsconfig 431
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_fsmount
|
|
||||||
#define __NR_fsmount 432
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_fspick
|
|
||||||
#define __NR_fspick 433
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_pidfd_open
|
|
||||||
#define __NR_pidfd_open 434
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_clone3
|
|
||||||
#define __NR_clone3 435
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_close_range
|
|
||||||
#define __NR_close_range 436
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_openat2
|
|
||||||
#define __NR_openat2 437
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_pidfd_getfd
|
|
||||||
#define __NR_pidfd_getfd 438
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_faccessat2
|
|
||||||
#define __NR_faccessat2 439
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_process_madvise
|
|
||||||
#define __NR_process_madvise 440
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_epoll_pwait2
|
|
||||||
#define __NR_epoll_pwait2 441
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_mount_setattr
|
|
||||||
#define __NR_mount_setattr 442
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_quotactl_fd
|
|
||||||
#define __NR_quotactl_fd 443
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_landlock_create_ruleset
|
|
||||||
#define __NR_landlock_create_ruleset 444
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_landlock_add_rule
|
|
||||||
#define __NR_landlock_add_rule 445
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_landlock_restrict_self
|
|
||||||
#define __NR_landlock_restrict_self 446
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_memfd_secret
|
|
||||||
#define __NR_memfd_secret 447
|
|
||||||
#endif
|
|
||||||
#ifndef __NR_process_mrelease
|
|
||||||
#define __NR_process_mrelease 448
|
|
||||||
#endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#define QSSB_SYSCGROUP_CHROOT ((uint64_t)1<<0)
|
|
||||||
#define QSSB_SYSCGROUP_CLOCK ((uint64_t)1<<1)
|
|
||||||
#define QSSB_SYSCGROUP_CLONE ((uint64_t)1<<2)
|
|
||||||
#define QSSB_SYSCGROUP_DEFAULT_ALLOW ((uint64_t)1<<3)
|
|
||||||
#define QSSB_SYSCGROUP_DEV ((uint64_t)1<<4)
|
|
||||||
#define QSSB_SYSCGROUP_EXEC ((uint64_t)1<<5)
|
|
||||||
#define QSSB_SYSCGROUP_EXIT ((uint64_t)1<<6)
|
|
||||||
#define QSSB_SYSCGROUP_FANOTIFY ((uint64_t)1<<7)
|
|
||||||
#define QSSB_SYSCGROUP_FD ((uint64_t)1<<8)
|
|
||||||
#define QSSB_SYSCGROUP_FS ((uint64_t)1<<9)
|
|
||||||
#define QSSB_SYSCGROUP_FUTEX ((uint64_t)1<<10)
|
|
||||||
#define QSSB_SYSCGROUP_HOST ((uint64_t)1<<11)
|
|
||||||
#define QSSB_SYSCGROUP_ID ((uint64_t)1<<12)
|
|
||||||
#define QSSB_SYSCGROUP_INOTIFY ((uint64_t)1<<13)
|
|
||||||
#define QSSB_SYSCGROUP_IO ((uint64_t)1<<14)
|
|
||||||
#define QSSB_SYSCGROUP_IOCTL ((uint64_t)1<<15)
|
|
||||||
#define QSSB_SYSCGROUP_IOPL ((uint64_t)1<<16)
|
|
||||||
#define QSSB_SYSCGROUP_IOURING ((uint64_t)1<<17)
|
|
||||||
#define QSSB_SYSCGROUP_IPC ((uint64_t)1<<18)
|
|
||||||
#define QSSB_SYSCGROUP_KEXEC ((uint64_t)1<<19)
|
|
||||||
#define QSSB_SYSCGROUP_KEYS ((uint64_t)1<<20)
|
|
||||||
#define QSSB_SYSCGROUP_KILL ((uint64_t)1<<21)
|
|
||||||
#define QSSB_SYSCGROUP_KMOD ((uint64_t)1<<22)
|
|
||||||
#define QSSB_SYSCGROUP_LANDLOCK ((uint64_t)1<<23)
|
|
||||||
#define QSSB_SYSCGROUP_LIB ((uint64_t)1<<24)
|
|
||||||
#define QSSB_SYSCGROUP_MEMORY ((uint64_t)1<<25)
|
|
||||||
#define QSSB_SYSCGROUP_MOUNT ((uint64_t)1<<26)
|
|
||||||
#define QSSB_SYSCGROUP_MQ ((uint64_t)1<<27)
|
|
||||||
#define QSSB_SYSCGROUP_NEWMOUNT ((uint64_t)1<<28)
|
|
||||||
#define QSSB_SYSCGROUP_NONE ((uint64_t)1<<29)
|
|
||||||
#define QSSB_SYSCGROUP_NS ((uint64_t)1<<30)
|
|
||||||
#define QSSB_SYSCGROUP_PATH ((uint64_t)1<<31)
|
|
||||||
#define QSSB_SYSCGROUP_PAUSE ((uint64_t)1<<32)
|
|
||||||
#define QSSB_SYSCGROUP_PERF ((uint64_t)1<<33)
|
|
||||||
#define QSSB_SYSCGROUP_PERMS ((uint64_t)1<<34)
|
|
||||||
#define QSSB_SYSCGROUP_PIDFD ((uint64_t)1<<35)
|
|
||||||
#define QSSB_SYSCGROUP_PKEY ((uint64_t)1<<36)
|
|
||||||
#define QSSB_SYSCGROUP_POWER ((uint64_t)1<<37)
|
|
||||||
#define QSSB_SYSCGROUP_PRIO ((uint64_t)1<<38)
|
|
||||||
#define QSSB_SYSCGROUP_PROCESS ((uint64_t)1<<39)
|
|
||||||
#define QSSB_SYSCGROUP_PTRACE ((uint64_t)1<<40)
|
|
||||||
#define QSSB_SYSCGROUP_QUOTA ((uint64_t)1<<41)
|
|
||||||
#define QSSB_SYSCGROUP_RES ((uint64_t)1<<42)
|
|
||||||
#define QSSB_SYSCGROUP_RT ((uint64_t)1<<43)
|
|
||||||
#define QSSB_SYSCGROUP_SCHED ((uint64_t)1<<44)
|
|
||||||
#define QSSB_SYSCGROUP_SEM ((uint64_t)1<<45)
|
|
||||||
#define QSSB_SYSCGROUP_SHM ((uint64_t)1<<46)
|
|
||||||
#define QSSB_SYSCGROUP_SIGNAL ((uint64_t)1<<47)
|
|
||||||
#define QSSB_SYSCGROUP_SOCKET ((uint64_t)1<<48)
|
|
||||||
#define QSSB_SYSCGROUP_STAT ((uint64_t)1<<49)
|
|
||||||
#define QSSB_SYSCGROUP_STDIO ((uint64_t)1<<50)
|
|
||||||
#define QSSB_SYSCGROUP_SWAP ((uint64_t)1<<51)
|
|
||||||
#define QSSB_SYSCGROUP_SYS ((uint64_t)1<<52)
|
|
||||||
#define QSSB_SYSCGROUP_SYSCALL ((uint64_t)1<<53)
|
|
||||||
#define QSSB_SYSCGROUP_THREAD ((uint64_t)1<<54)
|
|
||||||
#define QSSB_SYSCGROUP_TIME ((uint64_t)1<<55)
|
|
||||||
#define QSSB_SYSCGROUP_TIMER ((uint64_t)1<<56)
|
|
||||||
#define QSSB_SYSCGROUP_TTY ((uint64_t)1<<57)
|
|
||||||
#define QSSB_SYSCGROUP_UMOUNT ((uint64_t)1<<58)
|
|
||||||
#define QSSB_SYSCGROUP_UNIMPLEMENTED ((uint64_t)1<<59)
|
|
||||||
#define QSSB_SYSCGROUP_XATTR ((uint64_t)1<<60)
|
|
||||||
|
|
||||||
struct syscall_group_map
|
|
||||||
{
|
|
||||||
long syscall;
|
|
||||||
uint64_t groupmask;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
struct syscall_group_map sc_group_map[] = {
|
/* TODO: Check for completion
|
||||||
{QSSB_SYS(read), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
* Known blacklisting problem (catch up game, etc.)
|
||||||
{QSSB_SYS(write), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
*
|
||||||
{QSSB_SYS(open), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
* However, we use it to enhance "no_fs" policy, which does not solely rely
|
||||||
{QSSB_SYS(close), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
* on seccomp anyway */
|
||||||
{QSSB_SYS(stat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
static long fs_access_syscalls[] = {
|
||||||
{QSSB_SYS(fstat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
QSSB_SYS(chdir),
|
||||||
{QSSB_SYS(lstat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
QSSB_SYS(truncate),
|
||||||
{QSSB_SYS(poll), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(stat),
|
||||||
{QSSB_SYS(lseek), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(flock),
|
||||||
{QSSB_SYS(mmap), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(chmod),
|
||||||
{QSSB_SYS(mprotect), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(chown),
|
||||||
{QSSB_SYS(munmap), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(setxattr),
|
||||||
{QSSB_SYS(brk), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(utime),
|
||||||
{QSSB_SYS(rt_sigaction), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(ioctl),
|
||||||
{QSSB_SYS(rt_sigprocmask), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(fcntl),
|
||||||
{QSSB_SYS(rt_sigreturn), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(access),
|
||||||
{QSSB_SYS(ioctl), QSSB_SYSCGROUP_IOCTL|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(open),
|
||||||
{QSSB_SYS(pread64), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(openat),
|
||||||
{QSSB_SYS(pwrite64), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
QSSB_SYS(unlink),
|
||||||
{QSSB_SYS(readv), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(writev), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(access), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(pipe), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(select), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(sched_yield), QSSB_SYSCGROUP_SCHED|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(mremap), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(msync), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(mincore), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(madvise), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(shmget), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(shmat), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(shmctl), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(dup), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(dup2), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(pause), QSSB_SYSCGROUP_PAUSE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(nanosleep), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(getitimer), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(alarm), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(setitimer), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(getpid), QSSB_SYSCGROUP_PROCESS|QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(sendfile), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(socket), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(connect), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(accept), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(sendto), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(recvfrom), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(sendmsg), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(recvmsg), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(shutdown), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(bind), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(listen), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(getsockname), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(getpeername), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(socketpair), QSSB_SYSCGROUP_SOCKET|QSSB_SYSCGROUP_IPC},
|
|
||||||
{QSSB_SYS(setsockopt), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(getsockopt), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(clone), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(fork), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(vfork), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(execve), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_EXEC},
|
|
||||||
{QSSB_SYS(exit), QSSB_SYSCGROUP_PROCESS|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(wait4), QSSB_SYSCGROUP_EXEC},
|
|
||||||
{QSSB_SYS(kill), QSSB_SYSCGROUP_KILL},
|
|
||||||
{QSSB_SYS(uname), QSSB_SYSCGROUP_SYS|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(semget), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(semop), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(semctl), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(shmdt), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(msgget), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(msgsnd), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(msgrcv), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(msgctl), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(fcntl), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(flock), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(fsync), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(fdatasync), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(truncate), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(ftruncate), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(getdents), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(getcwd), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(chdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(fchdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(rename), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(mkdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(rmdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(creat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(link), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(unlink), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(symlink), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(readlink), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(chmod), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(fchmod), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(chown), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(fchown), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(lchown), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(umask), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(gettimeofday), QSSB_SYSCGROUP_TIME|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(getrlimit), QSSB_SYSCGROUP_RES|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(getrusage), QSSB_SYSCGROUP_RES|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(sysinfo), QSSB_SYSCGROUP_SYS|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(times), QSSB_SYSCGROUP_TIME|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(ptrace), QSSB_SYSCGROUP_PTRACE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(getuid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(syslog), QSSB_SYSCGROUP_SYS},
|
|
||||||
{QSSB_SYS(getgid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(setuid), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(setgid), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(geteuid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(getegid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(setpgid), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(getppid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(getpgrp), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(setsid), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(setreuid), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(setregid), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(getgroups), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(setgroups), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(setresuid), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(getresuid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(setresgid), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(getresgid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(getpgid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(setfsuid), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(setfsgid), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(getsid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(capget), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(capset), QSSB_SYSCGROUP_ID},
|
|
||||||
{QSSB_SYS(rt_sigpending), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(rt_sigtimedwait), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(rt_sigqueueinfo), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(rt_sigsuspend), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(sigaltstack), QSSB_SYSCGROUP_THREAD|QSSB_SYSCGROUP_SIGNAL},
|
|
||||||
{QSSB_SYS(utime), QSSB_SYSCGROUP_TIME|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(mknod), QSSB_SYSCGROUP_DEV|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(uselib), QSSB_SYSCGROUP_LIB|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(personality), QSSB_SYSCGROUP_PROCESS},
|
|
||||||
{QSSB_SYS(ustat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(statfs), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(fstatfs), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(sysfs), QSSB_SYSCGROUP_SYS|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(getpriority), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(setpriority), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(sched_setparam), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(sched_getparam), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(sched_setscheduler), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(sched_getscheduler), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(sched_get_priority_max), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(sched_get_priority_min), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(sched_rr_get_interval), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(mlock), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(munlock), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(mlockall), QSSB_SYSCGROUP_MEMORY},
|
|
||||||
{QSSB_SYS(munlockall), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(vhangup), QSSB_SYSCGROUP_TTY},
|
|
||||||
{QSSB_SYS(modify_ldt), QSSB_SYSCGROUP_PROCESS},
|
|
||||||
{QSSB_SYS(pivot_root), QSSB_SYSCGROUP_CHROOT},
|
|
||||||
{QSSB_SYS(_sysctl), QSSB_SYSCGROUP_SYS},
|
|
||||||
{QSSB_SYS(prctl), QSSB_SYSCGROUP_PROCESS},
|
|
||||||
{QSSB_SYS(arch_prctl), QSSB_SYSCGROUP_PROCESS},
|
|
||||||
{QSSB_SYS(adjtimex), QSSB_SYSCGROUP_CLOCK},
|
|
||||||
{QSSB_SYS(setrlimit), QSSB_SYSCGROUP_RES},
|
|
||||||
{QSSB_SYS(chroot), QSSB_SYSCGROUP_CHROOT|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(sync), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(acct), QSSB_SYSCGROUP_PROCESS},
|
|
||||||
{QSSB_SYS(settimeofday), QSSB_SYSCGROUP_TIME},
|
|
||||||
{QSSB_SYS(mount), QSSB_SYSCGROUP_MOUNT|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(umount2), QSSB_SYSCGROUP_UMOUNT|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(swapon), QSSB_SYSCGROUP_SWAP},
|
|
||||||
{QSSB_SYS(swapoff), QSSB_SYSCGROUP_SWAP},
|
|
||||||
{QSSB_SYS(reboot), QSSB_SYSCGROUP_POWER},
|
|
||||||
{QSSB_SYS(sethostname), QSSB_SYSCGROUP_HOST},
|
|
||||||
{QSSB_SYS(setdomainname), QSSB_SYSCGROUP_HOST},
|
|
||||||
{QSSB_SYS(iopl), QSSB_SYSCGROUP_IOPL},
|
|
||||||
{QSSB_SYS(ioperm), QSSB_SYSCGROUP_IOPL},
|
|
||||||
{QSSB_SYS(create_module), QSSB_SYSCGROUP_KMOD},
|
|
||||||
{QSSB_SYS(init_module), QSSB_SYSCGROUP_KMOD},
|
|
||||||
{QSSB_SYS(delete_module), QSSB_SYSCGROUP_KMOD},
|
|
||||||
{QSSB_SYS(get_kernel_syms), QSSB_SYSCGROUP_KMOD},
|
|
||||||
{QSSB_SYS(query_module), QSSB_SYSCGROUP_KMOD},
|
|
||||||
{QSSB_SYS(quotactl), QSSB_SYSCGROUP_QUOTA},
|
|
||||||
{QSSB_SYS(nfsservctl), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(getpmsg), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
|
||||||
{QSSB_SYS(putpmsg), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
|
||||||
{QSSB_SYS(afs_syscall), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
|
||||||
{QSSB_SYS(tuxcall), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
|
||||||
{QSSB_SYS(security), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
|
||||||
{QSSB_SYS(gettid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_THREAD},
|
|
||||||
{QSSB_SYS(readahead), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(setxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(lsetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(fsetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(getxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(lgetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(fgetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(listxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(llistxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(flistxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(removexattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(lremovexattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(fremovexattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(tkill), QSSB_SYSCGROUP_THREAD|QSSB_SYSCGROUP_SIGNAL},
|
|
||||||
{QSSB_SYS(time), QSSB_SYSCGROUP_TIME},
|
|
||||||
{QSSB_SYS(futex), QSSB_SYSCGROUP_THREAD|QSSB_SYSCGROUP_FUTEX},
|
|
||||||
{QSSB_SYS(sched_setaffinity), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(sched_getaffinity), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(set_thread_area), QSSB_SYSCGROUP_THREAD},
|
|
||||||
{QSSB_SYS(io_setup), QSSB_SYSCGROUP_IO},
|
|
||||||
{QSSB_SYS(io_destroy), QSSB_SYSCGROUP_IO},
|
|
||||||
{QSSB_SYS(io_getevents), QSSB_SYSCGROUP_IO},
|
|
||||||
{QSSB_SYS(io_submit), QSSB_SYSCGROUP_IO},
|
|
||||||
{QSSB_SYS(io_cancel), QSSB_SYSCGROUP_IO},
|
|
||||||
{QSSB_SYS(get_thread_area), QSSB_SYSCGROUP_THREAD},
|
|
||||||
{QSSB_SYS(lookup_dcookie), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(epoll_create), QSSB_SYSCGROUP_STDIO},
|
|
||||||
{QSSB_SYS(epoll_ctl_old), QSSB_SYSCGROUP_STDIO},
|
|
||||||
{QSSB_SYS(epoll_wait_old), QSSB_SYSCGROUP_STDIO},
|
|
||||||
{QSSB_SYS(remap_file_pages), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(getdents64), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(set_tid_address), QSSB_SYSCGROUP_THREAD},
|
|
||||||
{QSSB_SYS(restart_syscall), QSSB_SYSCGROUP_SYSCALL},
|
|
||||||
{QSSB_SYS(semtimedop), QSSB_SYSCGROUP_SEM},
|
|
||||||
{QSSB_SYS(fadvise64), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(timer_create), QSSB_SYSCGROUP_TIMER},
|
|
||||||
{QSSB_SYS(timer_settime), QSSB_SYSCGROUP_TIMER},
|
|
||||||
{QSSB_SYS(timer_gettime), QSSB_SYSCGROUP_TIMER},
|
|
||||||
{QSSB_SYS(timer_getoverrun), QSSB_SYSCGROUP_TIMER},
|
|
||||||
{QSSB_SYS(timer_delete), QSSB_SYSCGROUP_TIMER},
|
|
||||||
{QSSB_SYS(clock_settime), QSSB_SYSCGROUP_TIME},
|
|
||||||
{QSSB_SYS(clock_gettime), QSSB_SYSCGROUP_TIME},
|
|
||||||
{QSSB_SYS(clock_getres), QSSB_SYSCGROUP_TIME},
|
|
||||||
{QSSB_SYS(clock_nanosleep), QSSB_SYSCGROUP_TIME},
|
|
||||||
{QSSB_SYS(exit_group), QSSB_SYSCGROUP_EXIT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(epoll_wait), QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(epoll_ctl), QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(tgkill), QSSB_SYSCGROUP_SIGNAL|QSSB_SYSCGROUP_THREAD},
|
|
||||||
{QSSB_SYS(utimes), QSSB_SYSCGROUP_PATH},
|
|
||||||
{QSSB_SYS(vserver), QSSB_SYSCGROUP_UNIMPLEMENTED},
|
|
||||||
{QSSB_SYS(mbind), QSSB_SYSCGROUP_MEMORY},
|
|
||||||
{QSSB_SYS(set_mempolicy), QSSB_SYSCGROUP_MEMORY},
|
|
||||||
{QSSB_SYS(get_mempolicy), QSSB_SYSCGROUP_MEMORY},
|
|
||||||
{QSSB_SYS(mq_open), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
|
||||||
{QSSB_SYS(mq_unlink), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
|
||||||
{QSSB_SYS(mq_timedsend), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
|
||||||
{QSSB_SYS(mq_timedreceive), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
|
||||||
{QSSB_SYS(mq_notify), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
|
||||||
{QSSB_SYS(mq_getsetattr), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC},
|
|
||||||
{QSSB_SYS(kexec_load), QSSB_SYSCGROUP_KEXEC},
|
|
||||||
{QSSB_SYS(waitid), QSSB_SYSCGROUP_SIGNAL},
|
|
||||||
{QSSB_SYS(add_key), QSSB_SYSCGROUP_KEYS},
|
|
||||||
{QSSB_SYS(request_key), QSSB_SYSCGROUP_KEYS},
|
|
||||||
{QSSB_SYS(keyctl), QSSB_SYSCGROUP_KEYS},
|
|
||||||
{QSSB_SYS(ioprio_set), QSSB_SYSCGROUP_PRIO},
|
|
||||||
{QSSB_SYS(ioprio_get), QSSB_SYSCGROUP_PRIO},
|
|
||||||
{QSSB_SYS(inotify_init), QSSB_SYSCGROUP_INOTIFY},
|
|
||||||
{QSSB_SYS(inotify_add_watch), QSSB_SYSCGROUP_INOTIFY},
|
|
||||||
{QSSB_SYS(inotify_rm_watch), QSSB_SYSCGROUP_INOTIFY},
|
|
||||||
{QSSB_SYS(migrate_pages), QSSB_SYSCGROUP_PROCESS},
|
|
||||||
{QSSB_SYS(openat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(mkdirat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(mknodat), QSSB_SYSCGROUP_DEV|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(fchownat), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(futimesat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(newfstatat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(unlinkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(renameat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(linkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(symlinkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(readlinkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(fchmodat), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(faccessat), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(pselect6), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(ppoll), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(unshare), QSSB_SYSCGROUP_NS|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(set_robust_list), QSSB_SYSCGROUP_FUTEX},
|
|
||||||
{QSSB_SYS(get_robust_list), QSSB_SYSCGROUP_FUTEX},
|
|
||||||
{QSSB_SYS(splice), QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(tee), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(sync_file_range), QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(vmsplice), QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(move_pages), QSSB_SYSCGROUP_PROCESS},
|
|
||||||
{QSSB_SYS(utimensat), QSSB_SYSCGROUP_PATH},
|
|
||||||
{QSSB_SYS(epoll_pwait), QSSB_SYSCGROUP_STDIO},
|
|
||||||
{QSSB_SYS(signalfd), QSSB_SYSCGROUP_SIGNAL},
|
|
||||||
{QSSB_SYS(timerfd_create), QSSB_SYSCGROUP_TIMER},
|
|
||||||
{QSSB_SYS(eventfd), QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(fallocate), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(timerfd_settime), QSSB_SYSCGROUP_TIMER},
|
|
||||||
{QSSB_SYS(timerfd_gettime), QSSB_SYSCGROUP_TIMER},
|
|
||||||
{QSSB_SYS(accept4), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(signalfd4), QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(eventfd2), QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(epoll_create1), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(dup3), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(pipe2), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(inotify_init1), QSSB_SYSCGROUP_INOTIFY},
|
|
||||||
{QSSB_SYS(preadv), QSSB_SYSCGROUP_STDIO},
|
|
||||||
{QSSB_SYS(pwritev), QSSB_SYSCGROUP_STDIO},
|
|
||||||
{QSSB_SYS(rt_tgsigqueueinfo), QSSB_SYSCGROUP_RT},
|
|
||||||
{QSSB_SYS(perf_event_open), QSSB_SYSCGROUP_PERF},
|
|
||||||
{QSSB_SYS(recvmmsg), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(fanotify_init), QSSB_SYSCGROUP_FANOTIFY},
|
|
||||||
{QSSB_SYS(fanotify_mark), QSSB_SYSCGROUP_FANOTIFY},
|
|
||||||
{QSSB_SYS(prlimit64), QSSB_SYSCGROUP_RES},
|
|
||||||
{QSSB_SYS(name_to_handle_at), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(open_by_handle_at), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_FS},
|
|
||||||
{QSSB_SYS(clock_adjtime), QSSB_SYSCGROUP_CLOCK},
|
|
||||||
{QSSB_SYS(syncfs), QSSB_SYSCGROUP_FD},
|
|
||||||
{QSSB_SYS(sendmmsg), QSSB_SYSCGROUP_SOCKET},
|
|
||||||
{QSSB_SYS(setns), QSSB_SYSCGROUP_NS},
|
|
||||||
{QSSB_SYS(getcpu), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(process_vm_readv), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(process_vm_writev), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(kcmp), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(finit_module), QSSB_SYSCGROUP_KMOD},
|
|
||||||
{QSSB_SYS(sched_setattr), QSSB_SYSCGROUP_SCHED},
|
|
||||||
{QSSB_SYS(sched_getattr), QSSB_SYSCGROUP_SCHED|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(renameat2), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(seccomp), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(getrandom), QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(memfd_create), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(kexec_file_load), QSSB_SYSCGROUP_KEXEC},
|
|
||||||
{QSSB_SYS(bpf), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(execveat), QSSB_SYSCGROUP_EXEC},
|
|
||||||
{QSSB_SYS(userfaultfd), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(membarrier), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(mlock2), QSSB_SYSCGROUP_MEMORY},
|
|
||||||
{QSSB_SYS(copy_file_range), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(preadv2), QSSB_SYSCGROUP_STDIO},
|
|
||||||
{QSSB_SYS(pwritev2), QSSB_SYSCGROUP_STDIO},
|
|
||||||
{QSSB_SYS(pkey_mprotect), QSSB_SYSCGROUP_PKEY},
|
|
||||||
{QSSB_SYS(pkey_alloc), QSSB_SYSCGROUP_PKEY},
|
|
||||||
{QSSB_SYS(pkey_free), QSSB_SYSCGROUP_PKEY},
|
|
||||||
{QSSB_SYS(statx), QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(io_pgetevents), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(rseq), QSSB_SYSCGROUP_THREAD},
|
|
||||||
{QSSB_SYS(pidfd_send_signal), QSSB_SYSCGROUP_PIDFD},
|
|
||||||
{QSSB_SYS(io_uring_setup), QSSB_SYSCGROUP_IOURING},
|
|
||||||
{QSSB_SYS(io_uring_enter), QSSB_SYSCGROUP_IOURING},
|
|
||||||
{QSSB_SYS(io_uring_register), QSSB_SYSCGROUP_IOURING},
|
|
||||||
{QSSB_SYS(open_tree), QSSB_SYSCGROUP_NEWMOUNT},
|
|
||||||
{QSSB_SYS(move_mount), QSSB_SYSCGROUP_NEWMOUNT},
|
|
||||||
{QSSB_SYS(fsopen), QSSB_SYSCGROUP_NEWMOUNT},
|
|
||||||
{QSSB_SYS(fsconfig), QSSB_SYSCGROUP_NEWMOUNT},
|
|
||||||
{QSSB_SYS(fsmount), QSSB_SYSCGROUP_NEWMOUNT},
|
|
||||||
{QSSB_SYS(fspick), QSSB_SYSCGROUP_NEWMOUNT},
|
|
||||||
{QSSB_SYS(pidfd_open), QSSB_SYSCGROUP_PIDFD},
|
|
||||||
{QSSB_SYS(clone3), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(close_range), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(openat2), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(pidfd_getfd), QSSB_SYSCGROUP_PIDFD},
|
|
||||||
{QSSB_SYS(faccessat2), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW},
|
|
||||||
{QSSB_SYS(process_madvise), QSSB_SYSCGROUP_MEMORY},
|
|
||||||
{QSSB_SYS(epoll_pwait2), QSSB_SYSCGROUP_STDIO},
|
|
||||||
{QSSB_SYS(mount_setattr), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(quotactl_fd), QSSB_SYSCGROUP_QUOTA},
|
|
||||||
{QSSB_SYS(landlock_create_ruleset), QSSB_SYSCGROUP_LANDLOCK},
|
|
||||||
{QSSB_SYS(landlock_add_rule), QSSB_SYSCGROUP_LANDLOCK},
|
|
||||||
{QSSB_SYS(landlock_restrict_self), QSSB_SYSCGROUP_LANDLOCK},
|
|
||||||
{QSSB_SYS(memfd_secret), QSSB_SYSCGROUP_NONE},
|
|
||||||
{QSSB_SYS(process_mrelease), QSSB_SYSCGROUP_NONE}
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
struct qssb_path_policy
|
struct qssb_path_policy
|
||||||
{
|
{
|
||||||
const char *path;
|
const char *path;
|
||||||
@ -796,7 +317,6 @@ int qssb_append_syscalls_policy(struct qssb_policy *qssb_policy, unsigned int sy
|
|||||||
int ret = qssb_append_syscall(&newpolicy->syscall, syscalls, n);
|
int ret = qssb_append_syscall(&newpolicy->syscall, syscalls, n);
|
||||||
if(ret != 0)
|
if(ret != 0)
|
||||||
{
|
{
|
||||||
free(newpolicy);
|
|
||||||
QSSB_LOG_ERROR("Failed to append syscall\n");
|
QSSB_LOG_ERROR("Failed to append syscall\n");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@ -821,41 +341,6 @@ int qssb_append_syscall_default_policy(struct qssb_policy *qssb_policy, unsigned
|
|||||||
return qssb_append_syscall_policy(qssb_policy, default_policy, QSSB_SYSCALL_MATCH_ALL);
|
return qssb_append_syscall_policy(qssb_policy, default_policy, QSSB_SYSCALL_MATCH_ALL);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void get_group_syscalls(uint64_t mask, long *syscalls, size_t *n)
|
|
||||||
{
|
|
||||||
size_t count = 0;
|
|
||||||
for(unsigned long i = 0; i < sizeof(sc_group_map)/sizeof(sc_group_map[0]); i++)
|
|
||||||
{
|
|
||||||
struct syscall_group_map *current = &sc_group_map[i];
|
|
||||||
if(current->groupmask & mask)
|
|
||||||
{
|
|
||||||
syscalls[count] = current->syscall;
|
|
||||||
++count;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
*n = count;
|
|
||||||
}
|
|
||||||
|
|
||||||
int qssb_append_group_syscall_policy(struct qssb_policy *qssb_policy, unsigned int syscall_policy, uint64_t groupmask)
|
|
||||||
{
|
|
||||||
long syscalls[400] = { 0 };
|
|
||||||
size_t n = 0;
|
|
||||||
|
|
||||||
if(groupmask & QSSB_SYSCGROUP_NONE)
|
|
||||||
{
|
|
||||||
QSSB_LOG_ERROR("Error: 'None' is an illegal group name\n");
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
get_group_syscalls(groupmask, syscalls, &n);
|
|
||||||
if(n == 0)
|
|
||||||
{
|
|
||||||
QSSB_LOG_ERROR("Error: No syscalls found for group mask\n");
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
return qssb_append_syscalls_policy(qssb_policy, syscall_policy, syscalls, n);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Creates the default policy
|
/* Creates the default policy
|
||||||
* Must be freed using qssb_free_policy
|
* Must be freed using qssb_free_policy
|
||||||
* @returns: default policy */
|
* @returns: default policy */
|
||||||
@ -1296,6 +781,7 @@ static int qssb_enable_syscall_policy(struct qssb_policy *policy)
|
|||||||
long *syscalls = NULL;
|
long *syscalls = NULL;
|
||||||
size_t n = 0;
|
size_t n = 0;
|
||||||
get_syscall_array(current_policy, &syscalls, &n);
|
get_syscall_array(current_policy, &syscalls, &n);
|
||||||
|
|
||||||
unsigned short int newsize;
|
unsigned short int newsize;
|
||||||
if(__builtin_add_overflow(current_filter_index, n, &newsize))
|
if(__builtin_add_overflow(current_filter_index, n, &newsize))
|
||||||
{
|
{
|
||||||
@ -1569,7 +1055,8 @@ static int enable_no_fs(struct qssb_policy *policy)
|
|||||||
}
|
}
|
||||||
|
|
||||||
//TODO: we don't have to do this if there whitelisted policies, in that case we will be behind the default deny anyway
|
//TODO: we don't have to do this if there whitelisted policies, in that case we will be behind the default deny anyway
|
||||||
int ret = qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYSCGROUP_FS);
|
size_t fs_access_syscalls_count = sizeof(fs_access_syscalls)/sizeof(fs_access_syscalls[0]);
|
||||||
|
int ret = qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, fs_access_syscalls, fs_access_syscalls_count);
|
||||||
if(ret != 0)
|
if(ret != 0)
|
||||||
{
|
{
|
||||||
QSSB_LOG_ERROR("Failed to add system calls to policy\n");
|
QSSB_LOG_ERROR("Failed to add system calls to policy\n");
|
||||||
@ -1585,12 +1072,14 @@ static int enable_no_fs(struct qssb_policy *policy)
|
|||||||
|
|
||||||
static int qssb_append_predefined_standard_syscall_policy(struct qssb_policy *policy)
|
static int qssb_append_predefined_standard_syscall_policy(struct qssb_policy *policy)
|
||||||
{
|
{
|
||||||
int appendresult = qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW);
|
size_t blacklisted_syscalls_count = sizeof(default_blacklisted_syscalls)/sizeof(default_blacklisted_syscalls[0]);
|
||||||
|
|
||||||
|
int appendresult = qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, default_blacklisted_syscalls, blacklisted_syscalls_count);
|
||||||
if(appendresult != 0)
|
if(appendresult != 0)
|
||||||
{
|
{
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
appendresult = qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR);
|
appendresult = qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
|
||||||
if(appendresult != 0)
|
if(appendresult != 0)
|
||||||
{
|
{
|
||||||
return 1;
|
return 1;
|
||||||
|
19
test.c
19
test.c
@ -182,24 +182,6 @@ int test_seccomp_errno()
|
|||||||
return test_successful_exit(&do_test_seccomp_errno);
|
return test_successful_exit(&do_test_seccomp_errno);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int test_seccomp_group()
|
|
||||||
{
|
|
||||||
struct qssb_policy *policy = qssb_init_policy();
|
|
||||||
|
|
||||||
qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYSCGROUP_SOCKET);
|
|
||||||
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
|
|
||||||
|
|
||||||
xqssb_enable_policy(policy);
|
|
||||||
|
|
||||||
int s = socket(AF_INET,SOCK_STREAM,0);
|
|
||||||
if(s != -1)
|
|
||||||
{
|
|
||||||
printf("Failed: socket was expected to return error\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int test_landlock()
|
int test_landlock()
|
||||||
{
|
{
|
||||||
struct qssb_policy *policy = qssb_init_policy();
|
struct qssb_policy *policy = qssb_init_policy();
|
||||||
@ -298,7 +280,6 @@ struct dispatcher dispatchers[] = {
|
|||||||
{ "seccomp-x32-kill", &test_seccomp_x32_kill},
|
{ "seccomp-x32-kill", &test_seccomp_x32_kill},
|
||||||
{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
|
{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
|
||||||
{ "seccomp-errno", &test_seccomp_errno},
|
{ "seccomp-errno", &test_seccomp_errno},
|
||||||
{ "seccomp-group", &test_seccomp_group},
|
|
||||||
{ "landlock", &test_landlock},
|
{ "landlock", &test_landlock},
|
||||||
{ "landlock-deny-write", &test_landlock_deny_write },
|
{ "landlock-deny-write", &test_landlock_deny_write },
|
||||||
{ "no_fs", &test_nofs},
|
{ "no_fs", &test_nofs},
|
||||||
|