Compare commits
No commits in common. "ebe043c08d47e3ca44eea2763daa09dfb39e0ec3" and "215032f32c84548e1344f3d70fb0291d2e79d6da" have entirely different histories.
ebe043c08d
...
215032f32c
34
qssb.h
34
qssb.h
@ -250,8 +250,8 @@ static int qssb_entry_append(struct qssb_allocated_entry *entry, void *data, siz
|
|||||||
if(remaining < bytes)
|
if(remaining < bytes)
|
||||||
{
|
{
|
||||||
size_t expandval = QSSB_ENTRY_ALLOC_SIZE > bytes ? QSSB_ENTRY_ALLOC_SIZE : bytes;
|
size_t expandval = QSSB_ENTRY_ALLOC_SIZE > bytes ? QSSB_ENTRY_ALLOC_SIZE : bytes;
|
||||||
size_t sizenew = 0;
|
size_t sizenew = entry->size + expandval;
|
||||||
if(__builtin_add_overflow(entry->size, expandval, &sizenew))
|
if(sizenew < entry->size)
|
||||||
{
|
{
|
||||||
QSSB_LOG_ERROR("overflow in qssb_entry_append\n");
|
QSSB_LOG_ERROR("overflow in qssb_entry_append\n");
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
@ -273,13 +273,7 @@ static int qssb_entry_append(struct qssb_allocated_entry *entry, void *data, siz
|
|||||||
|
|
||||||
static int qssb_append_syscall(struct qssb_allocated_entry *entry, long *syscalls, size_t n)
|
static int qssb_append_syscall(struct qssb_allocated_entry *entry, long *syscalls, size_t n)
|
||||||
{
|
{
|
||||||
size_t bytes = 0;
|
return qssb_entry_append(entry, syscalls, n * sizeof(long));
|
||||||
if(__builtin_mul_overflow(n, sizeof(long), &bytes))
|
|
||||||
{
|
|
||||||
QSSB_LOG_ERROR("Overflow while trying to add system calls\n");
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
return qssb_entry_append(entry, syscalls, bytes);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static int is_valid_syscall_policy(unsigned int policy)
|
static int is_valid_syscall_policy(unsigned int policy)
|
||||||
@ -567,7 +561,7 @@ static int mount_to_chroot(const char *chroot_target_path, struct qssb_path_poli
|
|||||||
ret = mount(NULL, path_inside_chroot, NULL, mount_flags | MS_REMOUNT, NULL);
|
ret = mount(NULL, path_inside_chroot, NULL, mount_flags | MS_REMOUNT, NULL);
|
||||||
if(ret < 0 )
|
if(ret < 0 )
|
||||||
{
|
{
|
||||||
QSSB_LOG_ERROR("Error: Failed to remount %s: %s\n", path_inside_chroot, strerror(errno));
|
QSSB_LOG_ERROR("Error: Failed to remount %s: %s", path_inside_chroot, strerror(errno));
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -670,7 +664,7 @@ static int drop_caps()
|
|||||||
|
|
||||||
if(res == -1 && errno != EINVAL)
|
if(res == -1 && errno != EINVAL)
|
||||||
{
|
{
|
||||||
QSSB_LOG_ERROR("Failed to drop the capability bounding set!\n");
|
QSSB_LOG_ERROR("Failed to drop the capability bounding set!");
|
||||||
return -errno;
|
return -errno;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -749,24 +743,12 @@ static int qssb_enable_syscall_policy(struct qssb_policy *policy)
|
|||||||
{
|
{
|
||||||
if(!is_valid_syscall_policy(current_policy->policy))
|
if(!is_valid_syscall_policy(current_policy->policy))
|
||||||
{
|
{
|
||||||
QSSB_LOG_ERROR("invalid syscall policy specified\n");
|
QSSB_LOG_ERROR("invalid syscall policy specified");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
long *syscalls = NULL;
|
long *syscalls = NULL;
|
||||||
size_t n = 0;
|
size_t n = 0;
|
||||||
get_syscall_array(current_policy, &syscalls, &n);
|
get_syscall_array(current_policy, &syscalls, &n);
|
||||||
|
|
||||||
unsigned short int newsize;
|
|
||||||
if(__builtin_add_overflow(current_filter_index, n, &newsize))
|
|
||||||
{
|
|
||||||
QSSB_LOG_ERROR("Overflow when trying to add new system calls\n");
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
if(newsize > (sizeof(filter)/sizeof(filter[0]))-1)
|
|
||||||
{
|
|
||||||
QSSB_LOG_ERROR("Too many system calls added\n");
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
append_syscalls_to_bpf(syscalls, n, current_policy->policy, filter, ¤t_filter_index);
|
append_syscalls_to_bpf(syscalls, n, current_policy->policy, filter, ¤t_filter_index);
|
||||||
current_policy = current_policy->next;
|
current_policy = current_policy->next;
|
||||||
}
|
}
|
||||||
@ -872,7 +854,7 @@ static int landlock_prepare_ruleset(struct qssb_path_policy *policies)
|
|||||||
ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
|
ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
|
||||||
if (ruleset_fd < 0)
|
if (ruleset_fd < 0)
|
||||||
{
|
{
|
||||||
QSSB_LOG_ERROR("Failed to create landlock ruleset\n");
|
QSSB_LOG_ERROR("Failed to create landlock ruleset");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
struct qssb_path_policy *policy = policies;
|
struct qssb_path_policy *policy = policies;
|
||||||
@ -942,7 +924,7 @@ static int check_policy_sanity(struct qssb_policy *policy)
|
|||||||
}
|
}
|
||||||
if(policy->no_fs == 1)
|
if(policy->no_fs == 1)
|
||||||
{
|
{
|
||||||
QSSB_LOG_ERROR("If path_policies are specified, no_fs cannot be set to 1\n");
|
QSSB_LOG_ERROR("If path_policies are specified, no_fs cannot be set to 1");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user