Vertaa committeja

...

3 Commitit

Tekijä SHA1 Viesti Päivämäärä
6eb47daf84 README: Update Debian section 2022-03-28 19:25:55 +02:00
8bf87717a5 vows: ioctl: Make TIOCSTI illegal even when IOCTL vow is set 2022-03-28 19:14:02 +02:00
bcaefffbe8 Improve various error messages 2022-03-28 19:04:28 +02:00
2 muutettua tiedostoa jossa 9 lisäystä ja 8 poistoa

Näytä tiedosto

@ -184,7 +184,7 @@ TODO:
## Requirements
Kernel >=3.17
While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock and furthermore it depends on distro-provided kernels being reasonable and enabling it by default. In practise, this means that Landlock probably won't be used for now, and exile.h will use a combination of namespaces, bind mounts and chroot as fallbacks.
While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock. Furthermore, it depends on distro-provided kernels being reasonable and enabling it by default. In practise, this means that Landlock probably won't be used for now, and exile.h will use a combination of namespaces, bind mounts and chroot as fallbacks.
## FAQ
@ -194,12 +194,12 @@ While mostly transparent to users of this API, kernel >= 5.13 is required to tak
No.
### It doesn't work on Debian!
You can thank a Debian-specific kernel patch for that. In the future,
the library may check against that. Execute
### It doesn't work on my Debian version!
You can thank a Debian-specific kernel patch for that. Execute
`echo 1 > /proc/sys/kernel/unprivileged_userns_clone` to disable that patch for now.
Note that newer releases should not cause this problem any longer, as [explained](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#linux-user-namespaces) in the Debian release notes.
### Examples
- looqs: https://gitea.quitesimple.org/crtxcr/looqs
- qswiki: https://gitea.quitesimple.org/crtxcr/qswiki

Näytä tiedosto

@ -430,6 +430,7 @@ int get_vow_argfilter(long syscall, uint64_t vow_promises, struct sock_filter *f
struct exile_syscall_filter ioctl_filter[] = {
EXILE_SYSCALL_FILTER_LOAD_ARG(1),
{ EXILE_SYSCALL_VOW_IOCTL, EXILE_BPF_NO_MATCH_SET(TIOCSTI), 1 },
{ EXILE_SYSCALL_VOW_IOCTL, EXILE_BPF_RETURN_MATCHING, 1 },
{ EXILE_SYSCALL_VOW_STDIO, EXILE_BPF_MATCH(FIONREAD), 1},
{ EXILE_SYSCALL_VOW_STDIO, EXILE_BPF_MATCH(FIONBIO), 1},
@ -643,7 +644,7 @@ int (exile_append_path_policies)(struct exile_policy *exile_policy, unsigned int
int fd = open(path, O_PATH);
if(fd == -1)
{
EXILE_LOG_ERROR("Failed to open the specified path: %s\n", strerror(errno));
EXILE_LOG_ERROR("Failed to open %s: %s\n", path, strerror(errno));
exile_policy->exile_flags |= EXILE_FLAG_ADD_PATH_POLICY_FAIL;
return -1;
}
@ -851,7 +852,7 @@ static int create_chroot_dirs(const char *chroot_target_path, struct exile_path_
ret = mkpath(path_inside_chroot, 0700, baseisfile);
if(ret < 0)
{
EXILE_LOG_ERROR("Error creating directory structure while mounting paths to chroot. %s\n", strerror(errno));
EXILE_LOG_ERROR("Error creating directory structure %s while mounting paths to chroot: %s\n", path_inside_chroot, strerror(errno));
free(path_inside_chroot);
return ret;
}
@ -1350,7 +1351,7 @@ static int check_policy_sanity(struct exile_policy *policy)
{
if(path_policy_needs_landlock(path_policy))
{
EXILE_LOG_ERROR("A path policy needs landlock, but landlock is not available. Fallback not possible\n");
EXILE_LOG_ERROR("A path policy (%s) needs landlock, but landlock is not available. Fallback not possible\n", path_policy->path);
return -1;
}
path_policy = path_policy->next;