README: Update Debian section

vows: ioctl: Make TIOCSTI illegal even when IOCTL vow is set
Improve various error messages
2022-03-28 19:25:55 +02:00 · 2022-03-28 19:14:02 +02:00 · 2022-03-28 19:04:28 +02:00
--- a/README.md
+++ b/README.md
@@ -184,7 +184,7 @@ TODO:
 ## Requirements
 Kernel >=3.17

-While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock and furthermore it depends on distro-provided kernels being reasonable and enabling it by default. In practise, this means that Landlock probably won't be used for now, and exile.h will use a combination of namespaces, bind mounts and chroot as fallbacks.
+While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock. Furthermore, it depends on distro-provided kernels being reasonable and enabling it by default. In practise, this means that Landlock probably won't be used for now, and exile.h will use a combination of namespaces, bind mounts and chroot as fallbacks.


 ## FAQ
@@ -194,12 +194,12 @@ While mostly transparent to users of this API, kernel >= 5.13 is required to tak

 No.

-### It doesn't work on Debian!
-
-You can thank a Debian-specific kernel patch for that. In the future,
-the library may check against that. Execute
+### It doesn't work on my Debian version!
+You can thank a Debian-specific kernel patch for that. Execute
 `echo 1 > /proc/sys/kernel/unprivileged_userns_clone` to disable that patch for now.

+Note that newer releases should not cause this problem any longer, as [explained](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#linux-user-namespaces) in the Debian release notes.
+
 ### Examples
  - looqs: https://gitea.quitesimple.org/crtxcr/looqs
  - qswiki: https://gitea.quitesimple.org/crtxcr/qswiki
--- a/exile.c
+++ b/exile.c
@@ -430,6 +430,7 @@ int get_vow_argfilter(long syscall, uint64_t vow_promises, struct sock_filter *f

 	struct exile_syscall_filter ioctl_filter[] = {
 		EXILE_SYSCALL_FILTER_LOAD_ARG(1),
+		{ EXILE_SYSCALL_VOW_IOCTL, EXILE_BPF_NO_MATCH_SET(TIOCSTI), 1 },
 		{ EXILE_SYSCALL_VOW_IOCTL, EXILE_BPF_RETURN_MATCHING, 1 },
 		{ EXILE_SYSCALL_VOW_STDIO, EXILE_BPF_MATCH(FIONREAD), 1},
 		{ EXILE_SYSCALL_VOW_STDIO, EXILE_BPF_MATCH(FIONBIO), 1},
@@ -643,7 +644,7 @@ int (exile_append_path_policies)(struct exile_policy *exile_policy, unsigned int
 		int fd = open(path, O_PATH);
 		if(fd == -1)
 		{
-			EXILE_LOG_ERROR("Failed to open the specified path: %s\n", strerror(errno));
+			EXILE_LOG_ERROR("Failed to open %s: %s\n", path, strerror(errno));
 			exile_policy->exile_flags |= EXILE_FLAG_ADD_PATH_POLICY_FAIL;
 			return -1;
 		}
@@ -851,7 +852,7 @@ static int create_chroot_dirs(const char *chroot_target_path, struct exile_path_
 		ret = mkpath(path_inside_chroot, 0700, baseisfile);
 		if(ret < 0)
 		{
-			EXILE_LOG_ERROR("Error creating directory structure while mounting paths to chroot. %s\n", strerror(errno));
+			EXILE_LOG_ERROR("Error creating directory structure %s while mounting paths to chroot: %s\n", path_inside_chroot, strerror(errno));
 			free(path_inside_chroot);
 			return ret;
 		}
@@ -1350,7 +1351,7 @@ static int check_policy_sanity(struct exile_policy *policy)
 		{
 			if(path_policy_needs_landlock(path_policy))
 			{
-				EXILE_LOG_ERROR("A path policy needs landlock, but landlock is not available. Fallback not possible\n");
+				EXILE_LOG_ERROR("A path policy (%s) needs landlock, but landlock is not available. Fallback not possible\n", path_policy->path);
 				return -1;
 			}
 			path_policy = path_policy->next;
作者	SHA1	备注	提交日期
Albert S	6eb47daf84	README: Update Debian section	2022-03-28 19:25:55 +02:00
Albert S	8bf87717a5	vows: ioctl: Make TIOCSTI illegal even when IOCTL vow is set	2022-03-28 19:14:02 +02:00
Albert S	bcaefffbe8	Improve various error messages	2022-03-28 19:04:28 +02:00