Comparar comentimentos
3 Cometimentos
ed5098f2c6
...
6eb47daf84
Autor(a) | SHA1 | Data | |
---|---|---|---|
6eb47daf84 | |||
8bf87717a5 | |||
bcaefffbe8 |
10
README.md
10
README.md
@ -184,7 +184,7 @@ TODO:
|
||||
## Requirements
|
||||
Kernel >=3.17
|
||||
|
||||
While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock and furthermore it depends on distro-provided kernels being reasonable and enabling it by default. In practise, this means that Landlock probably won't be used for now, and exile.h will use a combination of namespaces, bind mounts and chroot as fallbacks.
|
||||
While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock. Furthermore, it depends on distro-provided kernels being reasonable and enabling it by default. In practise, this means that Landlock probably won't be used for now, and exile.h will use a combination of namespaces, bind mounts and chroot as fallbacks.
|
||||
|
||||
|
||||
## FAQ
|
||||
@ -194,12 +194,12 @@ While mostly transparent to users of this API, kernel >= 5.13 is required to tak
|
||||
|
||||
No.
|
||||
|
||||
### It doesn't work on Debian!
|
||||
|
||||
You can thank a Debian-specific kernel patch for that. In the future,
|
||||
the library may check against that. Execute
|
||||
### It doesn't work on my Debian version!
|
||||
You can thank a Debian-specific kernel patch for that. Execute
|
||||
`echo 1 > /proc/sys/kernel/unprivileged_userns_clone` to disable that patch for now.
|
||||
|
||||
Note that newer releases should not cause this problem any longer, as [explained](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#linux-user-namespaces) in the Debian release notes.
|
||||
|
||||
### Examples
|
||||
- looqs: https://gitea.quitesimple.org/crtxcr/looqs
|
||||
- qswiki: https://gitea.quitesimple.org/crtxcr/qswiki
|
||||
|
7
exile.c
7
exile.c
@ -430,6 +430,7 @@ int get_vow_argfilter(long syscall, uint64_t vow_promises, struct sock_filter *f
|
||||
|
||||
struct exile_syscall_filter ioctl_filter[] = {
|
||||
EXILE_SYSCALL_FILTER_LOAD_ARG(1),
|
||||
{ EXILE_SYSCALL_VOW_IOCTL, EXILE_BPF_NO_MATCH_SET(TIOCSTI), 1 },
|
||||
{ EXILE_SYSCALL_VOW_IOCTL, EXILE_BPF_RETURN_MATCHING, 1 },
|
||||
{ EXILE_SYSCALL_VOW_STDIO, EXILE_BPF_MATCH(FIONREAD), 1},
|
||||
{ EXILE_SYSCALL_VOW_STDIO, EXILE_BPF_MATCH(FIONBIO), 1},
|
||||
@ -643,7 +644,7 @@ int (exile_append_path_policies)(struct exile_policy *exile_policy, unsigned int
|
||||
int fd = open(path, O_PATH);
|
||||
if(fd == -1)
|
||||
{
|
||||
EXILE_LOG_ERROR("Failed to open the specified path: %s\n", strerror(errno));
|
||||
EXILE_LOG_ERROR("Failed to open %s: %s\n", path, strerror(errno));
|
||||
exile_policy->exile_flags |= EXILE_FLAG_ADD_PATH_POLICY_FAIL;
|
||||
return -1;
|
||||
}
|
||||
@ -851,7 +852,7 @@ static int create_chroot_dirs(const char *chroot_target_path, struct exile_path_
|
||||
ret = mkpath(path_inside_chroot, 0700, baseisfile);
|
||||
if(ret < 0)
|
||||
{
|
||||
EXILE_LOG_ERROR("Error creating directory structure while mounting paths to chroot. %s\n", strerror(errno));
|
||||
EXILE_LOG_ERROR("Error creating directory structure %s while mounting paths to chroot: %s\n", path_inside_chroot, strerror(errno));
|
||||
free(path_inside_chroot);
|
||||
return ret;
|
||||
}
|
||||
@ -1350,7 +1351,7 @@ static int check_policy_sanity(struct exile_policy *policy)
|
||||
{
|
||||
if(path_policy_needs_landlock(path_policy))
|
||||
{
|
||||
EXILE_LOG_ERROR("A path policy needs landlock, but landlock is not available. Fallback not possible\n");
|
||||
EXILE_LOG_ERROR("A path policy (%s) needs landlock, but landlock is not available. Fallback not possible\n", path_policy->path);
|
||||
return -1;
|
||||
}
|
||||
path_policy = path_policy->next;
|
||||
|
Carregando…
Criar uma nova questão referindo esta
Bloquear um utilizador