Commit graph

  • 4cfdead5d0 no_fs: Use landlock if possible master Albert S. 2024-05-26 20:12:18 +02:00
  • bbc8193ea9 Handle newer landlock ABI versions for filesystem isolation Albert S. 2024-05-26 20:03:20 +02:00
  • c9fdeb4a1d enter_namespaces(): Add missing newline at error messages Albert S. 2024-05-26 19:31:14 +02:00
  • 3732524bfa exile_init_policy(): Don't unshare network namespaces by default Albert S. 2024-05-26 19:28:00 +02:00
  • 4059c1a093 landlock_prepare_ruleset(): zero-init landlock structs Albert S. 2024-05-24 13:25:01 +02:00
  • 44b9a17bec Allow specifying uid/gid to map in user namespace Albert S 2022-12-27 13:25:12 +01:00
  • f662398ac3 test: test_launch_get(): Fix typo and remove redundant call Albert S 2022-12-27 13:14:39 +01:00
  • 7b859d0aed exile_launch_get(): Remove redundant seek Albert S 2022-12-26 18:36:17 +01:00
  • 5cd0a36ced test.sh: Fix regression causing status code to be lost Albert S 2022-12-26 18:27:54 +01:00
  • 618f223491 enter_namespaces(): Fix uid/gid mapping Albert S 2022-12-26 16:38:17 +01:00
  • 01c5cbf701 test.sh: Make it more portable Albert S 2022-12-20 10:50:37 +01:00
  • 769f729dc5 README.md: Update Albert S 2022-10-26 10:27:31 +02:00
  • 40d23af355 concat_path(): Add missing free() calls next Albert S 2022-10-23 19:54:21 +02:00
  • b5f83499f3 exile_append_syscall_policy(): Add missing free() Albert S 2022-10-23 19:52:56 +02:00
  • ff60ec227d perform_mounts(): Fix potential leak and fix iteration Albert S 2022-10-23 19:48:33 +02:00
  • e711a1d53a exile_landlock_is_available(): Fix availability check Albert S 2022-08-16 23:01:06 +02:00
  • 6628bf4fb7 README: Update and minor improvements Albert S 2022-08-16 22:50:34 +02:00
  • 3fa73b0b97 Close file fds by default, introduce policy->keep_fds_open Albert S 2022-07-17 11:28:43 +02:00
  • 8f38dc4480 check_policy_sanity(): Allow vows and syscall policies Albert S 2022-06-09 09:48:25 +02:00
  • 42d44b0cc1 README.md: Minor improvements throughout the file WIP/enosys Albert S 2022-06-06 14:07:24 +02:00
  • bd3641981c Introduce EXILE_SYSCALL_DENY_RET_NOSYS for syscalls like clone3() Albert S 2022-06-06 10:07:11 +02:00
  • bbbdfc44da exile.hpp: do_clone(): free stack memory Albert S 2022-05-29 19:25:53 +02:00
  • 2dc61828f1 README: Clarify limitations Albert S 2022-04-29 21:24:09 +02:00
  • cdc265cedf c++: exile_launch(): Correct std::enable_if logic if type is a ptr Albert S 2022-04-29 21:16:11 +02:00
  • 91858efa51 vows map: Add memfd_create, rseq Albert S 2022-04-22 08:37:34 +02:00
  • 88995d214d README.md: Minor improvements (typos, rephrasing) Albert S 2022-04-07 00:04:52 +02:00
  • 6eb47daf84 README: Update Debian section Albert S 2022-03-28 19:25:55 +02:00
  • 8bf87717a5 vows: ioctl: Make TIOCSTI illegal even when IOCTL vow is set Albert S 2022-03-28 19:14:00 +02:00
  • bcaefffbe8 Improve various error messages Albert S 2022-03-28 19:04:28 +02:00
  • ed5098f2c6 README: Begin demo section Albert S 2022-03-17 17:10:38 +01:00
  • ea66ef76eb exile_flags_to_landlock(): Cover more with ALL_WRITE, except devices Albert S 2022-03-17 15:42:57 +01:00
  • 66def7a28f append_syscall_to_bpf(): Check for unlikely case of too many sock_filters Albert S 2022-03-17 15:17:28 +01:00
  • dbf8e87440 exile.hpp: Mark do_clone inline, not static Albert S 2022-03-14 22:45:06 +01:00
  • 98421fab90 Makefile: Build exile.o separately, link it in all tests Albert S 2022-03-14 22:30:53 +01:00
  • 70c3fef500 exile.h: Retire static child_read/write_pipe vars Albert S 2022-03-14 22:26:22 +01:00
  • 69829374c7 exile.h: Move definitions to new file exile.c Albert S 2022-03-14 21:31:56 +01:00
  • 005851c645 exile.h: Add extern "C" guards Albert S 2022-03-13 20:23:15 +01:00
  • 95fa11e928 c++: Add explicit exile_launch() std::basic_string variant Albert S 2022-02-04 21:46:41 +01:00
  • 97e2025758 c++: Retire exile_launch_trivial(), use std::enable_if Albert S 2022-01-30 10:39:40 +01:00
  • 8cfb73568a Makefile: Add 'tests' target, depend on headers too to rebuild on changes of those Albert S 2022-01-29 23:39:36 +01:00
  • e7a5ba7f7f test.sh: Also run C++ tests Albert S 2022-01-29 23:36:30 +01:00
  • e52eda186b Add test.cpp to test C++ API Albert S 2022-01-29 23:28:55 +01:00
  • 90ed5bbae9 Begin C++ API: Add exile.hpp with exile_launch() wrappers Albert S 2022-01-29 23:05:27 +01:00
  • 48b6de9036 struct syscall_vow_map: change 'str' to const char* Albert S 2022-01-29 23:10:24 +01:00
  • 93acb13929 test: Introduce LOG(), avoid inconsistent printf/fprintf Albert S 2022-01-17 22:48:29 +01:00
  • 9247a6636b Introduce exile_vows_from_str() Albert S 2022-01-17 22:42:26 +01:00
  • 73dae3a102 append_syscall_to_bpf(): Check for unlikely case of too many sock_filters WIP/cpp Albert S 2022-03-17 15:17:28 +01:00
  • f2ca26010a exile.hpp: Mark do_clone inline, not static Albert S 2022-03-14 22:45:06 +01:00
  • 0f39ee7061 Makefile: Build exile.o separately, link it in all tests Albert S 2022-03-14 22:30:53 +01:00
  • 41bd6e8f10 exile.h: Retire static child_read/write_pipe vars Albert S 2022-03-14 22:26:22 +01:00
  • 7f083909e6 exile.h: Move definitions to new file exile.c Albert S 2022-03-14 21:31:56 +01:00
  • 732623fc6f exile.h: Add extern "C" guards Albert S 2022-03-13 20:23:15 +01:00
  • dcfbe641f9 c++: Add explicit exile_launch() std::basic_string variant Albert S 2022-02-04 21:46:41 +01:00
  • 72a3b041d9 c++: Retire exile_launch_trivial(), use std::enable_if Albert S 2022-01-30 10:39:40 +01:00
  • c57ba807d7 Makefile: Add 'tests' target, depend on headers too to rebuild on changes of those Albert S 2022-01-29 23:39:36 +01:00
  • 6f19c53acf test.sh: Also run C++ tests Albert S 2022-01-29 23:36:30 +01:00
  • 99d26480d7 Add test.cpp to test C++ API Albert S 2022-01-29 23:28:55 +01:00
  • f13cff754c Begin C++ API: Add exile.hpp with exile_launch() wrappers Albert S 2022-01-29 23:05:27 +01:00
  • 278ae31e2e fixup! Introduce exile_vows_from_str() Albert S 2022-01-30 10:45:05 +01:00
  • 5ef54a08b4 struct syscall_vow_map: change 'str' to const char* Albert S 2022-01-29 23:10:24 +01:00
  • 29b5864dd3 test: Introduce LOG(), avoid inconsistent printf/fprintf Albert S 2022-01-17 22:48:29 +01:00
  • 0a4e4850f9 Introduce exile_vows_from_str() Albert S 2022-01-17 22:42:26 +01:00
  • 4a3ac8e0bc exile_launch(): Improve handling/logging of errors Albert S 2022-01-16 21:28:21 +01:00
  • ed54575b89 exile_launch(): Open another pipe to also write to child Albert S 2022-01-16 21:18:10 +01:00
  • 0caff45600 EXILE_LOG_ERROR: Prepend function name Albert S 2022-01-16 20:59:26 +01:00
  • 080c0e53c2 test: test_mkpath(): Cleanup before run and on success Albert S 2022-01-15 19:39:31 +01:00
  • 4adc13215b exile_append_path_policies(): Add sentinel macro, making *policy() version redundant Albert S 2022-01-15 19:32:12 +01:00
  • bf29edf213 Update README with most recent draft Albert S 2022-01-15 12:24:42 +01:00
  • 68bfd7e66c Update copyright header Albert S 2022-01-14 23:41:01 +01:00
  • 58bc50db61 test: Begin testing exile_launch*() Albert S 2022-01-14 23:38:42 +01:00
  • 1e63fa75ef Introduce exile_launch*(): Simplifies launching functions protected by policy Albert S 2022-01-14 23:34:56 +01:00
  • 6c44c88397 create_chroot_dirs(): Correct comment Albert S 2022-01-14 23:29:37 +01:00
  • 3780509078 Introduce flags indicating errors to catch non-checked return codes Albert S 2022-01-08 16:39:12 +01:00
  • fd4dfb12f0 vow: Add prlimit64(),arch_prctl() Albert S 2022-01-08 15:21:46 +01:00
  • a9e6b3ee67 chroot: Create all paths first, then mount Albert S 2022-01-08 15:04:15 +01:00
  • 3b61e90761 test: Add mkpath() test Albert S 2022-01-08 12:51:04 +01:00
  • 0e27b19999 Handle files for bind-mounts too, rename mkdir_structure() to mkpath() Albert S 2022-01-08 12:21:54 +01:00
  • ff70142e04 exile_flags_to_landlock(): Only add flags for a path that a reasonable Albert S 2022-01-08 12:19:31 +01:00
  • 4824c6eaa9 check_policy_sanity(): Traverse path_policy list only if no landlock available Albert S 2021-12-29 00:29:14 +01:00
  • 9048a3b4fe append_syscall_to_bpf(): Improve readability Albert S 2021-12-28 23:04:18 +01:00
  • 0b54e73ff4 Rework get_vow_argfilter() for readability and easiness Albert S 2021-12-28 22:51:43 +01:00
  • b2306299d5 vow: fix clone filter broken by ca0f8279 Albert S 2021-12-28 13:17:20 +01:00
  • 55b43fdaac Rename our 'pledge' mechanism to 'vow' Albert S 2021-12-28 10:56:48 +01:00
  • 6420ca1b40 Add landlock runtime detection Albert S 2021-12-27 16:51:06 +01:00
  • 98c76089de Handle new 5.16 syscall: futex_waitv Albert S 2021-12-27 14:26:37 +01:00
  • 631980b775 Include linux/capability.h instead of sys/capability.h Albert S 2021-12-27 14:15:48 +01:00
  • 0be081c55d Merge get_pledge_argfilter() with get_pledge_argfilter() Albert S 2021-12-27 14:11:58 +01:00
  • ca0f82790c Use some macros to increase readability of BPF rules Albert S 2021-12-27 12:30:27 +01:00
  • 77adf09d34 test: Add tests for exile_pledge() Albert S 2021-12-27 12:00:31 +01:00
  • bcab0377f1 Add exile_pledge(): A convenience wrapper Albert S 2021-12-27 11:59:16 +01:00
  • b469a82eec pledge: Allow NO_NEW_PRIVS prctls Albert S 2021-12-27 11:50:21 +01:00
  • 6711b394d9 pledge: Add EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL to allow adding further seccomp filters Albert S 2021-12-27 11:02:52 +01:00
  • 9abbc7510c Introduce exile_create_policy(): Creates a clean/empty policy. Albert S 2021-12-27 10:41:51 +01:00
  • 029762e894 pledge: Add EXILE_SYSCALL_PLEDGE_IOCTL to allow ioctl() without argfilters Albert S 2021-12-26 19:38:02 +01:00
  • 6b513f8339 pledge: Add prctl() default filter Albert S 2021-12-26 19:34:16 +01:00
  • d2357ac676 pledge: Introduce clone() filter and EXILE_SYSCALL_PLEDGE_THREAD Albert S 2021-12-26 17:57:16 +01:00
  • 0b0dda0de1 pledge: Begin filter for setsockopt() args Albert S 2021-12-22 10:17:48 +01:00
  • 7115ef8b4d Begin a pledge()-like implementation Albert S 2021-12-05 17:28:58 +01:00
  • 15a6850023 Begin low-level seccomp arg filter interface Albert S 2021-11-21 15:28:46 +01:00
  • 48deab0dde exile_enable_policy(): Only chdir() post chroot() Albert S 2021-12-27 10:01:37 +01:00