ce7eb57998
enter_namespaces(): Fix error message
Albert S
2021-12-27 00:49:09 +01:00
3407fded04
Add EXILE_FS_ALLOW_ALL_{READ,WRITE}
Albert S
2021-12-24 16:20:14 +01:00
1b4c5477a5
rename to exile.h
Albert S
2021-11-30 17:57:48 +01:00
756b0fb421
rename qssb.h to exile.h
Albert S
2021-11-30 17:40:36 +01:00
d150c2ecd9
Don't add any seccomp rules by default
Albert S
2021-11-20 20:21:51 +01:00
435bcefa48
test: Skip landlock specific tests if unavailable during compile time
Albert S
2021-11-20 17:03:04 +01:00
2a4cee2ece
test: Use xqssb_enable_policy() throughout where reasonable
Albert S
2021-11-20 16:56:19 +01:00
d847d0f996
qssb_append_group_syscall_policy(): Make QSSB_SYSCGROUP_NONE an invalid group
Albert S
2021-11-14 21:46:38 +01:00
1a2443db18
qssb_append_syscalls_policy(): Fix mem leak on failure
Albert S
2021-11-09 10:02:56 +01:00
db17e58deb
Assign syscalls into groups. Add whitelist mode (default).
Albert S
2021-09-19 15:23:41 +02:00
265a19d351
Assign syscalls into groups. Add whitelist mode (default).
Albert S
2021-09-19 15:23:41 +02:00
0d7c5bd6d4
append_syscall_to_bpf(): Explicit type cast to fix (C++) warnings
Albert S
2021-10-25 18:18:01 +02:00
55e1f42ca8
check_policy_sanity(): Initialize last_policy
Albert S
2021-10-03 21:25:37 +02:00
11d64c6fcf
enter_namespaces(): Check fopen/fprintf errors
Albert S
2021-09-12 20:00:03 +02:00
ebe043c08d
Fix missing \n in some error outputs
Albert S
2021-09-12 19:50:05 +02:00
8bc0d1e73a
Use overflow-safe operator builtins
Albert S
2021-09-12 19:41:07 +02:00
215032f32c
enable_no_fs(): Fix corresponding test by adding missing default policy
Albert S
2021-09-06 21:43:50 +02:00
411e00715d
Rename qssb_append_default_syscall_policy() to better distinguish it from qssb_append_syscall_default_policy()
Albert S
2021-09-05 17:24:42 +02:00
8a9b1730de
test: Remove argc,argv from tests as there was no use for them
Albert S
2021-09-05 16:53:39 +02:00
b2b501d97e
test: Refactor: Put seccomp tests into child processes ; Simplify .sh
Albert S
2021-09-05 16:48:27 +02:00
26f391f736
test: implement test_seccomp_errno()
Albert S
2021-09-05 12:31:16 +02:00
68fd1a0a87
test: test_seccomp_blacklisted_call_permitted(): Add missing default policy
Albert S
2021-09-05 12:30:12 +02:00
b0d0beab22
README.md: Update
Albert S
2021-08-16 23:33:36 +02:00
c44ce85628
test: Add test ensuring seccomp ends with default rule, minor fixes
Albert S
2021-08-16 23:32:27 +02:00
25d8ed9bca
check_policy_sanity(): Add syscall policy checks
Albert S
2021-08-16 23:33:25 +02:00
e389140436
test.sh: Log exit code, print yes/no instead of 1/0
Albert S
2021-08-16 23:08:16 +02:00
f6af1bb78f
policy: Add disable_syscall_filter policy. Add defaults only on enable.
Albert S
2021-08-15 18:31:13 +02:00
9192ec3aa4
Rewrite syscall policy logic
Albert S
2021-08-12 21:58:45 +02:00
51844ea3ab
bpf: Deny x32 system calls for now
Albert S
2021-08-12 12:25:12 +02:00
66c6d28dcd
bpf: Check arch value
Albert S
2021-08-12 11:57:12 +02:00
5cd45c09b7
bpf: Use SECCOMP_RET_KILL_PROCESS instead of SECCOMP_RET_KILL
Albert S
2021-08-12 11:40:29 +02:00
fa06287b13
Use new qssb_append_*_syscall functions, remove old fields
Albert S
2021-08-11 20:54:40 +02:00
68694723fe
Begin qssb_append_*_syscall family of functions
Albert S
2021-08-11 19:14:06 +02:00
4a4d551e75
Introduce "no_fs" and "no_new_fd" options.
Albert S
2021-08-09 20:29:18 +02:00
57238b535c
Expand disallowed system calls
Albert S
2021-08-10 16:57:44 +02:00
b4e8116c20
seccomp_enable_whitelist(): Fix comment
Albert S
2021-08-10 16:55:58 +02:00
75f607bc35
qssb_append_path_policies(): Add explicit type cast for c++
Albert S
2021-08-07 12:05:58 +02:00
a585db7778
qssb_free_policy(): Allow passing NULL
Albert S
2021-06-08 12:35:07 +02:00
55ec51ba21
Improve and add functions comments
Albert S
2021-05-22 21:07:35 +02:00
ade022ba62
update README
Albert S
2021-05-22 20:51:09 +02:00
c57c79fa36
test: Log output of individual tests
Albert S
2021-06-06 09:27:45 +02:00
5138d88b12
test: Count succeeded/failed tests
Albert S
2021-06-06 09:02:30 +02:00
b8d6c78780
test: Rename fail(), echogreen()
Albert S
2021-06-06 08:57:24 +02:00
a7c04537f7
Rename allowed_syscalls to whitelisted_syscalls for consistency
Albert S
2021-06-05 20:15:09 +02:00
85c01899a9
Start implementing tests
Albert S
2021-06-05 14:07:11 +02:00
0b13f551f4
Fix stray = in #define
Albert S
2021-06-05 14:03:42 +02:00
bb07b95993
Fix stray semicolon
Albert S
2021-06-05 11:55:50 +02:00
d070268fca
Add more system calls to blacklist
Albert S
2021-05-29 23:15:04 +02:00
d6f4a37de8
Remove unused qssb_end_policy()
Albert S
2021-05-22 22:36:01 +02:00
afb429e124
qssb_policy: Remove unused syscall_default_policy member
Albert S
2021-05-22 22:35:12 +02:00
045b7b9b2c
Improve and add functions comments
Albert S
2021-05-22 21:07:35 +02:00
4b8aa4b7e1
update README
Albert S
2021-05-22 20:51:09 +02:00
946492c28e
qssb_free_policy(): free path policies
Albert S
2021-05-15 21:26:28 +02:00
ad9c391e3f
QSSB_FS_ALLOW_WRITE does not imply ALLOW_READ anymore
Albert S
2021-05-15 20:41:19 +02:00
fcebed557c
Add qssb_append_path_polic{ies,y}: Convenience function to add path policies
Albert S
2021-05-15 20:40:11 +02:00
bb02e40101
Begin landlock support
Albert S
2021-05-13 18:21:37 +02:00
7e2d4139cb
Begin check_policy_sanity(): Checks whether policy is reasonable
Albert S
2021-05-09 12:57:14 +02:00
6e6812e13d
Introduce mount_path_policies_to_chroot option, changing path_policy enforcement logic
Albert S
2021-05-09 12:29:03 +02:00
edf144bbc7
Allow overriding HAVE_LANDLOCK irrespective of kernel version
Albert S
2021-05-09 12:27:34 +02:00
67e1afc904
Remove unused policy flag QSSB_FS_ALLOW_NOTHING
Albert S
2021-05-09 12:21:15 +02:00
2c94fe8225
qssb_path_policy: rename 'mountpoint' to 'path', make 'policy' unsigned
Albert S
2021-05-09 11:56:44 +02:00
4674638e9a
Add landlock policy flags if landlock is supported
Albert S
2021-05-09 11:55:58 +02:00
8697fd8b84
qssb.h: Add copyright header
Albert S
2021-05-09 10:02:31 +02:00
ed6a2a1067
Rename general QSSB_MOUNT* flags to QSSB_FS*
Albert S
2021-05-09 09:35:17 +02:00
9df2e9ee90
seccomp_enable(): Replace param types with correct unsigned int versions
Albert S
2021-04-18 13:24:49 +02:00
23f697bcc9
Update README.md: Update example projects links, minor improvements
Albert S
2020-09-26 17:21:28 +02:00
763c65c3fe
qssb_enable_policy: check for empty str instead of NULL ptr
Albert S
2020-09-26 16:09:43 +02:00
dbdb35db37
Remove wrong static keywords from some qssb_*_policy functions
Albert S
2020-04-13 23:00:33 +02:00
0a851790b8
change chroot_target_path from pointer to array
Albert S
2020-04-13 22:50:30 +02:00
60776be416
only chdir to / by default when actually chrooting and no dir given
Albert S
2019-12-07 23:44:55 +01:00
ff2bc24c6b
only create chroot directory when path policies are available
Albert S
2019-12-07 23:26:27 +01:00
7547644013
silence multiple compiler warnings
Albert S
2019-11-17 15:13:25 +01:00
8f104a231c
bugfix: qssb_enable_policy: pointer to stack-local variable
Albert S
2019-11-17 12:45:01 +01:00
fbf51e095f
introduce path policies, replacing readonly/writable paths vars
Albert S
2019-11-16 21:17:38 +01:00
1b8504c052
updated README
Albert S
2019-11-15 21:53:26 +01:00
6f1b27ee51
qssb_init_policy: explicit cast (for C++)
Albert S
2019-11-15 21:40:56 +01:00
ee6bd18027
begin a default blacklist of syscalls
Albert S
2019-11-15 21:17:33 +01:00
8298a30e7c
make PATH_MAX consistent across all buffers throughout the code
Albert S
2019-11-10 12:29:46 +01:00
338e578350
seccomp_enable: fix unused default_action parameter
Albert S
2019-11-10 12:10:37 +01:00
069349eaf6
generate a random directory for chroot if none given
Albert S
2019-11-10 12:08:35 +01:00
1de1ae0b32
introduce bitmasks indicating which namespaces to unshare
Albert S
2019-11-09 21:13:40 +01:00
bad600b3a8
set #defines only if not set already
Albert S
2019-11-09 20:55:03 +01:00
a7c6ef6c57
bind mount recursively
Albert S
2019-11-09 16:27:54 +01:00
7a2cf18c19
check drop_caps() return value ; silence compiler warning
Albert S
2019-11-09 15:47:08 +01:00
200cd7878c
Initial commit
Albert S
2019-10-13 17:57:12 +02:00