-
4cfdead5d0
no_fs: Use landlock if possible
master
Albert S.
2024-05-26 20:12:18 +02:00
-
bbc8193ea9
Handle newer landlock ABI versions for filesystem isolation
Albert S.
2024-05-26 20:03:20 +02:00
-
c9fdeb4a1d
enter_namespaces(): Add missing newline at error messages
Albert S.
2024-05-26 19:31:14 +02:00
-
3732524bfa
exile_init_policy(): Don't unshare network namespaces by default
Albert S.
2024-05-26 19:28:00 +02:00
-
4059c1a093
landlock_prepare_ruleset(): zero-init landlock structs
Albert S.
2024-05-24 13:25:01 +02:00
-
44b9a17bec
Allow specifying uid/gid to map in user namespace
Albert S
2022-12-27 13:25:12 +01:00
-
f662398ac3
test: test_launch_get(): Fix typo and remove redundant call
Albert S
2022-12-27 13:14:39 +01:00
-
7b859d0aed
exile_launch_get(): Remove redundant seek
Albert S
2022-12-26 18:36:17 +01:00
-
5cd0a36ced
test.sh: Fix regression causing status code to be lost
Albert S
2022-12-26 18:27:54 +01:00
-
618f223491
enter_namespaces(): Fix uid/gid mapping
Albert S
2022-12-26 16:38:17 +01:00
-
01c5cbf701
test.sh: Make it more portable
Albert S
2022-12-20 10:50:37 +01:00
-
769f729dc5
README.md: Update
Albert S
2022-10-26 10:27:31 +02:00
-
40d23af355
concat_path(): Add missing free() calls
next
Albert S
2022-10-23 19:54:21 +02:00
-
b5f83499f3
exile_append_syscall_policy(): Add missing free()
Albert S
2022-10-23 19:52:56 +02:00
-
ff60ec227d
perform_mounts(): Fix potential leak and fix iteration
Albert S
2022-10-23 19:48:33 +02:00
-
e711a1d53a
exile_landlock_is_available(): Fix availability check
Albert S
2022-08-16 23:01:06 +02:00
-
6628bf4fb7
README: Update and minor improvements
Albert S
2022-08-16 22:50:34 +02:00
-
3fa73b0b97
Close file fds by default, introduce policy->keep_fds_open
Albert S
2022-07-17 11:28:43 +02:00
-
8f38dc4480
check_policy_sanity(): Allow vows and syscall policies
Albert S
2022-06-09 09:48:25 +02:00
-
42d44b0cc1
README.md: Minor improvements throughout the file
WIP/enosys
Albert S
2022-06-06 14:07:24 +02:00
-
bd3641981c
Introduce EXILE_SYSCALL_DENY_RET_NOSYS for syscalls like clone3()
Albert S
2022-06-06 10:07:11 +02:00
-
bbbdfc44da
exile.hpp: do_clone(): free stack memory
Albert S
2022-05-29 19:25:53 +02:00
-
2dc61828f1
README: Clarify limitations
Albert S
2022-04-29 21:24:09 +02:00
-
cdc265cedf
c++: exile_launch(): Correct std::enable_if logic if type is a ptr
Albert S
2022-04-29 21:16:11 +02:00
-
91858efa51
vows map: Add memfd_create, rseq
Albert S
2022-04-22 08:37:34 +02:00
-
88995d214d
README.md: Minor improvements (typos, rephrasing)
Albert S
2022-04-07 00:04:52 +02:00
-
6eb47daf84
README: Update Debian section
Albert S
2022-03-28 19:25:55 +02:00
-
8bf87717a5
vows: ioctl: Make TIOCSTI illegal even when IOCTL vow is set
Albert S
2022-03-28 19:14:00 +02:00
-
bcaefffbe8
Improve various error messages
Albert S
2022-03-28 19:04:28 +02:00
-
ed5098f2c6
README: Begin demo section
Albert S
2022-03-17 17:10:38 +01:00
-
ea66ef76eb
exile_flags_to_landlock(): Cover more with ALL_WRITE, except devices
Albert S
2022-03-17 15:42:57 +01:00
-
66def7a28f
append_syscall_to_bpf(): Check for unlikely case of too many sock_filters
Albert S
2022-03-17 15:17:28 +01:00
-
dbf8e87440
exile.hpp: Mark do_clone inline, not static
Albert S
2022-03-14 22:45:06 +01:00
-
98421fab90
Makefile: Build exile.o separately, link it in all tests
Albert S
2022-03-14 22:30:53 +01:00
-
70c3fef500
exile.h: Retire static child_read/write_pipe vars
Albert S
2022-03-14 22:26:22 +01:00
-
69829374c7
exile.h: Move definitions to new file exile.c
Albert S
2022-03-14 21:31:56 +01:00
-
005851c645
exile.h: Add extern "C" guards
Albert S
2022-03-13 20:23:15 +01:00
-
95fa11e928
c++: Add explicit exile_launch() std::basic_string variant
Albert S
2022-02-04 21:46:41 +01:00
-
97e2025758
c++: Retire exile_launch_trivial(), use std::enable_if
Albert S
2022-01-30 10:39:40 +01:00
-
8cfb73568a
Makefile: Add 'tests' target, depend on headers too to rebuild on changes of those
Albert S
2022-01-29 23:39:36 +01:00
-
e7a5ba7f7f
test.sh: Also run C++ tests
Albert S
2022-01-29 23:36:30 +01:00
-
e52eda186b
Add test.cpp to test C++ API
Albert S
2022-01-29 23:28:55 +01:00
-
90ed5bbae9
Begin C++ API: Add exile.hpp with exile_launch() wrappers
Albert S
2022-01-29 23:05:27 +01:00
-
48b6de9036
struct syscall_vow_map: change 'str' to const char*
Albert S
2022-01-29 23:10:24 +01:00
-
93acb13929
test: Introduce LOG(), avoid inconsistent printf/fprintf
Albert S
2022-01-17 22:48:29 +01:00
-
9247a6636b
Introduce exile_vows_from_str()
Albert S
2022-01-17 22:42:26 +01:00
-
73dae3a102
append_syscall_to_bpf(): Check for unlikely case of too many sock_filters
WIP/cpp
Albert S
2022-03-17 15:17:28 +01:00
-
f2ca26010a
exile.hpp: Mark do_clone inline, not static
Albert S
2022-03-14 22:45:06 +01:00
-
0f39ee7061
Makefile: Build exile.o separately, link it in all tests
Albert S
2022-03-14 22:30:53 +01:00
-
41bd6e8f10
exile.h: Retire static child_read/write_pipe vars
Albert S
2022-03-14 22:26:22 +01:00
-
7f083909e6
exile.h: Move definitions to new file exile.c
Albert S
2022-03-14 21:31:56 +01:00
-
732623fc6f
exile.h: Add extern "C" guards
Albert S
2022-03-13 20:23:15 +01:00
-
dcfbe641f9
c++: Add explicit exile_launch() std::basic_string variant
Albert S
2022-02-04 21:46:41 +01:00
-
72a3b041d9
c++: Retire exile_launch_trivial(), use std::enable_if
Albert S
2022-01-30 10:39:40 +01:00
-
c57ba807d7
Makefile: Add 'tests' target, depend on headers too to rebuild on changes of those
Albert S
2022-01-29 23:39:36 +01:00
-
6f19c53acf
test.sh: Also run C++ tests
Albert S
2022-01-29 23:36:30 +01:00
-
99d26480d7
Add test.cpp to test C++ API
Albert S
2022-01-29 23:28:55 +01:00
-
f13cff754c
Begin C++ API: Add exile.hpp with exile_launch() wrappers
Albert S
2022-01-29 23:05:27 +01:00
-
278ae31e2e
fixup! Introduce exile_vows_from_str()
Albert S
2022-01-30 10:45:05 +01:00
-
5ef54a08b4
struct syscall_vow_map: change 'str' to const char*
Albert S
2022-01-29 23:10:24 +01:00
-
29b5864dd3
test: Introduce LOG(), avoid inconsistent printf/fprintf
Albert S
2022-01-17 22:48:29 +01:00
-
0a4e4850f9
Introduce exile_vows_from_str()
Albert S
2022-01-17 22:42:26 +01:00
-
-
4a3ac8e0bc
exile_launch(): Improve handling/logging of errors
Albert S
2022-01-16 21:28:21 +01:00
-
ed54575b89
exile_launch(): Open another pipe to also write to child
Albert S
2022-01-16 21:18:10 +01:00
-
0caff45600
EXILE_LOG_ERROR: Prepend function name
Albert S
2022-01-16 20:59:26 +01:00
-
080c0e53c2
test: test_mkpath(): Cleanup before run and on success
Albert S
2022-01-15 19:39:31 +01:00
-
4adc13215b
exile_append_path_policies(): Add sentinel macro, making *policy() version redundant
Albert S
2022-01-15 19:32:12 +01:00
-
bf29edf213
Update README with most recent draft
Albert S
2022-01-15 12:24:42 +01:00
-
68bfd7e66c
Update copyright header
Albert S
2022-01-14 23:41:01 +01:00
-
58bc50db61
test: Begin testing exile_launch*()
Albert S
2022-01-14 23:38:42 +01:00
-
1e63fa75ef
Introduce exile_launch*(): Simplifies launching functions protected by policy
Albert S
2022-01-14 23:34:56 +01:00
-
6c44c88397
create_chroot_dirs(): Correct comment
Albert S
2022-01-14 23:29:37 +01:00
-
3780509078
Introduce flags indicating errors to catch non-checked return codes
Albert S
2022-01-08 16:39:12 +01:00
-
fd4dfb12f0
vow: Add prlimit64(),arch_prctl()
Albert S
2022-01-08 15:21:46 +01:00
-
a9e6b3ee67
chroot: Create all paths first, then mount
Albert S
2022-01-08 15:04:15 +01:00
-
3b61e90761
test: Add mkpath() test
Albert S
2022-01-08 12:51:04 +01:00
-
0e27b19999
Handle files for bind-mounts too, rename mkdir_structure() to mkpath()
Albert S
2022-01-08 12:21:54 +01:00
-
ff70142e04
exile_flags_to_landlock(): Only add flags for a path that a reasonable
Albert S
2022-01-08 12:19:31 +01:00
-
4824c6eaa9
check_policy_sanity(): Traverse path_policy list only if no landlock available
Albert S
2021-12-29 00:29:14 +01:00
-
9048a3b4fe
append_syscall_to_bpf(): Improve readability
Albert S
2021-12-28 23:04:18 +01:00
-
0b54e73ff4
Rework get_vow_argfilter() for readability and easiness
Albert S
2021-12-28 22:51:43 +01:00
-
b2306299d5
vow: fix clone filter broken by ca0f8279
Albert S
2021-12-28 13:17:20 +01:00
-
55b43fdaac
Rename our 'pledge' mechanism to 'vow'
Albert S
2021-12-28 10:56:48 +01:00
-
6420ca1b40
Add landlock runtime detection
Albert S
2021-12-27 16:51:06 +01:00
-
98c76089de
Handle new 5.16 syscall: futex_waitv
Albert S
2021-12-27 14:26:37 +01:00
-
631980b775
Include linux/capability.h instead of sys/capability.h
Albert S
2021-12-27 14:15:48 +01:00
-
0be081c55d
Merge get_pledge_argfilter() with get_pledge_argfilter()
Albert S
2021-12-27 14:11:58 +01:00
-
ca0f82790c
Use some macros to increase readabiltiy of BPF rules
Albert S
2021-12-27 12:30:27 +01:00
-
77adf09d34
test: Add tests for exile_pledge()
Albert S
2021-12-27 12:00:31 +01:00
-
bcab0377f1
Add exile_pledge(): A convenience wrapper
Albert S
2021-12-27 11:59:16 +01:00
-
b469a82eec
pledge: Allow NO_NEW_PRIVS prctls
Albert S
2021-12-27 11:50:21 +01:00
-
6711b394d9
pledge: Add EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL to allow adding further seccomp filters
Albert S
2021-12-27 11:02:52 +01:00
-
9abbc7510c
Introduce exile_create_policy(): Creates an clean/empty policy.
Albert S
2021-12-27 10:41:51 +01:00
-
029762e894
pledge: Add EXILE_SYSCALL_PLEDGE_IOCTL to allow ioctl() without argfilters
Albert S
2021-12-26 19:38:02 +01:00
-
6b513f8339
pledge: Add prctl() default filter
Albert S
2021-12-26 19:34:16 +01:00
-
d2357ac676
pledge: Introduce clone() filter and EXILE_SYSCALL_PLEDGE_THREAD
Albert S
2021-12-26 17:57:16 +01:00
-
0b0dda0de1
pledge: Begin filter for setsockopt() args
Albert S
2021-12-22 10:17:48 +01:00
-
7115ef8b4d
Begin an pledge()-like implementation
Albert S
2021-12-05 17:28:58 +01:00
-
15a6850023
Begin low-level seccomp arg filter interface
Albert S
2021-11-21 15:28:46 +01:00
-
48deab0dde
exile_enable_policy(): Only chdir() post chroot()
Albert S
2021-12-27 10:01:37 +01:00