This website requires JavaScript.
435bcefa48
test: Skip landlock specific tests if unavailble during compile time
Albert S.
2021-11-20 17:03:04 +0100
2a4cee2ece
test: Use xqssb_enable_policy() throughout where reasonable
Albert S.
2021-11-20 16:56:19 +0100
d847d0f996
qssb_append_group_syscall_policy(): Make QSSB_SYSCGROUP_NONE an invalid group
Albert S.
2021-11-14 21:46:38 +0100
1a2443db18
qssb_append_syscalls_policy(): Fix mem leak on failure
Albert S.
2021-11-09 10:02:56 +0100
db17e58deb
Assign syscalls into groups. Add whitelist mode (default).
Albert S.
2021-09-19 15:23:41 +0200
265a19d351
Assign syscalls into groups. Add whitelist mode (default).
Albert S.
2021-09-19 15:23:41 +0200
0d7c5bd6d4
append_syscall_to_bpf(): Explicit type cast to fix (C++) warnings
Albert S.
2021-10-25 18:18:01 +0200
55e1f42ca8
check_policy_sanity(): Initialize last_policy
Albert S.
2021-10-03 21:25:37 +0200
11d64c6fcf
enter_namespaces(): Check fopen/fprintf errors
Albert S.
2021-09-12 20:00:03 +0200
ebe043c08d
Fix missing \n in some error outputs
Albert S.
2021-09-12 19:50:05 +0200
8bc0d1e73a
Use overflow-safe operator builtins
Albert S.
2021-09-12 19:41:07 +0200
215032f32c
enable_no_fs(): Fix corresponding test by adding missing default policy
Albert S.
2021-09-06 21:43:50 +0200
411e00715d
Rename qssb_append_default_syscall_policy() to better distinguish it from qssb_append_syscall_default_policy()
Albert S.
2021-09-05 17:24:42 +0200
8a9b1730de
test: Remove argc,argv from tests as there was no use for them
Albert S.
2021-09-05 16:53:39 +0200
b2b501d97e
test: Refactor: Put seccomp tests into child processes ; Simplfy .sh
Albert S.
2021-09-05 16:48:27 +0200
26f391f736
test: implement test_seccomp_errno()
Albert S.
2021-09-05 12:31:16 +0200
68fd1a0a87
test: test_seccomp_blacklisted_call_permitted(): Add missing default policy
Albert S.
2021-09-05 12:30:12 +0200
b0d0beab22
README.md: Update
Albert S.
2021-08-16 23:33:36 +0200
c44ce85628
test: Add test ensuring seccomp ends with default rule, minor fixes
Albert S.
2021-08-16 23:32:27 +0200
25d8ed9bca
check_policy_sanity(): Add syscall policy checks
Albert S.
2021-08-16 23:33:25 +0200
e389140436
test.sh: Log exit code, print yes/no instead of 1/0
Albert S.
2021-08-16 23:08:16 +0200
f6af1bb78f
policy: Add disable_syscall_filter policy. Add defaults only on enable.
Albert S.
2021-08-15 18:31:13 +0200
9192ec3aa4
Rewrite syscall policy logic
Albert S.
2021-08-12 21:58:45 +0200
51844ea3ab
bpf: Deny x32 system calls for now
Albert S.
2021-08-12 12:25:12 +0200
66c6d28dcd
bpf: Check arch value
Albert S.
2021-08-12 11:57:12 +0200
5cd45c09b7
bpf: Use SECCOMP_RET_KILL_PROCESS instead SECCOMP_RET_KILL
Albert S.
2021-08-12 11:40:29 +0200
fa06287b13
Use new qssb_append_*_syscall functions, remove old fields
Albert S.
2021-08-11 20:54:40 +0200
68694723fe
Begin qssb_append_*_syscall family of functions
Albert S.
2021-08-11 19:14:06 +0200
4a4d551e75
Introduce "no_fs" and "no_new_fd" options.
Albert S.
2021-08-09 20:29:18 +0200
57238b535c
Expand disallowed system calls
Albert S.
2021-08-10 16:57:44 +0200
b4e8116c20
seccomp_enable_whitelist(): Fix comment
Albert S.
2021-08-10 16:55:58 +0200
75f607bc35
qssb_append_path_policies(): Add explicit type cast for c++
Albert S.
2021-08-07 12:05:58 +0200
a585db7778
qssb_free_policy(): Allow passing NULL
Albert S.
2021-06-08 12:35:07 +0200
55ec51ba21
Improve and add functions comments
Albert S.
2021-05-22 21:07:35 +0200
ade022ba62
update README
Albert S.
2021-05-22 20:51:09 +0200
c57c79fa36
test: Log output of individual tests
Albert S.
2021-06-06 09:27:45 +0200
5138d88b12
test: Count succeeded/failed tests
Albert S.
2021-06-06 09:02:30 +0200
b8d6c78780
test: Rename fail(), echogreen()
Albert S.
2021-06-06 08:57:24 +0200
a7c04537f7
Rename allowed_syscalls to whitelisted_syscalls for consistency
Albert S.
2021-06-05 20:15:09 +0200
85c01899a9
Start implementing tests
Albert S.
2021-06-05 14:07:11 +0200
0b13f551f4
Fix stray = in #define
Albert S.
2021-06-05 14:03:42 +0200
bb07b95993
Fix stray semicolon
Albert S.
2021-06-05 11:55:50 +0200
d070268fca
Add more system calls to blacklist
Albert S.
2021-05-29 23:15:04 +0200
d6f4a37de8
Remove unused qssb_end_policy()
Albert S.
2021-05-22 22:36:01 +0200
afb429e124
qssb_policy: Remove unused syscall_default_policy member
Albert S.
2021-05-22 22:35:12 +0200
045b7b9b2c
Improve and add functions comments
Albert S.
2021-05-22 21:07:35 +0200
4b8aa4b7e1
update README
Albert S.
2021-05-22 20:51:09 +0200
946492c28e
qssb_free_policy(): free path policies
Albert S.
2021-05-15 21:26:28 +0200
ad9c391e3f
QSSB_FS_ALLOW_WRITE does not imply ALLOW_READ anymore
Albert S.
2021-05-15 20:41:19 +0200
fcebed557c
Add qssb_append_path_polic{ies,y}: Convenience function to add path policies
Albert S.
2021-05-15 20:40:11 +0200
bb02e40101
Begin landlock support
Albert S.
2021-05-13 18:21:37 +0200
7e2d4139cb
Begin check_policy_sanity(): Checks whether policy is reasonable
Albert S.
2021-05-09 12:57:14 +0200
6e6812e13d
Introduce mount_path_policies_to_chroot option, changing path_policy enforcement logic
Albert S.
2021-05-09 12:29:03 +0200
edf144bbc7
Allow overriding HAVE_LANDLOCK irrespectible of kernel verison
Albert S.
2021-05-09 12:27:34 +0200
67e1afc904
Remove unused policy flag QSSB_FS_ALLOW_NOTHING
Albert S.
2021-05-09 12:21:15 +0200
2c94fe8225
qssb_path_policy: rename 'mountpoint' to 'path', make 'policy' unsigned
Albert S.
2021-05-09 11:56:44 +0200
4674638e9a
Add landlock policy flags if landlock is supported
Albert S.
2021-05-09 11:55:58 +0200
8697fd8b84
qssb.h: Add copyright header
Albert S.
2021-05-09 10:02:31 +0200
ed6a2a1067
Rename general QSSB_MOUNT* flags to QSSB_FS*
Albert S.
2021-05-09 09:35:17 +0200
9df2e9ee90
seccomp_enable(): Replace param types with correct unsigned int versions
Albert S.
2021-04-18 13:24:49 +0200
23f697bcc9
Update README.md: Update example projects links, minor improvements
Albert S.
2020-09-26 17:21:28 +0200
763c65c3fe
qssb_enable_policy: check for empty str instead of NULL ptr
Albert S.
2020-09-26 16:09:43 +0200
dbdb35db37
Remove wrong static keywords from some qssb_*_policy functions
Albert S.
2020-04-13 23:00:33 +0200
0a851790b8
change chroot_target_path from pointer to array
Albert S.
2020-04-13 22:50:30 +0200
60776be416
only chdir to / by default when actually chrooting and no dir given
Albert S.
2019-12-07 23:44:55 +0100
ff2bc24c6b
only create chroot directory when path policies are available
Albert S.
2019-12-07 23:26:27 +0100
7547644013
silence multiple compiler warnings
Albert S.
2019-11-17 15:13:25 +0100
8f104a231c
bugfix: qssb_enable_policy: pointer to stack-local variable
Albert S.
2019-11-17 12:45:01 +0100
fbf51e095f
introduce path policies, replacing readonly/writable paths vars
Albert S.
2019-11-16 21:17:38 +0100
1b8504c052
updated README
Albert S.
2019-11-15 21:53:26 +0100
6f1b27ee51
qssb_init_policy: explicit cast (for C++)
Albert S.
2019-11-15 21:40:56 +0100
ee6bd18027
begin a default blacklist of syscalls
Albert S.
2019-11-15 21:17:33 +0100
8298a30e7c
make PATH_MAX consistent across all buffers throughout the code
Albert S.
2019-11-10 12:29:46 +0100
338e578350
seccomp_enable: fix unused default_action parameter
Albert S.
2019-11-10 12:10:37 +0100
069349eaf6
generate a random directory for chroot if none given
Albert S.
2019-11-10 12:08:35 +0100
1de1ae0b32
introduce bitmasks indicating which namespaces to unshare
Albert S.
2019-11-09 21:13:40 +0100
bad600b3a8
set #defines only if not set already
Albert S.
2019-11-09 20:55:03 +0100
a7c6ef6c57
bind mount recursively
Albert S.
2019-11-09 16:27:54 +0100
7a2cf18c19
check drop_caps() return value ; silence compiler warning
Albert S.
2019-11-09 15:47:08 +0100
200cd7878c
Initial commit
Albert S.
2019-10-13 17:57:12 +0200