crtxcr/exile.h
1
0
Fork 0
Code Issues 14 Pull Requests 1 Releases Wiki Activity

WIP pledge/low-level seccomp arg filter interface #22

Closed
crtxcr wants to merge 0 commits from WIP/argsfilter into master
pull from: WIP/argsfilter
merge into: crtxcr:master
Conversation 2 Commits - Files Changed -
crtxcr commented 2021-11-21 15:29:20 +01:00
Owner
Copy Link
No description provided.
crtxcr force-pushed WIP/argsfilter from 89749bd03b to 371c6a94b6 2021-11-30 18:33:22 +01:00 Compare
crtxcr force-pushed WIP/argsfilter from 371c6a94b6 to ac3e84ed16 2021-12-01 23:55:57 +01:00 Compare
crtxcr commented 2021-12-02 10:17:27 +01:00
Author
Owner
Copy Link

Test for blacklist:

  • syscall without args
  • syscall with args
  • syscall without args
Test for blacklist: - syscall without args - syscall with args - syscall without args
crtxcr changed title from WIP low-level seccomp arg filter interface to WIP pledge/low-level seccomp arg filter interface 2021-12-05 17:32:21 +01:00
crtxcr force-pushed WIP/argsfilter from 7bfa7f5961 to 08a2445c26 2021-12-19 20:27:13 +01:00 Compare
crtxcr force-pushed WIP/argsfilter from fa473601d3 to eca3b3d622 2021-12-20 16:16:06 +01:00 Compare
crtxcr force-pushed WIP/argsfilter from eca3b3d622 to c7991ceefa 2021-12-20 17:30:51 +01:00 Compare
crtxcr force-pushed WIP/argsfilter from 9a95ad0c6a to 34b58c5b32 2021-12-24 16:22:28 +01:00 Compare
crtxcr force-pushed WIP/argsfilter from 45f5f16bb8 to d742397b52 2021-12-26 18:16:07 +01:00 Compare
crtxcr force-pushed WIP/argsfilter from beeae95fe1 to 72ee3b3d74 2021-12-27 00:44:44 +01:00 Compare
crtxcr force-pushed WIP/argsfilter from 72ee3b3d74 to a7a9c6962a 2021-12-27 12:00:41 +01:00 Compare
crtxcr force-pushed WIP/argsfilter from 3e4ae74203 to ca0f82790c 2021-12-27 12:36:32 +01:00 Compare
crtxcr added 2 commits 2021-12-27 14:18:15 +01:00 
Some distros put sys/capability.h into libcap-dev or
similiar, which is a bit unforunate, we don't need
libcap-dev or anything like that.

Since we anyway only used the capget()/capset(), we can
just define a simple wrapper and call the syscall directly
and therefore avoid above mentioned issue.
crtxcr added 1 commit 2021-12-27 14:26:47 +01:00
crtxcr added 1 commit 2021-12-27 17:03:42 +01:00 
We cannot assume that landlock is enabled if we can compile it.
Even if it's enabled in the kernel it may still not be loaded.

We fill fallback to chroot/bind-mounts if we can.

If we can't (because path policies have landlock-specific options),
we can't do that either.

Closes: #21
crtxcr commented 2021-12-27 17:14:56 +01:00
Author
Owner
Copy Link

Merged

Merged
crtxcr closed this pull request 2021-12-27 17:14:56 +01:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No Label
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: crtxcr/exile.h#22
No description provided.
Delete Branch "WIP/argsfilter"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?