qswiki/sandbox/sandbox-linux.cpp

76 baris
2.0 KiB
C++
Mentah Pandangan Normal Riwayat

#include <vector>
#include <initializer_list>
#include <string.h>
#include <sched.h>
#include <unistd.h>
#include <fstream>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <filesystem>
#include <sys/mount.h>
#include <sys/capability.h>
#define HAVE_LANDLOCK 0
#include <exile.h>
#include "../logger.h"
#include "../utils.h"
#include "../random.h"
#include "sandbox-linux.h"
/* TODO: make a whitelist approach. So far we simply blacklist
* obvious systemcalls. To whitelist, we need to analyse our
* dependencies (http library, sqlite wrapper, sqlite lib etc.) */
bool SandboxLinux::supported()
{
std::fstream stream;
stream.open("/proc/sys/kernel/unprivileged_userns_clone");
if(stream.is_open())
{
std::string str;
stream >> str;
if(str[0] == '0')
{
Logger::error() << "Please write '1' to /proc/sys/kernel/unprivileged_userns_clone in order to enable "
"sandboxing support on this system";
return false;
}
}
return true;
}
bool SandboxLinux::enable(std::vector<std::string> fsPaths)
{
std::sort(fsPaths.begin(), fsPaths.end(),
[](const std::string &a, const std::string &b) { return a.length() < b.length(); });
struct exile_policy *policy = exile_init_policy();
2021-09-23 12:44:35 +02:00
if(policy == NULL)
{
Logger::error() << "Failed to init sandboxing policy (worker) ";
return false;
}
for(unsigned int i = 0; i < fsPaths.size(); i++)
{
2021-12-29 11:13:47 +01:00
exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, fsPaths[i].c_str());
}
2021-09-23 12:44:35 +02:00
policy->drop_caps = 1;
policy->not_dumpable = 1;
policy->no_new_privs = 1;
policy->mount_path_policies_to_chroot = 1;
2021-12-29 11:13:47 +01:00
policy->vow_promises = EXILE_SYSCALL_VOW_STDIO | EXILE_SYSCALL_VOW_WPATH | EXILE_SYSCALL_VOW_CPATH |
EXILE_SYSCALL_VOW_RPATH | EXILE_SYSCALL_VOW_INET | EXILE_SYSCALL_VOW_UNIX |
EXILE_SYSCALL_VOW_THREAD;
2021-09-23 12:44:35 +02:00
if(exile_enable_policy(policy) != 0)
{
Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
exile_free_policy(policy);
return false;
}
exile_free_policy(policy);
return true;
}