sandbox: Sync iwth qssb.h upstream: Use whitelisting and groups

This commit is contained in:
Albert S. 2021-11-14 21:53:52 +01:00
parent bbe74a2c50
commit 4f6bcd27b4
2 changed files with 19 additions and 12 deletions

View File

@ -60,18 +60,25 @@ bool SandboxLinux::enable(std::vector<std::string> fsPaths)
policy->not_dumpable = 1;
policy->no_new_privs = 1;
policy->mount_path_policies_to_chroot = 1;
/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
* sense that more could be listed here and some critical ones are probably missing */
/* TODO: use qssb groups */
long blacklisted_syscalls[] = {QSSB_SYS(setuid), QSSB_SYS(connect), QSSB_SYS(chroot), QSSB_SYS(pivot_root),
QSSB_SYS(mount), QSSB_SYS(setns), QSSB_SYS(unshare), QSSB_SYS(ptrace),
QSSB_SYS(personality), QSSB_SYS(prctl), QSSB_SYS(execveat), QSSB_SYS(execve),
QSSB_SYS(fork)};
qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, blacklisted_syscalls,
sizeof(blacklisted_syscalls) / sizeof(blacklisted_syscalls[0]));
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW) != 0)
{
Logger::error() << "Sandbox: Failed to add whitelist!";
qssb_free_policy(policy);
return false;
}
if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_SOCKET | QSSB_SYSCGROUP_FUTEX | QSSB_SYSCGROUP_PATH | QSSB_SYSCGROUP_SCHED) != 0)
{
Logger::error() << "Sandbox: Failed to add socket group!";
qssb_free_policy(policy);
return false;
}
if(qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS) != 0)
{
Logger::error() << "Sandbox: Default policy";
qssb_free_policy(policy);
return false;
}
if(qssb_enable_policy(policy) != 0)
{
Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";

@ -1 +1 @@
Subproject commit 0d7c5bd6d437ae95a4900aab6b7b6cc207acbd1b
Subproject commit d847d0f996679c77741b85959988dd9e65d63b97