sandbox: adjust to latest qssb.h
Tento commit je obsažen v:
rodič
f26fd19fb4
revize
67eb8b6428
@ -26,16 +26,26 @@
|
|||||||
bool SandboxLinux::enableForInit()
|
bool SandboxLinux::enableForInit()
|
||||||
{
|
{
|
||||||
umask(0027);
|
umask(0027);
|
||||||
struct qssb_policy policy = {0};
|
struct qssb_policy *policy = qssb_init_policy();
|
||||||
int blacklisted_syscalls[] = {QSSB_SYS(execveat), QSSB_SYS(execve), -1};
|
if(policy == NULL)
|
||||||
policy.blacklisted_syscalls = blacklisted_syscalls;
|
|
||||||
policy.no_new_privs = 1;
|
|
||||||
int result = qssb_enable_policy(&policy);
|
|
||||||
if(result != 0)
|
|
||||||
{
|
{
|
||||||
Logger::error() << "Failed to install sandboxing policy (init): " << result;
|
Logger::error() << "Failed to init sandboxing policy (init)";
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
policy->namespace_options = QSSB_UNSHARE_USER;
|
||||||
|
policy->drop_caps = 0;
|
||||||
|
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execveat));
|
||||||
|
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execve));
|
||||||
|
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
|
||||||
|
|
||||||
|
int result = qssb_enable_policy(policy);
|
||||||
|
if(result != 0)
|
||||||
|
{
|
||||||
|
Logger::error() << "Failed to enable sandboxing policy (init): " << result;
|
||||||
|
qssb_free_policy(policy);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
qssb_free_policy(policy);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -44,28 +54,34 @@ bool SandboxLinux::enablePreWorker(std::vector<std::string> fsPaths)
|
|||||||
std::sort(fsPaths.begin(), fsPaths.end(),
|
std::sort(fsPaths.begin(), fsPaths.end(),
|
||||||
[](const std::string &a, const std::string &b) { return a.length() < b.length(); });
|
[](const std::string &a, const std::string &b) { return a.length() < b.length(); });
|
||||||
|
|
||||||
struct qssb_path_policy *policies = new qssb_path_policy[fsPaths.size()];
|
struct qssb_policy *policy = qssb_init_policy();
|
||||||
|
if(policy == NULL)
|
||||||
|
{
|
||||||
|
Logger::error() << "Failed to init sandboxing policy (pre)";
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
for(unsigned int i = 0; i < fsPaths.size(); i++)
|
for(unsigned int i = 0; i < fsPaths.size(); i++)
|
||||||
{
|
{
|
||||||
policies[i].next = policies + (i + 1);
|
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_WRITE, fsPaths[i].c_str());
|
||||||
policies[i].mountpoint = fsPaths[i].c_str();
|
|
||||||
policies[i].policy = QSSB_MOUNT_ALLOW_READ | QSSB_MOUNT_ALLOW_WRITE;
|
|
||||||
}
|
}
|
||||||
policies[fsPaths.size() - 1].next = NULL;
|
|
||||||
|
|
||||||
struct qssb_policy policy = {0};
|
policy->namespace_options = QSSB_UNSHARE_MOUNT;
|
||||||
policy.path_policies = policies;
|
policy->drop_caps = 0;
|
||||||
policy.namespace_options |= QSSB_UNSHARE_MOUNT;
|
policy->mount_path_policies_to_chroot = 1;
|
||||||
policy.namespace_options |= QSSB_UNSHARE_USER;
|
|
||||||
int blacklisted_syscalls[] = {QSSB_SYS(execveat), QSSB_SYS(execve), -1};
|
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execveat));
|
||||||
policy.blacklisted_syscalls = blacklisted_syscalls;
|
qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execve));
|
||||||
int result = qssb_enable_policy(&policy);
|
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
|
||||||
|
|
||||||
|
int result = qssb_enable_policy(policy);
|
||||||
if(result != 0)
|
if(result != 0)
|
||||||
{
|
{
|
||||||
Logger::error() << "Failed to install sandboxing policy (preworker): %i" << result;
|
Logger::error() << "Failed to install sandboxing policy (preworker): %i" << result;
|
||||||
|
qssb_free_policy(policy);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
delete[] policies;
|
qssb_free_policy(policy);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -88,30 +104,35 @@ bool SandboxLinux::supported()
|
|||||||
}
|
}
|
||||||
bool SandboxLinux::enableForWorker()
|
bool SandboxLinux::enableForWorker()
|
||||||
{
|
{
|
||||||
struct qssb_policy policy = {0};
|
struct qssb_policy *policy = qssb_init_policy();
|
||||||
policy.drop_caps = 1;
|
if(policy == NULL)
|
||||||
policy.not_dumpable = 1;
|
{
|
||||||
policy.no_new_privs = 1;
|
Logger::error() << "Failed to init sandboxing policy (worker) ";
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
policy->drop_caps = 1;
|
||||||
|
policy->not_dumpable = 1;
|
||||||
|
policy->no_new_privs = 1;
|
||||||
|
policy->namespace_options = 0;
|
||||||
|
|
||||||
/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
|
/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
|
||||||
* sense that more could be listed here and some critical ones are probably missing */
|
* sense that more could be listed here and some critical ones are probably missing */
|
||||||
int blacklisted_syscalls[] = {QSSB_SYS(setuid),
|
|
||||||
QSSB_SYS(connect),
|
/* TODO: use qssb groups */
|
||||||
QSSB_SYS(chroot),
|
long blacklisted_syscalls[] = {QSSB_SYS(setuid), QSSB_SYS(connect), QSSB_SYS(chroot), QSSB_SYS(pivot_root),
|
||||||
QSSB_SYS(pivot_root),
|
QSSB_SYS(mount), QSSB_SYS(setns), QSSB_SYS(unshare), QSSB_SYS(ptrace),
|
||||||
QSSB_SYS(mount),
|
QSSB_SYS(personality), QSSB_SYS(prctl)};
|
||||||
QSSB_SYS(setns),
|
|
||||||
QSSB_SYS(unshare),
|
qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, blacklisted_syscalls,
|
||||||
QSSB_SYS(ptrace),
|
sizeof(blacklisted_syscalls) / sizeof(blacklisted_syscalls[0]));
|
||||||
QSSB_SYS(personality),
|
qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
|
||||||
QSSB_SYS(prctl),
|
|
||||||
-1};
|
if(qssb_enable_policy(policy) != 0)
|
||||||
policy.blacklisted_syscalls = blacklisted_syscalls;
|
|
||||||
if(qssb_enable_policy(&policy) != 0)
|
|
||||||
{
|
{
|
||||||
Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
|
Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
|
||||||
|
qssb_free_policy(policy);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
qssb_free_policy(policy);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
Načítá se…
Odkázat v novém úkolu
Zablokovat Uživatele