authorGravatar shtrophic2024-11-16 13:47:26 +0100
committerGravatar shtrophic2024-11-16 13:47:26 +0100
commit559f23c8080806e95a43a25f917762121fbbeee2 (patch)
tree00c09e2e15345151ea405081194b4ac3ed8cb93b
parentsandboxing port to linux via landlock (diff)
downloadsnac2-559f23c8080806e95a43a25f917762121fbbeee2.tar.gz
snac2-559f23c8080806e95a43a25f917762121fbbeee2.tar.xz
snac2-559f23c8080806e95a43a25f917762121fbbeee2.zip
add distinction between RWC with directories and without, include FS_REFER permission
-rw-r--r--sandbox.c25
1 files changed, 14 insertions, 11 deletions
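--- a/sandbox.c
+++ b/sandbox.c
@@ -113,13 +113,16 @@ void sbox_enter(const char *basedir)
 
 #define LL_R LANDLOCK_ACCESS_FS_READ_FILE
 #define LL_X LANDLOCK_ACCESS_FS_EXECUTE
-#define LL_RWC (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE)
-#define LL_UNX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK)
-#define LL_CON LANDLOCK_ACCESS_NET_CONNECT_TCP
-#define LL_BND LANDLOCK_ACCESS_NET_BIND_TCP
+#define LL_RWCF (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REFER)
+#define LL_RWCD (LL_RWCF | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR)
+#define LL_UNIX (LL_R | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_SOCK)
+#define LL_CONN LANDLOCK_ACCESS_NET_CONNECT_TCP
+#define LL_BIND LANDLOCK_ACCESS_NET_BIND_TCP
 
 #define LANDLOCK_PATH(p, r) do {\
  path.allowed_access = r;\
+ if (abi < 2)\
+ path.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;\
  if (abi < 3)\
  path.allowed_access &= ~LANDLOCK_ACCESS_FS_TRUNCATE;\
  path.parent_fd = open(p, O_PATH | O_CLOEXEC);\
@@ -145,9 +148,9 @@ void sbox_enter(const char *basedir)
  }\
 } while (0)
 
- LANDLOCK_PATH(basedir, LL_RWC);
- LANDLOCK_PATH("/tmp", LL_RWC);
- LANDLOCK_PATH("/dev/shm", LL_RWC);
+ LANDLOCK_PATH(basedir, LL_RWCD);
+ LANDLOCK_PATH("/tmp", LL_RWCD);
+ LANDLOCK_PATH("/dev/shm", LL_RWCF);
  LANDLOCK_PATH("/etc/resolv.conf", LL_R );
  LANDLOCK_PATH("/etc/hosts", LL_R );
  LANDLOCK_PATH("/etc/ssl/openssl.cnf", LL_R );
@@ -155,16 +158,16 @@ void sbox_enter(const char *basedir)
  LANDLOCK_PATH("/usr/share/zoneinfo", LL_R );
 
  if (*address == '/')
- LANDLOCK_PATH(address, LL_UNX);
+ LANDLOCK_PATH(address, LL_UNIX);
 
  if (abi > 3) {
  if (*address != '/') {
  LANDLOCK_PORT(
- (uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BND);
+ (uint16_t)xs_number_get(xs_dict_get(srv_config, "port")), LL_BIND);
  }
 
- LANDLOCK_PORT(80, LL_CON);
- LANDLOCK_PORT(443, LL_CON);
+ LANDLOCK_PORT(80, LL_CONN);
+ LANDLOCK_PORT(443, LL_CONN);
  }
 
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {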
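Review bot: The new `if (abi < 2)` mask in LANDLOCK_PATH strips LANDLOCK_ACCESS_FS_REFER from each rule, but the ruleset's handled_access_fs is built outside these hunks and needs the same gating — a ruleset that handles FS_REFER is rejected with EINVAL on ABI 1 kernels, so the per-rule mask alone does not keep the sandbox usable there; please confirm that path is covered. The LL_RWCF and LL_RWCD macros are undocumented, and the widening they carry (REMOVE_FILE and REFER, plus MAKE_DIR/REMOVE_DIR for LL_RWCD) is not visible at the call sites: a one-line comment per macro such as `/* file-level: read, write, create, truncate, unlink, link/rename (REFER needs ABI 2, TRUNCATE ABI 3) */` and `/* LL_RWCF plus mkdir/rmdir */` would make that explicit. Applying LL_RWCD to the shared `/tmp` and LL_RWCF to `/dev/shm` grants rename/link and unlink rights there that the previous LL_RWC did not; if only basedir needs those for its own writes, keeping the shared paths on the narrower read/write/create set would reduce what a compromised process can do in them. sbox_enter continues outside these hunks.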