playground

Sandbox, container or whatever utilities for linux.
git clone https://pi.duncano.de/git/playground.git

commit a1c3a92d76c43a2fa6190a606c408bb99aed57da
parent b430e32c9d7939051ef4bc1ca1fa063572ff89b8
Author: Duncaen <mail@duncano.de>
Date:   Sun, 19 Feb 2017 19:03:46 +0100

libpledge: move filter conditions into pledge.h

Diffstat:
libpledge.c | 13+++++++------
pledge.h | 22++++++++++++++++++++++
2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/libpledge.c b/libpledge.c
@@ -280,12 +280,13 @@ pledge_filter(uint64_t flags, uint64_t oldflags)
 int allow_prctl, allow_socket, allow_selfkill, allow_fcntl, allow_selfchown, allow_ioctl;
 len = 0;
- allow_selfchown = (!(flags & PLEDGE_CHOWNUID) && (flags & PLEDGE_CHOWN)) || 0;
- allow_prctl = !(flags & PLEDGE_PROC) || 0;
- allow_socket = (flags & PLEDGE_INET) || (flags & PLEDGE_UNIX) || 0;
- allow_selfkill = (!(flags & PLEDGE_PROC)) || 0;
- allow_fcntl = (!(flags & PLEDGE_PROC) && (flags & PLEDGE_STDIO)) || 0;
- allow_ioctl = (!(flags & PLEDGE_IOCTL)) || 0;
+
+ allow_selfchown = _FILTER_CHOWN;
+ allow_prctl = _FILTER_PRCTL;
+ allow_socket = _FILTER_SOCKET;
+ allow_selfkill = _FILTER_KILL;
+ allow_fcntl = _FILTER_FCNTL;
+ allow_ioctl = _FILTER_IOCTL_ALWAYS;
 /* chown(2), fchown(2), lchown(2), fchownat(2) */
 if (allow_selfchown)
diff --git a/pledge.h b/pledge.h
@@ -26,6 +26,28 @@
 #define PLEDGE_KEY 0x0000000002000000ULL
 #define PLEDGE_KERN 0x0000000004000000ULL
+#define _FLAG_DROPPED(x) \
+ ((oldflags&(x)) && (~flags&(x)))
+
+#define _FILTER_CHOWN \
+ (!oldflags && !(flags&PLEDGE_CHOWNUID)) || _FLAG_DROPPED(PLEDGE_CHOWNUID)
+
+#define _FILTER_PRCTL \
+ _FLAG_DROPPED(PLEDGE_PROC)
+
+#define _FILTER_SOCKET \
+ (!oldflags && !(flags&PLEDGE_INET)^!(flags&PLEDGE_UNIX)) || \
+ _FLAG_DROPPED(PLEDGE_INET) ^ _FLAG_DROPPED(PLEDGE_UNIX)
+
+#define _FILTER_KILL \
+ (!oldflags && !(flags&PLEDGE_PROC)) || _FLAG_DROPPED(PLEDGE_PROC)
+
+#define _FILTER_FCNTL \
+ !(oldflags && flags&PLEDGE_PROC) || _FLAG_DROPPED(PLEDGE_PROC)
+
+#define _FILTER_IOCTL_ALWAYS \
+ !oldflags
+
 struct sock_fprog *pledge_whitelist(uint64_t);
 struct sock_fprog *pledge_blacklist(uint64_t, uint64_t);
 struct sock_fprog *pledge_filter(uint64_t, uint64_t);
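Review bot: Several of the new assignments in `pledge_filter` no longer compute what the removed lines did, although the commit is described as a move. `allow_ioctl` becomes `!oldflags` and ignores `PLEDGE_IOCTL`, `allow_prctl` is 0 on a first call (`oldflags == 0`) even when `PLEDGE_PROC` is absent, and `allow_selfchown` no longer requires `PLEDGE_CHOWN`. If that is intended, the `allow_*` names now mislead, and a comment above the block such as `/* each flag is set when the matching restriction must be emitted for this flags -> oldflags transition */` would make the contract reviewable. The rest of `pledge_filter` lies outside the hunk, so it cannot be confirmed from here whether a 0 value skips a redundant rule or leaves a syscall without its argument restriction.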
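Review bot: `_FILTER_FCNTL` in pledge.h negates the whole conjunction, `!(oldflags && flags&PLEDGE_PROC)`, where `_FILTER_KILL` just above it uses `(!oldflags && !(flags&PLEDGE_PROC))`. As written it is true whenever `oldflags` is 0, regardless of `PLEDGE_PROC`, so if the two were meant to be parallel the `!` is misplaced. None of the `_FILTER_*` expansions is parenthesised as a whole, and `_FILTER_SOCKET` relies on `^` binding tighter than `&&` and `||`, so any use other than as a bare right-hand side would regroup silently. Wrapping each body avoids that, e.g. `#define _FILTER_KILL ((!oldflags && !(flags&PLEDGE_PROC)) || _FLAG_DROPPED(PLEDGE_PROC))`. The macros also read `flags` and `oldflags` from whatever scope expands them, and names starting with `_` plus an uppercase letter are reserved for the implementation, so a short header comment naming the required variables would help.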