
commit f803dcee366b2b0120a7ae065da5b6d3fd2ad669
parent a1c3a92d76c43a2fa6190a606c408bb99aed57da
Author: Duncaen <mail@duncano.de>
Date:   Sun, 19 Feb 2017 19:04:55 +0100

move headers and man pages into separate directories

Diffstat:
Makefile | 8++++----
include/newns.h | 0
include/pledge.h | 55+++++++++++++++++++++++++++++++++++++++++++++++++++++++
include/pledge_syscalls.h | 289++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
man/newns.1 | 0
man/newns.2 | 0
man/pledge.1 | 95+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
man/pledge.2 | 0
newns.1 | 0
newns.2 | 0
newns.h | 0
pledge.1 | 95-------------------------------------------------------------------------------
pledge.2 | 0
pledge.h | 55-------------------------------------------------------
14 files changed, 443 insertions(+), 154 deletions(-)

diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
.error : This Makefile needs GNU make
-CFLAGS+=-std=c99 -g -O2 -fstack-protector-strong
+CFLAGS+=-std=c99 -g -O2 -fstack-protector-strong -Iinclude
CFLAGS+=-Wall -Wextra -Wwrite-strings -Wno-switch -Wno-extended-offsetof -pedantic
CPPFLAGS+=-D_DEFAULT_SOURCE -D_FORTIFY_SOURCE=2
@@ -20,8 +20,8 @@ $(PROGS) : % : %.o
$(LIBS:=.a) : %.a : %.o
$(LIBS:=.so) : %.so : %.o
-libpledge.o : pledge_syscalls.h
-libpledge.o pledge.o : pledge.h
+libpledge.o : include/pledge_syscalls.h
+libpledge.o pledge.o : include/pledge.h
pledge: libpledge.a
# newns: libnewns.a
@@ -45,7 +45,7 @@ install: all
$(DESTDIR)$(LIBDIR) \
$(DESTDIR)$(INCDIR)
install -m0644 libpledge.a libpledge.so $(DESTDIR)$(LIBDIR)
- install -m0644 pledge.h $(DESTDIR)$(INCDIR)
+ install -m0644 include/pledge.h $(DESTDIR)$(INCDIR)
install -m0755 pledge $(DESTDIR)$(BINDIR)
# install -m0755 newns $(DESTDIR)$(BINDIR)
# install -m0644 libnewns.a libnewns.so $(DESTDIR)$(LIBDIR)
diff --git a/include/newns.h b/include/newns.h
diff --git a/include/pledge.h b/include/pledge.h
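Review bot: `-Iinclude` is appended to CFLAGS in the first hunk while the preprocessor flags already live on the `CPPFLAGS+=-D_DEFAULT_SOURCE -D_FORTIFY_SOURCE=2` line two lines below; an include path is a preprocessor flag, so `CPPFLAGS+=-D_DEFAULT_SOURCE -D_FORTIFY_SOURCE=2 -Iinclude` keeps each line meaning what its name says. It also matters in practice: with GNU make a `make CFLAGS=...` on the command line discards every `CFLAGS+=` in the Makefile, and the include path would vanish with it, breaking the `include/pledge.h` dependency the second hunk introduces. The other two hunks are consistent path updates; pledge_syscalls.h is a build-time dependency only and is correctly not installed alongside pledge.h.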
@@ -0,0 +1,55 @@
+#define PLEDGED 0x1000000000000000ULL
+#define PLEDGE_ALWAYS 0xffffffffffffffffULL
+#define PLEDGE_DEBUG 0x0000000000000001ULL
+#define PLEDGE_VERBOSE 0x0000000000000002ULL
+#define PLEDGE_IOCTL 0x0000000000000010ULL
+#define PLEDGE_RPATH 0x0000000000000020ULL
+#define PLEDGE_WPATH 0x0000000000000040ULL
+#define PLEDGE_CPATH 0x0000000000000080ULL
+#define PLEDGE_STDIO 0x0000000000000100ULL
+#define PLEDGE_CHOWN 0x0000000000000200ULL
+#define PLEDGE_DPATH 0x0000000000000400ULL
+#define PLEDGE_DRM 0x0000000000000800ULL
+#define PLEDGE_EXEC 0x0000000000001000ULL
+#define PLEDGE_FATTR 0x0000000000002000ULL
+#define PLEDGE_FLOCK 0x0000000000004000ULL
+#define PLEDGE_GETPW 0x0000000000008000ULL
+#define PLEDGE_INET 0x0000000000010000ULL
+#define PLEDGE_PROC 0x0000000000020000ULL
+#define PLEDGE_ID 0x0000000000040000ULL
+#define PLEDGE_SETTIME 0x0000000000080000ULL
+#define PLEDGE_UNIX 0x0000000000100000ULL
+#define PLEDGE_CHOWNUID 0x0000000000200000ULL
+#define PLEDGE_EMUL 0x0000000000400000ULL
+#define PLEDGE_IPC 0x0000000000800000ULL
+#define PLEDGE_MOUNT 0x0000000001000000ULL
+#define PLEDGE_KEY 0x0000000002000000ULL
+#define PLEDGE_KERN 0x0000000004000000ULL
+
+#define _FLAG_DROPPED(x) \
+ ((oldflags&(x)) && (~flags&(x)))
+
+#define _FILTER_CHOWN \
+ (!oldflags && !(flags&PLEDGE_CHOWNUID)) || _FLAG_DROPPED(PLEDGE_CHOWNUID)
+
+#define _FILTER_PRCTL \
+ _FLAG_DROPPED(PLEDGE_PROC)
+
+#define _FILTER_SOCKET \
+ (!oldflags && !(flags&PLEDGE_INET)^!(flags&PLEDGE_UNIX)) || \
+ _FLAG_DROPPED(PLEDGE_INET) ^ _FLAG_DROPPED(PLEDGE_UNIX)
+
+#define _FILTER_KILL \
+ (!oldflags && !(flags&PLEDGE_PROC)) || _FLAG_DROPPED(PLEDGE_PROC)
+
+#define _FILTER_FCNTL \
+ !(oldflags && flags&PLEDGE_PROC) || _FLAG_DROPPED(PLEDGE_PROC)
+
+#define _FILTER_IOCTL_ALWAYS \
+ !oldflags
+
+struct sock_fprog *pledge_whitelist(uint64_t);
+struct sock_fprog *pledge_blacklist(uint64_t, uint64_t);
+struct sock_fprog *pledge_filter(uint64_t, uint64_t);
+uint64_t pledge_flags(const char *);
+int pledge(const char *, const char *[]);
diff --git a/include/pledge_syscalls.h b/include/pledge_syscalls.h
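Review bot: The header that the Makefile installs into INCDIR uses `uint64_t` and `struct sock_fprog` without including `<stdint.h>` and `<linux/filter.h>`, and it has no include guard, so every consumer must know to include those first; a `#ifndef PLEDGE_H` guard plus those two includes at the top would make the public header self-contained. The `_FILTER_*` macros expand to unparenthesised `a || b` expressions that silently depend on variables named `oldflags` and `flags` at the expansion site, so `if (!_FILTER_CHOWN)` negates only the first operand; wrapping each expansion, e.g. `((!oldflags && !(flags&PLEDGE_CHOWNUID)) || _FLAG_DROPPED(PLEDGE_CHOWNUID))`, and a comment naming the variables they expect would remove that trap. Names starting with an underscore and an uppercase letter are reserved for the implementation in C, so a `PLEDGE_FILTER_` prefix would be safer. `_FILTER_FCNTL` is also shaped differently from `_FILTER_KILL` (`!(oldflags && flags&PLEDGE_PROC)` versus `(!oldflags && !(flags&PLEDGE_PROC))`), which makes fcntl filtered whenever proc is absent while kill is filtered only on a first pledge or on a drop; if that asymmetry is intended a comment should say why.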
@@ -0,0 +1,289 @@
+const uint64_t pledge_syscalls[] = {
+ /**/
+ [SYS_exit] = PLEDGE_ALWAYS,
+ [SYS_exit_group] = PLEDGE_ALWAYS,
+ [SYS_seccomp] = PLEDGE_ALWAYS,
+ [SYS_prctl] = PLEDGE_ALWAYS | PLEDGE_PROC,
+
+ [SYS_arch_prctl] = PLEDGE_STDIO,
+ [SYS_getuid] = PLEDGE_STDIO,
+ [SYS_geteuid] = PLEDGE_STDIO,
+ [SYS_getresuid] = PLEDGE_STDIO,
+ [SYS_getgid] = PLEDGE_STDIO,
+ [SYS_getegid] = PLEDGE_STDIO,
+ [SYS_getresgid] = PLEDGE_STDIO,
+ [SYS_getgroups] = PLEDGE_STDIO,
+ [SYS_getpgrp] = PLEDGE_STDIO,
+ [SYS_getpgid] = PLEDGE_STDIO,
+ [SYS_getppid] = PLEDGE_STDIO,
+ [SYS_getsid] = PLEDGE_STDIO,
+ [SYS_getrlimit] = PLEDGE_STDIO,
+ [SYS_gettimeofday] = PLEDGE_STDIO,
+ [SYS_getrusage] = PLEDGE_STDIO,
+ [SYS_clock_getres] = PLEDGE_STDIO,
+ [SYS_clock_gettime] = PLEDGE_STDIO,
+ [SYS_clock_nanosleep] = PLEDGE_STDIO,
+ [SYS_getpid] = PLEDGE_STDIO,
+ [SYS_uname] = PLEDGE_STDIO,
+ [SYS_sysinfo] = PLEDGE_STDIO,
+ [SYS_madvise] = PLEDGE_STDIO,
+#if defined(SYS_fadvise64) && SYS_fadvise64 != SYS_fadvise
+ [SYS_fadvise64] = PLEDGE_STDIO,
+#endif
+ [SYS_mmap] = PLEDGE_STDIO,
+#if defined(SYS_mmap2)
+ [SYS_mmap2] = PLEDGE_STDIO,
+#endif
+ [SYS_mprotect] = PLEDGE_STDIO,
+ [SYS_munmap] = PLEDGE_STDIO,
+ [SYS_msync] = PLEDGE_STDIO,
+ [SYS_brk] = PLEDGE_STDIO,
+ [SYS_umask] = PLEDGE_STDIO,
+ [SYS_read] = PLEDGE_STDIO,
+#if defined(SYS_read64) && SYS_read64 != SYS_read
+ [SYS_read64] = PLEDGE_STDIO,
+#endif
+ [SYS_readv] = PLEDGE_STDIO,
+#if defined(SYS_pread64) && SYS_pread64 != SYS_pread
+ [SYS_pread64] = PLEDGE_STDIO,
+#endif
+ [SYS_preadv] = PLEDGE_STDIO,
+ [SYS_write] = PLEDGE_STDIO,
+#if defined(SYS_write64) && SYS_write64 != SYS_write
+ [SYS_write64] = PLEDGE_STDIO,
+#endif
+#if defined(SYS_pwrite64) && SYS_pwrite64 != SYS_pwrite
+ [SYS_pwrite64] = PLEDGE_STDIO,
+#endif
+ [SYS_writev] = PLEDGE_STDIO,
+ [SYS_pwritev] = PLEDGE_STDIO,
+ [SYS_recvmsg] = PLEDGE_STDIO,
+ [SYS_recvfrom] = PLEDGE_STDIO,
+ [SYS_ftruncate] = PLEDGE_STDIO,
+ [SYS_futex] = PLEDGE_STDIO,
+ [SYS_lseek] = PLEDGE_STDIO,
+ [SYS_sendto] = PLEDGE_STDIO,
+ [SYS_sendmsg] = PLEDGE_STDIO,
+ [SYS_nanosleep] = PLEDGE_STDIO,
+ [SYS_sigaltstack] = PLEDGE_STDIO,
+ [SYS_rt_sigprocmask] = PLEDGE_STDIO,
+ [SYS_rt_sigsuspend] = PLEDGE_STDIO,
+ [SYS_rt_sigaction] = PLEDGE_STDIO,
+ [SYS_rt_sigreturn] = PLEDGE_STDIO,
+ [SYS_rt_sigpending] = PLEDGE_STDIO,
+#ifdef SYS_sigreturn
+ [SYS_sigreturn]
+#endif
+ [SYS_getitimer] = PLEDGE_STDIO,
+ [SYS_setitimer] = PLEDGE_STDIO,
+ [SYS_alarm] = PLEDGE_STDIO,
+ [SYS_pause] = PLEDGE_STDIO,
+ [SYS_time] = PLEDGE_STDIO,
+
+ /* events,poll */
+#ifdef SYS__newselect
+ [SYS__newselect] = PLEDGE_STDIO,
+#endif
+ [SYS_epoll_create1] = PLEDGE_STDIO,
+ [SYS_epoll_create] = PLEDGE_STDIO,
+ [SYS_epoll_ctl] = PLEDGE_STDIO,
+ [SYS_epoll_ctl_old] = PLEDGE_STDIO,
+ [SYS_epoll_pwait] = PLEDGE_STDIO,
+ [SYS_epoll_wait] = PLEDGE_STDIO,
+ [SYS_epoll_wait_old] = PLEDGE_STDIO,
+ [SYS_eventfd2] = PLEDGE_STDIO,
+ [SYS_eventfd] = PLEDGE_STDIO,
+ [SYS_poll] = PLEDGE_STDIO,
+ [SYS_ppoll] = PLEDGE_STDIO,
+ [SYS_pselect6] = PLEDGE_STDIO,
+ [SYS_select] = PLEDGE_STDIO,
+
+ [SYS_fstat] = PLEDGE_STDIO,
+ [SYS_fsync] = PLEDGE_STDIO,
+ [SYS_setsockopt] = PLEDGE_STDIO,
+ [SYS_getsockopt] = PLEDGE_STDIO,
+ [SYS_fcntl] = PLEDGE_STDIO,
+ [SYS_close] = PLEDGE_STDIO,
+ [SYS_tee] = PLEDGE_STDIO,
+ [SYS_splice] = PLEDGE_STDIO,
+ [SYS_dup] = PLEDGE_STDIO,
+ [SYS_dup2] = PLEDGE_STDIO,
+ [SYS_dup3] = PLEDGE_STDIO,
+ [SYS_shutdown] = PLEDGE_STDIO,
+ [SYS_fchdir] = PLEDGE_STDIO,
+ [SYS_pipe] = PLEDGE_STDIO,
+ [SYS_pipe2] = PLEDGE_STDIO,
+ [SYS_socketpair] = PLEDGE_STDIO,
+ [SYS_wait4] = PLEDGE_STDIO,
+ [SYS_kill] = PLEDGE_STDIO,
+ [SYS_ioctl] = PLEDGE_STDIO,
+ [SYS_open] = PLEDGE_STDIO,
+ [SYS_stat] = PLEDGE_STDIO,
+#if defined(SYS_stat64) && SYS_stat64 != SYS_stat
+ [SYS_stat64] = PLEDGE_STDIO,
+#endif
+ [SYS_access] = PLEDGE_STDIO,
+ [SYS_readlink] = PLEDGE_STDIO,
+
+ /* ipc */
+ [SYS_memfd_create] = PLEDGE_IPC,
+ [SYS_mq_getsetattr] = PLEDGE_IPC,
+ [SYS_mq_notify] = PLEDGE_IPC,
+ [SYS_mq_open] = PLEDGE_IPC,
+ [SYS_mq_timedreceive] = PLEDGE_IPC,
+ [SYS_mq_timedsend] = PLEDGE_IPC,
+ [SYS_mq_unlink] = PLEDGE_IPC,
+ [SYS_msgctl] = PLEDGE_IPC,
+ [SYS_msgget] = PLEDGE_IPC,
+ [SYS_msgrcv] = PLEDGE_IPC,
+ [SYS_msgsnd] = PLEDGE_IPC,
+ [SYS_process_vm_readv] = PLEDGE_IPC,
+ [SYS_process_vm_writev] = PLEDGE_IPC,
+ [SYS_semctl] = PLEDGE_IPC,
+ [SYS_semget] = PLEDGE_IPC,
+ [SYS_semop] = PLEDGE_IPC,
+ [SYS_semtimedop] = PLEDGE_IPC,
+ [SYS_shmat] = PLEDGE_IPC,
+ [SYS_shmctl] = PLEDGE_IPC,
+ [SYS_shmdt] = PLEDGE_IPC,
+ [SYS_shmget] = PLEDGE_IPC,
+
+ [SYS_adjtimex] = PLEDGE_SETTIME,
+ [SYS_clock_adjtime] = PLEDGE_SETTIME,
+ [SYS_clock_settime] = PLEDGE_SETTIME,
+ [SYS_settimeofday] = PLEDGE_SETTIME,
+#ifdef SYS_stime
+ [SYS_stime] = PLEDGE_SETTIME,
+#endif
+
+ [SYS_chdir] = PLEDGE_RPATH,
+ [SYS_openat] = PLEDGE_RPATH | PLEDGE_WPATH,
+ [SYS_newfstatat] = PLEDGE_RPATH | PLEDGE_WPATH,
+ [SYS_faccessat] = PLEDGE_RPATH | PLEDGE_WPATH,
+ [SYS_getcwd] = PLEDGE_RPATH | PLEDGE_WPATH,
+ [SYS_readlinkat] = PLEDGE_RPATH | PLEDGE_WPATH,
+ [SYS_lstat] = PLEDGE_RPATH | PLEDGE_WPATH,
+#if defined(SYS_lstat64) && SYS_lstat64 != SYS_lstat
+ [SYS_lstat64] = PLEDGE_STDIO,
+#endif
+ [SYS_truncate] = PLEDGE_WPATH,
+#if defined(SYS_truncate64) && SYS_truncate64 != SYS_truncate
+ [SYS_truncate64] = PLEDGE_STDIO,
+#endif
+ [SYS_rename] = PLEDGE_RPATH | PLEDGE_CPATH,
+ [SYS_rmdir] = PLEDGE_CPATH,
+ [SYS_renameat] = PLEDGE_CPATH,
+ [SYS_renameat2] = PLEDGE_CPATH,
+ [SYS_link] = PLEDGE_CPATH,
+ [SYS_linkat] = PLEDGE_CPATH,
+ [SYS_lremovexattr] = PLEDGE_CPATH,
+ [SYS_lsetxattr] = PLEDGE_CPATH,
+ [SYS_symlink] = PLEDGE_CPATH,
+ [SYS_unlink] = PLEDGE_CPATH,
+ [SYS_unlinkat] = PLEDGE_CPATH,
+ [SYS_mkdir] = PLEDGE_CPATH,
+ [SYS_mkdirat] = PLEDGE_CPATH,
+
+ [SYS_getdents] = PLEDGE_RPATH,
+#if defined(SYS_getdents64) && SYS_getdents64 != SYS_getdents
+ [SYS_getdents64] = PLEDGE_RPATH,
+#endif
+ [SYS_statfs] = PLEDGE_RPATH,
+ [SYS_fstatfs] = PLEDGE_RPATH,
+ [SYS_listxattr] = PLEDGE_RPATH,
+ [SYS_llistxattr] = PLEDGE_RPATH,
+
+ [SYS_utimes] = PLEDGE_FATTR,
+ [SYS_utimensat] = PLEDGE_FATTR,
+ [SYS_chmod] = PLEDGE_FATTR,
+ [SYS_fchmod] = PLEDGE_FATTR,
+ [SYS_fchmodat] = PLEDGE_FATTR,
+
+ [SYS_chown] = PLEDGE_CHOWN,
+ [SYS_fchownat] = PLEDGE_CHOWN,
+ [SYS_lchown] = PLEDGE_CHOWN,
+ [SYS_fchown] = PLEDGE_CHOWN,
+
+ [SYS_clone] = PLEDGE_PROC,
+ [SYS_fork] = PLEDGE_PROC,
+ [SYS_setns] = PLEDGE_PROC,
+ [SYS_setpgid] = PLEDGE_PROC,
+ [SYS_setsid] = PLEDGE_PROC,
+ [SYS_sched_get_priority_max] = PLEDGE_PROC,
+ [SYS_sched_get_priority_min] = PLEDGE_PROC,
+ [SYS_sched_getaffinity] = PLEDGE_PROC,
+ [SYS_sched_getattr] = PLEDGE_PROC,
+ [SYS_sched_getparam] = PLEDGE_PROC,
+ [SYS_sched_getscheduler] = PLEDGE_PROC,
+ [SYS_sched_rr_get_interval] = PLEDGE_PROC,
+ [SYS_sched_setaffinity] = PLEDGE_PROC,
+ [SYS_sched_setattr] = PLEDGE_PROC,
+ [SYS_sched_setparam] = PLEDGE_PROC,
+ [SYS_sched_setscheduler] = PLEDGE_PROC,
+ [SYS_sched_yield] = PLEDGE_PROC,
+ [SYS_set_tid_address] = PLEDGE_PROC,
+ [SYS_set_robust_list] = PLEDGE_PROC,
+ [SYS_get_robust_list] = PLEDGE_PROC,
+ [SYS_unshare] = PLEDGE_PROC,
+ [SYS_vfork] = PLEDGE_PROC,
+
+ [SYS_setrlimit] = PLEDGE_PROC | PLEDGE_ID,
+ [SYS_prlimit64] = PLEDGE_PROC | PLEDGE_ID,
+ [SYS_getpriority] = PLEDGE_PROC | PLEDGE_ID,
+ [SYS_setpriority] = PLEDGE_PROC | PLEDGE_ID,
+
+ [SYS_setuid] = PLEDGE_ID,
+ [SYS_setreuid] = PLEDGE_ID,
+ [SYS_setresuid] = PLEDGE_ID,
+ [SYS_setgid] = PLEDGE_ID,
+ [SYS_setregid] = PLEDGE_ID,
+ [SYS_setresgid] = PLEDGE_ID,
+ [SYS_setgroups] = PLEDGE_ID,
+
+ [SYS_execve] = PLEDGE_EXEC,
+ [SYS_execveat] = PLEDGE_EXEC,
+
+ [SYS_socket] = PLEDGE_INET | PLEDGE_UNIX,
+ [SYS_connect] = PLEDGE_INET | PLEDGE_UNIX,
+ [SYS_bind] = PLEDGE_INET | PLEDGE_UNIX,
+ [SYS_getsockname] = PLEDGE_INET | PLEDGE_UNIX,
+
+ [SYS_listen] = PLEDGE_INET | PLEDGE_UNIX,
+ [SYS_accept4] = PLEDGE_INET | PLEDGE_UNIX,
+ [SYS_accept] = PLEDGE_INET | PLEDGE_UNIX,
+ [SYS_getpeername] = PLEDGE_INET | PLEDGE_UNIX,
+
+ [SYS_flock] = PLEDGE_FLOCK,
+
+ [SYS_modify_ldt] = PLEDGE_EMUL,
+#ifdef SYS_subpage_prot
+ [SYS_subpage_prot] = PLEDGE_EMUL,
+#endif
+#ifdef SYS_switch_edian
+ [SYS_switch_edian] = PLEDGE_EMUL,
+#endif
+#ifdef SYS_vm86
+ [SYS_vm86] = PLEDGE_EMUL,
+#endif
+#ifdef SYS_vm86old
+ [SYS_vm86old] = PLEDGE_EMUL,
+#endif
+
+ [SYS_chroot] = PLEDGE_MOUNT,
+ [SYS_mount] = PLEDGE_MOUNT,
+ [SYS_pivot_root] = PLEDGE_MOUNT,
+ [SYS_swapoff] = PLEDGE_MOUNT,
+ [SYS_swapon] = PLEDGE_MOUNT,
+ [SYS_umount2] = PLEDGE_MOUNT,
+#ifdef SYS_umount
+ [SYS_umount] = PLEDGE_MOUNT,
+#endif
+
+ [SYS_add_key] = PLEDGE_KEY,
+ [SYS_keyctl] = PLEDGE_KEY,
+ [SYS_request_key] = PLEDGE_KEY,
+
+ [SYS_delete_module] = PLEDGE_KERN,
+ [SYS_finit_module] = PLEDGE_KERN,
+ [SYS_init_module] = PLEDGE_KERN,
+};
diff --git a/man/newns.1 b/man/newns.1
diff --git a/man/newns.2 b/man/newns.2
diff --git a/man/pledge.1 b/man/pledge.1
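Review bot: The `[SYS_sigreturn]` entry under `#ifdef SYS_sigreturn` has no initializer, so on any ABI that defines SYS_sigreturn (32-bit x86 does) the designator runs straight into the following `[SYS_getitimer] = PLEDGE_STDIO,` and the table does not compile; it should read `[SYS_sigreturn] = PLEDGE_STDIO,`. Two spots grant more than their neighbours: `[SYS_open] = PLEDGE_STDIO` sits beside `[SYS_openat] = PLEDGE_RPATH | PLEDGE_WPATH`, so unless libpledge.c filters open's flags argument (pledge.h declares no `_FILTER_OPEN`) a stdio-only program can still open any path through the legacy entry point, and `[SYS_lstat64]`/`[SYS_truncate64]` are `PLEDGE_STDIO` while `lstat`/`truncate` demand `rpath|wpath`/`wpath`, which would let a 32-bit stdio-only program truncate files; the 64-suffixed entries should carry the same flags as their counterparts. `#ifdef SYS_switch_edian` looks like a typo for `SYS_switch_endian`, so that guard is never true, and the unguarded `SYS_arch_prctl`, `SYS_epoll_ctl_old`, `SYS_epoll_wait_old` and `SYS_modify_ldt` entries confine the table to x86 despite the `#ifdef` style used elsewhere. Because this header defines a non-static `const uint64_t pledge_syscalls[]` with external linkage, including it from a second translation unit produces a duplicate symbol; `static const` would match its header-only use, and a comment at the top stating that every syscall absent from the table is denied would document the policy in one place.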
@@ -0,0 +1,95 @@
+.Dd February 19, 2017
+.Dt PLEDGE 1
+.Os
+.Sh NAME
+.Nm pledge
+.Nd execute commands with restricted syscalls
+.Sh SYNOPSIS
+.Nm
+.Op Fl dv
+.Op Fl p Ar promises
+.Ar command
+.Op Ar args
+.Sh DESCRIPTION
+The
+.Nm
+utility executes the given
+.Ar command
+with restricted access to syscalls using
+.Xr seccomp 2 .
+The
+.Ar promises
+argument specifies the groups of syscalls the command is allowed to used.
+If the command uses a syscall from a group that is not promised it is killed
+by a
+.Dv SIGSYS
+signal.
+.Pp
+The
+.Ar exec
+and
+.Ar stdio
+.Ar promises
+are enabled by default.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl d
+Debug mode, uses
+.Dv SECCOMP_RET_TRAP
+instead of
+.Dv SECCOMP_RET_KILL
+on promise violations, see
+.Xr seccomp 2 .
+.It Fl p Ar promises
+A space separated list of promises.
+See
+.Sx PROMISES
+for a complete list of available promises.
+.It Fl v
+Verbose mode.
+.El
+.Sh PROMISES
+See
+.Xr pledge 2
+for a more complete description of each promise.
+.Bl -tag -width Ds
+.It Ar stdio
+Allows most basic syscalls.
+.It Ar rpath
+Read-only operations on the filesystem.
+.It Ar wpath
+Write operations on the filesystem.
+.It Ar cpath
+Allows the creation of new files and directories.
+.It Ar inet
+.Dv AF_INET
+and
+.Dv AF_INET6
+sockets.
+.It Ar fattr
+Change file attributes.
+.It Ar chmod
+Change file modes.
+.It Ar flock
+File locking.
+.It Ar unix
+.Dv AF_UNIX
+sockets.
+.It Ar proc
+Process relationship operations.
+.It Ar exec
+Start new processes.
+.It Ar id
+Syscalls that can change the rights of a process.
+.El
+.Sh EXIT STATUS
+.Ex -std
+.Sh SEE ALSO
+.Xr pledge 2 ,
+.Xr seccomp 2 ,
+.Xr syscalls 2
+.Sh AUTHORS
+.An Duncan Overbruck Aq Mt mail@duncano.de
+.Sh LICENSE
+TBA
diff --git a/man/pledge.2 b/man/pledge.2
diff --git a/newns.1 b/newns.1
diff --git a/newns.2 b/newns.2
diff --git a/newns.h b/newns.h
diff --git a/pledge.1 b/pledge.1
@@ -1,95 +0,0 @@
-.Dd February 19, 2017
-.Dt PLEDGE 1
-.Os
-.Sh NAME
-.Nm pledge
-.Nd execute commands with restricted syscalls
-.Sh SYNOPSIS
-.Nm
-.Op Fl dv
-.Op Fl p Ar promises
-.Ar command
-.Op Ar args
-.Sh DESCRIPTION
-The
-.Nm
-utility executes the given
-.Ar command
-with restricted access to syscalls using
-.Xr seccomp 2 .
-The
-.Ar promises
-argument specifies the groups of syscalls the command is allowed to used.
-If the command uses a syscall from a group that is not promised it is killed
-by a
-.Dv SIGSYS
-signal.
-.Pp
-The
-.Ar exec
-and
-.Ar stdio
-.Ar promises
-are enabled by default.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl d
-Debug mode, uses
-.Dv SECCOMP_RET_TRAP
-instead of
-.Dv SECCOMP_RET_KILL
-on promise violations, see
-.Xr seccomp 2 .
-.It Fl p Ar promises
-A space separated list of promises.
-See
-.Sx PROMISES
-for a complete list of available promises.
-.It Fl v
-Verbose mode.
-.El
-.Sh PROMISES
-See
-.Xr pledge 2
-for a more complete description of each promise.
-.Bl -tag -width Ds
-.It Ar stdio
-Allows most basic syscalls.
-.It Ar rpath
-Read-only operations on the filesystem.
-.It Ar wpath
-Write operations on the filesystem.
-.It Ar cpath
-Allows the creation of new files and directories.
-.It Ar inet
-.Dv AF_INET
-and
-.Dv AF_INET6
-sockets.
-.It Ar fattr
-Change file attributes.
-.It Ar chmod
-Change file modes.
-.It Ar flock
-File locking.
-.It Ar unix
-.Dv AF_UNIX
-sockets.
-.It Ar proc
-Process relationship operations.
-.It Ar exec
-Start new processes.
-.It Ar id
-Syscalls that can change the rights of a process.
-.El
-.Sh EXIT STATUS
-.Ex -std
-.Sh SEE ALSO
-.Xr pledge 2 ,
-.Xr seccomp 2 ,
-.Xr syscalls 2
-.Sh AUTHORS
-.An Duncan Overbruck Aq Mt mail@duncano.de
-.Sh LICENSE
-TBA
diff --git a/pledge.2 b/pledge.2
diff --git a/pledge.h b/pledge.h
@@ -1,55 +0,0 @@
-#define PLEDGED 0x1000000000000000ULL
-#define PLEDGE_ALWAYS 0xffffffffffffffffULL
-#define PLEDGE_DEBUG 0x0000000000000001ULL
-#define PLEDGE_VERBOSE 0x0000000000000002ULL
-#define PLEDGE_IOCTL 0x0000000000000010ULL
-#define PLEDGE_RPATH 0x0000000000000020ULL
-#define PLEDGE_WPATH 0x0000000000000040ULL
-#define PLEDGE_CPATH 0x0000000000000080ULL
-#define PLEDGE_STDIO 0x0000000000000100ULL
-#define PLEDGE_CHOWN 0x0000000000000200ULL
-#define PLEDGE_DPATH 0x0000000000000400ULL
-#define PLEDGE_DRM 0x0000000000000800ULL
-#define PLEDGE_EXEC 0x0000000000001000ULL
-#define PLEDGE_FATTR 0x0000000000002000ULL
-#define PLEDGE_FLOCK 0x0000000000004000ULL
-#define PLEDGE_GETPW 0x0000000000008000ULL
-#define PLEDGE_INET 0x0000000000010000ULL
-#define PLEDGE_PROC 0x0000000000020000ULL
-#define PLEDGE_ID 0x0000000000040000ULL
-#define PLEDGE_SETTIME 0x0000000000080000ULL
-#define PLEDGE_UNIX 0x0000000000100000ULL
-#define PLEDGE_CHOWNUID 0x0000000000200000ULL
-#define PLEDGE_EMUL 0x0000000000400000ULL
-#define PLEDGE_IPC 0x0000000000800000ULL
-#define PLEDGE_MOUNT 0x0000000001000000ULL
-#define PLEDGE_KEY 0x0000000002000000ULL
-#define PLEDGE_KERN 0x0000000004000000ULL
-
-#define _FLAG_DROPPED(x) \
- ((oldflags&(x)) && (~flags&(x)))
-
-#define _FILTER_CHOWN \
- (!oldflags && !(flags&PLEDGE_CHOWNUID)) || _FLAG_DROPPED(PLEDGE_CHOWNUID)
-
-#define _FILTER_PRCTL \
- _FLAG_DROPPED(PLEDGE_PROC)
-
-#define _FILTER_SOCKET \
- (!oldflags && !(flags&PLEDGE_INET)^!(flags&PLEDGE_UNIX)) || \
- _FLAG_DROPPED(PLEDGE_INET) ^ _FLAG_DROPPED(PLEDGE_UNIX)
-
-#define _FILTER_KILL \
- (!oldflags && !(flags&PLEDGE_PROC)) || _FLAG_DROPPED(PLEDGE_PROC)
-
-#define _FILTER_FCNTL \
- !(oldflags && flags&PLEDGE_PROC) || _FLAG_DROPPED(PLEDGE_PROC)
-
-#define _FILTER_IOCTL_ALWAYS \
- !oldflags
-
-struct sock_fprog *pledge_whitelist(uint64_t);
-struct sock_fprog *pledge_blacklist(uint64_t, uint64_t);
-struct sock_fprog *pledge_filter(uint64_t, uint64_t);
-uint64_t pledge_flags(const char *);
-int pledge(const char *, const char *[]);