dietshasta 2025-02-11 19:47:55 +00:00
parent 5aa4069288
commit f819c983fc
2 changed files with 27 additions and 18 deletions


@ -126,33 +126,36 @@ namespace i2p {
scmp_filter_ctx ctx;
/* Initialize seccomp */
ctx = seccomp_init(SCMP_ACT_KILL); // Kill the process if a violation occurs
ctx = seccomp_init(SCMP_ACT_KILL_PROCESS); // Kill the process if a violation occurs
if (ctx == NULL) {
LogPrint(eLogError, "Sandbox: Could not initialize seccomp");
seccomp_release(ctx);
return false;
//LogPrint(eLogError, "Sandbox: Could not initialize seccomp");
std::cerr << "Sandbox: Could not initialize seccomp" << std::endl;
seccomp_release(ctx);
return false;
}
/* Load rules */
for (int i = 0; i < (int)(sizeof(filter)/sizeof(int)); i++) {
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, filter[i], 0);
if (rc != 0) {
LogPrint(eLogError, "Sandbox: Could not add seccomp rule ", i, ": ", strerror(rc));
seccomp_release(ctx);
return false;
//LogPrint(eLogError, "Sandbox: Could not add seccomp rule ", i, ": ", strerror(rc));
std::cerr << "Sandbox: Could not add seccomp rule " << i << ": " << strerror(rc) << std::endl;
seccomp_release(ctx);
return false;
}
}
/* Load filter */
rc = seccomp_load(ctx);
if (rc != 0) {
LogPrint(eLogError, "Sandbox: Could not load seccomp filter: ", strerror(rc));
seccomp_release(ctx);
return false;
//LogPrint(eLogError, "Sandbox: Could not load seccomp filter: ", strerror(rc));
std::cerr << "Sandbox: Could not load seccomp filter: " << strerror(rc) << std::endl;
seccomp_release(ctx);
return false;
}
/* Success */
LogPrint(eLogInfo, "Sandbox: Loaded seccomp filter");
LogPrint(eLogNone, "Sandbox: Loaded seccomp filter");
seccomp_release(ctx);
return true;
}
@ -165,7 +168,8 @@ namespace i2p {
/* Open path file descriptor */
temp.parent_fd = open(path, O_PATH | O_CLOEXEC);
if (temp.parent_fd < 0) {
LogPrint(eLogError, "Sandbox: Failed to open ", path, ": ", strerror(temp.parent_fd));
//LogPrint(eLogError, "Sandbox: Failed to open ", path, ": ", strerror(errno));
std::cerr << "Sandbox: Failed to open " << path << ": " << strerror(errno) << std::endl;
close(temp.parent_fd);
close(ruleset_fd);
return false;
@ -174,7 +178,8 @@ namespace i2p {
/* Add rule */
int rc = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &temp, 0);
if (rc != 0) {
LogPrint(eLogError, "Sandbox: Failed to add Landlock rule for ", path, ": ", strerror(rc));
//LogPrint(eLogError, "Sandbox: Failed to add Landlock rule for ", path, ": ", strerror(rc));
std::cerr << "Sandbox: Failed to add Landlock rule for " << path << ": " << strerror(rc) << std::endl;
close(temp.parent_fd);
close(ruleset_fd);
return false;
@ -205,14 +210,16 @@ namespace i2p {
/* Check kernel compatibility */
int abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
if (abi < 2) {
LogPrint(eLogError, "Sandbox: Landlock ABI 2 is not supported by this kernel.");
//LogPrint(eLogError, "Sandbox: Landlock ABI 2 is not supported by this kernel.");
std::cerr << "Sandbox: Landlock ABI 2 is not supported by this kernel." << std::endl;
return false;
}
/* Create default ruleset */
int ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
if (ruleset_fd < 0) {
LogPrint(eLogError, "Sandbox: Failed to create Landlock ruleset: ", strerror(ruleset_fd));
//LogPrint(eLogError, "Sandbox: Failed to create Landlock ruleset: ", strerror(ruleset_fd));
std::cerr << "Sandbox: Failed to create Landlock ruleset: " << strerror(ruleset_fd) << std::endl;
close(ruleset_fd);
return false;
}
@ -250,7 +257,8 @@ namespace i2p {
/* Load ruleset */
int rc = landlock_restrict_self(ruleset_fd, 0);
if (rc != 0) {
LogPrint(eLogError, "Sandbox: Failed to load Landlock ruleset: ", strerror(rc));
//LogPrint(eLogError, "Sandbox: Failed to load Landlock ruleset: ", strerror(rc));
std::cerr << "Sandbox: Failed to load Landlock ruleset: " << strerror(rc) << std::endl;
close(ruleset_fd);
return false;
}
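Review bot: The diagnostics in the seccomp hunk will print "Unknown error -N" rather than the real cause, because libseccomp's `seccomp_rule_add()` and `seccomp_load()` return a negative errno value on failure while the new lines still pass `rc` straight to `strerror`; the two new stderr lines should read `strerror(-rc)`. The same class of mistake survives in the Landlock hunks: `strerror(ruleset_fd)` at the "Failed to create Landlock ruleset" line hands a negative descriptor to `strerror`, so that message can never be right — it should use `strerror(errno)` exactly as this commit already corrected for the `open()` failure, and the following `close(ruleset_fd)` on a negative fd is a no-op that can be dropped. Whether `landlock_add_rule`/`landlock_restrict_self` need the same `errno` treatment depends on whether those wrappers return -1/errno like a raw `syscall()` or a negated errno; the wrappers are not in this diff, so confirm before touching those two lines. Since the sandbox now kills the process with `SCMP_ACT_KILL_PROCESS` on any violation, these stderr messages are the only clue an operator gets when startup fails, which is why their accuracy matters. The functions in the later hunks start and end outside the shown hunks.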


@ -30,12 +30,13 @@ int main( int argc, char* argv[] )
{
#ifdef SANDBOX
if(!i2p::sandbox::loadSeccomp())
return EXIT_FAILURE;
return EXIT_FAILURE;
#endif
if (Daemon.init(argc, argv))
{
#ifdef SANDBOX
i2p::sandbox::loadLandlock();
if(!i2p::sandbox::loadLandlock())
return EXIT_FAILURE;
#endif
if (Daemon.start())
Daemon.run ();
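Review bot: Making `loadLandlock()` fatal is the right call, but note the ordering this hunk fixes in place: the seccomp filter is installed before `Daemon.init()` and therefore before any of the Landlock setup runs, so every syscall that setup needs — `landlock_create_ruleset`, `landlock_add_rule`, `landlock_restrict_self`, `open`/`openat` with `O_PATH`, `close`, and the `prctl(PR_SET_NO_NEW_PRIVS)` that libseccomp issues during `seccomp_load` — must already be on the seccomp allowlist, or the process is killed by `SCMP_ACT_KILL_PROCESS` with no message at all rather than reaching the new `return EXIT_FAILURE`. The `filter` array is not visible in this diff, so I cannot confirm it covers them; a one-line comment above the first `#ifdef SANDBOX` such as `// seccomp is loaded first: the filter must allow the syscalls Landlock setup below needs` would record the dependency. Also worth stating in the same comment that a SANDBOX build now refuses to start on kernels without Landlock ABI 2, since the check at the top of `loadLandlock()` returns false there and that failure is now terminal. `main` continues past the end of this hunk.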