author | smitsohu <smitsohu@gmail.com> | 2021-06-20 13:29:48 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-06-20 13:29:48 +0200 |
commit | 533242ac32590a47e76fc1ef5bfe48f32e1f131f (patch) | |
tree | f3275b56b720c80e6c0057244ef82c87d3ac8ae9 | |
parent | Fix seahorse-adventures + CI (diff) | |
augment seccomp lists in firejail.config
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 5 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 11 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 6 |
6 files changed, 29 insertions, 3 deletions
diff --git a/etc/firejail.config b/etc/firejail.config index c671efef9..4b59f8955 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -101,6 +101,10 @@ | |||
101 | # Enable or disable seccomp support, default enabled. | 101 | # Enable or disable seccomp support, default enabled. |
102 | # seccomp yes | 102 | # seccomp yes |
103 | 103 | ||
104 | # Add rules to the default seccomp filter. Same syntax as for --seccomp= | ||
105 | # None by default; this is an example. | ||
106 | # seccomp-filter-add !chroot,kcmp,mincore | ||
107 | |||
104 | # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc) | 108 | # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc) |
105 | # seccomp-error-action EPERM | 109 | # seccomp-error-action EPERM |
106 | 110 | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 6726abdc8..12b5fc683 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -35,6 +35,7 @@ char *xvfb_extra_params = ""; | |||
35 | char *netfilter_default = NULL; | 35 | char *netfilter_default = NULL; |
36 | unsigned long join_timeout = 5000000; // microseconds | 36 | unsigned long join_timeout = 5000000; // microseconds |
37 | char *config_seccomp_error_action_str = "EPERM"; | 37 | char *config_seccomp_error_action_str = "EPERM"; |
38 | char *config_seccomp_filter_add = NULL; | ||
38 | char **whitelist_reject_topdirs = NULL; | 39 | char **whitelist_reject_topdirs = NULL; |
39 | 40 | ||
40 | int checkcfg(int val) { | 41 | int checkcfg(int val) { |
@@ -222,6 +223,10 @@ int checkcfg(int val) { | |||
222 | else if (strncmp(ptr, "join-timeout ", 13) == 0) | 223 | else if (strncmp(ptr, "join-timeout ", 13) == 0) |
223 | join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds | 224 | join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds |
224 | 225 | ||
226 | // add rules to default seccomp filter | ||
227 | else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0) | ||
228 | config_seccomp_filter_add = seccomp_check_list(ptr + 19); | ||
229 | |||
225 | // seccomp error action | 230 | // seccomp error action |
226 | else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { | 231 | else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { |
227 | if (strcmp(ptr + 21, "kill") == 0) | 232 | if (strcmp(ptr + 21, "kill") == 0) |
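Review bot: A second `seccomp-filter-add` line in firejail.config silently discards the first, because line 228 plainly assigns `config_seccomp_filter_add = seccomp_check_list(ptr + 19);` instead of accumulating; checkcfg() begins outside the hunk, so this assumes it walks the file line by line as the surrounding `else if` chain suggests. Since the option is documented as adding rules, either merge repeated lines with the helper main.c already uses for this very list, `profile_list_augment(&config_seccomp_filter_add, seccomp_check_list(ptr + 19));`, or state the last-wins rule in a comment next to the assignment, e.g. `// a repeated seccomp-filter-add line replaces, not extends, the earlier one`. `seccomp_check_list` is not visible here, so whether it returns a fresh allocation (and the overwrite therefore leaks) or only checks syntax is worth confirming before choosing between the two.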
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1da70fd54..60d178f1e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -789,6 +789,7 @@ extern char *xvfb_extra_params; | |||
789 | extern char *netfilter_default; | 789 | extern char *netfilter_default; |
790 | extern unsigned long join_timeout; | 790 | extern unsigned long join_timeout; |
791 | extern char *config_seccomp_error_action_str; | 791 | extern char *config_seccomp_error_action_str; |
792 | extern char *config_seccomp_filter_add; | ||
792 | extern char **whitelist_reject_topdirs; | 793 | extern char **whitelist_reject_topdirs; |
793 | 794 | ||
794 | int checkcfg(int val); | 795 | int checkcfg(int val); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 089d80a68..d46a56627 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -961,7 +961,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b | |||
961 | static int check_postexec(const char *list) { | 961 | static int check_postexec(const char *list) { |
962 | char *prelist, *postlist; | 962 | char *prelist, *postlist; |
963 | 963 | ||
964 | if (list) { | 964 | if (list && list[0]) { |
965 | syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true); | 965 | syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true); |
966 | if (postlist) | 966 | if (postlist) |
967 | return 1; | 967 | return 1; |
@@ -2855,6 +2855,15 @@ int main(int argc, char **argv, char **envp) { | |||
2855 | // check network configuration options - it will exit if anything went wrong | 2855 | // check network configuration options - it will exit if anything went wrong |
2856 | net_check_cfg(); | 2856 | net_check_cfg(); |
2857 | 2857 | ||
2858 | // customization of default seccomp filter | ||
2859 | if (config_seccomp_filter_add) { | ||
2860 | if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop) | ||
2861 | profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add); | ||
2862 | |||
2863 | if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32) | ||
2864 | profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add); | ||
2865 | } | ||
2866 | |||
2858 | if (arg_seccomp) | 2867 | if (arg_seccomp) |
2859 | arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); | 2868 | arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); |
2860 | 2869 | ||
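Review bot: The merge at lines 2859-2865 feeds the global list straight into `cfg.seccomp_list`, so a `!syscall` entry in firejail.config (the whitelist form the man page hunk describes for `--seccomp=`) removes that syscall from the default blacklist of every sandbox on the host, and the same string is pushed into the 32-bit list as well; a comment at the merge point should say so, e.g. `// applies to every sandbox on the host; a '!' entry weakens the default filter system-wide`. The guards on 2860 and 2863 also mean a profile that uses seccomp.keep or seccomp.drop receives none of the global additions, which is defensible but silent, so a second comment is warranted, `// keep/drop lists replace the default list, so global additions are not applied to them`. The `list[0]` test added to check_postexec at line 964 implies an empty-string list can now reach it; where that empty string originates is not visible in this hunk (presumably an empty `seccomp-filter-add` value), and a comment there naming the source would spare the next reader the same guess. check_postexec continues past the end of the first hunk.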
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 9670fe816..3d9bf9082 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) { | |||
208 | // - seccomp | 208 | // - seccomp |
209 | if (cfg.seccomp_list_drop == NULL) { | 209 | if (cfg.seccomp_list_drop == NULL) { |
210 | // default seccomp if error action is not changed | 210 | // default seccomp if error action is not changed |
211 | if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) { | 211 | if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0') |
212 | && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) { | ||
212 | if (arg_seccomp_block_secondary) | 213 | if (arg_seccomp_block_secondary) |
213 | seccomp_filter_block_secondary(); | 214 | seccomp_filter_block_secondary(); |
214 | else { | 215 | else { |
@@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) { | |||
261 | } | 262 | } |
262 | 263 | ||
263 | // build the seccomp filter as a regular user | 264 | // build the seccomp filter as a regular user |
264 | if (list) | 265 | if (list && list[0]) |
265 | if (arg_allow_debuggers) | 266 | if (arg_allow_debuggers) |
266 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, | 267 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, |
267 | PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); | 268 | PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); |
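Review bot: With the new guard at line 265 an empty list no longer reaches fseccomp, while the new condition at lines 211-212 selects the precompiled default filter only when the error action is the default; for an empty list combined with a non-default error action both of these paths are skipped, and whether a filter is still installed then depends on the lines between 215 and 262 that this hunk does not show (and on `list` at 265 being the same string as `cfg.seccomp_list` on this path, which is inferred). Please either confirm that combination still loads a filter or add a comment at line 265 stating what happens, because the failure mode would be a sandbox that silently runs with no seccomp filter at all. The emptiness test is now spelled twice in the same function; a small helper keeps the two sites in step, `static bool seccomp_list_empty(const char *l) { return l == NULL || l[0] == '\0'; }`. seccomp_filter_drop() starts before the hunk.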
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3212a88e4..7d7a1eb31 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -2209,6 +2209,12 @@ Firejail will print seccomp violations to the audit log if the kernel was compil | |||
2209 | Example: | 2209 | Example: |
2210 | .br | 2210 | .br |
2211 | $ firejail \-\-seccomp | 2211 | $ firejail \-\-seccomp |
2212 | .br | ||
2213 | |||
2214 | .br | ||
2215 | The default list can be customized, see \-\-seccomp= for a description. It can be customized | ||
2216 | also globally in /etc/firejail/firejail.config file. | ||
2217 | |||
2212 | .TP | 2218 | .TP |
2213 | \fB\-\-seccomp=syscall,@group,!syscall2 | 2219 | \fB\-\-seccomp=syscall,@group,!syscall2 |
2214 | Enable seccomp filter, whitelist "syscall2", but blacklist the default | 2220 | Enable seccomp filter, whitelist "syscall2", but blacklist the default |