author | netblue30 <netblue30@yahoo.com> | 2017-08-20 11:11:50 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-20 11:11:50 -0400 |
commit | 02302cb0ceed6689d0b3cca3609df258b8c86e28 (patch) | |
tree | c8d137215c80378d6aa8d35d6500414f3ef6e1ce | |
parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
enhancement: print all seccomp filters under --debug
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/sbox.c | 3 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 26 |
3 files changed, 21 insertions, 9 deletions
@@ -7,6 +7,7 @@ firejail (0.9.49) baseline; urgency=low | |||
7 | * feature: private /lib directory (--private-lib) | 7 | * feature: private /lib directory (--private-lib) |
8 | * feature: disable CDROM/DVD drive (--nodvd) | 8 | * feature: disable CDROM/DVD drive (--nodvd) |
9 | * feature: disable DVD devices (--notv) | 9 | * feature: disable DVD devices (--notv) |
10 | * enhancement: print all seccomp filters under --debug | ||
10 | * enhancement: /proc/sys mounting | 11 | * enhancement: /proc/sys mounting |
11 | * enhancement: default seccomp list update | 12 | * enhancement: default seccomp list update |
12 | * enhancement: rework IP address assingment for --net options | 13 | * enhancement: rework IP address assingment for --net options |
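--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -205,9 +205,6 @@ int sbox_run(unsigned filter, int num, ...) {
 	if (arg_quiet)
 		setenv("FIREJAIL_QUIET", "yes", 1);
 
-#ifdef HAVE_SECCOMP
-	seccomp_install_filters();
-#endif
 	if (arg[0]) // get rid of scan-build warning
 		execvp(arg[0], arg);
 	else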
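Review bot: Dropping the seccomp_install_filters() call before execvp() means the helper launched by sbox_run() no longer receives the filters accumulated in filter_list, and neither this hunk nor the commit message says why; the motivation appears to be the new sbox_run(..., "print", fname) call added in seccomp_load(), which would otherwise run fseccomp under the very filter it has just loaded. A comment at the removal site would spare the next reader the search, e.g. `// filter_list is not applied here: seccomp_load() spawns fseccomp through sbox_run() and must not run it under the filter being loaded`. If SBOX_SECCOMP installs its own filter elsewhere in sbox_run(), the comment should say so as well. sbox_run() starts and ends outside the hunk.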
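--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -26,6 +26,7 @@
 typedef struct filter_list {
 	struct filter_list *next;
 	struct sock_fprog prog;
+	const char *fname;
 } FilterList;
 
 static FilterList *filter_list_head = NULL;
@@ -67,6 +68,10 @@ int seccomp_install_filters(void) {
 	prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
 	for (; fl; fl = fl->next) {
+		assert(fl->fname);
+		if (arg_debug)
+			printf("Installing %s seccomp filter\n", fl->fname);
+
 		if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
 			if (!err_printed)
 				fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
@@ -92,7 +97,7 @@ int seccomp_load(const char *fname) {
 		goto errexit;
 	unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
 	if (arg_debug)
-		printf("configuring %d seccomp entries from %s\n", entries, fname);
+		printf("configuring %d seccomp entries in %s\n", entries, fname);
 
 	// read filter
 	struct sock_filter *filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
@@ -110,7 +115,16 @@ int seccomp_load(const char *fname) {
 	fl->next = filter_list_head;
 	fl->prog.len = entries;
 	fl->prog.filter = filter;
+	fl->fname = strdup(fname);
+	if (fl->fname == NULL)
+		errExit("strdup");
 	filter_list_head = fl;
+
+	if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
+		sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+			PATH_FSECCOMP, "print", fname);
+	}
+
 	return 0;
 errexit:
 	fprintf(stderr, "Error: cannot read %s\n", fname);
@@ -221,12 +235,12 @@ int seccomp_filter_drop(int enforce_seccomp) {
 	}
 
 	if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
-		sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-			PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
 		struct stat st;
-		if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0)
-			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-				PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+		if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
+			printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
+			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+				PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+		}
 	}
 
 	return 0;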
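Review bot: In the seccomp_install_filters() hunk the new `printf("Installing %s seccomp filter\n", fl->fname)` is protected only by `assert(fl->fname)`, which compiles out under NDEBUG and would then hand a null pointer to %s should any path other than seccomp_load() ever build a FilterList node; `if (arg_debug && fl->fname)` keeps the debug print safe regardless of build flags. In the seccomp_load() hunk the strdup'd name is kept on the process-lifetime list and never released, which is acceptable but deserves a line such as `// fname lives as long as the filter list; never freed`. Visible in the same hunk though not introduced here, `(unsigned short) size / (unsigned short) sizeof(struct sock_filter)` truncates size to 16 bits before dividing, so a filter file larger than 64 KiB would be silently mis-sized. The functions these hunks touch start and end outside the visible lines.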