author | netblue30 <netblue30@yahoo.com> | 2015-10-24 09:33:19 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-10-24 09:33:19 -0400 |
commit | d32b4d874d6a57c2b1ec5ba5330a2f8b9cd67e44 (patch) | |
tree | 6da00a58b4bb545f5e852d0081e10081e36a2c64 | |
parent | Merge pull request #89 from g4jc/master (diff) | |
renamed ERRNO to BLACKLIST_ERRNO in seccomp.c
-rw-r--r-- | src/firejail/seccomp.c | 4 | ||||
-rw-r--r-- | todo | 38 |
2 files changed, 11 insertions, 31 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 5d6bc1de9..c313ec938 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -109,7 +109,7 @@ struct seccomp_data { | |||
109 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \ | 109 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \ |
110 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 110 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
111 | 111 | ||
112 | #define ERRNO(syscall_nr, nr) \ | 112 | #define BLACKLIST_ERRNO(syscall_nr, nr) \ |
113 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \ | 113 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \ |
114 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) | 114 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) |
115 | 115 | ||
@@ -290,7 +290,7 @@ static void filter_add_errno(int syscall, int arg) { | |||
290 | filter_realloc(); | 290 | filter_realloc(); |
291 | 291 | ||
292 | struct sock_filter filter[] = { | 292 | struct sock_filter filter[] = { |
293 | ERRNO(syscall, arg) | 293 | BLACKLIST_ERRNO(syscall, arg) |
294 | }; | 294 | }; |
295 | #if 0 | 295 | #if 0 |
296 | { | 296 | { |
@@ -34,35 +34,7 @@ $ | |||
34 | 5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI) | 34 | 5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI) |
35 | RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, | 35 | RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, |
36 | 36 | ||
37 | 6. To investigate | 37 | 6. add kexec_file_load to default seccomp filter |
38 | |||
39 | // Restrict the set of allowable network protocol families | ||
40 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
41 | SCMP_A0(SCMP_CMP_GE, AF_NETLINK + 1))); | ||
42 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
43 | SCMP_A0(SCMP_CMP_EQ, AF_AX25))); | ||
44 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
45 | SCMP_A0(SCMP_CMP_EQ, AF_IPX))); | ||
46 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
47 | SCMP_A0(SCMP_CMP_EQ, AF_APPLETALK))); | ||
48 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
49 | SCMP_A0(SCMP_CMP_EQ, AF_NETROM))); | ||
50 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
51 | SCMP_A0(SCMP_CMP_EQ, AF_BRIDGE))); | ||
52 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
53 | SCMP_A0(SCMP_CMP_EQ, AF_ATMPVC))); | ||
54 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
55 | SCMP_A0(SCMP_CMP_EQ, AF_X25))); | ||
56 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
57 | SCMP_A0(SCMP_CMP_EQ, AF_ROSE))); | ||
58 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
59 | SCMP_A0(SCMP_CMP_EQ, AF_DECnet))); | ||
60 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
61 | SCMP_A0(SCMP_CMP_EQ, AF_NETBEUI))); | ||
62 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
63 | SCMP_A0(SCMP_CMP_EQ, AF_SECURITY))); | ||
64 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
65 | SCMP_A0(SCMP_CMP_EQ, AF_KEY))); | ||
66 | 38 | ||
67 | 7. Tests not working on Arch: | 39 | 7. Tests not working on Arch: |
68 | profile_syntax.exp (profile syntax) | 40 | profile_syntax.exp (profile syntax) |
@@ -84,3 +56,11 @@ cat <&3 | |||
84 | c) A list of attacks | 56 | c) A list of attacks |
85 | http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ | 57 | http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ |
86 | 58 | ||
59 | 9. protocol filter: AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, AF_PACKET | ||
60 | |||
61 | // Create a raw IP socket with UDP protocol | ||
62 | sd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP); | ||
63 | |||
64 | // open a raw ethernet socket | ||
65 | s = socket(AF_PACKET, SOCK_DGRAM, htons(ETHERTYPE_IP)); | ||
66 | |||