author | smitsohu <smitsohu@gmail.com> | 2021-06-26 16:37:13 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-26 16:37:13 +0200 |
commit | 46712f70d9dcc4f5be23d474846c2ff9d88db0d3 (patch) | |
tree | cb27faaaf17cdd1dc708a9173e10d24331e4abfd | |
parent | Merge pull request #4374 from smitsohu/euid (diff) | |
parent | RELNOTES (diff) | |
Merge pull request #4340 from smitsohu/kcmp
augment seccomp lists in firejail.config
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 5 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 11 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 53 |
7 files changed, 60 insertions, 23 deletions
@@ -1,6 +1,10 @@ | |||
1 | firejail (0.9.65) baseline; urgency=low | 1 | firejail (0.9.65) baseline; urgency=low |
2 | * deprecated --audit options, relpaced by jailcheck utility | 2 | * deprecated --audit options, relpaced by jailcheck utility |
3 | * deprecated follow-symlink-as-user from firejail.config | 3 | * deprecated follow-symlink-as-user from firejail.config |
4 | * new firejail.config settings: private-bin, private-etc | ||
5 | * new firejail.config settings: private-opt, private-srv | ||
6 | * new firejail.config settings: whitelist-disable-topdir | ||
7 | * new firejail.config settings: seccomp-filter-add | ||
4 | * rename --noautopulse to keep-config-pulse | 8 | * rename --noautopulse to keep-config-pulse |
5 | * filtering environment variables | 9 | * filtering environment variables |
6 | * zsh completion | 10 | * zsh completion |
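--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -113,6 +113,10 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
+# Add rules to the default seccomp filter. Same syntax as for --seccomp=
+# None by default; this is an example.
+# seccomp-filter-add !chroot,kcmp,mincore
+
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 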
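Review bot: The new `seccomp-filter-add` comment does not say which filters the setting affects, which an administrator needs before relying on it as a global hardening knob. From the main.c hunk in this same commit, the rules are merged into the blacklist list (the default one or an explicit --seccomp= list, and the 32-bit list when --seccomp.32 is active) and are skipped entirely when a profile uses --seccomp.keep or --seccomp.drop, so a profile can still bypass the setting by switching filter type. Suggest adding one line after the syntax note: `# Applied to the default and --seccomp= blacklists only; ignored when seccomp.keep or seccomp.drop is used.`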
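--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -35,6 +35,7 @@ char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
 char *config_seccomp_error_action_str = "EPERM";
+char *config_seccomp_filter_add = NULL;
 char **whitelist_reject_topdirs = NULL;
 
 int checkcfg(int val) {
@@ -225,6 +226,10 @@ int checkcfg(int val) {
 else if (strncmp(ptr, "join-timeout ", 13) == 0)
 join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
 
+// add rules to default seccomp filter
+else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0)
+config_seccomp_filter_add = seccomp_check_list(ptr + 19);
+
 // seccomp error action
 else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
 if (strcmp(ptr + 21, "kill") == 0)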
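Review bot: The new `seccomp-filter-add` branch (new lines 229-231) assigns whatever `seccomp_check_list(ptr + 19)` returns with no comment on what that value is or how a repeated key behaves, and a second `seccomp-filter-add` line in firejail.config silently replaces the first instead of being appended. Presumably seccomp_check_list validates the list syntax and returns a copy (not visible in this hunk); if it allocates, the earlier value also leaks on a repeated key, minor since the file is read once but worth stating. Suggest: `// add rules to default seccomp filter; seccomp_check_list() validates the syntax, last occurrence wins`. checkcfg() starts and ends outside the hunk.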
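--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -810,6 +810,7 @@ extern char *xvfb_extra_params;
 extern char *netfilter_default;
 extern unsigned long join_timeout;
 extern char *config_seccomp_error_action_str;
+extern char *config_seccomp_filter_add;
 extern char **whitelist_reject_topdirs;
 
 int checkcfg(int val);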
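--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -967,7 +967,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
 static int check_postexec(const char *list) {
 char *prelist, *postlist;
 
-if (list) {
+if (list && list[0]) {
 syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
 if (postlist)
 return 1;
@@ -2895,6 +2895,15 @@ int main(int argc, char **argv, char **envp) {
 // check network configuration options - it will exit if anything went wrong
 net_check_cfg();
 
+// customization of default seccomp filter
+if (config_seccomp_filter_add) {
+if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop)
+profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add);
+
+if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32)
+profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add);
+}
+
 if (arg_seccomp)
 arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
 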
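Review bot: The comment `// customization of default seccomp filter` on new line 2898 understates what the block does: the guards on lines 2900 and 2903 apply the config rules to any blacklist list, so an explicit `--seccomp=` list from a profile is augmented too, while `--seccomp.keep`/`--seccomp.drop` profiles are left untouched, which is the precedence an operator needs to know when auditing a profile. Suggest `// merge firejail.config seccomp-filter-add into the blacklist (default or --seccomp=); keep/drop filters are not touched`. It also relies on `profile_list_augment` accepting a NULL `cfg.seccomp_list` when no profile supplied one, which cannot be confirmed from this hunk; placing the block before the `check_postexec` calls on new lines 2907-2908 does correctly let the added rules influence the postexec decision. main() starts and ends outside the hunk.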
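--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) {
 // - seccomp
 if (cfg.seccomp_list_drop == NULL) {
 // default seccomp if error action is not changed
-if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
+if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0')
+&& arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
@@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) {
 }
 
 // build the seccomp filter as a regular user
-if (list)
+if (list && list[0])
 if (arg_allow_debuggers)
 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
 PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");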
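Review bot: An empty list with a non-default error action is not obviously handled: new line 211 routes a NULL-or-empty `cfg.seccomp_list` to the default filter only when `arg_seccomp_error_action` is unchanged, and the second hunk's `if (list && list[0])` on new line 265 then skips building a filter for the empty case, so whether the sandbox still installs a seccomp filter there (or fails closed) depends on code outside these hunks and should be confirmed, since silently running without a filter is the failure mode to avoid. The "NULL or empty" test is now written three times (here twice and in check_postexec in main.c); a single helper in firejail.h such as `static inline bool seccomp_list_empty(const char *l) { return l == NULL || l[0] == '\0'; }` would keep them in step. seccomp_filter_drop() starts and ends outside the hunks.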
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d18811316..0462705c0 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -2178,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan | |||
2178 | .TP | 2178 | .TP |
2179 | \fB\-\-seccomp | 2179 | \fB\-\-seccomp |
2180 | Enable seccomp filter and blacklist the syscalls in the default list, | 2180 | Enable seccomp filter and blacklist the syscalls in the default list, |
2181 | which is @default-nodebuggers unless allow-debuggers is specified, | 2181 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, |
2182 | then it is @default. | 2182 | then it is @default. |
2183 | 2183 | ||
2184 | .br | 2184 | .br |
@@ -2189,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock, | |||
2189 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, | 2189 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, |
2190 | @resources, @setuid, @swap, @sync, @system-service and @timer. | 2190 | @resources, @setuid, @swap, @sync, @system-service and @timer. |
2191 | More information about groups can be found in /usr/share/doc/firejail/syscalls.txt | 2191 | More information about groups can be found in /usr/share/doc/firejail/syscalls.txt |
2192 | 2192 | .br | |
2193 | In addition, a system call can be specified by its number instead of | ||
2194 | name with prefix $, so for example $165 would be equal to mount on i386. | ||
2195 | Exceptions can be allowed with prefix !. | ||
2196 | 2193 | ||
2197 | .br | 2194 | .br |
2198 | System architecture is strictly imposed only if flag | 2195 | System architecture is strictly imposed only if flag |
2199 | \-\-seccomp.block-secondary is used. The filter is applied at run time | 2196 | \-\-seccomp.block-secondary is used. The filter is applied at run time |
2200 | only if the correct architecture was detected. For the case of I386 | 2197 | only if the correct architecture was detected. For the case of I386 |
2201 | and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit | 2198 | and AMD64 both 32-bit and 64-bit filters are installed. |
2202 | architecture, an additional filter for 32 bit system calls can be | ||
2203 | installed with \-\-seccomp.32. | ||
2204 | .br | 2199 | .br |
2205 | 2200 | ||
2206 | .br | 2201 | .br |
@@ -2211,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil | |||
2211 | Example: | 2206 | Example: |
2212 | .br | 2207 | .br |
2213 | $ firejail \-\-seccomp | 2208 | $ firejail \-\-seccomp |
2209 | .br | ||
2210 | |||
2211 | .br | ||
2212 | The default list can be customized, see \-\-seccomp= for a description. It can be customized | ||
2213 | also globally in /etc/firejail/firejail.config file. | ||
2214 | |||
2214 | .TP | 2215 | .TP |
2215 | \fB\-\-seccomp=syscall,@group,!syscall2 | 2216 | \fB\-\-seccomp=syscall,@group,!syscall2 |
2216 | Enable seccomp filter, whitelist "syscall2", but blacklist the default | 2217 | Enable seccomp filter, blacklist the default list and the syscalls or syscall groups |
2217 | list and the syscalls or syscall groups specified by the | 2218 | specified by the command, but don't blacklist "syscall2". On a 64 bit |
2218 | command. | 2219 | architecture, an additional filter for 32 bit system calls can be |
2220 | installed with \-\-seccomp.32. | ||
2219 | .br | 2221 | .br |
2220 | 2222 | ||
2221 | .br | 2223 | .br |
@@ -2225,6 +2227,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox | |||
2225 | .br | 2227 | .br |
2226 | $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk | 2228 | $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk |
2227 | .br | 2229 | .br |
2230 | $ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious | ||
2231 | .br | ||
2232 | |||
2233 | .br | ||
2234 | Syscalls can be specified by their number if prefix $ is added, | ||
2235 | so for example $165 would be equal to mount on i386. | ||
2236 | .br | ||
2228 | 2237 | ||
2229 | .br | 2238 | .br |
2230 | Instead of dropping the syscall by returning EPERM, another error | 2239 | Instead of dropping the syscall by returning EPERM, another error |
@@ -2237,6 +2246,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with | |||
2237 | 2246 | ||
2238 | .br | 2247 | .br |
2239 | Example: | 2248 | Example: |
2249 | .br | ||
2240 | $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes | 2250 | $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes |
2241 | .br | 2251 | .br |
2242 | Parent pid 10662, child pid 10663 | 2252 | Parent pid 10662, child pid 10663 |
@@ -2245,9 +2255,13 @@ Child process initialized | |||
2245 | .br | 2255 | .br |
2246 | $ touch testfile | 2256 | $ touch testfile |
2247 | .br | 2257 | .br |
2258 | $ ls testfile | ||
2259 | .br | ||
2260 | testfile | ||
2261 | .br | ||
2248 | $ rm testfile | 2262 | $ rm testfile |
2249 | .br | 2263 | .br |
2250 | rm: cannot remove `testfile': Operation not permitted | 2264 | rm: cannot remove `testfile': No such file or directory |
2251 | .br | 2265 | .br |
2252 | 2266 | ||
2253 | .br | 2267 | .br |
@@ -2260,7 +2274,7 @@ filters. | |||
2260 | .br | 2274 | .br |
2261 | Example: | 2275 | Example: |
2262 | .br | 2276 | .br |
2263 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash | 2277 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh |
2264 | .br | 2278 | .br |
2265 | Parent pid 32751, child pid 32752 | 2279 | Parent pid 32751, child pid 32752 |
2266 | .br | 2280 | .br |
@@ -2272,8 +2286,7 @@ Child process initialized in 46.44 ms | |||
2272 | .br | 2286 | .br |
2273 | $ ls | 2287 | $ ls |
2274 | .br | 2288 | .br |
2275 | Bad system call | 2289 | Operation not permitted |
2276 | .br | ||
2277 | 2290 | ||
2278 | .TP | 2291 | .TP |
2279 | \fB\-\-seccomp.block-secondary | 2292 | \fB\-\-seccomp.block-secondary |
@@ -2317,15 +2330,15 @@ Child process initialized | |||
2317 | .br | 2330 | .br |
2318 | $ touch testfile | 2331 | $ touch testfile |
2319 | .br | 2332 | .br |
2333 | $ ls testfile | ||
2334 | .br | ||
2335 | testfile | ||
2336 | .br | ||
2320 | $ rm testfile | 2337 | $ rm testfile |
2321 | .br | 2338 | .br |
2322 | rm: cannot remove `testfile': Operation not permitted | 2339 | rm: cannot remove `testfile': No such file or directory |
2323 | .br | 2340 | .br |
2324 | 2341 | ||
2325 | |||
2326 | |||
2327 | |||
2328 | |||
2329 | .TP | 2342 | .TP |
2330 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 | 2343 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
2331 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". | 2344 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". |