author | netblue30 <netblue30@yahoo.com> | 2016-07-09 09:48:17 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-09 09:48:17 -0400 |
commit | fb2406ff02ea1e4fe6a5d5840e5e24ad303330aa (patch) | |
tree | 26424cc5b400f46d68134b3eef7bfb397bee39b3 | |
parent | fixes (diff) | |
seccomp filter update
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 18 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 10 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rw-r--r-- | todo | 4 |
5 files changed, 23 insertions, 14 deletions
@@ -4,6 +4,7 @@ firejail (0.9.41) baseline; urgency=low | |||
4 | * Sandbox auditing support (--audit) | 4 | * Sandbox auditing support (--audit) |
5 | * include /dev/snd in --private-dev | 5 | * include /dev/snd in --private-dev |
6 | * added mkfile profile command | 6 | * added mkfile profile command |
7 | * seccomp filter updated | ||
7 | * compile time and run time support to disable whitelists | 8 | * compile time and run time support to disable whitelists |
8 | * compile time support to disable global configuration file | 9 | * compile time support to disable global configuration file |
9 | * some profiles have been converted to private-bin | 10 | * some profiles have been converted to private-bin |
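--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -334,12 +334,15 @@ void seccomp_filter_32(void) {
 BLACKLIST(52), // umount2
 BLACKLIST(26), // ptrace
 BLACKLIST(283), // kexec_load
+BLACKLIST(341), // name_to_handle_at
 BLACKLIST(342), // open_by_handle_at
+BLACKLIST(127), // create_module
 BLACKLIST(128), // init_module
 BLACKLIST(350), // finit_module
 BLACKLIST(129), // delete_module
 BLACKLIST(110), // iopl
 BLACKLIST(101), // ioperm
+BLACKLIST(289), // ioprio_set
 BLACKLIST(87), // swapon
 BLACKLIST(115), // swapoff
 BLACKLIST(103), // syslog
@@ -376,6 +379,7 @@ void seccomp_filter_32(void) {
 BLACKLIST(88), // reboot
 BLACKLIST(169), // nfsservctl
 BLACKLIST(130), // get_kernel_syms
+
 RETURN_ALLOW
 };
 
@@ -403,11 +407,14 @@ void seccomp_filter_64(void) {
 BLACKLIST(101), // ptrace
 BLACKLIST(246), // kexec_load
 BLACKLIST(304), // open_by_handle_at
+BLACKLIST(303), // name_to_handle_at
+BLACKLIST(174), // create_module
 BLACKLIST(175), // init_module
 BLACKLIST(313), // finit_module
 BLACKLIST(176), // delete_module
 BLACKLIST(172), // iopl
 BLACKLIST(173), // ioperm
+BLACKLIST(251), // ioprio_set
 BLACKLIST(167), // swapon
 BLACKLIST(168), // swapoff
 BLACKLIST(103), // syslog
@@ -445,6 +452,7 @@ void seccomp_filter_64(void) {
 BLACKLIST(169), // reboot
 BLACKLIST(180), // nfsservctl
 BLACKLIST(177), // get_kernel_syms
+
 RETURN_ALLOW
 };
 
@@ -493,12 +501,18 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_open_by_handle_at
 filter_add_blacklist(SYS_open_by_handle_at, 0);
 #endif
+#ifdef SYS_name_to_handle_at
+filter_add_blacklist(SYS_name_to_handle_at, 0);
+#endif
 #ifdef SYS_init_module
 filter_add_blacklist(SYS_init_module, 0);
 #endif
 #ifdef SYS_finit_module // introduced in 2013
 filter_add_blacklist(SYS_finit_module, 0);
 #endif
+#ifdef SYS_create_module
+filter_add_blacklist(SYS_create_module, 0);
+#endif
 #ifdef SYS_delete_module
 filter_add_blacklist(SYS_delete_module, 0);
 #endif
@@ -508,6 +522,9 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_ioperm
 filter_add_blacklist(SYS_ioperm, 0);
 #endif
+#ifdef SYS_ioprio_set
+filter_add_blacklist(SYS_ioprio_set, 0);
+#endif
 #ifdef SYS_ni_syscall // new io permissions call on arm devices
 filter_add_blacklist(SYS_ni_syscall, 0);
 #endif
@@ -648,6 +665,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_get_kernel_syms
 filter_add_blacklist(SYS_get_kernel_syms, 0);
 #endif
+
 }
 
 // default seccomp filter with additional drop list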
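Review bot: The three new syscalls are added by hand to three independently maintained lists — the i386 numbers in seccomp_filter_32(), the x86_64 numbers in seccomp_filter_64() and the SYS_* macros in seccomp_filter_drop() — and nothing in the code ties the lists together, so a future entry that lands in one list but not the others would silently leave that ABI's filter weaker with no warning at build or run time. As far as I can check, the numbers added here (341/342/127/289 for i386, 303/304/174/251 for x86_64) agree with their name comments, but that verification was by eye; a header comment on each table such as `// keep in sync with seccomp_filter_64(), seccomp_filter_drop() and the list in src/man/firejail.txt` would at least point the next editor at every copy, and a single name-to-number table per architecture would remove the duplication. The same point applies to the matching hunks in seccomp_filter_64() and seccomp_filter_drop(). The blank lines inserted before RETURN_ALLOW in both filter tables and before the closing brace of seccomp_filter_drop() look like stray whitespace rather than an intentional change. All three enclosing functions start and end outside the hunks shown.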
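--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -224,15 +224,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
-tuxcall, reboot, mfsservctl and get_kernel_syms.
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.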
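--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1206,8 +1206,8 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
+mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
+iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,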
@@ -164,12 +164,10 @@ $ vblank_mode=0 glxgears | |||
164 | 18. Add nosound in all profiles with private-dev (including server.profile) | 164 | 18. Add nosound in all profiles with private-dev (including server.profile) |
165 | test hedgewars! | 165 | test hedgewars! |
166 | 166 | ||
167 | 19. new syscalls: | 167 | 19. new syscalls in 0.9.41: |
168 | create_module | 168 | create_module |
169 | name_to_handle_at | 169 | name_to_handle_at |
170 | ioprio_set, | 170 | ioprio_set, |
171 | |||
172 | ??? | ||
173 | 146 - sched_get_priority_max | 171 | 146 - sched_get_priority_max |
174 | 147 - sched_get_priority_min | 172 | 147 - sched_get_priority_min |
175 | 204 - sched_getaffinity | 173 | 204 - sched_getaffinity |