author | Topi Miettinen <toiwoton@gmail.com> | 2017-08-30 23:03:22 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-30 23:03:22 +0300 |
commit | a3e734279d04b8fd9a96367361fac4a80bbac61d (patch) | |
tree | 8ee408ceee1bd342056eb569527bff5e90cdcab9 | |
parent | removed alsa tests from travis (diff) | |
Improve cross-platform build
-rw-r--r-- | src/fseccomp/seccomp.c | 30 |
1 files changed, 21 insertions, 9 deletions
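--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -191,6 +191,21 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 close(fd);
 }
 
+#if defined(__x86_64__) || defined(__aarch64__) || defined(__powerpc64__)
+# define filter_syscall SYS_mmap
+# undef block_syscall
+#elif defined(__i386__)
+# define filter_syscall SYS_mmap2
+# define block_syscall SYS_mmap
+#elif defined(__arm__)
+# define filter_syscall SYS_mmap2
+# undef block_syscall
+#else
+# warning "Platform does not support seccomp memory-deny-write-execute filter yet"
+# undef filter_syscall
+# undef block_syscall
+#endif
+
 void memory_deny_write_execute(const char *fname) {
 // open file
 int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
@@ -203,22 +218,19 @@ void memory_deny_write_execute(const char *fname) {
 
 // build filter
 static const struct sock_filter filter[] = {
-#ifdef __i386__
+#ifdef block_syscall
 // block old multiplexing mmap syscall for i386
-BLACKLIST(SYS_mmap),
+BLACKLIST(block_syscall),
 #endif
+#ifdef filter_syscall
 // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
-#ifdef __i386__
-// mmap2 is used for mmap on i386 these days
-BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
-#else
-BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
-#endif
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, filter_syscall, 0, 5),
 EXAMINE_ARGUMENT(2),
 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW,
+#endif
 
 // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
@@ -228,7 +240,7 @@ void memory_deny_write_execute(const char *fname) {
 KILL_PROCESS,
 RETURN_ALLOW,
 
-// shmat is not implemented as a syscall on some platforms (i386, possibly arm)
+// shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
 #ifdef SYS_shmat
 // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),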
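Review bot: The `#else` branch of the new architecture switch fails open: it leaves `filter_syscall` undefined, so the `#ifdef filter_syscall` block in the second hunk drops the mmap(PROT_WRITE|PROT_EXEC) rule entirely while memory_deny_write_execute still writes a filter file containing only the mprotect (and, where `SYS_shmat` exists, shmat) rules. A `#warning` is seen by whoever compiles fseccomp, not by the user who requests memory-deny-write-execute at runtime, so on an unlisted architecture the option silently provides a weaker sandbox than its name promises. I would either make the build fail hard with `# error "Platform does not support seccomp memory-deny-write-execute filter yet"`, or keep the warning and add above the `#ifdef filter_syscall` line a comment such as `// NOTE: with filter_syscall undefined the W^X mmap rule is omitted; only mprotect/shmat are filtered`, together with a runtime message wherever the option is handled so the degradation is visible. The body of memory_deny_write_execute, including the close of the filter array, continues past the last hunk.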