cleanup seccomp run files

author: netblue30 <netblue30@yahoo.com> 2018-04-12 12:45:43 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-04-12 12:45:43 -0400
commit: 38276c9c64c8a0e086f2fb84402c5105c1483216 (patch)
tree: 98f2bbafeef4bb1bdad64795607e961109eb1880
parent: AppArmor: disable MAC related capabilities (diff)
download: firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.tar.gz
firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.tar.zst
firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.zip
4 files changed, 131 insertions, 6 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 709ce96b6..5c7f73fc1 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -997,6 +997,10 @@ int sandbox(void* sandbox_arg) {
                seccomp_load(RUN_SECCOMP_PROTOCOL);     // install filter
                protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
        }
+        else {
+                int rv = unlink(RUN_SECCOMP_PROTOCOL);
+                (void) rv;
+        }
 #endif
        // if a keep list is available, disregard the drop list
@@ -1005,13 +1009,21 @@ int sandbox(void* sandbox_arg) {
                        seccomp_filter_keep();
                else
                        seccomp_filter_drop();
-        }
-        if (arg_debug) {
+                // clean unused filters
-                printf("\nSeccomp files:\n");
+#if defined(__LP64__)
-                int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+                int rv = unlink(RUN_SECCOMP_64);
+#endif
+#if defined(__ILP32__)
+                int rv = unlink(RUN_SECCOMP_32);
+#endif
+                (void) rv;
+        }
+        else { // clean seccomp files under /run/firejail/mnt
+                int rv = unlink(RUN_SECCOMP_CFG);
+                rv |= unlink(RUN_SECCOMP_64);
+                rv |= unlink(RUN_SECCOMP_32);
                (void) rv;
-                printf("\n");
        }
        if (arg_memory_deny_write_execute) {
@@ -1019,6 +1031,17 @@ int sandbox(void* sandbox_arg) {
                        printf("Install memory write&execute filter\n");
                seccomp_load(RUN_SECCOMP_MDWX); // install filter
        }
+        else {
+                int rv = unlink(RUN_SECCOMP_MDWX);
+                (void) rv;
+        }
+        if (arg_debug) {
+                printf("\nSeccomp files:\n");
+                int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+                (void) rv;
+                printf("\n");
+        }
 #endif
        //****************************************
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index fed1f7ba7..cc2b08542 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -153,12 +153,13 @@ int sbox_run(unsigned filter, int num, ...) {
                for (i = 3; i < max; i++)
                        close(i); // close open files
+#if 0
                if (arg_debug) {
                        printf("sbox file descriptors:\n");
                        int rv = system("ls -l /proc/self/fd");
                        (void) rv;
                }
+#endif
                umask(027);
                // apply filters
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 45b1d0459..12f13606b 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -28,6 +28,9 @@ fi
 echo "TESTING: debug options (test/filters/debug.exp)"
 ./debug.exp
+echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)"
+./seccomp-run-files.exp
 echo "TESTING: noroot (test/filters/noroot.exp)"
 ./noroot.exp
diff --git a/test/filters/seccomp-run-files.exp b/test/filters/seccomp-run-files.exp
new file mode 100755
index 000000000..a72b9aef7
--- /dev/null
+++ b/test/filters/seccomp-run-files.exp
@@ -0,0 +1,98 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "4"
+}
+send -- "exit\r"
+sleep 1
+send --  "firejail --ignore=seccomp --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "/run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 5\n";exit}
+        "/run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
+        "/run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 7\n";exit}
+        "/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "1"
+}
+send -- "exit\r"
+sleep 1
+send --  "firejail --ignore=protocol --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "/run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        "monitoring"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "3"
+}
+send -- "exit\r"
+sleep 1
+send --  "firejail --memory-deny-write-execute --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "/run/firejail/mnt/seccomp.mdwx seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "5"
+}
+send -- "exit\r"
+sleep 1
+puts "all done\n"
author	netblue30 <netblue30@yahoo.com>	2018-04-12 12:45:43 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-04-12 12:45:43 -0400
commit	38276c9c64c8a0e086f2fb84402c5105c1483216 (patch)
tree	98f2bbafeef4bb1bdad64795607e961109eb1880
parent	AppArmor: disable MAC related capabilities (diff)
download	firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.tar.gz firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.tar.zst firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 709ce96b6..5c7f73fc1 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -997,6 +997,10 @@ int sandbox(void* sandbox_arg) {
997	seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter	997	seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter
998	protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG	998	protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
999	}	999	}
		1000	else {
		1001	int rv = unlink(RUN_SECCOMP_PROTOCOL);
		1002	(void) rv;
		1003	}
1000	#endif	1004	#endif
1001		1005
1002	// if a keep list is available, disregard the drop list	1006	// if a keep list is available, disregard the drop list
@@ -1005,13 +1009,21 @@ int sandbox(void* sandbox_arg) {
1005	seccomp_filter_keep();	1009	seccomp_filter_keep();
1006	else	1010	else
1007	seccomp_filter_drop();	1011	seccomp_filter_drop();
1008	}
1009		1012
1010	if (arg_debug) {	1013	// clean unused filters
1011	printf("\nSeccomp files:\n");	1014	#if defined(__LP64__)
1012	int rv = system("ls -l /run/firejail/mnt/seccomp*\n");	1015	int rv = unlink(RUN_SECCOMP_64);
		1016	#endif
		1017	#if defined(__ILP32__)
		1018	int rv = unlink(RUN_SECCOMP_32);
		1019	#endif
		1020	(void) rv;
		1021	}
		1022	else { // clean seccomp files under /run/firejail/mnt
		1023	int rv = unlink(RUN_SECCOMP_CFG);
		1024	rv \|= unlink(RUN_SECCOMP_64);
		1025	rv \|= unlink(RUN_SECCOMP_32);
1013	(void) rv;	1026	(void) rv;
1014	printf("\n");
1015	}	1027	}
1016		1028
1017	if (arg_memory_deny_write_execute) {	1029	if (arg_memory_deny_write_execute) {
@@ -1019,6 +1031,17 @@ int sandbox(void* sandbox_arg) {
1019	printf("Install memory write&execute filter\n");	1031	printf("Install memory write&execute filter\n");
1020	seccomp_load(RUN_SECCOMP_MDWX); // install filter	1032	seccomp_load(RUN_SECCOMP_MDWX); // install filter
1021	}	1033	}
		1034	else {
		1035	int rv = unlink(RUN_SECCOMP_MDWX);
		1036	(void) rv;
		1037	}
		1038
		1039	if (arg_debug) {
		1040	printf("\nSeccomp files:\n");
		1041	int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
		1042	(void) rv;
		1043	printf("\n");
		1044	}
1022	#endif	1045	#endif
1023		1046
1024	//****************************************	1047	//****************************************


diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index fed1f7ba7..cc2b08542 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c
@@ -153,12 +153,13 @@ int sbox_run(unsigned filter, int num, ...) {
153	for (i = 3; i < max; i++)	153	for (i = 3; i < max; i++)
154	close(i); // close open files	154	close(i); // close open files
155		155
		156	#if 0
156	if (arg_debug) {	157	if (arg_debug) {
157	printf("sbox file descriptors:\n");	158	printf("sbox file descriptors:\n");
158	int rv = system("ls -l /proc/self/fd");	159	int rv = system("ls -l /proc/self/fd");
159	(void) rv;	160	(void) rv;
160	}	161	}
161		162	#endif
162	umask(027);	163	umask(027);
163		164
164	// apply filters	165	// apply filters


diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 45b1d0459..12f13606b 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh
@@ -28,6 +28,9 @@ fi
28	echo "TESTING: debug options (test/filters/debug.exp)"	28	echo "TESTING: debug options (test/filters/debug.exp)"
29	./debug.exp	29	./debug.exp
30		30
		31	echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)"
		32	./seccomp-run-files.exp
		33
31	echo "TESTING: noroot (test/filters/noroot.exp)"	34	echo "TESTING: noroot (test/filters/noroot.exp)"
32	./noroot.exp	35	./noroot.exp
33		36


diff --git a/test/filters/seccomp-run-files.exp b/test/filters/seccomp-run-files.exp new file mode 100755 index 000000000..a72b9aef7 --- /dev/null +++ b/test/filters/seccomp-run-files.exp
@@ -0,0 +1,98 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2018 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --debug\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"/run/firejail/mnt/seccomp seccomp filter"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"/run/firejail/mnt/seccomp.32 seccomp filter"
		18	}
		19	expect {
		20	timeout {puts "TESTING ERROR 2\n";exit}
		21	"/run/firejail/mnt/seccomp.protocol seccomp filter"
		22	}
		23	after 100
		24	send -- "ls -l /run/firejail/mnt \| grep seccomp \| wc -l\r"
		25	expect {
		26	timeout {puts "TESTING ERROR 3\n";exit}
		27	"4"
		28	}
		29	send -- "exit\r"
		30	sleep 1
		31
		32	send -- "firejail --ignore=seccomp --debug\r"
		33	expect {
		34	timeout {puts "TESTING ERROR 4\n";exit}
		35	"/run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 5\n";exit}
		36	"/run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
		37	"/run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 7\n";exit}
		38	"/run/firejail/mnt/seccomp.protocol seccomp filter"
		39	}
		40	after 100
		41	send -- "ls -l /run/firejail/mnt \| grep seccomp \| wc -l\r"
		42	expect {
		43	timeout {puts "TESTING ERROR 8\n";exit}
		44	"1"
		45	}
		46	send -- "exit\r"
		47	sleep 1
		48
		49	send -- "firejail --ignore=protocol --debug\r"
		50	expect {
		51	timeout {puts "TESTING ERROR 9\n";exit}
		52	"/run/firejail/mnt/seccomp seccomp filter"
		53	}
		54	expect {
		55	timeout {puts "TESTING ERROR 10\n";exit}
		56	"/run/firejail/mnt/seccomp.32 seccomp filter"
		57	}
		58	expect {
		59	timeout {puts "TESTING ERROR 11\n";exit}
		60	"/run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 12\n";exit}
		61	"monitoring"
		62	}
		63	after 100
		64	send -- "ls -l /run/firejail/mnt \| grep seccomp \| wc -l\r"
		65	expect {
		66	timeout {puts "TESTING ERROR 13\n";exit}
		67	"3"
		68	}
		69	send -- "exit\r"
		70	sleep 1
		71
		72	send -- "firejail --memory-deny-write-execute --debug\r"
		73	expect {
		74	timeout {puts "TESTING ERROR 14\n";exit}
		75	"/run/firejail/mnt/seccomp.mdwx seccomp filter"
		76	}
		77	expect {
		78	timeout {puts "TESTING ERROR 15\n";exit}
		79	"/run/firejail/mnt/seccomp seccomp filter"
		80	}
		81	expect {
		82	timeout {puts "TESTING ERROR 16\n";exit}
		83	"/run/firejail/mnt/seccomp.32 seccomp filter"
		84	}
		85	expect {
		86	timeout {puts "TESTING ERROR 17\n";exit}
		87	"/run/firejail/mnt/seccomp.protocol seccomp filter"
		88	}
		89	after 100
		90	send -- "ls -l /run/firejail/mnt \| grep seccomp \| wc -l\r"
		91	expect {
		92	timeout {puts "TESTING ERROR 18\n";exit}
		93	"5"
		94	}
		95	send -- "exit\r"
		96	sleep 1
		97
		98	puts "all done\n"