allow 32bit calls to bypass the seccomp filter

2 files changed, 123 insertions, 98 deletions

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index c313ec938..29c87b18b 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -18,106 +18,9 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-/* default seccomp filter
-        // seccomp
-        struct sock_filter filter[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL,
-                BLACKLIST(SYS_mount),  // mount/unmount filesystems
-                BLACKLIST(SYS_umount2),
-                BLACKLIST(SYS_ptrace), // trace processes
-                BLACKLIST(SYS_kexec_load), // loading a different kernel
-                BLACKLIST(SYS_open_by_handle_at), // open by handle
-                BLACKLIST(SYS_init_module), // kernel module handling
-#ifdef SYS_finit_module // introduced in 2013
-                BLACKLIST(SYS_finit_module),
-#endif
-                BLACKLIST(SYS_delete_module),
-                BLACKLIST(SYS_iopl), // io permisions
-#ifdef SYS_ioperm
-                BLACKLIST(SYS_ioperm),
-#endif
-SYS_iopl
-                BLACKLIST(SYS_iopl), // io permisions
-#endif
-#ifdef SYS_ni_syscall), // new io permisions call on arm devices
-                BLACKLIST(SYS_ni_syscall),
-#endif
-                BLACKLIST(SYS_swapon), // swap on/off
-                BLACKLIST(SYS_swapoff),
-                BLACKLIST(SYS_syslog), // kernel printk control
-                RETURN_ALLOW
-        };
-*/
 #ifdef HAVE_SECCOMP
 #include "firejail.h"
-#include <errno.h>
-#include <linux/filter.h>
-#include <sys/syscall.h>
-#include <linux/capability.h>
-#include <linux/audit.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-
-#include <sys/prctl.h>
-#ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
-#endif
-
-#if HAVE_SECCOMP_H
-#include <linux/seccomp.h>
-#else
-#define SECCOMP_MODE_FILTER     2
-#define SECCOMP_RET_KILL        0x00000000U
-#define SECCOMP_RET_TRAP        0x00030000U
-#define SECCOMP_RET_ALLOW       0x7fff0000U
-#define SECCOMP_RET_ERRNO       0x00050000U
-#define SECCOMP_RET_DATA        0x0000ffffU
-struct seccomp_data {
-    int nr;
-    __u32 arch;
-    __u64 instruction_pointer;
-    __u64 args[6];
-};
-#endif
-
-#if defined(__i386__)
-# define ARCH_NR        AUDIT_ARCH_I386
-#elif defined(__x86_64__)
-# define ARCH_NR        AUDIT_ARCH_X86_64
-#elif defined(__arm__)
-# define ARCH_NR        AUDIT_ARCH_ARM
-#else
-# warning "Platform does not support seccomp filter yet"
-# define ARCH_NR        0
-#endif
-
-
-#define VALIDATE_ARCHITECTURE \
-     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
-     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
-     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
-
-#define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS,  \
-                 (offsetof(struct seccomp_data, nr)))
-
-#define BLACKLIST(syscall_nr)   \
-        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1),      \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
-
-#define WHITELIST(syscall_nr) \
-        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
-
-#define BLACKLIST_ERRNO(syscall_nr, nr) \
-        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
-
-#define RETURN_ALLOW \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
-
-#define KILL_PROCESS \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+#include "seccomp.h"
 
 #define SECSIZE 128 // initial filter size
 static struct sock_filter *sfilter = NULL;
diff --git a/src/firejail/seccomp.h b/src/firejail/seccomp.h
new file mode 100644
index 000000000..19684d4a9
--- /dev/null
+++ b/src/firejail/seccomp.h
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2014, 2015 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+/* default seccomp filter
+        // seccomp
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                BLACKLIST(SYS_mount),  // mount/unmount filesystems
+                BLACKLIST(SYS_umount2),
+                BLACKLIST(SYS_ptrace), // trace processes
+                BLACKLIST(SYS_kexec_load), // loading a different kernel
+                BLACKLIST(SYS_open_by_handle_at), // open by handle
+                BLACKLIST(SYS_init_module), // kernel module handling
+#ifdef SYS_finit_module // introduced in 2013
+                BLACKLIST(SYS_finit_module),
+#endif
+                BLACKLIST(SYS_delete_module),
+                BLACKLIST(SYS_iopl), // io permisions
+#ifdef SYS_ioperm
+                BLACKLIST(SYS_ioperm),
+#endif
+SYS_iopl
+                BLACKLIST(SYS_iopl), // io permisions
+#endif
+#ifdef SYS_ni_syscall), // new io permisions call on arm devices
+                BLACKLIST(SYS_ni_syscall),
+#endif
+                BLACKLIST(SYS_swapon), // swap on/off
+                BLACKLIST(SYS_swapoff),
+                BLACKLIST(SYS_syslog), // kernel printk control
+                RETURN_ALLOW
+        };
+*/
+#ifndef SECCOMP_H
+#define SECCOMP_H
+#include <errno.h>
+#include <linux/filter.h>
+#include <sys/syscall.h>
+#include <linux/capability.h>
+#include <linux/audit.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include <sys/prctl.h>
+#ifndef PR_SET_NO_NEW_PRIVS
+# define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#if HAVE_SECCOMP_H
+#include <linux/seccomp.h>
+#else
+#define SECCOMP_MODE_FILTER     2
+#define SECCOMP_RET_KILL        0x00000000U
+#define SECCOMP_RET_TRAP        0x00030000U
+#define SECCOMP_RET_ALLOW       0x7fff0000U
+#define SECCOMP_RET_ERRNO       0x00050000U
+#define SECCOMP_RET_DATA        0x0000ffffU
+struct seccomp_data {
+    int nr;
+    __u32 arch;
+    __u64 instruction_pointer;
+    __u64 args[6];
+};
+#endif
+
+#if defined(__i386__)
+# define ARCH_NR        AUDIT_ARCH_I386
+#elif defined(__x86_64__)
+# define ARCH_NR        AUDIT_ARCH_X86_64
+#elif defined(__arm__)
+# define ARCH_NR        AUDIT_ARCH_ARM
+#else
+# warning "Platform does not support seccomp filter yet"
+# define ARCH_NR        0
+#endif
+
+
+#define VALIDATE_ARCHITECTURE \
+     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
+     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
+     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS,  \
+                 (offsetof(struct seccomp_data, nr)))
+
+#define BLACKLIST(syscall_nr)   \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1),      \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
+#define WHITELIST(syscall_nr) \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define BLACKLIST_ERRNO(syscall_nr, nr) \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
+
+#define RETURN_ALLOW \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define KILL_PROCESS \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
+#endif
\ No newline at end of file