author | 2015-10-26 10:14:40 -0400 | |
committer | 2015-10-26 10:14:40 -0400 | |
commit | 4c9c303a7c338719c0989693f7b8375ca2d9f8a9 (patch) | |
tree | 91d43e9ef27c476044c1de4e88060f06ef537a3c | |
parent | support ignore command in profile files (diff) | |
allow 32bit calls to bypass the seccomp filter
-rw-r--r-- | src/firejail/seccomp.c | 99 | ||||
-rw-r--r-- | src/firejail/seccomp.h | 122 |
2 files changed, 123 insertions, 98 deletions
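--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -18,106 +18,9 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
-/* default seccomp filter
-// seccomp
-struct sock_filter filter[] = {
-	VALIDATE_ARCHITECTURE,
-	EXAMINE_SYSCALL,
-	BLACKLIST(SYS_mount), // mount/unmount filesystems
-	BLACKLIST(SYS_umount2),
-	BLACKLIST(SYS_ptrace), // trace processes
-	BLACKLIST(SYS_kexec_load), // loading a different kernel
-	BLACKLIST(SYS_open_by_handle_at), // open by handle
-	BLACKLIST(SYS_init_module), // kernel module handling
-#ifdef SYS_finit_module // introduced in 2013
-	BLACKLIST(SYS_finit_module),
-#endif
-	BLACKLIST(SYS_delete_module),
-	BLACKLIST(SYS_iopl), // io permisions
-#ifdef SYS_ioperm
-	BLACKLIST(SYS_ioperm),
-#endif
-SYS_iopl
-	BLACKLIST(SYS_iopl), // io permisions
-#endif
-#ifdef SYS_ni_syscall), // new io permisions call on arm devices
-	BLACKLIST(SYS_ni_syscall),
-#endif
-	BLACKLIST(SYS_swapon), // swap on/off
-	BLACKLIST(SYS_swapoff),
-	BLACKLIST(SYS_syslog), // kernel printk control
-	RETURN_ALLOW
-};
-*/
 #ifdef HAVE_SECCOMP
 #include "firejail.h"
-#include <errno.h>
-#include <linux/filter.h>
-#include <sys/syscall.h>
-#include <linux/capability.h>
-#include <linux/audit.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-
-#include <sys/prctl.h>
-#ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
-#endif
-
-#if HAVE_SECCOMP_H
-#include <linux/seccomp.h>
-#else
-#define SECCOMP_MODE_FILTER 2
-#define SECCOMP_RET_KILL 0x00000000U
-#define SECCOMP_RET_TRAP 0x00030000U
-#define SECCOMP_RET_ALLOW 0x7fff0000U
-#define SECCOMP_RET_ERRNO 0x00050000U
-#define SECCOMP_RET_DATA 0x0000ffffU
-struct seccomp_data {
-	int nr;
-	__u32 arch;
-	__u64 instruction_pointer;
-	__u64 args[6];
-};
-#endif
-
-#if defined(__i386__)
-# define ARCH_NR AUDIT_ARCH_I386
-#elif defined(__x86_64__)
-# define ARCH_NR AUDIT_ARCH_X86_64
-#elif defined(__arm__)
-# define ARCH_NR AUDIT_ARCH_ARM
-#else
-# warning "Platform does not support seccomp filter yet"
-# define ARCH_NR 0
-#endif
-
-
-#define VALIDATE_ARCHITECTURE \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
-
-#define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
-	(offsetof(struct seccomp_data, nr)))
-
-#define BLACKLIST(syscall_nr) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
-
-#define WHITELIST(syscall_nr) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
-
-#define BLACKLIST_ERRNO(syscall_nr, nr) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
-
-#define RETURN_ALLOW \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
-
-#define KILL_PROCESS \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+#include "seccomp.h"
 
 #define SECSIZE 128 // initial filter size
 static struct sock_filter *sfilter = NULL;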
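--- /dev/null
+++ b/src/firejail/seccomp.h
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2014, 2015 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/* default seccomp filter
+// seccomp
+struct sock_filter filter[] = {
+	VALIDATE_ARCHITECTURE,
+	EXAMINE_SYSCALL,
+	BLACKLIST(SYS_mount), // mount/unmount filesystems
+	BLACKLIST(SYS_umount2),
+	BLACKLIST(SYS_ptrace), // trace processes
+	BLACKLIST(SYS_kexec_load), // loading a different kernel
+	BLACKLIST(SYS_open_by_handle_at), // open by handle
+	BLACKLIST(SYS_init_module), // kernel module handling
+#ifdef SYS_finit_module // introduced in 2013
+	BLACKLIST(SYS_finit_module),
+#endif
+	BLACKLIST(SYS_delete_module),
+	BLACKLIST(SYS_iopl), // io permisions
+#ifdef SYS_ioperm
+	BLACKLIST(SYS_ioperm),
+#endif
+SYS_iopl
+	BLACKLIST(SYS_iopl), // io permisions
+#endif
+#ifdef SYS_ni_syscall), // new io permisions call on arm devices
+	BLACKLIST(SYS_ni_syscall),
+#endif
+	BLACKLIST(SYS_swapon), // swap on/off
+	BLACKLIST(SYS_swapoff),
+	BLACKLIST(SYS_syslog), // kernel printk control
+	RETURN_ALLOW
+};
+*/
+#ifndef SECCOMP_H
+#define SECCOMP_H
+#include <errno.h>
+#include <linux/filter.h>
+#include <sys/syscall.h>
+#include <linux/capability.h>
+#include <linux/audit.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include <sys/prctl.h>
+#ifndef PR_SET_NO_NEW_PRIVS
+# define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#if HAVE_SECCOMP_H
+#include <linux/seccomp.h>
+#else
+#define SECCOMP_MODE_FILTER 2
+#define SECCOMP_RET_KILL 0x00000000U
+#define SECCOMP_RET_TRAP 0x00030000U
+#define SECCOMP_RET_ALLOW 0x7fff0000U
+#define SECCOMP_RET_ERRNO 0x00050000U
+#define SECCOMP_RET_DATA 0x0000ffffU
+struct seccomp_data {
+	int nr;
+	__u32 arch;
+	__u64 instruction_pointer;
+	__u64 args[6];
+};
+#endif
+
+#if defined(__i386__)
+# define ARCH_NR AUDIT_ARCH_I386
+#elif defined(__x86_64__)
+# define ARCH_NR AUDIT_ARCH_X86_64
+#elif defined(__arm__)
+# define ARCH_NR AUDIT_ARCH_ARM
+#else
+# warning "Platform does not support seccomp filter yet"
+# define ARCH_NR 0
+#endif
+
+
+#define VALIDATE_ARCHITECTURE \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+	(offsetof(struct seccomp_data, nr)))
+
+#define BLACKLIST(syscall_nr) \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
+#define WHITELIST(syscall_nr) \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define BLACKLIST_ERRNO(syscall_nr, nr) \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
+
+#define RETURN_ALLOW \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define KILL_PROCESS \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
+#endif
\ No newline at end of file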
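Review bot: VALIDATE_ARCHITECTURE (new line 99) now answers a `seccomp_data.arch` that is not `ARCH_NR` with `SECCOMP_RET_ALLOW`, where the definition moved out of seccomp.c returned `SECCOMP_RET_KILL`, so on a kernel that also serves a second ABI every syscall entering through that ABI is never examined and the BLACKLIST entries protect the native ABI only. Syscall numbers are assigned per ABI, so the native `SYS_*` constants cannot simply be reused for the other one; if 32-bit programs have to run inside the sandbox, the defensible shape is a second BPF program built for `AUDIT_ARCH_I386` with that ABI's numbers, or at least `SECCOMP_RET_ERRNO` in place of an unconditional allow. Whichever is chosen, the macro should state the trade-off next to the return, e.g. `// non-native ABI: not filtered (commit 4c9c303a); the blacklist below covers ARCH_NR only`. Separately, BLACKLIST_ERRNO (line 114) splices its `nr` argument into the return value unparenthesized and unmasked; `BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | ((nr) & SECCOMP_RET_DATA))` keeps an out-of-range errno from altering the action bits.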