Improve seccomp architecture support

author: Topi Miettinen <toiwoton@gmail.com> 2017-09-10 10:34:42 +0300
committer: Topi Miettinen <toiwoton@gmail.com> 2017-09-10 10:34:42 +0300
commit: c3acf2d222589bf9d94cacfe180ab38fa46c9cb1 (patch)
tree: 6b073d1b72e7c378c78a6f063c78facbd8831bcb
parent: Merge pull request #1542 from hawkeye116477/master (diff)
download: firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.tar.gz
firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.tar.zst
firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.zip
2 files changed, 32 insertions, 0 deletions
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index d0692b2ef..69b6e5271 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -274,6 +274,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vserver
          "vserver"
 #endif
+#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
+          "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
        },
        { .name = "@privileged", .list =
          "@clock,"
@@ -334,6 +337,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_s390_mmio_write
          "s390_mmio_write"
 #endif
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+          "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
        },
        { .name = "@reboot", .list =
 #ifdef SYS_kexec_load
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 133b6ce72..b8bfce96b 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -149,9 +149,35 @@ struct seccomp_data {
 # define ARCH_NR        AUDIT_ARCH_S390
 # define ARCH_32        AUDIT_ARCH_S390
 # define ARCH_64        AUDIT_ARCH_S390X
+#elif defined(__sh64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR        AUDIT_ARCH_SH64
+# define ARCH_32        AUDIT_ARCH_SH
+# define ARCH_64        AUDIT_ARCH_SH64
+#elif defined(__sh64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR        AUDIT_ARCH_SHEL64
+# define ARCH_32        AUDIT_ARCH_SHEL
+# define ARCH_64        AUDIT_ARCH_SHEL64
+#elif defined(__sh__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR        AUDIT_ARCH_SH
+# define ARCH_32        AUDIT_ARCH_SH
+# define ARCH_64        AUDIT_ARCH_SH64
+#elif defined(__sh__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR        AUDIT_ARCH_SHEL
+# define ARCH_32        AUDIT_ARCH_SHEL
+# define ARCH_64        AUDIT_ARCH_SHEL64
+#elif defined(__sparc64__)
+# define ARCH_NR        AUDIT_ARCH_SPARC64
+# define ARCH_32        AUDIT_ARCH_SPARC
+# define ARCH_64        AUDIT_ARCH_SPARC64
+#elif defined(__sparc__)
+# define ARCH_NR        AUDIT_ARCH_SPARC
+# define ARCH_32        AUDIT_ARCH_SPARC
+# define ARCH_64        AUDIT_ARCH_SPARC64
 #else
 # warning "Platform does not support seccomp filter yet"
 # define ARCH_NR        0
+# define ARCH_32        0
+# define ARCH_64        0
 #endif
 #define VALIDATE_ARCHITECTURE \
author	Topi Miettinen <toiwoton@gmail.com>	2017-09-10 10:34:42 +0300
committer	Topi Miettinen <toiwoton@gmail.com>	2017-09-10 10:34:42 +0300
commit	c3acf2d222589bf9d94cacfe180ab38fa46c9cb1 (patch)
tree	6b073d1b72e7c378c78a6f063c78facbd8831bcb
parent	Merge pull request #1542 from hawkeye116477/master (diff)
download	firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.tar.gz firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.tar.zst firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.zip

diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index d0692b2ef..69b6e5271 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c
@@ -274,6 +274,9 @@ static const SyscallGroupList sysgroups[] = {
274	#ifdef SYS_vserver	274	#ifdef SYS_vserver
275	"vserver"	275	"vserver"
276	#endif	276	#endif
		277	#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
		278	"__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
		279	#endif
277	},	280	},
278	{ .name = "@privileged", .list =	281	{ .name = "@privileged", .list =
279	"@clock,"	282	"@clock,"
@@ -334,6 +337,9 @@ static const SyscallGroupList sysgroups[] = {
334	#ifdef SYS_s390_mmio_write	337	#ifdef SYS_s390_mmio_write
335	"s390_mmio_write"	338	"s390_mmio_write"
336	#endif	339	#endif
		340	#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
		341	"__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
		342	#endif
337	},	343	},
338	{ .name = "@reboot", .list =	344	{ .name = "@reboot", .list =
339	#ifdef SYS_kexec_load	345	#ifdef SYS_kexec_load


diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 133b6ce72..b8bfce96b 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h
@@ -149,9 +149,35 @@ struct seccomp_data {
149	# define ARCH_NR AUDIT_ARCH_S390	149	# define ARCH_NR AUDIT_ARCH_S390
150	# define ARCH_32 AUDIT_ARCH_S390	150	# define ARCH_32 AUDIT_ARCH_S390
151	# define ARCH_64 AUDIT_ARCH_S390X	151	# define ARCH_64 AUDIT_ARCH_S390X
		152	#elif defined(__sh64__) && __BYTE_ORDER == __BIG_ENDIAN
		153	# define ARCH_NR AUDIT_ARCH_SH64
		154	# define ARCH_32 AUDIT_ARCH_SH
		155	# define ARCH_64 AUDIT_ARCH_SH64
		156	#elif defined(__sh64__) && __BYTE_ORDER == __LITTLE_ENDIAN
		157	# define ARCH_NR AUDIT_ARCH_SHEL64
		158	# define ARCH_32 AUDIT_ARCH_SHEL
		159	# define ARCH_64 AUDIT_ARCH_SHEL64
		160	#elif defined(__sh__) && __BYTE_ORDER == __BIG_ENDIAN
		161	# define ARCH_NR AUDIT_ARCH_SH
		162	# define ARCH_32 AUDIT_ARCH_SH
		163	# define ARCH_64 AUDIT_ARCH_SH64
		164	#elif defined(__sh__) && __BYTE_ORDER == __LITTLE_ENDIAN
		165	# define ARCH_NR AUDIT_ARCH_SHEL
		166	# define ARCH_32 AUDIT_ARCH_SHEL
		167	# define ARCH_64 AUDIT_ARCH_SHEL64
		168	#elif defined(__sparc64__)
		169	# define ARCH_NR AUDIT_ARCH_SPARC64
		170	# define ARCH_32 AUDIT_ARCH_SPARC
		171	# define ARCH_64 AUDIT_ARCH_SPARC64
		172	#elif defined(__sparc__)
		173	# define ARCH_NR AUDIT_ARCH_SPARC
		174	# define ARCH_32 AUDIT_ARCH_SPARC
		175	# define ARCH_64 AUDIT_ARCH_SPARC64
152	#else	176	#else
153	# warning "Platform does not support seccomp filter yet"	177	# warning "Platform does not support seccomp filter yet"
154	# define ARCH_NR 0	178	# define ARCH_NR 0
		179	# define ARCH_32 0
		180	# define ARCH_64 0
155	#endif	181	#endif
156		182
157	#define VALIDATE_ARCHITECTURE \	183	#define VALIDATE_ARCHITECTURE \