author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-27 14:22:20 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-04-06 16:30:20 +0000 |
commit | 3f27e8483158e50050f839db343bda7a522f686d (patch) | |
tree | d8dad893d71220ff97aa7744fe7e62900075e521 /src/firejail/main.c | |
parent | cleanup, fixes, more profstats (diff) | |
Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 32 |
1 files changed, 32 insertions, 0 deletions
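--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -21,6 +21,7 @@
 #include "../include/pid.h"
 #include "../include/firejail_user.h"
 #include "../include/syscall.h"
+#include "../include/seccomp.h"
 #define _GNU_SOURCE
 #include <sys/utsname.h>
 #include <sched.h>
@@ -76,6 +77,7 @@ int arg_seccomp = 0; // enable default seccomp filter
 int arg_seccomp32 = 0; // enable default seccomp filter for 32 bit arch
 int arg_seccomp_postexec = 0; // need postexec ld.preload library?
 int arg_seccomp_block_secondary = 0; // block any secondary architectures
+int arg_seccomp_error_action = 0;
 
 int arg_caps_default_filter = 0; // enable default capabilities filter
 int arg_caps_drop = 0; // drop list
@@ -349,6 +351,9 @@ static void init_cfg(int argc, char **argv) {
 sandbox_pid = getpid();
 time_t t = time(NULL);
 srand(t ^ sandbox_pid);
+
+arg_seccomp_error_action = EPERM;
+cfg.seccomp_error_action = "EPERM";
 }
 
 static void check_network(Bridge *br) {
@@ -973,6 +978,13 @@ void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {
 (void) ptrarg;
 (void) native;
 }
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+(void) fd;
+(void) syscall;
+(void) arg;
+(void) ptrarg;
+(void) native;
+}
 
 #ifdef HAVE_SECCOMP
 static int check_postexec(const char *list) {
@@ -1398,6 +1410,26 @@ int main(int argc, char **argv, char **envp) {
 else
 exit_err_feature("seccomp");
 }
+else if (strncmp(argv[i], "--seccomp-error-action=", 23) == 0) {
+if (checkcfg(CFG_SECCOMP)) {
+int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
+if (config_seccomp_error_action == -1) {
+if (strcmp(argv[i] + 23, "kill") == 0)
+arg_seccomp_error_action = SECCOMP_RET_KILL;
+else {
+arg_seccomp_error_action = errno_find_name(argv[i] + 23);
+if (arg_seccomp_error_action == -1)
+errExit("seccomp-error-action: unknown errno");
+}
+cfg.seccomp_error_action = strdup(argv[i] + 23);
+if (!cfg.seccomp_error_action)
+errExit("strdup");
+} else
+exit_err_feature("seccomp-error-action");
+
+} else
+exit_err_feature("seccomp");
+}
 #endif
 else if (strcmp(argv[i], "--caps") == 0) {
 arg_caps_default_filter = 1;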
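Review bot: In the `--seccomp-error-action=` branch, the `} else exit_err_feature("seccomp-error-action");` at new line 1427-1428 is reached when `checkcfg(CFG_SECCOMP_ERROR_ACTION)` returned something other than -1, i.e. when firejail.config already pins the action; if exit_err_feature prints the "feature is disabled" wording used for the neighbouring options, the user is told the feature is off when it is in fact fixed by configuration. A dedicated message would be clearer, e.g. `fprintf(stderr, "Error: seccomp-error-action is set in firejail.config and cannot be overridden on the command line\n"); exit(1);`. The new global at line 80 would also benefit from a comment, since the same `int` holds either an errno value from errno_find_name() or SECCOMP_RET_KILL and the code that interprets it presumably lives in the seccomp filter sources: `int arg_seccomp_error_action = 0; // errno to return on a blocked syscall, or SECCOMP_RET_KILL`. The option loop and main() continue outside the hunk.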