author | Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 23:22:38 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 23:33:11 +0300 |
commit | d01216de45884300c87e7d3ccb70e53ebb461449 (patch) | |
tree | 480519f5849df4c6048a7f62ec97f96e51174c3e /src/firejail/seccomp.c | |
parent | Merge update after #1483 (diff) | |
Feature: switch/config option to block secondary architectures
Add a feature for a new (opt-in) command line switch and config file
option to block secondary architectures entirely. Also block changing
Linux execution domain with personality() system call for the primary
architecture.
Closes #1479
Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r-- | src/firejail/seccomp.c | 35 |
1 files changed, 29 insertions, 6 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index e855ce7ed..aaf53b2a1 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -118,7 +118,7 @@ errexit: | |||
118 | } | 118 | } |
119 | 119 | ||
120 | // i386 filter installed on amd64 architectures | 120 | // i386 filter installed on amd64 architectures |
121 | void seccomp_filter_32(void) { | 121 | static void seccomp_filter_32(void) { |
122 | if (seccomp_load(RUN_SECCOMP_I386) == 0) { | 122 | if (seccomp_load(RUN_SECCOMP_I386) == 0) { |
123 | if (arg_debug) | 123 | if (arg_debug) |
124 | printf("Dual i386/amd64 seccomp filter configured\n"); | 124 | printf("Dual i386/amd64 seccomp filter configured\n"); |
@@ -126,13 +126,20 @@ void seccomp_filter_32(void) { | |||
126 | } | 126 | } |
127 | 127 | ||
128 | // amd64 filter installed on i386 architectures | 128 | // amd64 filter installed on i386 architectures |
129 | void seccomp_filter_64(void) { | 129 | static void seccomp_filter_64(void) { |
130 | if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { | 130 | if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { |
131 | if (arg_debug) | 131 | if (arg_debug) |
132 | printf("Dual i386/amd64 seccomp filter configured\n"); | 132 | printf("Dual i386/amd64 seccomp filter configured\n"); |
133 | } | 133 | } |
134 | } | 134 | } |
135 | 135 | ||
136 | static void seccomp_filter_block_secondary(void) { | ||
137 | if (seccomp_load(RUN_SECCOMP_BLOCK_SECONDARY) == 0) { | ||
138 | if (arg_debug) | ||
139 | printf("Secondary arch blocking seccomp filter configured\n"); | ||
140 | } | ||
141 | } | ||
142 | |||
136 | // drop filter for seccomp option | 143 | // drop filter for seccomp option |
137 | int seccomp_filter_drop(int enforce_seccomp) { | 144 | int seccomp_filter_drop(int enforce_seccomp) { |
138 | // if we have multiple seccomp commands, only one of them is executed | 145 | // if we have multiple seccomp commands, only one of them is executed |
@@ -143,21 +150,29 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
143 | if (cfg.seccomp_list_drop == NULL) { | 150 | if (cfg.seccomp_list_drop == NULL) { |
144 | // default seccomp | 151 | // default seccomp |
145 | if (cfg.seccomp_list == NULL) { | 152 | if (cfg.seccomp_list == NULL) { |
153 | if (arg_seccomp_block_secondary) | ||
154 | seccomp_filter_block_secondary(); | ||
155 | else { | ||
146 | #if defined(__x86_64__) | 156 | #if defined(__x86_64__) |
147 | seccomp_filter_32(); | 157 | seccomp_filter_32(); |
148 | #endif | 158 | #endif |
149 | #if defined(__i386__) | 159 | #if defined(__i386__) |
150 | seccomp_filter_64(); | 160 | seccomp_filter_64(); |
151 | #endif | 161 | #endif |
162 | } | ||
152 | } | 163 | } |
153 | // default seccomp filter with additional drop list | 164 | // default seccomp filter with additional drop list |
154 | else { // cfg.seccomp_list != NULL | 165 | else { // cfg.seccomp_list != NULL |
166 | if (arg_seccomp_block_secondary) | ||
167 | seccomp_filter_block_secondary(); | ||
168 | else { | ||
155 | #if defined(__x86_64__) | 169 | #if defined(__x86_64__) |
156 | seccomp_filter_32(); | 170 | seccomp_filter_32(); |
157 | #endif | 171 | #endif |
158 | #if defined(__i386__) | 172 | #if defined(__i386__) |
159 | seccomp_filter_64(); | 173 | seccomp_filter_64(); |
160 | #endif | 174 | #endif |
175 | } | ||
161 | if (arg_debug) | 176 | if (arg_debug) |
162 | printf("Build default+drop seccomp filter\n"); | 177 | printf("Build default+drop seccomp filter\n"); |
163 | 178 | ||
@@ -175,7 +190,10 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
175 | } | 190 | } |
176 | 191 | ||
177 | // drop list without defaults - secondary filters are not installed | 192 | // drop list without defaults - secondary filters are not installed |
193 | // except when secondary architectures are explicitly blocked | ||
178 | else { // cfg.seccomp_list_drop != NULL | 194 | else { // cfg.seccomp_list_drop != NULL |
195 | if (arg_seccomp_block_secondary) | ||
196 | seccomp_filter_block_secondary(); | ||
179 | if (arg_debug) | 197 | if (arg_debug) |
180 | printf("Build drop seccomp filter\n"); | 198 | printf("Build drop seccomp filter\n"); |
181 | 199 | ||
@@ -216,6 +234,11 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
216 | 234 | ||
217 | // keep filter for seccomp option | 235 | // keep filter for seccomp option |
218 | int seccomp_filter_keep(void) { | 236 | int seccomp_filter_keep(void) { |
237 | // secondary filters are not installed except when secondary | ||
238 | // architectures are explicitly blocked | ||
239 | if (arg_seccomp_block_secondary) | ||
240 | seccomp_filter_block_secondary(); | ||
241 | |||
219 | if (arg_debug) | 242 | if (arg_debug) |
220 | printf("Build drop seccomp filter\n"); | 243 | printf("Build drop seccomp filter\n"); |
221 | 244 | ||
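Review bot: `seccomp_filter_block_secondary()` (new lines 136-141) ignores a failed `seccomp_load(RUN_SECCOMP_BLOCK_SECONDARY)`: on a non-zero return it prints nothing and, being `void`, gives its callers no way to notice that the filter is missing. In the two default branches of `seccomp_filter_drop()` the new `else` also skips `seccomp_filter_32()`/`seccomp_filter_64()`, so a failed load there would leave the secondary architecture with neither the block nor the dual filter. `seccomp_load()` is not visible on this page and may already report or abort on error; if it does not, an opt-in hardening switch should fail closed, for example by adding `else { fprintf(stderr, "Error: cannot install secondary arch blocking seccomp filter\n"); exit(1); }` after the `if`. The bodies of `seccomp_filter_drop()` and `seccomp_filter_keep()` continue outside the hunks shown, so any later handling of this case there cannot be judged from here.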