seccomp fixes

author: netblue30 <netblue30@yahoo.com> 2016-02-12 11:52:07 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-12 11:52:07 -0500
commit: 63b1b45bfa893d329ddcb34773e3a0b653435f44 (patch)
tree: 54d8ca64565892cce0a53451a79d9c4b9a9cf453 /src/firejail/seccomp.c
parent: set sandbox nice value (diff)
download: firejail-63b1b45bfa893d329ddcb34773e3a0b653435f44.tar.gz
firejail-63b1b45bfa893d329ddcb34773e3a0b653435f44.tar.zst
firejail-63b1b45bfa893d329ddcb34773e3a0b653435f44.zip
1 files changed, 74 insertions, 9 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index b0c960754..57f483b1c 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -324,7 +324,7 @@ static void read_seccomp_file(const char *fname) {
                filter_debug();
 }
-// i386t filter installed on amd64 architectures
+// i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
        // hardcoded syscall values
        struct sock_filter filter[] = {
@@ -373,7 +373,6 @@ void seccomp_filter_32(void) {
                BLACKLIST(317), // move_pages
                BLACKLIST(316), // vmsplice
                BLACKLIST(61),  // chroot
-                BLACKLIST(243), // set_thread_area
                BLACKLIST(88), // reboot
                BLACKLIST(169), // nfsservctl
                BLACKLIST(130), // get_kernel_syms
@@ -393,6 +392,76 @@ void seccomp_filter_32(void) {
        }
 }
+// amd64 filter installed on i386 architectures
+void seccomp_filter_64(void) {
+        // hardcoded syscall values
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE_64,
+                EXAMINE_SYSCALL,
+                BLACKLIST(165), // mount
+                BLACKLIST(166), // umount2
+                BLACKLIST(101), // ptrace
+                BLACKLIST(246), // kexec_load
+                BLACKLIST(304), // open_by_handle_at
+                BLACKLIST(175), // init_module
+                BLACKLIST(313), // finit_module
+                BLACKLIST(176), // delete_module
+                BLACKLIST(172), // iopl
+                BLACKLIST(173), // ioperm
+                BLACKLIST(167), // swapon
+                BLACKLIST(168), // swapoff
+                BLACKLIST(103), // syslog
+                BLACKLIST(310), // process_vm_readv
+                BLACKLIST(311), // process_vm_writev
+                BLACKLIST(139), // sysfs
+                BLACKLIST(156), // _sysctl
+                BLACKLIST(159), // adjtimex
+                BLACKLIST(305), // clock_adjtime
+                BLACKLIST(212), // lookup_dcookie
+                BLACKLIST(298), // perf_event_open
+                BLACKLIST(300), // fanotify_init
+                BLACKLIST(312), // kcmp
+                BLACKLIST(248), // add_key
+                BLACKLIST(249), // request_key
+                BLACKLIST(250), // keyctl
+                BLACKLIST(134), // uselib
+                BLACKLIST(163), // acct
+                BLACKLIST(154), // modify_ldt
+                BLACKLIST(155), // pivot_root
+                BLACKLIST(206), // io_setup
+                BLACKLIST(207), // io_destroy
+                BLACKLIST(208), // io_getevents
+                BLACKLIST(209), // io_submit
+                BLACKLIST(210), // io_cancel
+                BLACKLIST(216), // remap_file_pages
+                BLACKLIST(237), // mbind
+                BLACKLIST(239), // get_mempolicy
+                BLACKLIST(238), // set_mempolicy
+                BLACKLIST(256), // migrate_pages
+                BLACKLIST(279), // move_pages
+                BLACKLIST(278), // vmsplice
+                BLACKLIST(161), // chroot
+                BLACKLIST(184), // tuxcall
+                BLACKLIST(169), // reboot
+                BLACKLIST(180), // nfsservctl
+                BLACKLIST(177), // get_kernel_syms
+                RETURN_ALLOW
+        };
+        struct sock_fprog prog = {
+                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+                .filter = filter,
+        };
+        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                ;
+        }
+        else if (arg_debug) {
+                printf("Dual i386/amd64 seccomp filter configured\n");
+        }
+}
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
        filter_init();
@@ -402,6 +471,9 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #if defined(__x86_64__)
                seccomp_filter_32();
 #endif
+#if defined(__i386__)
+                seccomp_filter_64();
+#endif
 #ifdef SYS_mount                
                filter_add_blacklist(SYS_mount, 0);
@@ -563,14 +635,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
 //     SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
-// 32bit
-//              filter_add_blacklist(SYS_personality, 0); // test wine
-//              filter_add_blacklist(SYS_set_thread_area, 0); // test wine
 // 0.9.39
-#ifdef SYS_set_thread_area
-                filter_add_blacklist(SYS_set_thread_area, 0);
-#endif
 #ifdef SYS_tuxcall
                filter_add_blacklist(SYS_tuxcall, 0);
 #endif
author	netblue30 <netblue30@yahoo.com>	2016-02-12 11:52:07 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-12 11:52:07 -0500
commit	63b1b45bfa893d329ddcb34773e3a0b653435f44 (patch)
tree	54d8ca64565892cce0a53451a79d9c4b9a9cf453 /src/firejail/seccomp.c
parent	set sandbox nice value (diff)
download	firejail-63b1b45bfa893d329ddcb34773e3a0b653435f44.tar.gz firejail-63b1b45bfa893d329ddcb34773e3a0b653435f44.tar.zst firejail-63b1b45bfa893d329ddcb34773e3a0b653435f44.zip

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index b0c960754..57f483b1c 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -324,7 +324,7 @@ static void read_seccomp_file(const char *fname) {
324	filter_debug();	324	filter_debug();
325	}	325	}
326		326
327	// i386t filter installed on amd64 architectures	327	// i386 filter installed on amd64 architectures
328	void seccomp_filter_32(void) {	328	void seccomp_filter_32(void) {
329	// hardcoded syscall values	329	// hardcoded syscall values
330	struct sock_filter filter[] = {	330	struct sock_filter filter[] = {
@@ -373,7 +373,6 @@ void seccomp_filter_32(void) {
373	BLACKLIST(317), // move_pages	373	BLACKLIST(317), // move_pages
374	BLACKLIST(316), // vmsplice	374	BLACKLIST(316), // vmsplice
375	BLACKLIST(61), // chroot	375	BLACKLIST(61), // chroot
376	BLACKLIST(243), // set_thread_area
377	BLACKLIST(88), // reboot	376	BLACKLIST(88), // reboot
378	BLACKLIST(169), // nfsservctl	377	BLACKLIST(169), // nfsservctl
379	BLACKLIST(130), // get_kernel_syms	378	BLACKLIST(130), // get_kernel_syms
@@ -393,6 +392,76 @@ void seccomp_filter_32(void) {
393	}	392	}
394	}	393	}
395		394
		395	// amd64 filter installed on i386 architectures
		396	void seccomp_filter_64(void) {
		397	// hardcoded syscall values
		398	struct sock_filter filter[] = {
		399	VALIDATE_ARCHITECTURE_64,
		400	EXAMINE_SYSCALL,
		401	BLACKLIST(165), // mount
		402	BLACKLIST(166), // umount2
		403	BLACKLIST(101), // ptrace
		404	BLACKLIST(246), // kexec_load
		405	BLACKLIST(304), // open_by_handle_at
		406	BLACKLIST(175), // init_module
		407	BLACKLIST(313), // finit_module
		408	BLACKLIST(176), // delete_module
		409	BLACKLIST(172), // iopl
		410	BLACKLIST(173), // ioperm
		411	BLACKLIST(167), // swapon
		412	BLACKLIST(168), // swapoff
		413	BLACKLIST(103), // syslog
		414	BLACKLIST(310), // process_vm_readv
		415	BLACKLIST(311), // process_vm_writev
		416	BLACKLIST(139), // sysfs
		417	BLACKLIST(156), // _sysctl
		418	BLACKLIST(159), // adjtimex
		419	BLACKLIST(305), // clock_adjtime
		420	BLACKLIST(212), // lookup_dcookie
		421	BLACKLIST(298), // perf_event_open
		422	BLACKLIST(300), // fanotify_init
		423	BLACKLIST(312), // kcmp
		424	BLACKLIST(248), // add_key
		425	BLACKLIST(249), // request_key
		426	BLACKLIST(250), // keyctl
		427	BLACKLIST(134), // uselib
		428	BLACKLIST(163), // acct
		429	BLACKLIST(154), // modify_ldt
		430	BLACKLIST(155), // pivot_root
		431	BLACKLIST(206), // io_setup
		432	BLACKLIST(207), // io_destroy
		433	BLACKLIST(208), // io_getevents
		434	BLACKLIST(209), // io_submit
		435	BLACKLIST(210), // io_cancel
		436	BLACKLIST(216), // remap_file_pages
		437	BLACKLIST(237), // mbind
		438	BLACKLIST(239), // get_mempolicy
		439	BLACKLIST(238), // set_mempolicy
		440	BLACKLIST(256), // migrate_pages
		441	BLACKLIST(279), // move_pages
		442	BLACKLIST(278), // vmsplice
		443	BLACKLIST(161), // chroot
		444	BLACKLIST(184), // tuxcall
		445	BLACKLIST(169), // reboot
		446	BLACKLIST(180), // nfsservctl
		447	BLACKLIST(177), // get_kernel_syms
		448	RETURN_ALLOW
		449	};
		450
		451	struct sock_fprog prog = {
		452	.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
		453	.filter = filter,
		454	};
		455
		456	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) \|\| prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		457	;
		458	}
		459	else if (arg_debug) {
		460	printf("Dual i386/amd64 seccomp filter configured\n");
		461	}
		462	}
		463
		464
396	// drop filter for seccomp option	465	// drop filter for seccomp option
397	int seccomp_filter_drop(int enforce_seccomp) {	466	int seccomp_filter_drop(int enforce_seccomp) {
398	filter_init();	467	filter_init();
@@ -402,6 +471,9 @@ int seccomp_filter_drop(int enforce_seccomp) {
402	#if defined(__x86_64__)	471	#if defined(__x86_64__)
403	seccomp_filter_32();	472	seccomp_filter_32();
404	#endif	473	#endif
		474	#if defined(__i386__)
		475	seccomp_filter_64();
		476	#endif
405		477
406	#ifdef SYS_mount	478	#ifdef SYS_mount
407	filter_add_blacklist(SYS_mount, 0);	479	filter_add_blacklist(SYS_mount, 0);
@@ -563,14 +635,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
563	// CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,	635	// CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
564	// SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));	636	// SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
565		637
566	// 32bit
567	// filter_add_blacklist(SYS_personality, 0); // test wine
568	// filter_add_blacklist(SYS_set_thread_area, 0); // test wine
569
570	// 0.9.39	638	// 0.9.39
571	#ifdef SYS_set_thread_area
572	filter_add_blacklist(SYS_set_thread_area, 0);
573	#endif
574	#ifdef SYS_tuxcall	639	#ifdef SYS_tuxcall
575	filter_add_blacklist(SYS_tuxcall, 0);	640	filter_add_blacklist(SYS_tuxcall, 0);
576	#endif	641	#endif