diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 13:54:28 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 14:01:37 +0300 |
| commit | 85bb547e4054ab147d393bf437998ad76043783a (patch) | |
| tree | f18a85f2767fedf3d9b5b1fa3b3996c8cc027a9c /src/firejail/seccomp.c | |
| parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
| download | firejail-85bb547e4054ab147d393bf437998ad76043783a.tar.gz firejail-85bb547e4054ab147d393bf437998ad76043783a.tar.zst firejail-85bb547e4054ab147d393bf437998ad76043783a.zip | |
Postpone installation of seccomp filters just before execve
Diffstat (limited to 'src/firejail/seccomp.c')
| -rw-r--r-- | src/firejail/seccomp.c | 49 |
1 files changed, 34 insertions, 15 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 516c97fa0..e855ce7ed 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
| @@ -23,6 +23,13 @@ | |||
| 23 | #include "../include/seccomp.h" | 23 | #include "../include/seccomp.h" |
| 24 | #include <sys/mman.h> | 24 | #include <sys/mman.h> |
| 25 | 25 | ||
| 26 | typedef struct filter_list { | ||
| 27 | struct filter_list *next; | ||
| 28 | struct sock_fprog prog; | ||
| 29 | } FilterList; | ||
| 30 | |||
| 31 | static FilterList *filter_list_head = NULL; | ||
| 32 | |||
| 26 | static int err_printed = 0; | 33 | static int err_printed = 0; |
| 27 | 34 | ||
| 28 | char *seccomp_check_list(const char *str) { | 35 | char *seccomp_check_list(const char *str) { |
| @@ -52,6 +59,24 @@ char *seccomp_check_list(const char *str) { | |||
| 52 | return rv; | 59 | return rv; |
| 53 | } | 60 | } |
| 54 | 61 | ||
| 62 | // install seccomp filters | ||
| 63 | int seccomp_install_filters(void) { | ||
| 64 | int r = 0; | ||
| 65 | FilterList *fl = filter_list_head; | ||
| 66 | if (fl) { | ||
| 67 | prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); | ||
| 68 | |||
| 69 | for (; fl; fl = fl->next) { | ||
| 70 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) { | ||
| 71 | if (!err_printed) | ||
| 72 | fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); | ||
| 73 | err_printed = 1; | ||
| 74 | r = 1; | ||
| 75 | } | ||
| 76 | } | ||
| 77 | } | ||
| 78 | return r; | ||
| 79 | } | ||
| 55 | 80 | ||
| 56 | int seccomp_load(const char *fname) { | 81 | int seccomp_load(const char *fname) { |
| 57 | assert(fname); | 82 | assert(fname); |
| @@ -77,22 +102,16 @@ int seccomp_load(const char *fname) { | |||
| 77 | // close file | 102 | // close file |
| 78 | close(fd); | 103 | close(fd); |
| 79 | 104 | ||
| 80 | // install filter | 105 | FilterList *fl = malloc(sizeof(FilterList)); |
| 81 | struct sock_fprog prog = { | 106 | if (!fl) { |
| 82 | .len = entries, | 107 | fprintf(stderr, "Error: cannot allocate memory\n"); |
| 83 | .filter = filter, | 108 | exit(1); |
| 84 | }; | ||
| 85 | int r = 0; | ||
| 86 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | ||
| 87 | if (!err_printed) | ||
| 88 | fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); | ||
| 89 | err_printed = 1; | ||
| 90 | r = 1; | ||
| 91 | } | 109 | } |
| 92 | 110 | fl->next = filter_list_head; | |
| 93 | munmap(filter, size); | 111 | fl->prog.len = entries; |
| 94 | return r; | 112 | fl->prog.filter = filter; |
| 95 | 113 | filter_list_head = fl; | |
| 114 | return 0; | ||
| 96 | errexit: | 115 | errexit: |
| 97 | fprintf(stderr, "Error: cannot read %s\n", fname); | 116 | fprintf(stderr, "Error: cannot read %s\n", fname); |
| 98 | exit(1); | 117 | exit(1); |