author | Topi Miettinen <toiwoton@gmail.com> | 2021-01-31 00:15:31 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2021-02-01 20:09:21 +0000 |
commit | 0040969e439dbddb76bc190900b453b71e895068 (patch) | |
tree | 3d9606b116e47f8702d86fde5194d8c8d22fdde5 /src/fsec-optimize | |
parent | Add profile for avidemux (#3935) (diff) | |
Seccomp error action fixes
fsec-optimize: Optimize BPF with current seccomp error action, not
just KILL
fseccomp: use correct BPF code for errno action
firejail: honor seccomp error action for X32 and secondary filters,
rebuild filters if the error action is changed
Closes: #3933
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/fsec-optimize')
-rw-r--r-- | src/fsec-optimize/Makefile.in | 2 | ||||
-rw-r--r-- | src/fsec-optimize/main.c | 17 | ||||
-rw-r--r-- | src/fsec-optimize/optimizer.c | 6 |
3 files changed, 21 insertions, 4 deletions
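--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -6,7 +6,7 @@ include ../common.mk
 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
-$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
 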
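Review bot: The recipe now links ../lib/errno.o, but the prerequisite list of the fsec-optimize target on the line above still names only $(OBJS) ../lib/common.o ../lib/libnetlink.o, so make will neither rebuild fsec-optimize when errno.o changes nor fail early if errno.o has not been built yet; change it to `fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o`. If the top-level build already guarantees that the lib objects are built before this directory, the remaining risk is only a stale link after editing errno.c. The list already had the opposite inconsistency (libnetlink.o is a prerequisite but is not linked), which this change does not touch.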
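--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -18,6 +18,9 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fsec_optimize.h"
+#include "../include/syscall.h"
+
+int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 
 static void usage(void) {
 printf("Usage:\n");
@@ -46,6 +49,20 @@ printf("\n");
 
 warn_dumpable();
 
+char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION");
+if (error_action) {
+if (strcmp(error_action, "kill") == 0)
+arg_seccomp_error_action = SECCOMP_RET_KILL;
+else if (strcmp(error_action, "log") == 0)
+arg_seccomp_error_action = SECCOMP_RET_LOG;
+else {
+arg_seccomp_error_action = errno_find_name(error_action);
+if (arg_seccomp_error_action == -1)
+errExit("seccomp-error-action: unknown errno");
+arg_seccomp_error_action |= SECCOMP_RET_ERRNO;
+}
+}
+
 char *fname = argv[1];
 
 // open input file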
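Review bot: The value parsed from FIREJAIL_SECCOMP_ERROR_ACTION in the second hunk has to be exactly the return value the filter builder encoded into the BPF program, otherwise is_blacklist() in optimizer.c never matches and the filter is passed through unoptimized with no message; nothing at the getenv line states who sets the variable or that it must agree with the builder. A comment such as `// must equal the error action fseccomp encoded into the filter; expected to be set by the parent firejail process` would make that contract explicit. The kill/log/errno-name parsing presumably exists in fseccomp as well; if so, a shared helper in ../lib would keep the two in sync. On the unknown-errno path errExit() is called although errno_find_name() does not appear to set errno, so if errExit() appends strerror(errno) the text may be unrelated to the actual problem; a plain fprintf() followed by exit(), or `errno = EINVAL;` before the call, would give a cleaner message. The enclosing main() starts and ends outside the hunk.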
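--- a/src/fsec-optimize/optimizer.c
+++ b/src/fsec-optimize/optimizer.c
@@ -33,7 +33,7 @@
 static inline int is_blacklist(struct sock_filter *bpf) {
 if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K &&
 (bpf + 1)->code == BPF_RET + BPF_K &&
-(bpf + 1)->k == SECCOMP_RET_KILL )
+(bpf + 1)->k == (__u32)arg_seccomp_error_action)
 return 1;
 return 0;
 }
@@ -89,9 +89,9 @@ static int optimize_blacklists(struct sock_filter *filter, int entries) {
 }
 }
 
-// step 3: add the new ret KILL, and recalculate entries
+// step 3: add the new ret KILL/LOG/ERRNO, and recalculate entries
 filter_step2[j].code = BPF_RET + BPF_K;
-filter_step2[j].k = SECCOMP_RET_KILL;
+filter_step2[j].k = arg_seccomp_error_action;
 entries = j + 1;
 
 // step 4: recalculate jumps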
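Review bot: The int-to-__u32 conversion is written explicitly in is_blacklist() but left implicit in step 3 of the second hunk, where `filter_step2[j].k = arg_seccomp_error_action;` stores the same global into the same field type; `filter_step2[j].k = (__u32)arg_seccomp_error_action;` keeps the two sites consistent and quiet under -Wsign-conversion. is_blacklist() now depends on a mutable global that is only set in main(), so the pattern it recognises is no longer visible from the function itself; a comment above it such as `// a blacklist entry is JEQ <syscall> followed by RET <configured error action>, see arg_seccomp_error_action in main.c` would document that. The extern declaration of arg_seccomp_error_action that optimizer.c needs is not in the shown hunks; presumably it lives in fsec_optimize.h and should be verified there. optimize_blacklists() starts and ends outside the hunk.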