author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-14 00:07:06 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-03-28 11:24:25 +0000 |
commit | 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch) | |
tree | 6b4d2a805a2900755bfc857586a10948b3c8395e /src/fsec-print | |
parent | Added compatibility with BetterDiscord (#3300) (diff) | |
seccomp: allow defining separate filters for 32-bit arch
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/fsec-print')
-rw-r--r-- | src/fsec-print/Makefile.in | 4 | ||||
-rw-r--r-- | src/fsec-print/fsec_print.h | 4 | ||||
-rw-r--r-- | src/fsec-print/main.c | 3 | ||||
-rw-r--r-- | src/fsec-print/syscall_list.c | 47 |
4 files changed, 6 insertions, 52 deletions
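--- a/src/fsec-print/Makefile.in
+++ b/src/fsec-print/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fsec-print: $(OBJS) ../lib/libnetlink.o
-	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
+	$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
 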
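Review bot: The two new objects `../lib/errno.o ../lib/syscall.o` are spelled out twice, once in the prerequisite list on line 8 and again in the link command on line 9, so the two lists can drift apart on the next change. A single variable such as `LIB_OBJS = ../lib/errno.o ../lib/syscall.o` referenced from both lines would keep them in sync. No rule in this Makefile builds those objects; presumably ../lib is built first by the top-level Makefile, as already assumed for the existing ../lib/libnetlink.o prerequisite, which is worth stating in a comment on the rule.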
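--- a/src/fsec-print/fsec_print.h
+++ b/src/fsec-print/fsec_print.h
@@ -21,12 +21,10 @@
 #define FSEC_PRINT_H
 #include "../include/common.h"
 #include "../include/seccomp.h"
+#include "../include/syscall.h"
 #include <sys/mman.h>
 
 // print.c
 void print(struct sock_filter *filter, int entries);
 
-// syscall_list.c
-const char *syscall_find_nr(int nr);
-
 #endif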
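Review bot: `#include "../include/syscall.h"` is now pulled in at file scope on new line 24, while the syscall_list.c deleted in this same commit included that same path inside the `syslist[]` array initializer, i.e. as generated table data rather than as a header of declarations. Unless the commit also reworks include/syscall.h into a regular header (the diffstat on this page is limited to src/fsec-print, so that cannot be confirmed here), a file-scope include of initializer entries will not compile. Worth confirming against the rest of the commit, and a short comment at the include, e.g. `// syscall name/number declarations, shared with ../lib/syscall.o`, would tell the next reader which of the two roles the file now has. The removed `syscall_find_nr` prototype had no replacement declared in this header; presumably the equivalent lookup now comes from ../include/syscall.h.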
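--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -24,6 +24,9 @@ static void usage(void) {
 	printf("\tfsec-print file - disassemble seccomp filter\n");
 }
 
+int arg_quiet = 0;
+void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {}
+
 int main(int argc, char **argv) {
 #if 0
 	{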
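Review bot: The new `arg_quiet` definition and the empty `filter_add_errno` stub on lines 27–28 carry no explanation of why a print-only tool defines them; they look like link-time stubs for symbols referenced by the newly linked ../lib/errno.o and ../lib/syscall.o, but a reader of main.c alone cannot tell, and the empty body silently discards any call that does reach it. Suggest a comment above line 27 such as `// stubs: satisfy references from ../lib/syscall.o and ../lib/errno.o; fsec-print only disassembles filters and never adds errno rules`, and marking the parameters unused inside the body, `(void)fd; (void)syscall; (void)arg; (void)ptrarg; (void)native;`, so -Wextra stays clean. `bool` in the stub's signature needs <stdbool.h>; presumably it arrives via common.h, worth confirming. The enclosing main() continues past the end of the hunk.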
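--- a/src/fsec-print/syscall_list.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2014-2020 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#include "fsec_print.h"
-#include <sys/syscall.h>
-
-typedef struct {
-	const char * const name;
-	int nr;
-} SyscallEntry;
-
-static const SyscallEntry syslist[] = {
-//
-// code generated using tools/extract-syscall
-//
-#include "../include/syscall.h"
-//
-// end of generated code
-//
-}; // end of syslist
-
-const char *syscall_find_nr(int nr) {
-	int i;
-	int elems = sizeof(syslist) / sizeof(syslist[0]);
-	for (i = 0; i < elems; i++) {
-		if (nr == syslist[i].nr)
-			return syslist[i].name;
-	}
-
-	return NULL;
-}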