diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2017-08-13 14:07:31 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-13 17:31:07 +0300 |
| commit | 63e9d849f662d1a494c6396d4a439cd4c91dfa7e (patch) | |
| tree | 703cc8c9c0eb5b9e528f025961df7f322f797737 /src/fseccomp/fseccomp.h | |
| parent | merges (diff) | |
| download | firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.tar.gz firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.tar.zst firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.zip | |
Allow any syscall to be blacklisted (#1447)
Allow any syscall to be blacklisted with aid of LD_PRELOAD library,
libpostexecseccomp.so.
Closes: #1447
Diffstat (limited to 'src/fseccomp/fseccomp.h')
| -rw-r--r-- | src/fseccomp/fseccomp.h | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index 0db670380..144b612ae 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h | |||
| @@ -30,8 +30,9 @@ extern int arg_quiet; | |||
| 30 | 30 | ||
| 31 | // syscall.c | 31 | // syscall.c |
| 32 | void syscall_print(void); | 32 | void syscall_print(void); |
| 33 | int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg); | 33 | int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg); |
| 34 | const char *syscall_find_nr(int nr); | 34 | const char *syscall_find_nr(int nr); |
| 35 | void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist); | ||
| 35 | 36 | ||
| 36 | // errno.c | 37 | // errno.c |
| 37 | void errno_print(void); | 38 | void errno_print(void); |
| @@ -49,9 +50,9 @@ void seccomp_secondary_32(const char *fname); | |||
| 49 | // seccomp_file.c | 50 | // seccomp_file.c |
| 50 | void write_to_file(int fd, const void *data, int size); | 51 | void write_to_file(int fd, const void *data, int size); |
| 51 | void filter_init(int fd); | 52 | void filter_init(int fd); |
| 52 | void filter_add_whitelist(int fd, int syscall, int arg); | 53 | void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg); |
| 53 | void filter_add_blacklist(int fd, int syscall, int arg); | 54 | void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg); |
| 54 | void filter_add_errno(int fd, int syscall, int arg); | 55 | void filter_add_errno(int fd, int syscall, int arg, void *ptrarg); |
| 55 | void filter_end_blacklist(int fd); | 56 | void filter_end_blacklist(int fd); |
| 56 | void filter_end_whitelist(int fd); | 57 | void filter_end_whitelist(int fd); |
| 57 | 58 | ||
| @@ -59,11 +60,11 @@ void filter_end_whitelist(int fd); | |||
| 59 | // default list | 60 | // default list |
| 60 | void seccomp_default(const char *fname, int allow_debuggers); | 61 | void seccomp_default(const char *fname, int allow_debuggers); |
| 61 | // drop list | 62 | // drop list |
| 62 | void seccomp_drop(const char *fname, char *list, int allow_debuggers); | 63 | void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers); |
| 63 | // default+drop list | 64 | // default+drop list |
| 64 | void seccomp_default_drop(const char *fname, char *list, int allow_debuggers); | 65 | void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers); |
| 65 | // whitelisted filter | 66 | // whitelisted filter |
| 66 | void seccomp_keep(const char *fname, char *list); | 67 | void seccomp_keep(const char *fname1, const char *fname2, char *list); |
| 67 | // block writable and executable memory | 68 | // block writable and executable memory |
| 68 | void memory_deny_write_execute(const char *fname); | 69 | void memory_deny_write_execute(const char *fname); |
| 69 | 70 | ||