authorLibravatar Topi Miettinen <toiwoton@gmail.com>2020-03-14 00:07:06 +0200
committerLibravatar Topi Miettinen <topimiettinen@users.noreply.github.com>2020-03-28 11:24:25 +0000
commit88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch)
tree6b4d2a805a2900755bfc857586a10948b3c8395e /src/fseccomp/fseccomp.h
parentAdded compatibility with BetterDiscord (#3300) (diff)
seccomp: allow defining separate filters for 32-bit arch
System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine. Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed. Lists of supported system calls are also updated. Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries. Closes #3267. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/fseccomp/fseccomp.h')
-rw-r--r--src/fseccomp/fseccomp.h34
1 files changed, 12 insertions, 22 deletions
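--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -24,21 +24,11 @@
 #include <string.h>
 #include <assert.h>
 #include "../include/common.h"
+#include "../include/syscall.h"
 
 // main.c
 extern int arg_quiet;
 
-// syscall.c
-void syscall_print(void);
-int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg);
-const char *syscall_find_nr(int nr);
-void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist);
-
-// errno.c
-void errno_print(void);
-int errno_find_name(const char *name);
-char *errno_find_nr(int nr);
-
 // protocol.c
 void protocol_print(void);
 void protocol_build_filter(const char *prlist, const char *fname);
@@ -49,27 +39,27 @@ void seccomp_secondary_32(const char *fname);
 void seccomp_secondary_block(const char *fname);
 
 // seccomp_file.c
-void write_to_file(int fd, const void *data, int size);
-void filter_init(int fd);
-void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_errno(int fd, int syscall, int arg, void *ptrarg);
+void write_to_file(int fd, const void *data, size_t size);
+void filter_init(int fd, bool native);
+void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native);
 void filter_end_blacklist(int fd);
 void filter_end_whitelist(int fd);
 
 // seccomp.c
 // default list
-void seccomp_default(const char *fname, int allow_debuggers);
+void seccomp_default(const char *fname, int allow_debuggers, bool native);
 // drop list
-void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers);
+void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native);
 // default+drop list
-void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers);
+void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native);
 // whitelisted filter
-void seccomp_keep(const char *fname1, const char *fname2, char *list);
+void seccomp_keep(const char *fname1, const char *fname2, char *list, bool native);
 // block writable and executable memory
 void memory_deny_write_execute(const char *fname);
+void memory_deny_write_execute_32(const char *fname);
 
 // seccomp_print
 void filter_print(const char *fname);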
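Review bot: The new prototypes in the second hunk (filter_init through seccomp_keep) introduce `bool` into this header, but the includes visible in the first hunk are only <string.h>, <assert.h>, common.h and the new syscall.h; unless <stdbool.h> is pulled in above line 24 or via common.h, the header no longer compiles standalone, so add `#include <stdbool.h>` next to the other system headers. The meaning of the `native` flag is stated nowhere in the header, and since it now decides which architecture's syscall table a filter is built against it deserves a one-line comment above the seccomp_file.c group, e.g. `// native: true = filter for the sandbox's native arch, false = the 32-bit secondary arch (seccomp.32)` — this reading is inferred from the commit message, so confirm it against the implementation. The added `memory_deny_write_execute_32` at new line 62 also lacks the sibling's comment; `// same as above, for the 32-bit secondary arch` would do. The `size` change from int to size_t in write_to_file is welcome, but callers outside this hunk should be checked for sign conversions now that a negative value silently becomes a huge length.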