authorLibravatar Topi Miettinen <toiwoton@gmail.com>2020-03-14 00:07:06 +0200
committerLibravatar Topi Miettinen <topimiettinen@users.noreply.github.com>2020-03-28 11:24:25 +0000
commit88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch)
tree6b4d2a805a2900755bfc857586a10948b3c8395e /src/fseccomp/main.c
parentAdded compatibility with BetterDiscord (#3300) (diff)
seccomp: allow defining separate filters for 32-bit arch
System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine. Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed. Lists of supported system calls are also updated. Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries. Closes #3267. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/fseccomp/main.c')
-rw-r--r--src/fseccomp/main.c41
1 files changed, 34 insertions, 7 deletions
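--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -23,6 +23,7 @@ int arg_quiet = 0;
 static void usage(void) {
 	printf("Usage:\n");
 	printf("\tfseccomp debug-syscalls\n");
+	printf("\tfseccomp debug-syscalls32\n");
 	printf("\tfseccomp debug-errnos\n");
 	printf("\tfseccomp debug-protocols\n");
 	printf("\tfseccomp protocol build list file\n");
@@ -31,12 +32,20 @@ static void usage(void) {
 	printf("\tfseccomp secondary block file\n");
 	printf("\tfseccomp default file\n");
 	printf("\tfseccomp default file allow-debuggers\n");
+	printf("\tfseccomp default32 file\n");
+	printf("\tfseccomp default32 file allow-debuggers\n");
 	printf("\tfseccomp drop file1 file2 list\n");
 	printf("\tfseccomp drop file1 file2 list allow-debuggers\n");
+	printf("\tfseccomp drop32 file1 file2 list\n");
+	printf("\tfseccomp drop32 file1 file2 list allow-debuggers\n");
 	printf("\tfseccomp default drop file1 file2 list\n");
 	printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");
+	printf("\tfseccomp default32 drop file1 file2 list\n");
+	printf("\tfseccomp default32 drop file1 file2 list allow-debuggers\n");
 	printf("\tfseccomp keep file1 file2 list\n");
+	printf("\tfseccomp keep32 file1 file2 list\n");
 	printf("\tfseccomp memory-deny-write-execute file\n");
+	printf("\tfseccomp memory-deny-write-execute.32 file\n");
 }
 
 int main(int argc, char **argv) {
@@ -64,6 +73,8 @@ printf("\n");
 	}
 	else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
 		syscall_print();
+	else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0)
+		syscall_print_32();
 	else if (argc == 2 && strcmp(argv[1], "debug-errnos") == 0)
 		errno_print();
 	else if (argc == 2 && strcmp(argv[1], "debug-protocols") == 0)
@@ -75,21 +86,37 @@ printf("\n");
 	else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)
 		seccomp_secondary_block(argv[3]);
 	else if (argc == 3 && strcmp(argv[1], "default") == 0)
-		seccomp_default(argv[2], 0);
+		seccomp_default(argv[2], 0, true);
 	else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
-		seccomp_default(argv[2], 1);
+		seccomp_default(argv[2], 1, true);
+	else if (argc == 3 && strcmp(argv[1], "default32") == 0)
+		seccomp_default(argv[2], 0, false);
+	else if (argc == 4 && strcmp(argv[1], "default32") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
+		seccomp_default(argv[2], 1, false);
 	else if (argc == 5 && strcmp(argv[1], "drop") == 0)
-		seccomp_drop(argv[2], argv[3], argv[4], 0);
+		seccomp_drop(argv[2], argv[3], argv[4], 0, true);
 	else if (argc == 6 && strcmp(argv[1], "drop") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
-		seccomp_drop(argv[2], argv[3], argv[4], 1);
+		seccomp_drop(argv[2], argv[3], argv[4], 1, true);
+	else if (argc == 5 && strcmp(argv[1], "drop32") == 0)
+		seccomp_drop(argv[2], argv[3], argv[4], 0, false);
+	else if (argc == 6 && strcmp(argv[1], "drop32") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
+		seccomp_drop(argv[2], argv[3], argv[4], 1, false);
 	else if (argc == 6 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0)
-		seccomp_default_drop(argv[3], argv[4], argv[5], 0);
+		seccomp_default_drop(argv[3], argv[4], argv[5], 0, true);
 	else if (argc == 7 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[6], "allow-debuggers") == 0)
-		seccomp_default_drop(argv[3], argv[4], argv[5], 1);
+		seccomp_default_drop(argv[3], argv[4], argv[5], 1, true);
+	else if (argc == 6 && strcmp(argv[1], "default32") == 0 && strcmp(argv[2], "drop") == 0)
+		seccomp_default_drop(argv[3], argv[4], argv[5], 0, false);
+	else if (argc == 7 && strcmp(argv[1], "default32") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[6], "allow-debuggers") == 0)
+		seccomp_default_drop(argv[3], argv[4], argv[5], 1, false);
 	else if (argc == 5 && strcmp(argv[1], "keep") == 0)
-		seccomp_keep(argv[2], argv[3], argv[4]);
+		seccomp_keep(argv[2], argv[3], argv[4], true);
+	else if (argc == 5 && strcmp(argv[1], "keep32") == 0)
+		seccomp_keep(argv[2], argv[3], argv[4], false);
 	else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
 		memory_deny_write_execute(argv[2]);
+	else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute.32") == 0)
+		memory_deny_write_execute_32(argv[2]);
 	else {
 		fprintf(stderr, "Error fseccomp: invalid arguments\n");
 		return 1;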
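Review bot: The bare `true`/`false` literal appended to every seccomp_default, seccomp_drop, seccomp_default_drop and seccomp_keep call in the last hunk is opaque at the call site; nothing in this file says which value selects the native filter and which the 32-bit one, and the pairs are easy to transpose when another branch is added. I would document the convention once above the dispatch chain, e.g. `// trailing flag: true = native-arch filter, false = 32-bit compat filter (default32/drop32/keep32)`, assuming from the pairing here that `true` goes with the unsuffixed commands — worth confirming against the definitions in the sibling source files. The new command names are also inconsistent in form: `default32`, `drop32` and `keep32` drop the dot that `memory-deny-write-execute.32` keeps, so usage() and the caller in firejail proper have to remember two spellings; the caller is outside this diff, so changing it here would be a coordinated edit. main() continues past the end of the hunk.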