diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2020-03-14 00:07:06 +0200 |
|---|---|---|
| committer |  Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-03-28 11:24:25 +0000 |
| commit | 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch) | |
| tree | 6b4d2a805a2900755bfc857586a10948b3c8395e /src/fseccomp/protocol.c | |
| parent | Added compatibility with BetterDiscord (#3300) (diff) | |
| download | firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.gz firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.zst firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.zip | |
seccomp: allow defining separate filters for 32-bit arch
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/fseccomp/protocol.c')
| -rw-r--r-- | src/fseccomp/protocol.c | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index 7a21eb2c2..b8b30f488 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c | |||
| @@ -122,10 +122,23 @@ void protocol_build_filter(const char *prlist, const char *fname) { | |||
| 122 | 122 | ||
| 123 | // header | 123 | // header |
| 124 | struct sock_filter filter_start[] = { | 124 | struct sock_filter filter_start[] = { |
| 125 | VALIDATE_ARCHITECTURE, | 125 | #if defined __x86_64__ |
| 126 | EXAMINE_SYSCALL, | 126 | /* check for native arch */ |
| 127 | ONLY(SYS_socket), | 127 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), |
| 128 | EXAMINE_ARGUMENT(0) | 128 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1 + 2 + 1, 0), |
| 129 | /* i386 filter */ | ||
| 130 | EXAMINE_SYSCALL, // 1 | ||
| 131 | // checking SYS_socket only: filtering SYS_socketcall not possible with seccomp | ||
| 132 | ONLY(359), // 1 + 2 | ||
| 133 | BPF_JUMP(BPF_JMP+BPF_JA+BPF_K, (3 + 1 + 2), 0, 0), // 1 + 2 + 1 | ||
| 134 | #else | ||
| 135 | #warning 32 bit protocol filter not implemented yet for your architecture | ||
| 136 | #endif | ||
| 137 | VALIDATE_ARCHITECTURE, // 3 | ||
| 138 | EXAMINE_SYSCALL, // 3 + 1 | ||
| 139 | ONLY(SYS_socket), // 3 + 1 + 2 | ||
| 140 | |||
| 141 | EXAMINE_ARGUMENT(0) // 3 + 1 + 2 + 1 | ||
| 129 | }; | 142 | }; |
| 130 | memcpy(ptr, &filter_start[0], sizeof(filter_start)); | 143 | memcpy(ptr, &filter_start[0], sizeof(filter_start)); |
| 131 | ptr += sizeof(filter_start); | 144 | ptr += sizeof(filter_start); |