author | Topi Miettinen <toiwoton@gmail.com> | 2017-08-06 21:58:35 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-06 23:24:20 +0300 |
commit | 34ee8e03f58c4c51c3aa29f553e06570d0654db2 (patch) | |
tree | 05b191c778a7b871e339bdf6c6017606404a917e /src/fseccomp/seccomp.c | |
parent | private-lib fixes (diff) | |
Seccomp: system call grouping and call numbers
Diffstat (limited to 'src/fseccomp/seccomp.c')
-rw-r--r-- | src/fseccomp/seccomp.c | 317 |
1 files changed, 10 insertions, 307 deletions
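--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -25,319 +25,24 @@
 #include <sys/types.h>
 
 static void add_default_list(int fd, int allow_debuggers) {
-#ifdef SYS_mount
-filter_add_blacklist(fd, SYS_mount, 0);
-#endif
-#ifdef SYS_umount2
-filter_add_blacklist(fd, SYS_umount2, 0);
-#endif
+int r;
+if (!allow_debuggers)
+r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0);
+else
+r = syscall_check_list("@default", filter_add_blacklist, fd, 0);
 
-if (!allow_debuggers) {
-#ifdef SYS_ptrace
-filter_add_blacklist(fd, SYS_ptrace, 0);
-#endif
-}
-
-#ifdef SYS_kexec_load
-filter_add_blacklist(fd, SYS_kexec_load, 0);
-#endif
-#ifdef SYS_kexec_file_load
-filter_add_blacklist(fd, SYS_kexec_file_load, 0);
-#endif
-#ifdef SYS_open_by_handle_at
-filter_add_blacklist(fd, SYS_open_by_handle_at, 0);
-#endif
-#ifdef SYS_name_to_handle_at
-filter_add_blacklist(fd, SYS_name_to_handle_at, 0);
-#endif
-#ifdef SYS_init_module
-filter_add_blacklist(fd, SYS_init_module, 0);
-#endif
-#ifdef SYS_finit_module
-filter_add_blacklist(fd, SYS_finit_module, 0);
-#endif
-#ifdef SYS_create_module
-filter_add_blacklist(fd, SYS_create_module, 0);
-#endif
-#ifdef SYS_delete_module
-filter_add_blacklist(fd, SYS_delete_module, 0);
-#endif
-#ifdef SYS_iopl
-filter_add_blacklist(fd, SYS_iopl, 0);
-#endif
-#ifdef SYS_ioperm
-filter_add_blacklist(fd, SYS_ioperm, 0);
-#endif
-#ifdef SYS_ioprio_set
-filter_add_blacklist(fd, SYS_ioprio_set, 0);
-#endif
-#ifdef SYS_ni_syscall
-filter_add_blacklist(fd, SYS_ni_syscall, 0);
-#endif
-#ifdef SYS_swapon
-filter_add_blacklist(fd, SYS_swapon, 0);
-#endif
-#ifdef SYS_swapoff
-filter_add_blacklist(fd, SYS_swapoff, 0);
-#endif
-#ifdef SYS_syslog
-filter_add_blacklist(fd, SYS_syslog, 0);
-#endif
-
-if (!allow_debuggers) {
-#ifdef SYS_process_vm_readv
-filter_add_blacklist(fd, SYS_process_vm_readv, 0);
-#endif
-}
-
-#ifdef SYS_process_vm_writev
-filter_add_blacklist(fd, SYS_process_vm_writev, 0);
-#endif
+assert(r == 0);
 //#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension
 // filter_add_blacklist(SYS_mknod, 0);
 //#endif
-#ifdef SYS_sysfs
-filter_add_blacklist(fd, SYS_sysfs, 0);
-#endif
-#ifdef SYS__sysctl
-filter_add_blacklist(fd, SYS__sysctl, 0);
-#endif
-#ifdef SYS_adjtimex
-filter_add_blacklist(fd, SYS_adjtimex, 0);
-#endif
-#ifdef SYS_clock_adjtime
-filter_add_blacklist(fd, SYS_clock_adjtime, 0);
-#endif
-#ifdef SYS_lookup_dcookie
-filter_add_blacklist(fd, SYS_lookup_dcookie, 0);
-#endif
-#ifdef SYS_perf_event_open
-filter_add_blacklist(fd, SYS_perf_event_open, 0);
-#endif
-#ifdef SYS_fanotify_init
-filter_add_blacklist(fd, SYS_fanotify_init, 0);
-#endif
-#ifdef SYS_kcmp
-filter_add_blacklist(fd, SYS_kcmp, 0);
-#endif
-#ifdef SYS_add_key
-filter_add_blacklist(fd, SYS_add_key, 0);
-#endif
-#ifdef SYS_request_key
-filter_add_blacklist(fd, SYS_request_key, 0);
-#endif
-#ifdef SYS_keyctl
-filter_add_blacklist(fd, SYS_keyctl, 0);
-#endif
-#ifdef SYS_uselib
-filter_add_blacklist(fd, SYS_uselib, 0);
-#endif
-#ifdef SYS_acct
-filter_add_blacklist(fd, SYS_acct, 0);
-#endif
-#ifdef SYS_modify_ldt
-filter_add_blacklist(fd, SYS_modify_ldt, 0);
-#endif
-#ifdef SYS_pivot_root
-filter_add_blacklist(fd, SYS_pivot_root, 0);
-#endif
-#ifdef SYS_io_setup
-filter_add_blacklist(fd, SYS_io_setup, 0);
-#endif
-#ifdef SYS_io_destroy
-filter_add_blacklist(fd, SYS_io_destroy, 0);
-#endif
-#ifdef SYS_io_getevents
-filter_add_blacklist(fd, SYS_io_getevents, 0);
-#endif
-#ifdef SYS_io_submit
-filter_add_blacklist(fd, SYS_io_submit, 0);
-#endif
-#ifdef SYS_io_cancel
-filter_add_blacklist(fd, SYS_io_cancel, 0);
-#endif
-#ifdef SYS_remap_file_pages
-filter_add_blacklist(fd, SYS_remap_file_pages, 0);
-#endif
-#ifdef SYS_mbind
-filter_add_blacklist(fd, SYS_mbind, 0);
-#endif
-
 // breaking Firefox nightly when playing youtube videos
 // TODO: test again when firefox sandbox is finally released
 //#ifdef SYS_get_mempolicy
 // filter_add_blacklist(fd, SYS_get_mempolicy, 0);
 //#endif
-
-#ifdef SYS_set_mempolicy
-filter_add_blacklist(fd, SYS_set_mempolicy, 0);
-#endif
-#ifdef SYS_migrate_pages
-filter_add_blacklist(fd, SYS_migrate_pages, 0);
-#endif
-#ifdef SYS_move_pages
-filter_add_blacklist(fd, SYS_move_pages, 0);
-#endif
-#ifdef SYS_vmsplice
-filter_add_blacklist(fd, SYS_vmsplice, 0);
-#endif
-#ifdef SYS_chroot
-filter_add_blacklist(fd, SYS_chroot, 0);
-#endif
-#ifdef SYS_tuxcall
-filter_add_blacklist(fd, SYS_tuxcall, 0);
-#endif
-#ifdef SYS_reboot
-filter_add_blacklist(fd, SYS_reboot, 0);
-#endif
-#ifdef SYS_nfsservctl
-filter_add_blacklist(fd, SYS_nfsservctl, 0);
-#endif
-#ifdef SYS_get_kernel_syms
-filter_add_blacklist(fd, SYS_get_kernel_syms, 0);
-#endif
-
-// 0.9.45
-#ifdef SYS_bpf
-filter_add_blacklist(fd, SYS_bpf, 0);
-#endif
-#ifdef SYS_clock_settime
-filter_add_blacklist(fd, SYS_clock_settime, 0);
-#endif
-//#ifdef SYS_clone - in use by Firejail
-// filter_add_blacklist(fd, SYS_clone, 0);
-//#endif
-#ifdef SYS_personality
-filter_add_blacklist(fd, SYS_personality, 0);
-#endif
-#ifdef SYS_process_vm_writev
-filter_add_blacklist(fd, SYS_process_vm_writev, 0);
-#endif
-#ifdef SYS_query_module
-filter_add_blacklist(fd, SYS_query_module, 0);
-#endif
 //#ifdef SYS_quotactl - in use by Firefox
 // filter_add_blacklist(fd, SYS_quotactl, 0);
 //#endif
-//#ifdef SYS_setns - in use by Firejail
-// filter_add_blacklist(fd, SYS_setns, 0);
-//#endif
-#ifdef SYS_settimeofday
-filter_add_blacklist(fd, SYS_settimeofday, 0);
-#endif
-#ifdef SYS_stime
-filter_add_blacklist(fd, SYS_stime, 0);
-#endif
-#ifdef SYS_umount
-filter_add_blacklist(fd, SYS_umount, 0);
-#endif
-//#ifdef SYS_unshare - in use by Firejail
-// filter_add_blacklist(fd, SYS_unshare, 0);
-//#endif
-#ifdef SYS_userfaultfd
-filter_add_blacklist(fd, SYS_userfaultfd, 0);
-#endif
-#ifdef SYS_ustat
-filter_add_blacklist(fd, SYS_ustat, 0);
-#endif
-#ifdef SYS_vm86
-filter_add_blacklist(fd, SYS_vm86, 0);
-#endif
-#ifdef SYS_vm86old
-filter_add_blacklist(fd, SYS_vm86old, 0);
-#endif
-
-#ifdef SYS_afs_syscall
-filter_add_blacklist(fd, SYS_afs_syscall, 0);
-#endif
-#ifdef SYS_bdflush
-filter_add_blacklist(fd, SYS_bdflush, 0);
-#endif
-#ifdef SYS_break
-filter_add_blacklist(fd, SYS_break, 0);
-#endif
-#ifdef SYS_ftime
-filter_add_blacklist(fd, SYS_ftime, 0);
-#endif
-#ifdef SYS_getpmsg
-filter_add_blacklist(fd, SYS_getpmsg, 0);
-#endif
-#ifdef SYS_gtty
-filter_add_blacklist(fd, SYS_gtty, 0);
-#endif
-#ifdef SYS_lock
-filter_add_blacklist(fd, SYS_lock, 0);
-#endif
-#ifdef SYS_mpx
-filter_add_blacklist(fd, SYS_mpx, 0);
-#endif
-#ifdef SYS_pciconfig_iobase
-filter_add_blacklist(fd, SYS_pciconfig_iobase, 0);
-#endif
-#ifdef SYS_pciconfig_read
-filter_add_blacklist(fd, SYS_pciconfig_read, 0);
-#endif
-#ifdef SYS_pciconfig_write
-filter_add_blacklist(fd, SYS_pciconfig_write, 0);
-#endif
-#ifdef SYS_prof
-filter_add_blacklist(fd, SYS_prof, 0);
-#endif
-#ifdef SYS_profil
-filter_add_blacklist(fd, SYS_profil, 0);
-#endif
-#ifdef SYS_putpmsg
-filter_add_blacklist(fd, SYS_putpmsg, 0);
-#endif
-#ifdef SYS_rtas
-filter_add_blacklist(fd, SYS_rtas, 0);
-#endif
-#ifdef SYS_s390_runtime_instr
-filter_add_blacklist(fd, SYS_s390_runtime_instr, 0);
-#endif
-#ifdef SYS_s390_mmio_read
-filter_add_blacklist(fd, SYS_s390_mmio_read, 0);
-#endif
-#ifdef SYS_s390_mmio_write
-filter_add_blacklist(fd, SYS_s390_mmio_write, 0);
-#endif
-#ifdef SYS_security
-filter_add_blacklist(fd, SYS_security, 0);
-#endif
-#ifdef SYS_setdomainname
-filter_add_blacklist(fd, SYS_setdomainname, 0);
-#endif
-#ifdef SYS_sethostname
-filter_add_blacklist(fd, SYS_sethostname, 0);
-#endif
-#ifdef SYS_sgetmask
-filter_add_blacklist(fd, SYS_sgetmask, 0);
-#endif
-#ifdef SYS_ssetmask
-filter_add_blacklist(fd, SYS_ssetmask, 0);
-#endif
-#ifdef SYS_stty
-filter_add_blacklist(fd, SYS_stty, 0);
-#endif
-#ifdef SYS_subpage_prot
-filter_add_blacklist(fd, SYS_subpage_prot, 0);
-#endif
-#ifdef SYS_switch_endian
-filter_add_blacklist(fd, SYS_switch_endian, 0);
-#endif
-#ifdef SYS_sys_debug_setcontext
-filter_add_blacklist(fd, SYS_sys_debug_setcontext, 0);
-#endif
-#ifdef SYS_ulimit
-filter_add_blacklist(fd, SYS_ulimit, 0);
-#endif
-#ifdef SYS_vhangup
-filter_add_blacklist(fd, SYS_vhangup, 0);
-#endif
-#ifdef SYS_vserver
-filter_add_blacklist(fd, SYS_vserver, 0);
-#endif
-
 }
 
 // default list
@@ -418,12 +123,10 @@ void seccomp_keep(const char *fname, char *list) {
 
 // build filter
 filter_init(fd);
-// these 4 syscalls are used by firejail after the seccomp filter is initialized
-filter_add_whitelist(fd, SYS_setuid, 0);
-filter_add_whitelist(fd, SYS_setgid, 0);
-filter_add_whitelist(fd, SYS_setgroups, 0);
-filter_add_whitelist(fd, SYS_dup, 0);
-filter_add_whitelist(fd, SYS_prctl, 0);
+// these syscalls are used by firejail after the seccomp filter is initialized
+int r;
+r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0);
+assert(r == 0);
 
 if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");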
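Review bot: The return value of syscall_check_list() for the built-in groups is checked only with `assert(r == 0);`, both in add_default_list (new line 34) and at the `@default-keep` call in seccomp_keep (new line 129); under NDEBUG those checks compile away, so an unknown or misspelled group name would leave the default filter silently incomplete instead of failing closed. The user-supplied list two lines later is checked explicitly with an fprintf and an error path, so the built-in groups deserve the same treatment, e.g. `if (r) { fprintf(stderr, "Error fseccomp: cannot build default seccomp filter\n"); exit(1); }` (or whatever error-exit path the rest of seccomp_keep uses, which lies outside the hunk). A short comment above each call, `// built-in group lookup must not fail open: a missing group is a fatal error, not a debug-only check`, would record the intent for the next maintainer. The calls the old code deliberately left enabled for Firejail itself (clone, setns, unshare) presumably now live in the group definitions this hunk cannot show, so the deletions here should be cross-checked against them. seccomp_keep begins and ends outside the hunk.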