major cleanup

author: netblue30 <netblue30@yahoo.com> 2016-11-02 07:49:01 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-11-02 07:49:01 -0400
commit: 72b93c5761b5e42c5742e192f46bac1696c36f4c (patch)
tree: 3951e01a771ea3e8f11b8364991bb47f752f011f /src/fseccomp/seccomp.c
parent: fixed /run/firejail/mnt problem introduced recently (diff)
download: firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.tar.gz
firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.tar.zst
firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.zip
1 files changed, 292 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
new file mode 100644
index 000000000..cc6edc8ca
--- /dev/null
+++ b/src/fseccomp/seccomp.c
@@ -0,0 +1,292 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+static void add_default_list(int fd, int allow_debuggers) {
+#ifdef SYS_mount
+        filter_add_blacklist(fd, SYS_mount, 0);
+#endif
+#ifdef SYS_umount2
+        filter_add_blacklist(fd, SYS_umount2, 0);
+#endif
+        if (!allow_debuggers) {
+#ifdef SYS_ptrace
+                filter_add_blacklist(fd, SYS_ptrace, 0);
+#endif
+        }
+#ifdef SYS_kexec_load
+        filter_add_blacklist(fd, SYS_kexec_load, 0);
+#endif
+#ifdef SYS_kexec_file_load
+        filter_add_blacklist(fd, SYS_kexec_file_load, 0);
+#endif
+#ifdef SYS_open_by_handle_at
+        filter_add_blacklist(fd, SYS_open_by_handle_at, 0);
+#endif
+#ifdef SYS_name_to_handle_at
+        filter_add_blacklist(fd, SYS_name_to_handle_at, 0);
+#endif
+#ifdef SYS_init_module
+        filter_add_blacklist(fd, SYS_init_module, 0);
+#endif
+#ifdef SYS_finit_module
+        filter_add_blacklist(fd, SYS_finit_module, 0);
+#endif
+#ifdef SYS_create_module
+        filter_add_blacklist(fd, SYS_create_module, 0);
+#endif
+#ifdef SYS_delete_module
+        filter_add_blacklist(fd, SYS_delete_module, 0);
+#endif
+#ifdef SYS_iopl
+        filter_add_blacklist(fd, SYS_iopl, 0);
+#endif
+#ifdef  SYS_ioperm
+        filter_add_blacklist(fd, SYS_ioperm, 0);
+#endif
+#ifdef  SYS_ioprio_set
+        filter_add_blacklist(fd, SYS_ioprio_set, 0);
+#endif
+#ifdef SYS_ni_syscall
+        filter_add_blacklist(fd, SYS_ni_syscall, 0);
+#endif
+#ifdef SYS_swapon
+        filter_add_blacklist(fd, SYS_swapon, 0);
+#endif
+#ifdef SYS_swapoff
+        filter_add_blacklist(fd, SYS_swapoff, 0);
+#endif
+#ifdef SYS_syslog
+        filter_add_blacklist(fd, SYS_syslog, 0);
+#endif
+        if (!allow_debuggers) {
+#ifdef SYS_process_vm_readv
+                filter_add_blacklist(fd, SYS_process_vm_readv, 0);
+#endif
+        }
+#ifdef SYS_process_vm_writev
+        filter_add_blacklist(fd, SYS_process_vm_writev, 0);
+#endif
+        // mknod removed in 0.9.29 - it brakes Zotero extension
+        //#ifdef SYS_mknod
+        //              filter_add_blacklist(SYS_mknod, 0);
+        //#endif
+#ifdef SYS_sysfs
+        filter_add_blacklist(fd, SYS_sysfs, 0);
+#endif
+#ifdef SYS__sysctl
+        filter_add_blacklist(fd, SYS__sysctl, 0);
+#endif
+#ifdef SYS_adjtimex
+        filter_add_blacklist(fd, SYS_adjtimex, 0);
+#endif
+#ifdef  SYS_clock_adjtime
+        filter_add_blacklist(fd, SYS_clock_adjtime, 0);
+#endif
+#ifdef SYS_lookup_dcookie
+        filter_add_blacklist(fd, SYS_lookup_dcookie, 0);
+#endif
+#ifdef  SYS_perf_event_open
+        filter_add_blacklist(fd, SYS_perf_event_open, 0);
+#endif
+#ifdef  SYS_fanotify_init
+        filter_add_blacklist(fd, SYS_fanotify_init, 0);
+#endif
+#ifdef SYS_kcmp
+        filter_add_blacklist(fd, SYS_kcmp, 0);
+#endif
+#ifdef SYS_add_key
+        filter_add_blacklist(fd, SYS_add_key, 0);
+#endif
+#ifdef SYS_request_key
+        filter_add_blacklist(fd, SYS_request_key, 0);
+#endif
+#ifdef SYS_keyctl
+        filter_add_blacklist(fd, SYS_keyctl, 0);
+#endif
+#ifdef SYS_uselib
+        filter_add_blacklist(fd, SYS_uselib, 0);
+#endif
+#ifdef SYS_acct
+        filter_add_blacklist(fd, SYS_acct, 0);
+#endif
+#ifdef SYS_modify_ldt
+        filter_add_blacklist(fd, SYS_modify_ldt, 0);
+#endif
+#ifdef SYS_pivot_root
+        filter_add_blacklist(fd, SYS_pivot_root, 0);
+#endif
+#ifdef SYS_io_setup
+        filter_add_blacklist(fd, SYS_io_setup, 0);
+#endif
+#ifdef SYS_io_destroy
+        filter_add_blacklist(fd, SYS_io_destroy, 0);
+#endif
+#ifdef SYS_io_getevents
+        filter_add_blacklist(fd, SYS_io_getevents, 0);
+#endif
+#ifdef SYS_io_submit
+        filter_add_blacklist(fd, SYS_io_submit, 0);
+#endif
+#ifdef SYS_io_cancel
+        filter_add_blacklist(fd, SYS_io_cancel, 0);
+#endif
+#ifdef SYS_remap_file_pages
+        filter_add_blacklist(fd, SYS_remap_file_pages, 0);
+#endif
+#ifdef SYS_mbind
+        filter_add_blacklist(fd, SYS_mbind, 0);
+#endif
+#ifdef SYS_get_mempolicy
+        filter_add_blacklist(fd, SYS_get_mempolicy, 0);
+#endif
+#ifdef SYS_set_mempolicy
+        filter_add_blacklist(fd, SYS_set_mempolicy, 0);
+#endif
+#ifdef SYS_migrate_pages
+        filter_add_blacklist(fd, SYS_migrate_pages, 0);
+#endif
+#ifdef SYS_move_pages
+        filter_add_blacklist(fd, SYS_move_pages, 0);
+#endif
+#ifdef SYS_vmsplice
+        filter_add_blacklist(fd, SYS_vmsplice, 0);
+#endif
+#ifdef SYS_chroot
+        filter_add_blacklist(fd, SYS_chroot, 0);
+#endif
+#ifdef SYS_tuxcall
+        filter_add_blacklist(fd, SYS_tuxcall, 0);
+#endif
+#ifdef SYS_reboot
+        filter_add_blacklist(fd, SYS_reboot, 0);
+#endif
+#ifdef SYS_nfsservctl
+        filter_add_blacklist(fd, SYS_nfsservctl, 0);
+#endif
+#ifdef SYS_get_kernel_syms
+        filter_add_blacklist(fd, SYS_get_kernel_syms, 0);
+#endif
+}
+// default list
+void seccomp_default(const char *fname, int allow_debuggers) {
+        assert(fname);
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        add_default_list(fd, allow_debuggers);
+        filter_end_blacklist(fd);
+        
+        // close file
+        close(fd);
+}
+// drop list
+void seccomp_drop(const char *fname, char *list, int allow_debuggers) {
+        assert(fname);
+        (void) allow_debuggers; // todo: to implemnet it
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        if (syscall_check_list(list, filter_add_blacklist, fd, 0)) {
+                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+                exit(1);
+        }
+        filter_end_blacklist(fd);
+        
+        // close file
+        close(fd);
+}
+// default+drop
+void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) {
+        assert(fname);
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        add_default_list(fd, allow_debuggers);
+        if (syscall_check_list(list, filter_add_blacklist, fd, 0)) {
+                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+                exit(1);
+        }
+        filter_end_blacklist(fd);
+        
+        // close file
+        close(fd);
+}
+void seccomp_keep(const char *fname, char *list) {
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        // these 4 syscalls are used by firejail after the seccomp filter is initialized
+        filter_add_whitelist(fd, SYS_setuid, 0);
+        filter_add_whitelist(fd, SYS_setgid, 0);
+        filter_add_whitelist(fd, SYS_setgroups, 0);
+        filter_add_whitelist(fd, SYS_dup, 0);
+        filter_add_whitelist(fd, SYS_prctl, 0);
+        
+        if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
+                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+                exit(1);
+        }
+        
+        filter_end_whitelist(fd);
+        
+        // close file
+        close(fd);
+}
author	netblue30 <netblue30@yahoo.com>	2016-11-02 07:49:01 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-11-02 07:49:01 -0400
commit	72b93c5761b5e42c5742e192f46bac1696c36f4c (patch)
tree	3951e01a771ea3e8f11b8364991bb47f752f011f /src/fseccomp/seccomp.c
parent	fixed /run/firejail/mnt problem introduced recently (diff)
download	firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.tar.gz firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.tar.zst firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.zip

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c new file mode 100644 index 000000000..cc6edc8ca --- /dev/null +++ b/src/fseccomp/seccomp.c
@@ -0,0 +1,292 @@
	1	/*
	2	* Copyright (C) 2014-2016 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#include "fseccomp.h"
	21	#include "../include/seccomp.h"
	22	#include <sys/syscall.h>
	23
	24	static void add_default_list(int fd, int allow_debuggers) {
	25	#ifdef SYS_mount
	26	filter_add_blacklist(fd, SYS_mount, 0);
	27	#endif
	28	#ifdef SYS_umount2
	29	filter_add_blacklist(fd, SYS_umount2, 0);
	30	#endif
	31
	32	if (!allow_debuggers) {
	33	#ifdef SYS_ptrace
	34	filter_add_blacklist(fd, SYS_ptrace, 0);
	35	#endif
	36	}
	37
	38	#ifdef SYS_kexec_load
	39	filter_add_blacklist(fd, SYS_kexec_load, 0);
	40	#endif
	41	#ifdef SYS_kexec_file_load
	42	filter_add_blacklist(fd, SYS_kexec_file_load, 0);
	43	#endif
	44	#ifdef SYS_open_by_handle_at
	45	filter_add_blacklist(fd, SYS_open_by_handle_at, 0);
	46	#endif
	47	#ifdef SYS_name_to_handle_at
	48	filter_add_blacklist(fd, SYS_name_to_handle_at, 0);
	49	#endif
	50	#ifdef SYS_init_module
	51	filter_add_blacklist(fd, SYS_init_module, 0);
	52	#endif
	53	#ifdef SYS_finit_module
	54	filter_add_blacklist(fd, SYS_finit_module, 0);
	55	#endif
	56	#ifdef SYS_create_module
	57	filter_add_blacklist(fd, SYS_create_module, 0);
	58	#endif
	59	#ifdef SYS_delete_module
	60	filter_add_blacklist(fd, SYS_delete_module, 0);
	61	#endif
	62	#ifdef SYS_iopl
	63	filter_add_blacklist(fd, SYS_iopl, 0);
	64	#endif
	65	#ifdef SYS_ioperm
	66	filter_add_blacklist(fd, SYS_ioperm, 0);
	67	#endif
	68	#ifdef SYS_ioprio_set
	69	filter_add_blacklist(fd, SYS_ioprio_set, 0);
	70	#endif
	71	#ifdef SYS_ni_syscall
	72	filter_add_blacklist(fd, SYS_ni_syscall, 0);
	73	#endif
	74	#ifdef SYS_swapon
	75	filter_add_blacklist(fd, SYS_swapon, 0);
	76	#endif
	77	#ifdef SYS_swapoff
	78	filter_add_blacklist(fd, SYS_swapoff, 0);
	79	#endif
	80	#ifdef SYS_syslog
	81	filter_add_blacklist(fd, SYS_syslog, 0);
	82	#endif
	83
	84	if (!allow_debuggers) {
	85	#ifdef SYS_process_vm_readv
	86	filter_add_blacklist(fd, SYS_process_vm_readv, 0);
	87	#endif
	88	}
	89
	90	#ifdef SYS_process_vm_writev
	91	filter_add_blacklist(fd, SYS_process_vm_writev, 0);
	92	#endif
	93
	94	// mknod removed in 0.9.29 - it brakes Zotero extension
	95	//#ifdef SYS_mknod
	96	// filter_add_blacklist(SYS_mknod, 0);
	97	//#endif
	98
	99	#ifdef SYS_sysfs
	100	filter_add_blacklist(fd, SYS_sysfs, 0);
	101	#endif
	102	#ifdef SYS__sysctl
	103	filter_add_blacklist(fd, SYS__sysctl, 0);
	104	#endif
	105	#ifdef SYS_adjtimex
	106	filter_add_blacklist(fd, SYS_adjtimex, 0);
	107	#endif
	108	#ifdef SYS_clock_adjtime
	109	filter_add_blacklist(fd, SYS_clock_adjtime, 0);
	110	#endif
	111	#ifdef SYS_lookup_dcookie
	112	filter_add_blacklist(fd, SYS_lookup_dcookie, 0);
	113	#endif
	114	#ifdef SYS_perf_event_open
	115	filter_add_blacklist(fd, SYS_perf_event_open, 0);
	116	#endif
	117	#ifdef SYS_fanotify_init
	118	filter_add_blacklist(fd, SYS_fanotify_init, 0);
	119	#endif
	120	#ifdef SYS_kcmp
	121	filter_add_blacklist(fd, SYS_kcmp, 0);
	122	#endif
	123	#ifdef SYS_add_key
	124	filter_add_blacklist(fd, SYS_add_key, 0);
	125	#endif
	126	#ifdef SYS_request_key
	127	filter_add_blacklist(fd, SYS_request_key, 0);
	128	#endif
	129	#ifdef SYS_keyctl
	130	filter_add_blacklist(fd, SYS_keyctl, 0);
	131	#endif
	132	#ifdef SYS_uselib
	133	filter_add_blacklist(fd, SYS_uselib, 0);
	134	#endif
	135	#ifdef SYS_acct
	136	filter_add_blacklist(fd, SYS_acct, 0);
	137	#endif
	138	#ifdef SYS_modify_ldt
	139	filter_add_blacklist(fd, SYS_modify_ldt, 0);
	140	#endif
	141	#ifdef SYS_pivot_root
	142	filter_add_blacklist(fd, SYS_pivot_root, 0);
	143	#endif
	144	#ifdef SYS_io_setup
	145	filter_add_blacklist(fd, SYS_io_setup, 0);
	146	#endif
	147	#ifdef SYS_io_destroy
	148	filter_add_blacklist(fd, SYS_io_destroy, 0);
	149	#endif
	150	#ifdef SYS_io_getevents
	151	filter_add_blacklist(fd, SYS_io_getevents, 0);
	152	#endif
	153	#ifdef SYS_io_submit
	154	filter_add_blacklist(fd, SYS_io_submit, 0);
	155	#endif
	156	#ifdef SYS_io_cancel
	157	filter_add_blacklist(fd, SYS_io_cancel, 0);
	158	#endif
	159	#ifdef SYS_remap_file_pages
	160	filter_add_blacklist(fd, SYS_remap_file_pages, 0);
	161	#endif
	162	#ifdef SYS_mbind
	163	filter_add_blacklist(fd, SYS_mbind, 0);
	164	#endif
	165	#ifdef SYS_get_mempolicy
	166	filter_add_blacklist(fd, SYS_get_mempolicy, 0);
	167	#endif
	168	#ifdef SYS_set_mempolicy
	169	filter_add_blacklist(fd, SYS_set_mempolicy, 0);
	170	#endif
	171	#ifdef SYS_migrate_pages
	172	filter_add_blacklist(fd, SYS_migrate_pages, 0);
	173	#endif
	174	#ifdef SYS_move_pages
	175	filter_add_blacklist(fd, SYS_move_pages, 0);
	176	#endif
	177	#ifdef SYS_vmsplice
	178	filter_add_blacklist(fd, SYS_vmsplice, 0);
	179	#endif
	180	#ifdef SYS_chroot
	181	filter_add_blacklist(fd, SYS_chroot, 0);
	182	#endif
	183	#ifdef SYS_tuxcall
	184	filter_add_blacklist(fd, SYS_tuxcall, 0);
	185	#endif
	186	#ifdef SYS_reboot
	187	filter_add_blacklist(fd, SYS_reboot, 0);
	188	#endif
	189	#ifdef SYS_nfsservctl
	190	filter_add_blacklist(fd, SYS_nfsservctl, 0);
	191	#endif
	192	#ifdef SYS_get_kernel_syms
	193	filter_add_blacklist(fd, SYS_get_kernel_syms, 0);
	194	#endif
	195	}
	196
	197	// default list
	198	void seccomp_default(const char *fname, int allow_debuggers) {
	199	assert(fname);
	200
	201	// open file
	202	int fd = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
	203	if (fd < 0) {
	204	fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
	205	exit(1);
	206	}
	207
	208	// build filter
	209	filter_init(fd);
	210	add_default_list(fd, allow_debuggers);
	211	filter_end_blacklist(fd);
	212
	213	// close file
	214	close(fd);
	215	}
	216
	217	// drop list
	218	void seccomp_drop(const char fname, char list, int allow_debuggers) {
	219	assert(fname);
	220	(void) allow_debuggers; // todo: to implemnet it
	221
	222	// open file
	223	int fd = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
	224	if (fd < 0) {
	225	fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
	226	exit(1);
	227	}
	228
	229	// build filter
	230	filter_init(fd);
	231	if (syscall_check_list(list, filter_add_blacklist, fd, 0)) {
	232	fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
	233	exit(1);
	234	}
	235	filter_end_blacklist(fd);
	236
	237	// close file
	238	close(fd);
	239	}
	240
	241	// default+drop
	242	void seccomp_default_drop(const char fname, char list, int allow_debuggers) {
	243	assert(fname);
	244
	245	// open file
	246	int fd = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
	247	if (fd < 0) {
	248	fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
	249	exit(1);
	250	}
	251
	252	// build filter
	253	filter_init(fd);
	254	add_default_list(fd, allow_debuggers);
	255	if (syscall_check_list(list, filter_add_blacklist, fd, 0)) {
	256	fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
	257	exit(1);
	258	}
	259	filter_end_blacklist(fd);
	260
	261	// close file
	262	close(fd);
	263	}
	264
	265	void seccomp_keep(const char fname, char list) {
	266	// open file
	267	int fd = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
	268	if (fd < 0) {
	269	fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
	270	exit(1);
	271	}
	272
	273	// build filter
	274	filter_init(fd);
	275	// these 4 syscalls are used by firejail after the seccomp filter is initialized
	276	filter_add_whitelist(fd, SYS_setuid, 0);
	277	filter_add_whitelist(fd, SYS_setgid, 0);
	278	filter_add_whitelist(fd, SYS_setgroups, 0);
	279	filter_add_whitelist(fd, SYS_dup, 0);
	280	filter_add_whitelist(fd, SYS_prctl, 0);
	281
	282	if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
	283	fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
	284	exit(1);
	285	}
	286
	287	filter_end_whitelist(fd);
	288
	289	// close file
	290	close(fd);
	291	}
	292