diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2019-08-25 18:37:05 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2019-08-25 18:37:05 +0300 |
| commit | 39f9b1a2229f8624f92bdcf823ef755c15e28de2 (patch) | |
| tree | c15cdcdd4abbccfdfbed58764de45827ff2e503c /src/fseccomp/seccomp_file.c | |
| parent | Merge pull request #2921 from rusty-snake/allow-common-devel.inc (diff) | |
| download | firejail-39f9b1a2229f8624f92bdcf823ef755c15e28de2.tar.gz firejail-39f9b1a2229f8624f92bdcf823ef755c15e28de2.tar.zst firejail-39f9b1a2229f8624f92bdcf823ef755c15e28de2.zip | |
Allow exceptions to seccomp lists
Prefix ! can be used to make exceptions to system call blacklists and
whitelists used by seccomp, seccomp.drop and seccomp.keep.
Closes #1366
Diffstat (limited to 'src/fseccomp/seccomp_file.c')
| -rw-r--r-- | src/fseccomp/seccomp_file.c | 48 |
1 files changed, 40 insertions, 8 deletions
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c index 2e1f317ed..266ef0c55 100644 --- a/src/fseccomp/seccomp_file.c +++ b/src/fseccomp/seccomp_file.c | |||
| @@ -60,26 +60,58 @@ void filter_init(int fd) { | |||
| 60 | write_to_file(fd, filter, sizeof(filter)); | 60 | write_to_file(fd, filter, sizeof(filter)); |
| 61 | } | 61 | } |
| 62 | 62 | ||
| 63 | void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) { | 63 | static void write_whitelist(int fd, int syscall) { |
| 64 | (void) arg; | ||
| 65 | (void) ptrarg; | ||
| 66 | |||
| 67 | struct sock_filter filter[] = { | 64 | struct sock_filter filter[] = { |
| 68 | WHITELIST(syscall) | 65 | WHITELIST(syscall) |
| 69 | }; | 66 | }; |
| 70 | write_to_file(fd, filter, sizeof(filter)); | 67 | write_to_file(fd, filter, sizeof(filter)); |
| 71 | } | 68 | } |
| 72 | 69 | ||
| 73 | void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) { | 70 | static void write_blacklist(int fd, int syscall) { |
| 74 | (void) arg; | ||
| 75 | (void) ptrarg; | ||
| 76 | |||
| 77 | struct sock_filter filter[] = { | 71 | struct sock_filter filter[] = { |
| 78 | BLACKLIST(syscall) | 72 | BLACKLIST(syscall) |
| 79 | }; | 73 | }; |
| 80 | write_to_file(fd, filter, sizeof(filter)); | 74 | write_to_file(fd, filter, sizeof(filter)); |
| 81 | } | 75 | } |
| 82 | 76 | ||
| 77 | void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) { | ||
| 78 | (void) arg; | ||
| 79 | (void) ptrarg; | ||
| 80 | |||
| 81 | if (syscall >= 0) { | ||
| 82 | write_whitelist(fd, syscall); | ||
| 83 | } | ||
| 84 | } | ||
| 85 | |||
| 86 | // handle seccomp list exceptions (seccomp x,y,!z) | ||
| 87 | void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg) { | ||
| 88 | (void) arg; | ||
| 89 | (void) ptrarg; | ||
| 90 | |||
| 91 | if (syscall < 0) { | ||
| 92 | write_whitelist(fd, -syscall); | ||
| 93 | } | ||
| 94 | } | ||
| 95 | |||
| 96 | void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) { | ||
| 97 | (void) arg; | ||
| 98 | (void) ptrarg; | ||
| 99 | |||
| 100 | if (syscall >= 0) { | ||
| 101 | write_blacklist(fd, syscall); | ||
| 102 | } | ||
| 103 | } | ||
| 104 | |||
| 105 | // handle seccomp list exceptions (seccomp x,y,!z) | ||
| 106 | void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg) { | ||
| 107 | (void) arg; | ||
| 108 | (void) ptrarg; | ||
| 109 | |||
| 110 | if (syscall < 0) { | ||
| 111 | write_blacklist(fd, -syscall); | ||
| 112 | } | ||
| 113 | } | ||
| 114 | |||
| 83 | void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) { | 115 | void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) { |
| 84 | (void) ptrarg; | 116 | (void) ptrarg; |
| 85 | struct sock_filter filter[] = { | 117 | struct sock_filter filter[] = { |