author | Topi Miettinen <toiwoton@gmail.com> | 2019-08-25 18:37:05 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2019-08-25 18:37:05 +0300 |
commit | 39f9b1a2229f8624f92bdcf823ef755c15e28de2 (patch) | |
tree | c15cdcdd4abbccfdfbed58764de45827ff2e503c /src/fseccomp/seccomp_file.c | |
parent | Merge pull request #2921 from rusty-snake/allow-common-devel.inc (diff) | |
Allow exceptions to seccomp lists
Prefix ! can be used to make exceptions to system call blacklists and
whitelists used by seccomp, seccomp.drop and seccomp.keep.
Closes #1366
Diffstat (limited to 'src/fseccomp/seccomp_file.c')
-rw-r--r-- | src/fseccomp/seccomp_file.c | 48 |
1 files changed, 40 insertions, 8 deletions
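--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -60,26 +60,58 @@ void filter_init(int fd) {
 write_to_file(fd, filter, sizeof(filter));
 }
 
-void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) {
-(void) arg;
-(void) ptrarg;
-
+static void write_whitelist(int fd, int syscall) {
 struct sock_filter filter[] = {
 WHITELIST(syscall)
 };
 write_to_file(fd, filter, sizeof(filter));
 }
 
-void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) {
-(void) arg;
-(void) ptrarg;
-
+static void write_blacklist(int fd, int syscall) {
 struct sock_filter filter[] = {
 BLACKLIST(syscall)
 };
 write_to_file(fd, filter, sizeof(filter));
 }
 
+void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) {
+(void) arg;
+(void) ptrarg;
+
+if (syscall >= 0) {
+write_whitelist(fd, syscall);
+}
+}
+
+// handle seccomp list exceptions (seccomp x,y,!z)
+void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg) {
+(void) arg;
+(void) ptrarg;
+
+if (syscall < 0) {
+write_whitelist(fd, -syscall);
+}
+}
+
+void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) {
+(void) arg;
+(void) ptrarg;
+
+if (syscall >= 0) {
+write_blacklist(fd, syscall);
+}
+}
+
+// handle seccomp list exceptions (seccomp x,y,!z)
+void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg) {
+(void) arg;
+(void) ptrarg;
+
+if (syscall < 0) {
+write_blacklist(fd, -syscall);
+}
+}
+
 void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) {
 (void) ptrarg;
 struct sock_filter filter[] = {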
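Review bot: The sign-based encoding that filter_add_whitelist_for_excluded and filter_add_blacklist_for_excluded depend on cannot represent an exception for syscall number 0, because -0 is 0 and the `syscall >= 0` test in filter_add_whitelist and filter_add_blacklist then installs that entry as an ordinary list member (on x86-64 number 0 is read, so a `!read` exception would silently become a plain rule). The encoding of `!name` entries is done by the caller, outside this hunk, so this is inferred from the sign tests visible here rather than confirmed. A seccomp BPF program returns on the first matching rule, so the `_for_excluded` rules only override a group entry if the caller emits them ahead of the group's rules; that ordering is not visible in this hunk either. At minimum the convention should be stated where it is consumed, e.g. above write_whitelist: `// syscall < 0 encodes a list exception (!name) as -nr; nr 0 cannot be marked this way`. filter_add_errno begins inside the hunk and continues past its end.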