major cleanup

author: netblue30 <netblue30@yahoo.com> 2016-11-02 07:49:01 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-11-02 07:49:01 -0400
commit: 72b93c5761b5e42c5742e192f46bac1696c36f4c (patch)
tree: 3951e01a771ea3e8f11b8364991bb47f752f011f /src/fseccomp/seccomp_file.c
parent: fixed /run/firejail/mnt problem introduced recently (diff)
download: firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.tar.gz
firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.tar.zst
firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.zip
1 files changed, 108 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
new file mode 100644
index 000000000..10ef9dd31
--- /dev/null
+++ b/src/fseccomp/seccomp_file.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+static void write_to_file(int fd, void *data, int size) {
+        assert(data);
+        assert(size);
+        
+        int written = 0;
+        while (written < size) {
+                int rv = write(fd, (unsigned char *) data + written, size - written);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot write seccomp file\n");
+                        exit(1);
+                }
+                written += rv;
+        }
+}
+void filter_init(int fd) {
+#if defined(__x86_64__)
+#define X32_SYSCALL_BIT 0x40000000
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                // handle X32 ABI
+                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
+                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
+                RETURN_ERRNO(EPERM)
+        };
+#else
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL
+        };
+#endif
+#if 0
+{
+        int i;
+        unsigned char *ptr = (unsigned char *) &filter[0];
+        for (i = 0; i < sizeof(filter); i++, ptr++)
+                printf("%x, ", (*ptr) & 0xff);
+        printf("\n");
+}
+#endif
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_add_whitelist(int fd, int syscall, int arg) {
+        (void) arg;
+        
+        struct sock_filter filter[] = {
+                WHITELIST(syscall)
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_add_blacklist(int fd, int syscall, int arg) {
+        (void) arg;
+        
+        struct sock_filter filter[] = {
+                BLACKLIST(syscall)
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_add_errno(int fd, int syscall, int arg) {
+        struct sock_filter filter[] = {
+                BLACKLIST_ERRNO(syscall, arg)
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_end_blacklist(int fd) {
+        struct sock_filter filter[] = {
+                RETURN_ALLOW
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_end_whitelist(int fd) {
+        struct sock_filter filter[] = {
+                KILL_PROCESS
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
author	netblue30 <netblue30@yahoo.com>	2016-11-02 07:49:01 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-11-02 07:49:01 -0400
commit	72b93c5761b5e42c5742e192f46bac1696c36f4c (patch)
tree	3951e01a771ea3e8f11b8364991bb47f752f011f /src/fseccomp/seccomp_file.c
parent	fixed /run/firejail/mnt problem introduced recently (diff)
download	firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.tar.gz firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.tar.zst firejail-72b93c5761b5e42c5742e192f46bac1696c36f4c.zip

diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c new file mode 100644 index 000000000..10ef9dd31 --- /dev/null +++ b/src/fseccomp/seccomp_file.c
@@ -0,0 +1,108 @@
	1	/*
	2	* Copyright (C) 2014-2016 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#include "fseccomp.h"
	21	#include "../include/seccomp.h"
	22	#include <sys/syscall.h>
	23
	24	static void write_to_file(int fd, void *data, int size) {
	25	assert(data);
	26	assert(size);
	27
	28	int written = 0;
	29	while (written < size) {
	30	int rv = write(fd, (unsigned char *) data + written, size - written);
	31	if (rv == -1) {
	32	fprintf(stderr, "Error fseccomp: cannot write seccomp file\n");
	33	exit(1);
	34	}
	35	written += rv;
	36	}
	37	}
	38
	39	void filter_init(int fd) {
	40	#if defined(__x86_64__)
	41	#define X32_SYSCALL_BIT 0x40000000
	42	struct sock_filter filter[] = {
	43	VALIDATE_ARCHITECTURE,
	44	EXAMINE_SYSCALL,
	45	// handle X32 ABI
	46	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
	47	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
	48	RETURN_ERRNO(EPERM)
	49	};
	50	#else
	51	struct sock_filter filter[] = {
	52	VALIDATE_ARCHITECTURE,
	53	EXAMINE_SYSCALL
	54	};
	55	#endif
	56
	57	#if 0
	58	{
	59	int i;
	60	unsigned char ptr = (unsigned char ) &filter[0];
	61	for (i = 0; i < sizeof(filter); i++, ptr++)
	62	printf("%x, ", (*ptr) & 0xff);
	63	printf("\n");
	64	}
	65	#endif
	66
	67	write_to_file(fd, filter, sizeof(filter));
	68	}
	69
	70	void filter_add_whitelist(int fd, int syscall, int arg) {
	71	(void) arg;
	72
	73	struct sock_filter filter[] = {
	74	WHITELIST(syscall)
	75	};
	76	write_to_file(fd, filter, sizeof(filter));
	77	}
	78
	79	void filter_add_blacklist(int fd, int syscall, int arg) {
	80	(void) arg;
	81
	82	struct sock_filter filter[] = {
	83	BLACKLIST(syscall)
	84	};
	85	write_to_file(fd, filter, sizeof(filter));
	86	}
	87
	88	void filter_add_errno(int fd, int syscall, int arg) {
	89	struct sock_filter filter[] = {
	90	BLACKLIST_ERRNO(syscall, arg)
	91	};
	92	write_to_file(fd, filter, sizeof(filter));
	93	}
	94
	95	void filter_end_blacklist(int fd) {
	96	struct sock_filter filter[] = {
	97	RETURN_ALLOW
	98	};
	99	write_to_file(fd, filter, sizeof(filter));
	100	}
	101
	102	void filter_end_whitelist(int fd) {
	103	struct sock_filter filter[] = {
	104	KILL_PROCESS
	105	};
	106	write_to_file(fd, filter, sizeof(filter));
	107	}
	108