diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2017-07-28 13:50:10 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2017-07-28 14:06:30 +0300 |
| commit | 9a3344f9a569de5a2b619ff9ebc01cbd195ee1d0 (patch) | |
| tree | b060bcf0ef7da262225c2cdf3812b58e6005ecf9 /src/fseccomp/seccomp_print.c | |
| parent | network testing (diff) | |
| download | firejail-9a3344f9a569de5a2b619ff9ebc01cbd195ee1d0.tar.gz firejail-9a3344f9a569de5a2b619ff9ebc01cbd195ee1d0.tar.zst firejail-9a3344f9a569de5a2b619ff9ebc01cbd195ee1d0.zip | |
Improve seccomp printing
Diffstat (limited to 'src/fseccomp/seccomp_print.c')
| -rw-r--r-- | src/fseccomp/seccomp_print.c | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index 67555e554..e10585a15 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
| @@ -69,9 +69,14 @@ void filter_print(const char *fname) { | |||
| 69 | load_seccomp(fname); | 69 | load_seccomp(fname); |
| 70 | 70 | ||
| 71 | // start filter | 71 | // start filter |
| 72 | struct sock_filter start[] = { | 72 | const struct sock_filter start[] = { |
| 73 | VALIDATE_ARCHITECTURE, | 73 | VALIDATE_ARCHITECTURE, |
| 74 | #if defined(__x86_64__) | ||
| 75 | EXAMINE_SYSCALL, | ||
| 76 | HANDLE_X32 | ||
| 77 | #else | ||
| 74 | EXAMINE_SYSCALL | 78 | EXAMINE_SYSCALL |
| 79 | #endif | ||
| 75 | }; | 80 | }; |
| 76 | 81 | ||
| 77 | // print sizes | 82 | // print sizes |
| @@ -80,7 +85,10 @@ void filter_print(const char *fname) { | |||
| 80 | // test the start of the filter | 85 | // test the start of the filter |
| 81 | if (memcmp(&start[0], filter, sizeof(start)) == 0) { | 86 | if (memcmp(&start[0], filter, sizeof(start)) == 0) { |
| 82 | printf(" VALIDATE_ARCHITECTURE\n"); | 87 | printf(" VALIDATE_ARCHITECTURE\n"); |
| 83 | printf(" EXAMINE_SYSCAL\n"); | 88 | printf(" EXAMINE_SYSCALL\n"); |
| 89 | #if defined(__x86_64__) | ||
| 90 | printf(" HANDLE_X32\n"); | ||
| 91 | #endif | ||
| 84 | } | 92 | } |
| 85 | else { | 93 | else { |
| 86 | printf("Invalid seccomp filter %s\n", fname); | 94 | printf("Invalid seccomp filter %s\n", fname); |
| @@ -88,34 +96,36 @@ void filter_print(const char *fname) { | |||
| 88 | } | 96 | } |
| 89 | 97 | ||
| 90 | // loop trough blacklists | 98 | // loop trough blacklists |
| 91 | int i = 4; | 99 | int i = sizeof(start) / sizeof(struct sock_filter); |
| 92 | while (i < filter_cnt) { | 100 | while (i < filter_cnt) { |
| 93 | // minimal parsing! | 101 | // minimal parsing! |
| 94 | unsigned char *ptr = (unsigned char *) &filter[i]; | 102 | struct sock_filter *s = (struct sock_filter *) &filter[i]; |
| 95 | int *nr = (int *) (ptr + 4); | 103 | if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_ALLOW ) { |
| 96 | if (*ptr == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) { | 104 | printf(" WHITELIST %d %s\n", s->k, syscall_find_nr(s->k)); |
| 97 | printf(" WHITELIST %d %s\n", *nr, syscall_find_nr(*nr)); | ||
| 98 | i += 2; | 105 | i += 2; |
| 99 | } | 106 | } |
| 100 | else if (*ptr == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) { | 107 | else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_KILL ) { |
| 101 | printf(" BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr)); | 108 | printf(" BLACKLIST %d %s\n", s->k, syscall_find_nr(s->k)); |
| 102 | i += 2; | 109 | i += 2; |
| 103 | } | 110 | } |
| 104 | else if (*ptr == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) { | 111 | else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && ((s + 1)->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) { |
| 105 | int err = *(ptr + 13) << 8 | *(ptr + 12); | 112 | printf(" BLACKLIST_ERRNO %d %s %d %s\n", s->k, syscall_find_nr(s->k), (s + 1)->k & SECCOMP_RET_DATA, errno_find_nr((s + 1)->k & SECCOMP_RET_DATA)); |
| 106 | printf(" ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err)); | ||
| 107 | i += 2; | 113 | i += 2; |
| 108 | } | 114 | } |
| 109 | else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) { | 115 | else if (s->code == BPF_RET+BPF_K && (s->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) { |
| 116 | printf(" RETURN_ERRNO %d %s\n", s->k & SECCOMP_RET_DATA, errno_find_nr(s->k & SECCOMP_RET_DATA)); | ||
| 117 | i++; | ||
| 118 | } | ||
| 119 | else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_KILL) { | ||
| 110 | printf(" KILL_PROCESS\n"); | 120 | printf(" KILL_PROCESS\n"); |
| 111 | i++; | 121 | i++; |
| 112 | } | 122 | } |
| 113 | else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) { | 123 | else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_ALLOW) { |
| 114 | printf(" RETURN_ALLOW\n"); | 124 | printf(" RETURN_ALLOW\n"); |
| 115 | i++; | 125 | i++; |
| 116 | } | 126 | } |
| 117 | else { | 127 | else { |
| 118 | printf(" UNKNOWN ENTRY!!!\n"); | 128 | printf(" UNKNOWN ENTRY %x!\n", s->code); |
| 119 | i++; | 129 | i++; |
| 120 | } | 130 | } |
| 121 | } | 131 | } |