authorLibravatar netblue30 <netblue30@yahoo.com>2016-11-02 07:49:01 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-11-02 07:49:01 -0400
commit72b93c5761b5e42c5742e192f46bac1696c36f4c (patch)
tree3951e01a771ea3e8f11b8364991bb47f752f011f /src/fseccomp/seccomp_secondary.c
parentfixed /run/firejail/mnt problem introduced recently (diff)
major cleanup
Diffstat (limited to 'src/fseccomp/seccomp_secondary.c')
-rw-r--r--src/fseccomp/seccomp_secondary.c183
1 files changed, 183 insertions, 0 deletions
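diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
new file mode 100644
index 000000000..a856e5aef
--- /dev/null
+++ b/src/fseccomp/seccomp_secondary.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+
+void seccomp_secondary_64(const char *fname) {
+ // hardcoded syscall values
+ struct sock_filter filter[] = {
+ VALIDATE_ARCHITECTURE_64,
+ EXAMINE_SYSCALL,
+ BLACKLIST(165), // mount
+ BLACKLIST(166), // umount2
+// todo: implement --allow-debuggers
+ BLACKLIST(101), // ptrace
+ BLACKLIST(246), // kexec_load
+ BLACKLIST(304), // open_by_handle_at
+ BLACKLIST(303), // name_to_handle_at
+ BLACKLIST(174), // create_module
+ BLACKLIST(175), // init_module
+ BLACKLIST(313), // finit_module
+ BLACKLIST(176), // delete_module
+ BLACKLIST(172), // iopl
+ BLACKLIST(173), // ioperm
+ BLACKLIST(251), // ioprio_set
+ BLACKLIST(167), // swapon
+ BLACKLIST(168), // swapoff
+ BLACKLIST(103), // syslog
+ BLACKLIST(310), // process_vm_readv
+ BLACKLIST(311), // process_vm_writev
+ BLACKLIST(139), // sysfs
+ BLACKLIST(156), // _sysctl
+ BLACKLIST(159), // adjtimex
+ BLACKLIST(305), // clock_adjtime
+ BLACKLIST(212), // lookup_dcookie
+ BLACKLIST(298), // perf_event_open
+ BLACKLIST(300), // fanotify_init
+ BLACKLIST(312), // kcmp
+ BLACKLIST(248), // add_key
+ BLACKLIST(249), // request_key
+ BLACKLIST(250), // keyctl
+ BLACKLIST(134), // uselib
+ BLACKLIST(163), // acct
+ BLACKLIST(154), // modify_ldt
+ BLACKLIST(155), // pivot_root
+ BLACKLIST(206), // io_setup
+ BLACKLIST(207), // io_destroy
+ BLACKLIST(208), // io_getevents
+ BLACKLIST(209), // io_submit
+ BLACKLIST(210), // io_cancel
+ BLACKLIST(216), // remap_file_pages
+ BLACKLIST(237), // mbind
+ BLACKLIST(239), // get_mempolicy
+ BLACKLIST(238), // set_mempolicy
+ BLACKLIST(256), // migrate_pages
+ BLACKLIST(279), // move_pages
+ BLACKLIST(278), // vmsplice
+ BLACKLIST(161), // chroot
+ BLACKLIST(184), // tuxcall
+ BLACKLIST(169), // reboot
+ BLACKLIST(180), // nfsservctl
+ BLACKLIST(177), // get_kernel_syms
+
+ RETURN_ALLOW
+ };
+
+ // save filter to file
+ int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ if (dst < 0) {
+ fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+ exit(1);
+ }
+
+ int size = (int) sizeof(filter);
+ int written = 0;
+ while (written < size) {
+ int rv = write(dst, (unsigned char *) filter + written, size - written);
+ if (rv == -1) {
+ fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
+ exit(1);
+ }
+ written += rv;
+ }
+ close(dst);
+}
+
+// i386 filter installed on amd64 architectures
+void seccomp_secondary_32(const char *fname) {
+ // hardcoded syscall values
+ struct sock_filter filter[] = {
+ VALIDATE_ARCHITECTURE_32,
+ EXAMINE_SYSCALL,
+ BLACKLIST(21), // mount
+ BLACKLIST(52), // umount2
+// todo: implement --allow-debuggers
+ BLACKLIST(26), // ptrace
+ BLACKLIST(283), // kexec_load
+ BLACKLIST(341), // name_to_handle_at
+ BLACKLIST(342), // open_by_handle_at
+ BLACKLIST(127), // create_module
+ BLACKLIST(128), // init_module
+ BLACKLIST(350), // finit_module
+ BLACKLIST(129), // delete_module
+ BLACKLIST(110), // iopl
+ BLACKLIST(101), // ioperm
+ BLACKLIST(289), // ioprio_set
+ BLACKLIST(87), // swapon
+ BLACKLIST(115), // swapoff
+ BLACKLIST(103), // syslog
+ BLACKLIST(347), // process_vm_readv
+ BLACKLIST(348), // process_vm_writev
+ BLACKLIST(135), // sysfs
+ BLACKLIST(149), // _sysctl
+ BLACKLIST(124), // adjtimex
+ BLACKLIST(343), // clock_adjtime
+ BLACKLIST(253), // lookup_dcookie
+ BLACKLIST(336), // perf_event_open
+ BLACKLIST(338), // fanotify_init
+ BLACKLIST(349), // kcmp
+ BLACKLIST(286), // add_key
+ BLACKLIST(287), // request_key
+ BLACKLIST(288), // keyctl
+ BLACKLIST(86), // uselib
+ BLACKLIST(51), // acct
+ BLACKLIST(123), // modify_ldt
+ BLACKLIST(217), // pivot_root
+ BLACKLIST(245), // io_setup
+ BLACKLIST(246), // io_destroy
+ BLACKLIST(247), // io_getevents
+ BLACKLIST(248), // io_submit
+ BLACKLIST(249), // io_cancel
+ BLACKLIST(257), // remap_file_pages
+ BLACKLIST(274), // mbind
+ BLACKLIST(275), // get_mempolicy
+ BLACKLIST(276), // set_mempolicy
+ BLACKLIST(294), // migrate_pages
+ BLACKLIST(317), // move_pages
+ BLACKLIST(316), // vmsplice
+ BLACKLIST(61), // chroot
+ BLACKLIST(88), // reboot
+ BLACKLIST(169), // nfsservctl
+ BLACKLIST(130), // get_kernel_syms
+
+ RETURN_ALLOW
+ };
+
+ // save filter to file
+ int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ if (dst < 0) {
+ fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+ exit(1);
+ }
+
+ int size = (int) sizeof(filter);
+ int written = 0;
+ while (written < size) {
+ int rv = write(dst, (unsigned char *) filter + written, size - written);
+ if (rv == -1) {
+ fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
+ exit(1);
+ }
+ written += rv;
+ }
+ close(dst);
+}
+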
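Review bot: The open-and-write block at the end of seccomp_secondary_64 (file lines 84–101) is repeated byte-for-byte in seccomp_secondary_32 (lines 164–181), and in both copies a failed write() calls exit(1) with the partially written filter left on disk and the close() result is never checked. A short BPF file is only a problem if the consumer loads it without checking its length, which is outside this file, but unlinking the file before exit(1) removes the question entirely and costs one line. A single static helper that both functions call as `write_filter(fname, filter, sizeof(filter));` covers both points and is sketched below; unlink() is declared in the same <unistd.h> that already supplies write() and close(). If fname can ever be placed in a directory other users can write to, adding O_NOFOLLOW to the open() flags would also keep a pre-existing symlink from redirecting the write, though whether that applies depends on where the caller puts the file.
```c
// shared by seccomp_secondary_64/_32: write the compiled filter to fname and never leave a truncated file behind
static void write_filter(const char *fname, const void *filter, size_t size) {
	int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
	if (dst < 0) {
		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
		exit(1);
	}
	size_t written = 0;
	while (written < size) {
		ssize_t rv = write(dst, (const unsigned char *) filter + written, size - written);
		if (rv < 0) {
			fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
			unlink(fname);	// a partial filter must not be picked up by the loader
			exit(1);
		}
		written += (size_t) rv;
	}
	if (close(dst) != 0) {	// close() can report a deferred write error
		fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
		unlink(fname);
		exit(1);
	}
}

void seccomp_secondary_64(const char *fname) {
	struct sock_filter filter[] = {
		// … unchanged: VALIDATE_ARCHITECTURE_64 … RETURN_ALLOW …
	};
	write_filter(fname, filter, sizeof(filter));
}

// … unchanged: seccomp_secondary_32 gets the same one-line call in place of its copy of the loop …
```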