author | Topi Miettinen <toiwoton@gmail.com> | 2017-08-06 23:20:34 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-06 23:24:20 +0300 |
commit | d382f230ed46004d81b60b97ddc79380632688d1 (patch) | |
tree | cef3bf2b80aa6c4f2a8fd7c40c12c544e1683c5b /src/fseccomp | |
parent | Seccomp: system call grouping and call numbers (diff) | |
Seccomp: split @default into more meaningful smaller groups
Diffstat (limited to 'src/fseccomp')
-rw-r--r-- | src/fseccomp/syscall.c | 354 |
1 files changed, 191 insertions, 163 deletions
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index ecf057ee0..5893a2ea8 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
@@ -41,78 +41,81 @@ static const SyscallEntry syslist[] = { | |||
41 | }; // end of syslist | 41 | }; // end of syslist |
42 | 42 | ||
43 | static const SyscallGroupList sysgroups[] = { | 43 | static const SyscallGroupList sysgroups[] = { |
44 | { .name = "@default", .list = | 44 | { .name = "@clock", .list = |
45 | #ifdef SYS_mount | 45 | #ifdef SYS_adjtimex |
46 | "mount," | 46 | "adjtimex," |
47 | #endif | ||
48 | #ifdef SYS_umount2 | ||
49 | "umount2," | ||
50 | #endif | ||
51 | #ifdef SYS_kexec_load | ||
52 | "kexec_load," | ||
53 | #endif | ||
54 | #ifdef SYS_kexec_file_load | ||
55 | "kexec_file_load," | ||
56 | #endif | ||
57 | #ifdef SYS_open_by_handle_at | ||
58 | "open_by_handle_at," | ||
59 | #endif | ||
60 | #ifdef SYS_name_to_handle_at | ||
61 | "name_to_handle_at," | ||
62 | #endif | 47 | #endif |
63 | #ifdef SYS_init_module | 48 | #ifdef SYS_clock_adjtime |
64 | "init_module," | 49 | "clock_adjtime," |
65 | #endif | 50 | #endif |
66 | #ifdef SYS_finit_module | 51 | #ifdef SYS_clock_settime |
67 | "finit_module," | 52 | "clock_settime," |
68 | #endif | 53 | #endif |
69 | #ifdef SYS_create_module | 54 | #ifdef SYS_settimeofday |
70 | "create_module," | 55 | "settimeofday," |
71 | #endif | 56 | #endif |
72 | #ifdef SYS_delete_module | 57 | #ifdef SYS_stime |
73 | "delete_module," | 58 | "stime" |
74 | #endif | 59 | #endif |
75 | #ifdef SYS_iopl | 60 | }, |
76 | "iopl," | 61 | { .name = "@cpu-emulation", .list = |
62 | #ifdef SYS_modify_ldt | ||
63 | "modify_ldt," | ||
77 | #endif | 64 | #endif |
78 | #ifdef SYS_ioperm | 65 | #ifdef SYS_subpage_prot |
79 | "ioperm," | 66 | "subpage_prot," |
80 | #endif | 67 | #endif |
81 | #ifdef SYS_ioprio_set | 68 | #ifdef SYS_switch_endian |
82 | "ioprio_set," | 69 | "switch_endian," |
83 | #endif | 70 | #endif |
84 | #ifdef SYS_ni_syscall | 71 | #ifdef SYS_vm86 |
85 | "ni_syscall," | 72 | "vm86," |
86 | #endif | 73 | #endif |
87 | #ifdef SYS_swapon | 74 | #ifdef SYS_vm86old |
88 | "swapon," | 75 | "vm86old" |
89 | #endif | 76 | #endif |
90 | #ifdef SYS_swapoff | 77 | }, |
91 | "swapoff," | 78 | { .name = "@debug", .list = |
79 | #ifdef SYS_lookup_dcookie | ||
80 | "lookup_dcookie," | ||
92 | #endif | 81 | #endif |
93 | #ifdef SYS_syslog | 82 | #ifdef SYS_perf_event_open |
94 | "syslog," | 83 | "perf_event_open," |
95 | #endif | 84 | #endif |
96 | #ifdef SYS_process_vm_writev | 85 | #ifdef SYS_process_vm_writev |
97 | "process_vm_writev," | 86 | "process_vm_writev," |
98 | #endif | 87 | #endif |
99 | #ifdef SYS_sysfs | 88 | #ifdef SYS_rtas |
100 | "sysfs," | 89 | "rtas," |
101 | #endif | 90 | #endif |
102 | #ifdef SYS__sysctl | 91 | #ifdef SYS_s390_runtime_instr |
103 | "_sysctl," | 92 | "s390_runtime_instr," |
104 | #endif | 93 | #endif |
105 | #ifdef SYS_adjtimex | 94 | #ifdef SYS_sys_debug_setcontext |
106 | "adjtimex," | 95 | "sys_debug_setcontext," |
107 | #endif | 96 | #endif |
108 | #ifdef SYS_clock_adjtime | 97 | }, |
109 | "clock_adjtime," | 98 | { .name = "@default", .list = |
99 | "@cpu-emulation," | ||
100 | "@debug," | ||
101 | "@module," | ||
102 | "@obsolete," | ||
103 | "@privileged," | ||
104 | "@resources," | ||
105 | #ifdef SYS_open_by_handle_at | ||
106 | "open_by_handle_at," | ||
110 | #endif | 107 | #endif |
111 | #ifdef SYS_lookup_dcookie | 108 | #ifdef SYS_name_to_handle_at |
112 | "lookup_dcookie," | 109 | "name_to_handle_at," |
113 | #endif | 110 | #endif |
114 | #ifdef SYS_perf_event_open | 111 | #ifdef SYS_ioprio_set |
115 | "perf_event_open," | 112 | "ioprio_set," |
113 | #endif | ||
114 | #ifdef SYS_ni_syscall | ||
115 | "ni_syscall," | ||
116 | #endif | ||
117 | #ifdef SYS_syslog | ||
118 | "syslog," | ||
116 | #endif | 119 | #endif |
117 | #ifdef SYS_fanotify_init | 120 | #ifdef SYS_fanotify_init |
118 | "fanotify_init," | 121 | "fanotify_init," |
@@ -129,18 +132,6 @@ static const SyscallGroupList sysgroups[] = { | |||
129 | #ifdef SYS_keyctl | 132 | #ifdef SYS_keyctl |
130 | "keyctl," | 133 | "keyctl," |
131 | #endif | 134 | #endif |
132 | #ifdef SYS_uselib | ||
133 | "uselib," | ||
134 | #endif | ||
135 | #ifdef SYS_acct | ||
136 | "acct," | ||
137 | #endif | ||
138 | #ifdef SYS_modify_ldt | ||
139 | "modify_ldt," | ||
140 | #endif | ||
141 | #ifdef SYS_pivot_root | ||
142 | "pivot_root," | ||
143 | #endif | ||
144 | #ifdef SYS_io_setup | 135 | #ifdef SYS_io_setup |
145 | "io_setup," | 136 | "io_setup," |
146 | #endif | 137 | #endif |
@@ -159,71 +150,49 @@ static const SyscallGroupList sysgroups[] = { | |||
159 | #ifdef SYS_remap_file_pages | 150 | #ifdef SYS_remap_file_pages |
160 | "remap_file_pages," | 151 | "remap_file_pages," |
161 | #endif | 152 | #endif |
162 | #ifdef SYS_mbind | ||
163 | "mbind," | ||
164 | #endif | ||
165 | #ifdef SYS_set_mempolicy | ||
166 | "set_mempolicy," | ||
167 | #endif | ||
168 | #ifdef SYS_migrate_pages | ||
169 | "migrate_pages," | ||
170 | #endif | ||
171 | #ifdef SYS_move_pages | ||
172 | "move_pages," | ||
173 | #endif | ||
174 | #ifdef SYS_vmsplice | 153 | #ifdef SYS_vmsplice |
175 | "vmsplice," | 154 | "vmsplice," |
176 | #endif | 155 | #endif |
177 | #ifdef SYS_chroot | ||
178 | "chroot," | ||
179 | #endif | ||
180 | #ifdef SYS_tuxcall | ||
181 | "tuxcall," | ||
182 | #endif | ||
183 | #ifdef SYS_reboot | ||
184 | "reboot," | ||
185 | #endif | ||
186 | #ifdef SYS_nfsservctl | ||
187 | "nfsservctl," | ||
188 | #endif | ||
189 | #ifdef SYS_get_kernel_syms | ||
190 | "get_kernel_syms," | ||
191 | #endif | ||
192 | #ifdef SYS_bpf | ||
193 | "bpf," | ||
194 | #endif | ||
195 | #ifdef SYS_clock_settime | ||
196 | "clock_settime," | ||
197 | #endif | ||
198 | #ifdef SYS_personality | 156 | #ifdef SYS_personality |
199 | "personality," | 157 | "personality," |
200 | #endif | 158 | #endif |
201 | #ifdef SYS_process_vm_writev | ||
202 | "process_vm_writev," | ||
203 | #endif | ||
204 | #ifdef SYS_query_module | ||
205 | "query_module," | ||
206 | #endif | ||
207 | #ifdef SYS_settimeofday | ||
208 | "settimeofday," | ||
209 | #endif | ||
210 | #ifdef SYS_stime | ||
211 | "stime," | ||
212 | #endif | ||
213 | #ifdef SYS_umount | 159 | #ifdef SYS_umount |
214 | "umount," | 160 | "umount," |
215 | #endif | 161 | #endif |
216 | #ifdef SYS_userfaultfd | 162 | #ifdef SYS_userfaultfd |
217 | "userfaultfd," | 163 | "userfaultfd" |
218 | #endif | 164 | #endif |
219 | #ifdef SYS_ustat | 165 | }, |
220 | "ustat," | 166 | { .name = "@default-nodebuggers", .list = |
167 | "@default," | ||
168 | #ifdef SYS_ptrace | ||
169 | "ptrace," | ||
221 | #endif | 170 | #endif |
222 | #ifdef SYS_vm86 | 171 | #ifdef SYS_process_vm_readv |
223 | "vm86," | 172 | "process_vm_readv" |
224 | #endif | 173 | #endif |
225 | #ifdef SYS_vm86old | 174 | }, |
226 | "vm86old," | 175 | { .name = "@default-keep", .list = |
176 | "dup," | ||
177 | "prctl," | ||
178 | "setgid," | ||
179 | "setgroups," | ||
180 | "setuid" | ||
181 | }, | ||
182 | { .name = "@module", .list = | ||
183 | #ifdef SYS_delete_module | ||
184 | "delete_module," | ||
185 | #endif | ||
186 | #ifdef SYS_finit_module | ||
187 | "finit_module," | ||
188 | #endif | ||
189 | #ifdef SYS_init_module | ||
190 | "init_module" | ||
191 | #endif | ||
192 | }, | ||
193 | { .name = "@obsolete", .list = | ||
194 | #ifdef SYS__sysctl | ||
195 | "_sysctl," | ||
227 | #endif | 196 | #endif |
228 | #ifdef SYS_afs_syscall | 197 | #ifdef SYS_afs_syscall |
229 | "afs_syscall," | 198 | "afs_syscall," |
@@ -234,9 +203,15 @@ static const SyscallGroupList sysgroups[] = { | |||
234 | #ifdef SYS_break | 203 | #ifdef SYS_break |
235 | "break," | 204 | "break," |
236 | #endif | 205 | #endif |
206 | #ifdef SYS_create_module | ||
207 | "create_module," | ||
208 | #endif | ||
237 | #ifdef SYS_ftime | 209 | #ifdef SYS_ftime |
238 | "ftime," | 210 | "ftime," |
239 | #endif | 211 | #endif |
212 | #ifdef SYS_get_kernel_syms | ||
213 | "get_kernel_syms," | ||
214 | #endif | ||
240 | #ifdef SYS_getpmsg | 215 | #ifdef SYS_getpmsg |
241 | "getpmsg," | 216 | "getpmsg," |
242 | #endif | 217 | #endif |
@@ -249,15 +224,6 @@ static const SyscallGroupList sysgroups[] = { | |||
249 | #ifdef SYS_mpx | 224 | #ifdef SYS_mpx |
250 | "mpx," | 225 | "mpx," |
251 | #endif | 226 | #endif |
252 | #ifdef SYS_pciconfig_iobase | ||
253 | "pciconfig_iobase," | ||
254 | #endif | ||
255 | #ifdef SYS_pciconfig_read | ||
256 | "pciconfig_read," | ||
257 | #endif | ||
258 | #ifdef SYS_pciconfig_write | ||
259 | "pciconfig_write," | ||
260 | #endif | ||
261 | #ifdef SYS_prof | 227 | #ifdef SYS_prof |
262 | "prof," | 228 | "prof," |
263 | #endif | 229 | #endif |
@@ -267,27 +233,12 @@ static const SyscallGroupList sysgroups[] = { | |||
267 | #ifdef SYS_putpmsg | 233 | #ifdef SYS_putpmsg |
268 | "putpmsg," | 234 | "putpmsg," |
269 | #endif | 235 | #endif |
270 | #ifdef SYS_rtas | 236 | #ifdef SYS_query_module |
271 | "rtas," | 237 | "query_module," |
272 | #endif | ||
273 | #ifdef SYS_s390_runtime_instr | ||
274 | "s390_runtime_instr," | ||
275 | #endif | ||
276 | #ifdef SYS_s390_mmio_read | ||
277 | "s390_mmio_read," | ||
278 | #endif | ||
279 | #ifdef SYS_s390_mmio_write | ||
280 | "s390_mmio_write," | ||
281 | #endif | 238 | #endif |
282 | #ifdef SYS_security | 239 | #ifdef SYS_security |
283 | "security," | 240 | "security," |
284 | #endif | 241 | #endif |
285 | #ifdef SYS_setdomainname | ||
286 | "setdomainname," | ||
287 | #endif | ||
288 | #ifdef SYS_sethostname | ||
289 | "sethostname," | ||
290 | #endif | ||
291 | #ifdef SYS_sgetmask | 242 | #ifdef SYS_sgetmask |
292 | "sgetmask," | 243 | "sgetmask," |
293 | #endif | 244 | #endif |
@@ -297,40 +248,117 @@ static const SyscallGroupList sysgroups[] = { | |||
297 | #ifdef SYS_stty | 248 | #ifdef SYS_stty |
298 | "stty," | 249 | "stty," |
299 | #endif | 250 | #endif |
300 | #ifdef SYS_subpage_prot | 251 | #ifdef SYS_sysfs |
301 | "subpage_prot," | 252 | "sysfs," |
302 | #endif | ||
303 | #ifdef SYS_switch_endian | ||
304 | "switch_endian," | ||
305 | #endif | 253 | #endif |
306 | #ifdef SYS_sys_debug_setcontext | 254 | #ifdef SYS_tuxcall |
307 | "sys_debug_setcontext," | 255 | "tuxcall," |
308 | #endif | 256 | #endif |
309 | #ifdef SYS_ulimit | 257 | #ifdef SYS_ulimit |
310 | "ulimit," | 258 | "ulimit," |
311 | #endif | 259 | #endif |
312 | #ifdef SYS_vhangup | 260 | #ifdef SYS_uselib |
313 | "vhangup," | 261 | "uselib," |
262 | #endif | ||
263 | #ifdef SYS_ustat | ||
264 | "ustat," | ||
314 | #endif | 265 | #endif |
315 | #ifdef SYS_vserver | 266 | #ifdef SYS_vserver |
316 | "vserver" | 267 | "vserver" |
317 | #endif | 268 | #endif |
318 | }, | 269 | }, |
319 | { .name = "@default-nodebuggers", .list = | 270 | { .name = "@privileged", .list = |
320 | "@default," | 271 | "@clock," |
321 | #ifdef SYS_ptrace | 272 | "@module," |
322 | "ptrace," | 273 | "@raw-io," |
274 | "@reboot," | ||
275 | "@swap," | ||
276 | #ifdef SYS_acct | ||
277 | "acct," | ||
323 | #endif | 278 | #endif |
324 | #ifdef SYS_process_vm_readv | 279 | #ifdef SYS_bpf |
325 | "process_vm_readv" | 280 | "bpf," |
281 | #endif | ||
282 | #ifdef SYS_chroot | ||
283 | "chroot," | ||
284 | #endif | ||
285 | #ifdef SYS_mount | ||
286 | "mount," | ||
287 | #endif | ||
288 | #ifdef SYS_nfsservctl | ||
289 | "nfsservctl," | ||
290 | #endif | ||
291 | #ifdef SYS_pivot_root | ||
292 | "pivot_root," | ||
293 | #endif | ||
294 | #ifdef SYS_setdomainname | ||
295 | "setdomainname," | ||
296 | #endif | ||
297 | #ifdef SYS_sethostname | ||
298 | "sethostname," | ||
299 | #endif | ||
300 | #ifdef SYS_umount2 | ||
301 | "umount2," | ||
302 | #endif | ||
303 | #ifdef SYS_vhangup | ||
304 | "vhangup" | ||
326 | #endif | 305 | #endif |
327 | }, | 306 | }, |
328 | { .name = "@default-keep", .list = | 307 | { .name = "@raw-io", .list = |
329 | "dup," | 308 | #ifdef SYS_ioperm |
330 | "prctl," | 309 | "ioperm," |
331 | "setgid," | 310 | #endif |
332 | "setgroups," | 311 | #ifdef SYS_iopl |
333 | "setuid" | 312 | "iopl," |
313 | #endif | ||
314 | #ifdef SYS_pciconfig_iobase | ||
315 | "pciconfig_iobase," | ||
316 | #endif | ||
317 | #ifdef SYS_pciconfig_read | ||
318 | "pciconfig_read," | ||
319 | #endif | ||
320 | #ifdef SYS_pciconfig_write | ||
321 | "pciconfig_write," | ||
322 | #endif | ||
323 | #ifdef SYS_s390_mmio_read | ||
324 | "s390_mmio_read," | ||
325 | #endif | ||
326 | #ifdef SYS_s390_mmio_write | ||
327 | "s390_mmio_write" | ||
328 | #endif | ||
329 | }, | ||
330 | { .name = "@reboot", .list = | ||
331 | #ifdef SYS_kexec_load | ||
332 | "kexec_load," | ||
333 | #endif | ||
334 | #ifdef SYS_kexec_file_load | ||
335 | "kexec_file_load," | ||
336 | #endif | ||
337 | #ifdef SYS_reboot | ||
338 | "reboot," | ||
339 | #endif | ||
340 | }, | ||
341 | { .name = "@resources", .list = | ||
342 | #ifdef SYS_set_mempolicy | ||
343 | "set_mempolicy," | ||
344 | #endif | ||
345 | #ifdef SYS_migrate_pages | ||
346 | "migrate_pages," | ||
347 | #endif | ||
348 | #ifdef SYS_move_pages | ||
349 | "move_pages," | ||
350 | #endif | ||
351 | #ifdef SYS_mbind | ||
352 | "mbind" | ||
353 | #endif | ||
354 | }, | ||
355 | { .name = "@swap", .list = | ||
356 | #ifdef SYS_swapon | ||
357 | "swapon," | ||
358 | #endif | ||
359 | #ifdef SYS_swapoff | ||
360 | "swapoff" | ||
361 | #endif | ||
334 | } | 362 | } |
335 | }; | 363 | }; |
336 | 364 | ||
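Review bot: Several of the new groups can end up with no string at all inside `.list =`, which is a compile error rather than an empty group: `@cpu-emulation` (new lines 61-77) consists only of `modify_ldt`, `subpage_prot`, `switch_endian`, `vm86` and `vm86old`, each under `#ifdef`, and on an architecture that defines none of them (arm64 is the obvious candidate) the initializer collapses to `{ .name = "@cpu-emulation", .list = },`; `@raw-io`, `@debug`, `@resources` and `@swap` have the same shape. The old `@default` was safe because it always contained at least one unconditional entry, so this is a regression introduced by the split, and a per-group unconditional terminator such as `"__dummy_syscall__"` (which the parser would then have to ignore) or a `_Static_assert`-style guard per architecture is needed. Separately, the list termination is inconsistent: `@debug` ends in `"sys_debug_setcontext,"` (new line 95) and `@reboot` in `"reboot,"` (new line 338) with a trailing comma, while `@clock`, `@module`, `@swap` etc. drop the comma on the last entry; whether a trailing empty element is tolerated depends on the list parser, which is outside this hunk, so either drop the two commas or make all groups uniform. Finally, `@default` now resolves through two levels of nesting (`@default` → `@privileged` → `@clock`/`@raw-io`/...), and `@module` is reached both directly and via `@privileged`; the group expander previously only had to handle one level (`@default-nodebuggers` → `@default`), so please confirm it recurses and de-duplicates, as the resolver is not visible here.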