author | netblue30 <netblue30@yahoo.com> | 2018-05-06 11:22:35 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2018-05-06 11:22:35 -0400 |
commit | f905f046cc554f8ec2b800bcb9965b0f360cfd91 (patch) | |
tree | 789d465559540e25d5a97b52ca1a766db8ec14f5 /src/fseccomp | |
parent | ark.profile: Add private-bin and private-etc (diff) | |
download | firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.tar.gz firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.tar.zst firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.zip |
remove 64bit seccomp filter from 32bit architectures
Diffstat (limited to 'src/fseccomp')
-rw-r--r-- | src/fseccomp/main.c | 2 | ||||
-rw-r--r-- | src/fseccomp/seccomp_secondary.c | 65 |
2 files changed, 0 insertions, 67 deletions
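--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -70,8 +70,6 @@ printf("\n");
 protocol_print();
 else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
 protocol_build_filter(argv[3], argv[4]);
-else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
-seccomp_secondary_64(argv[3]);
 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
 seccomp_secondary_32(argv[3]);
 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)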
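--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -42,71 +42,6 @@ static void write_filter(const char *fname, size_t size, const void *filter) {
 close(dst);
 }
 
-void seccomp_secondary_64(const char *fname) {
-// hardcoded syscall values
-struct sock_filter filter[] = {
-VALIDATE_ARCHITECTURE_64,
-EXAMINE_SYSCALL,
-BLACKLIST(165), // mount
-BLACKLIST(166), // umount2
-// todo: implement --allow-debuggers
-BLACKLIST(101), // ptrace
-BLACKLIST(246), // kexec_load
-BLACKLIST(304), // open_by_handle_at
-BLACKLIST(303), // name_to_handle_at
-BLACKLIST(174), // create_module
-BLACKLIST(175), // init_module
-BLACKLIST(313), // finit_module
-BLACKLIST(176), // delete_module
-BLACKLIST(172), // iopl
-BLACKLIST(173), // ioperm
-BLACKLIST(251), // ioprio_set
-BLACKLIST(167), // swapon
-BLACKLIST(168), // swapoff
-BLACKLIST(103), // syslog
-BLACKLIST(310), // process_vm_readv
-BLACKLIST(311), // process_vm_writev
-BLACKLIST(139), // sysfs
-BLACKLIST(156), // _sysctl
-BLACKLIST(159), // adjtimex
-BLACKLIST(305), // clock_adjtime
-BLACKLIST(212), // lookup_dcookie
-BLACKLIST(298), // perf_event_open
-BLACKLIST(300), // fanotify_init
-BLACKLIST(312), // kcmp
-BLACKLIST(248), // add_key
-BLACKLIST(249), // request_key
-BLACKLIST(250), // keyctl
-BLACKLIST(134), // uselib
-BLACKLIST(163), // acct
-BLACKLIST(154), // modify_ldt
-BLACKLIST(155), // pivot_root
-BLACKLIST(206), // io_setup
-BLACKLIST(207), // io_destroy
-BLACKLIST(208), // io_getevents
-BLACKLIST(209), // io_submit
-BLACKLIST(210), // io_cancel
-BLACKLIST(216), // remap_file_pages
-BLACKLIST(237), // mbind
-// breaking Firefox nightly when playing youtube videos
-// TODO: test again when firefox sandbox is finally released
-// BLACKLIST(239), // get_mempolicy
-BLACKLIST(238), // set_mempolicy
-BLACKLIST(256), // migrate_pages
-BLACKLIST(279), // move_pages
-BLACKLIST(278), // vmsplice
-BLACKLIST(161), // chroot
-BLACKLIST(184), // tuxcall
-BLACKLIST(169), // reboot
-BLACKLIST(180), // nfsservctl
-BLACKLIST(177), // get_kernel_syms
-
-RETURN_ALLOW
-};
-
-// save filter to file
-write_filter(fname, sizeof(filter), filter);
-}
 
 // 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {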