replacing seccomp printing with a seccomp disassembler

author: netblue30 <netblue30@yahoo.com> 2017-12-28 12:28:08 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-12-28 12:28:08 -0500
commit: f9c60d5a3aaecc11b1dbb933bca45c461b03ca83 (patch)
tree: 4538785f5889ee8836afadb36f29308a4ccf7ccb /src/fseccomp
parent: Add netlink and noblacklist openssl to teamspeak3 profile - potential fix for... (diff)
download: firejail-f9c60d5a3aaecc11b1dbb933bca45c461b03ca83.tar.gz
firejail-f9c60d5a3aaecc11b1dbb933bca45c461b03ca83.tar.zst
firejail-f9c60d5a3aaecc11b1dbb933bca45c461b03ca83.zip
2 files changed, 0 insertions, 186 deletions
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index ae0ae64ef..030eaf90b 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -37,7 +37,6 @@ static void usage(void) {
        printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");
        printf("\tfseccomp keep file1 file2 list\n");
        printf("\tfseccomp memory-deny-write-execute file\n");
-        printf("\tfseccomp print file\n");
 }
 int main(int argc, char **argv) {
@@ -93,8 +92,6 @@ printf("\n");
                seccomp_keep(argv[2], argv[3], argv[4]);
        else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
                memory_deny_write_execute(argv[2]);
-        else if (argc == 3 && strcmp(argv[1], "print") == 0)
-                filter_print(argv[2]);
        else {
                fprintf(stderr, "Error fseccomp: invalid arguments\n");
                return 1;
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
deleted file mode 100644
index ffc65e7c3..000000000
--- a/src/fseccomp/seccomp_print.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "fseccomp.h"
-#include "../include/seccomp.h"
-#include <sys/syscall.h>
-static struct sock_filter *filter = NULL;
-static int filter_cnt = 0;
-static void load_seccomp(const char *fname) {
-        assert(fname);
-        // open filter file
-        int fd = open(fname, O_RDONLY);
-        if (fd == -1)
-                goto errexit;
-        // calculate the number of entries
-        int size = lseek(fd, 0, SEEK_END);
-        if (size == -1)
-                goto errexit;
-        if (lseek(fd, 0 , SEEK_SET) == -1)
-                goto errexit;
-        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
-        filter_cnt = entries;
-        // read filter
-        filter = malloc(size);
-        if (filter == NULL)
-                goto errexit;
-        memset(filter, 0, size);
-        int rd = 0;
-        while (rd < size) {
-                int rv = read(fd, (unsigned char *) filter + rd, size - rd);
-                if (rv == -1)
-                        goto errexit;
-                rd += rv;
-        }
-        // close file
-        close(fd);
-        return;
-errexit:
-        fprintf(stderr, "Error fseccomp: cannot read %s\n", fname);
-        exit(1);
-}
-static int detect_filter_type(void) {
-        // the filter ishould already be load in filter variable
-        assert(filter);
-        printf("SECCOMP Filter\n");
-        // testing for main seccomp filter, protocol, mdwe - platform architecture
-        const struct sock_filter start_main[] = {
-                VALIDATE_ARCHITECTURE,
-#if defined(__x86_64__)
-                EXAMINE_SYSCALL,
-                HANDLE_X32
-#else
-                EXAMINE_SYSCALL
-#endif
-        };
-        if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) {
-                printf("  VALIDATE_ARCHITECTURE\n");
-                printf("  EXAMINE_SYSCALL\n");
-#if defined(__x86_64__)
-                printf("  HANDLE_X32\n");
-#endif
-                return sizeof(start_main) / sizeof(struct sock_filter);
-        }
-        // testing for secondary 64 bit filter
-        const struct sock_filter start_secondary_64[] = {
-                VALIDATE_ARCHITECTURE_64,
-                EXAMINE_SYSCALL,
-        };
-        if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) {
-                printf("  VALIDATE_ARCHITECTURE_64\n");
-                printf("  EXAMINE_SYSCALL\n");
-                return sizeof(start_secondary_64) / sizeof(struct sock_filter);
-        }
-        // testing for secondary 32 bit filter
-        const struct sock_filter start_secondary_32[] = {
-                VALIDATE_ARCHITECTURE_32,
-                EXAMINE_SYSCALL,
-        };
-        if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) {
-                printf("  VALIDATE_ARCHITECTURE_32\n");
-                printf("  EXAMINE_SYSCALL\n");
-                return sizeof(start_secondary_32) / sizeof(struct sock_filter);
-        }
-        const struct sock_filter start_secondary_block[] = {
-                VALIDATE_ARCHITECTURE_KILL,
-#if defined(__x86_64__)
-                EXAMINE_SYSCALL,
-                HANDLE_X32_KILL,
-#else
-                EXAMINE_SYSCALL
-#endif
-        };
-        if (memcmp(&start_secondary_block[0], filter, sizeof(start_secondary_block)) == 0) {
-                printf("  VALIDATE_ARCHITECTURE_KILL\n");
-                printf("  EXAMINE_SYSCALL\n");
-#if defined(__x86_64__)
-                printf("  HANDLE_X32_KILL\n");
-#endif
-                return sizeof(start_secondary_block) / sizeof(struct sock_filter);
-        }
-        return 0; // filter unrecognized
-}
-// debug filter
-void filter_print(const char *fname) {
-        assert(fname);
-        load_seccomp(fname);
-        int i = detect_filter_type();
-        if (i == 0) {
-                printf("Invalid seccomp filter %s\n", fname);
-                return;
-        }
-        // loop trough the rest of commands
-        while (i < filter_cnt) {
-                // minimal parsing!
-                struct sock_filter *s = (struct sock_filter *) &filter[i];
-                if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_ALLOW ) {
-                        printf("  WHITELIST %d %s\n", s->k, syscall_find_nr(s->k));
-                        i += 2;
-                }
-                else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_KILL ) {
-                        printf("  BLACKLIST %d %s\n", s->k, syscall_find_nr(s->k));
-                        i += 2;
-                }
-                else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && ((s + 1)->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) {
-                        printf("  BLACKLIST_ERRNO %d %s %d %s\n", s->k, syscall_find_nr(s->k), (s + 1)->k & SECCOMP_RET_DATA, errno_find_nr((s + 1)->k & SECCOMP_RET_DATA));
-                        i += 2;
-                }
-                else if (s->code == BPF_RET+BPF_K && (s->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) {
-                        printf("  RETURN_ERRNO %d %s\n", s->k & SECCOMP_RET_DATA, errno_find_nr(s->k & SECCOMP_RET_DATA));
-                        i++;
-                }
-                else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_KILL) {
-                        printf("  KILL_PROCESS\n");
-                        i++;
-                }
-                else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_ALLOW) {
-                        printf("  RETURN_ALLOW\n");
-                        i++;
-                }
-                else {
-                        printf("  UNKNOWN ENTRY %x!\n", s->code);
-                        i++;
-                }
-        }
-}
author	netblue30 <netblue30@yahoo.com>	2017-12-28 12:28:08 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-12-28 12:28:08 -0500
commit	f9c60d5a3aaecc11b1dbb933bca45c461b03ca83 (patch)
tree	4538785f5889ee8836afadb36f29308a4ccf7ccb /src/fseccomp
parent	Add netlink and noblacklist openssl to teamspeak3 profile - potential fix for... (diff)
download	firejail-f9c60d5a3aaecc11b1dbb933bca45c461b03ca83.tar.gz firejail-f9c60d5a3aaecc11b1dbb933bca45c461b03ca83.tar.zst firejail-f9c60d5a3aaecc11b1dbb933bca45c461b03ca83.zip

diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index ae0ae64ef..030eaf90b 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c
@@ -37,7 +37,6 @@ static void usage(void) {
37	printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");	37	printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");
38	printf("\tfseccomp keep file1 file2 list\n");	38	printf("\tfseccomp keep file1 file2 list\n");
39	printf("\tfseccomp memory-deny-write-execute file\n");	39	printf("\tfseccomp memory-deny-write-execute file\n");
40	printf("\tfseccomp print file\n");
41	}	40	}
42		41
43	int main(int argc, char **argv) {	42	int main(int argc, char **argv) {
@@ -93,8 +92,6 @@ printf("\n");
93	seccomp_keep(argv[2], argv[3], argv[4]);	92	seccomp_keep(argv[2], argv[3], argv[4]);
94	else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)	93	else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
95	memory_deny_write_execute(argv[2]);	94	memory_deny_write_execute(argv[2]);
96	else if (argc == 3 && strcmp(argv[1], "print") == 0)
97	filter_print(argv[2]);
98	else {	95	else {
99	fprintf(stderr, "Error fseccomp: invalid arguments\n");	96	fprintf(stderr, "Error fseccomp: invalid arguments\n");
100	return 1;	97	return 1;


diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c deleted file mode 100644 index ffc65e7c3..000000000 --- a/src/fseccomp/seccomp_print.c +++ /dev/null
@@ -1,183 +0,0 @@
1	/*
2	* Copyright (C) 2014-2017 Firejail Authors
3	*
4	* This file is part of firejail project
5	*
6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License as published by
8	* the Free Software Foundation; either version 2 of the License, or
9	* (at your option) any later version.
10	*
11	* This program is distributed in the hope that it will be useful,
12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	* GNU General Public License for more details.
15	*
16	* You should have received a copy of the GNU General Public License along
17	* with this program; if not, write to the Free Software Foundation, Inc.,
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/
20	#include "fseccomp.h"
21	#include "../include/seccomp.h"
22	#include <sys/syscall.h>
23
24	static struct sock_filter *filter = NULL;
25	static int filter_cnt = 0;
26
27	static void load_seccomp(const char *fname) {
28	assert(fname);
29
30	// open filter file
31	int fd = open(fname, O_RDONLY);
32	if (fd == -1)
33	goto errexit;
34
35	// calculate the number of entries
36	int size = lseek(fd, 0, SEEK_END);
37	if (size == -1)
38	goto errexit;
39	if (lseek(fd, 0 , SEEK_SET) == -1)
40	goto errexit;
41	unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
42	filter_cnt = entries;
43
44	// read filter
45	filter = malloc(size);
46	if (filter == NULL)
47	goto errexit;
48	memset(filter, 0, size);
49	int rd = 0;
50	while (rd < size) {
51	int rv = read(fd, (unsigned char *) filter + rd, size - rd);
52	if (rv == -1)
53	goto errexit;
54	rd += rv;
55	}
56
57	// close file
58	close(fd);
59	return;
60
61	errexit:
62	fprintf(stderr, "Error fseccomp: cannot read %s\n", fname);
63	exit(1);
64	}
65
66	static int detect_filter_type(void) {
67	// the filter ishould already be load in filter variable
68	assert(filter);
69
70	printf("SECCOMP Filter\n");
71
72	// testing for main seccomp filter, protocol, mdwe - platform architecture
73	const struct sock_filter start_main[] = {
74	VALIDATE_ARCHITECTURE,
75	#if defined(__x86_64__)
76	EXAMINE_SYSCALL,
77	HANDLE_X32
78	#else
79	EXAMINE_SYSCALL
80	#endif
81	};
82
83	if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) {
84	printf(" VALIDATE_ARCHITECTURE\n");
85	printf(" EXAMINE_SYSCALL\n");
86	#if defined(__x86_64__)
87	printf(" HANDLE_X32\n");
88	#endif
89	return sizeof(start_main) / sizeof(struct sock_filter);
90	}
91
92
93	// testing for secondary 64 bit filter
94	const struct sock_filter start_secondary_64[] = {
95	VALIDATE_ARCHITECTURE_64,
96	EXAMINE_SYSCALL,
97	};
98
99	if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) {
100	printf(" VALIDATE_ARCHITECTURE_64\n");
101	printf(" EXAMINE_SYSCALL\n");
102	return sizeof(start_secondary_64) / sizeof(struct sock_filter);
103	}
104
105	// testing for secondary 32 bit filter
106	const struct sock_filter start_secondary_32[] = {
107	VALIDATE_ARCHITECTURE_32,
108	EXAMINE_SYSCALL,
109	};
110
111	if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) {
112	printf(" VALIDATE_ARCHITECTURE_32\n");
113	printf(" EXAMINE_SYSCALL\n");
114	return sizeof(start_secondary_32) / sizeof(struct sock_filter);
115	}
116
117	const struct sock_filter start_secondary_block[] = {
118	VALIDATE_ARCHITECTURE_KILL,
119	#if defined(__x86_64__)
120	EXAMINE_SYSCALL,
121	HANDLE_X32_KILL,
122	#else
123	EXAMINE_SYSCALL
124	#endif
125	};
126
127	if (memcmp(&start_secondary_block[0], filter, sizeof(start_secondary_block)) == 0) {
128	printf(" VALIDATE_ARCHITECTURE_KILL\n");
129	printf(" EXAMINE_SYSCALL\n");
130	#if defined(__x86_64__)
131	printf(" HANDLE_X32_KILL\n");
132	#endif
133	return sizeof(start_secondary_block) / sizeof(struct sock_filter);
134	}
135
136	return 0; // filter unrecognized
137	}
138
139	// debug filter
140	void filter_print(const char *fname) {
141	assert(fname);
142	load_seccomp(fname);
143
144	int i = detect_filter_type();
145	if (i == 0) {
146	printf("Invalid seccomp filter %s\n", fname);
147	return;
148	}
149
150	// loop trough the rest of commands
151	while (i < filter_cnt) {
152	// minimal parsing!
153	struct sock_filter s = (struct sock_filter ) &filter[i];
154	if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_ALLOW ) {
155	printf(" WHITELIST %d %s\n", s->k, syscall_find_nr(s->k));
156	i += 2;
157	}
158	else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_KILL ) {
159	printf(" BLACKLIST %d %s\n", s->k, syscall_find_nr(s->k));
160	i += 2;
161	}
162	else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && ((s + 1)->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) {
163	printf(" BLACKLIST_ERRNO %d %s %d %s\n", s->k, syscall_find_nr(s->k), (s + 1)->k & SECCOMP_RET_DATA, errno_find_nr((s + 1)->k & SECCOMP_RET_DATA));
164	i += 2;
165	}
166	else if (s->code == BPF_RET+BPF_K && (s->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) {
167	printf(" RETURN_ERRNO %d %s\n", s->k & SECCOMP_RET_DATA, errno_find_nr(s->k & SECCOMP_RET_DATA));
168	i++;
169	}
170	else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_KILL) {
171	printf(" KILL_PROCESS\n");
172	i++;
173	}
174	else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_ALLOW) {
175	printf(" RETURN_ALLOW\n");
176	i++;
177	}
178	else {
179	printf(" UNKNOWN ENTRY %x!\n", s->code);
180	i++;
181	}
182	}
183	}