author | Topi Miettinen <toiwoton@gmail.com> | 2017-08-06 21:58:35 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-06 23:24:20 +0300 |
commit | 34ee8e03f58c4c51c3aa29f553e06570d0654db2 (patch) | |
tree | 05b191c778a7b871e339bdf6c6017606404a917e /src/fseccomp | |
parent | private-lib fixes (diff) | |
Seccomp: system call grouping and call numbers
Diffstat (limited to 'src/fseccomp')
-rw-r--r-- | src/fseccomp/fseccomp.h | 3 | ||||
-rw-r--r-- | src/fseccomp/seccomp.c | 317 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 356 |
3 files changed, 351 insertions, 325 deletions
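--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -31,8 +31,7 @@ extern int arg_quiet;
 // syscall.c
 void syscall_print(void);
 int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg);
-int syscall_find_name(const char *name);
-char *syscall_find_nr(int nr);
+const char *syscall_find_nr(int nr);
 
 // errno.c
 void errno_print(void);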
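--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -25,319 +25,24 @@
 #include <sys/types.h>
 
 static void add_default_list(int fd, int allow_debuggers) {
-#ifdef SYS_mount
-	filter_add_blacklist(fd, SYS_mount, 0);
-#endif
-#ifdef SYS_umount2
-	filter_add_blacklist(fd, SYS_umount2, 0);
-#endif
+	int r;
+	if (!allow_debuggers)
+		r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0);
+	else
+		r = syscall_check_list("@default", filter_add_blacklist, fd, 0);
 
-	if (!allow_debuggers) {
-#ifdef SYS_ptrace
-	filter_add_blacklist(fd, SYS_ptrace, 0);
-#endif
-	}
-
-#ifdef SYS_kexec_load
-	filter_add_blacklist(fd, SYS_kexec_load, 0);
-#endif
-#ifdef SYS_kexec_file_load
-	filter_add_blacklist(fd, SYS_kexec_file_load, 0);
-#endif
-#ifdef SYS_open_by_handle_at
-	filter_add_blacklist(fd, SYS_open_by_handle_at, 0);
-#endif
-#ifdef SYS_name_to_handle_at
-	filter_add_blacklist(fd, SYS_name_to_handle_at, 0);
-#endif
-#ifdef SYS_init_module
-	filter_add_blacklist(fd, SYS_init_module, 0);
-#endif
-#ifdef SYS_finit_module
-	filter_add_blacklist(fd, SYS_finit_module, 0);
-#endif
-#ifdef SYS_create_module
-	filter_add_blacklist(fd, SYS_create_module, 0);
-#endif
-#ifdef SYS_delete_module
-	filter_add_blacklist(fd, SYS_delete_module, 0);
-#endif
-#ifdef SYS_iopl
-	filter_add_blacklist(fd, SYS_iopl, 0);
-#endif
-#ifdef SYS_ioperm
-	filter_add_blacklist(fd, SYS_ioperm, 0);
-#endif
-#ifdef SYS_ioprio_set
-	filter_add_blacklist(fd, SYS_ioprio_set, 0);
-#endif
-#ifdef SYS_ni_syscall
-	filter_add_blacklist(fd, SYS_ni_syscall, 0);
-#endif
-#ifdef SYS_swapon
-	filter_add_blacklist(fd, SYS_swapon, 0);
-#endif
-#ifdef SYS_swapoff
-	filter_add_blacklist(fd, SYS_swapoff, 0);
-#endif
-#ifdef SYS_syslog
-	filter_add_blacklist(fd, SYS_syslog, 0);
-#endif
-
-	if (!allow_debuggers) {
-#ifdef SYS_process_vm_readv
-	filter_add_blacklist(fd, SYS_process_vm_readv, 0);
-#endif
-	}
-
-#ifdef SYS_process_vm_writev
-	filter_add_blacklist(fd, SYS_process_vm_writev, 0);
-#endif
+	assert(r == 0);
 //#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension
 // filter_add_blacklist(SYS_mknod, 0);
 //#endif
-#ifdef SYS_sysfs
-	filter_add_blacklist(fd, SYS_sysfs, 0);
-#endif
-#ifdef SYS__sysctl
-	filter_add_blacklist(fd, SYS__sysctl, 0);
-#endif
-#ifdef SYS_adjtimex
-	filter_add_blacklist(fd, SYS_adjtimex, 0);
-#endif
-#ifdef SYS_clock_adjtime
-	filter_add_blacklist(fd, SYS_clock_adjtime, 0);
-#endif
-#ifdef SYS_lookup_dcookie
-	filter_add_blacklist(fd, SYS_lookup_dcookie, 0);
-#endif
-#ifdef SYS_perf_event_open
-	filter_add_blacklist(fd, SYS_perf_event_open, 0);
-#endif
-#ifdef SYS_fanotify_init
-	filter_add_blacklist(fd, SYS_fanotify_init, 0);
-#endif
-#ifdef SYS_kcmp
-	filter_add_blacklist(fd, SYS_kcmp, 0);
-#endif
-#ifdef SYS_add_key
-	filter_add_blacklist(fd, SYS_add_key, 0);
-#endif
-#ifdef SYS_request_key
-	filter_add_blacklist(fd, SYS_request_key, 0);
-#endif
-#ifdef SYS_keyctl
-	filter_add_blacklist(fd, SYS_keyctl, 0);
-#endif
-#ifdef SYS_uselib
-	filter_add_blacklist(fd, SYS_uselib, 0);
-#endif
-#ifdef SYS_acct
-	filter_add_blacklist(fd, SYS_acct, 0);
-#endif
-#ifdef SYS_modify_ldt
-	filter_add_blacklist(fd, SYS_modify_ldt, 0);
-#endif
-#ifdef SYS_pivot_root
-	filter_add_blacklist(fd, SYS_pivot_root, 0);
-#endif
-#ifdef SYS_io_setup
-	filter_add_blacklist(fd, SYS_io_setup, 0);
-#endif
-#ifdef SYS_io_destroy
-	filter_add_blacklist(fd, SYS_io_destroy, 0);
-#endif
-#ifdef SYS_io_getevents
-	filter_add_blacklist(fd, SYS_io_getevents, 0);
-#endif
-#ifdef SYS_io_submit
-	filter_add_blacklist(fd, SYS_io_submit, 0);
-#endif
-#ifdef SYS_io_cancel
-	filter_add_blacklist(fd, SYS_io_cancel, 0);
-#endif
-#ifdef SYS_remap_file_pages
-	filter_add_blacklist(fd, SYS_remap_file_pages, 0);
-#endif
-#ifdef SYS_mbind
-	filter_add_blacklist(fd, SYS_mbind, 0);
-#endif
-
 // breaking Firefox nightly when playing youtube videos
 // TODO: test again when firefox sandbox is finally released
 //#ifdef SYS_get_mempolicy
 // filter_add_blacklist(fd, SYS_get_mempolicy, 0);
 //#endif
-
-#ifdef SYS_set_mempolicy
-	filter_add_blacklist(fd, SYS_set_mempolicy, 0);
-#endif
-#ifdef SYS_migrate_pages
-	filter_add_blacklist(fd, SYS_migrate_pages, 0);
-#endif
-#ifdef SYS_move_pages
-	filter_add_blacklist(fd, SYS_move_pages, 0);
-#endif
-#ifdef SYS_vmsplice
-	filter_add_blacklist(fd, SYS_vmsplice, 0);
-#endif
-#ifdef SYS_chroot
-	filter_add_blacklist(fd, SYS_chroot, 0);
-#endif
-#ifdef SYS_tuxcall
-	filter_add_blacklist(fd, SYS_tuxcall, 0);
-#endif
-#ifdef SYS_reboot
-	filter_add_blacklist(fd, SYS_reboot, 0);
-#endif
-#ifdef SYS_nfsservctl
-	filter_add_blacklist(fd, SYS_nfsservctl, 0);
-#endif
-#ifdef SYS_get_kernel_syms
-	filter_add_blacklist(fd, SYS_get_kernel_syms, 0);
-#endif
-
-// 0.9.45
-#ifdef SYS_bpf
-	filter_add_blacklist(fd, SYS_bpf, 0);
-#endif
-#ifdef SYS_clock_settime
-	filter_add_blacklist(fd, SYS_clock_settime, 0);
-#endif
-//#ifdef SYS_clone - in use by Firejail
-// filter_add_blacklist(fd, SYS_clone, 0);
-//#endif
-#ifdef SYS_personality
-	filter_add_blacklist(fd, SYS_personality, 0);
-#endif
-#ifdef SYS_process_vm_writev
-	filter_add_blacklist(fd, SYS_process_vm_writev, 0);
-#endif
-#ifdef SYS_query_module
-	filter_add_blacklist(fd, SYS_query_module, 0);
-#endif
 //#ifdef SYS_quotactl - in use by Firefox
 // filter_add_blacklist(fd, SYS_quotactl, 0);
 //#endif
-//#ifdef SYS_setns - in use by Firejail
-// filter_add_blacklist(fd, SYS_setns, 0);
-//#endif
-#ifdef SYS_settimeofday
-	filter_add_blacklist(fd, SYS_settimeofday, 0);
-#endif
-#ifdef SYS_stime
-	filter_add_blacklist(fd, SYS_stime, 0);
-#endif
-#ifdef SYS_umount
-	filter_add_blacklist(fd, SYS_umount, 0);
-#endif
-//#ifdef SYS_unshare - in use by Firejail
-// filter_add_blacklist(fd, SYS_unshare, 0);
-//#endif
-#ifdef SYS_userfaultfd
-	filter_add_blacklist(fd, SYS_userfaultfd, 0);
-#endif
-#ifdef SYS_ustat
-	filter_add_blacklist(fd, SYS_ustat, 0);
-#endif
-#ifdef SYS_vm86
-	filter_add_blacklist(fd, SYS_vm86, 0);
-#endif
-#ifdef SYS_vm86old
-	filter_add_blacklist(fd, SYS_vm86old, 0);
-#endif
-
-#ifdef SYS_afs_syscall
-	filter_add_blacklist(fd, SYS_afs_syscall, 0);
-#endif
-#ifdef SYS_bdflush
-	filter_add_blacklist(fd, SYS_bdflush, 0);
-#endif
-#ifdef SYS_break
-	filter_add_blacklist(fd, SYS_break, 0);
-#endif
-#ifdef SYS_ftime
-	filter_add_blacklist(fd, SYS_ftime, 0);
-#endif
-#ifdef SYS_getpmsg
-	filter_add_blacklist(fd, SYS_getpmsg, 0);
-#endif
-#ifdef SYS_gtty
-	filter_add_blacklist(fd, SYS_gtty, 0);
-#endif
-#ifdef SYS_lock
-	filter_add_blacklist(fd, SYS_lock, 0);
-#endif
-#ifdef SYS_mpx
-	filter_add_blacklist(fd, SYS_mpx, 0);
-#endif
-#ifdef SYS_pciconfig_iobase
-	filter_add_blacklist(fd, SYS_pciconfig_iobase, 0);
-#endif
-#ifdef SYS_pciconfig_read
-	filter_add_blacklist(fd, SYS_pciconfig_read, 0);
-#endif
-#ifdef SYS_pciconfig_write
-	filter_add_blacklist(fd, SYS_pciconfig_write, 0);
-#endif
-#ifdef SYS_prof
-	filter_add_blacklist(fd, SYS_prof, 0);
-#endif
-#ifdef SYS_profil
-	filter_add_blacklist(fd, SYS_profil, 0);
-#endif
-#ifdef SYS_putpmsg
-	filter_add_blacklist(fd, SYS_putpmsg, 0);
-#endif
-#ifdef SYS_rtas
-	filter_add_blacklist(fd, SYS_rtas, 0);
-#endif
-#ifdef SYS_s390_runtime_instr
-	filter_add_blacklist(fd, SYS_s390_runtime_instr, 0);
-#endif
-#ifdef SYS_s390_mmio_read
-	filter_add_blacklist(fd, SYS_s390_mmio_read, 0);
-#endif
-#ifdef SYS_s390_mmio_write
-	filter_add_blacklist(fd, SYS_s390_mmio_write, 0);
-#endif
-#ifdef SYS_security
-	filter_add_blacklist(fd, SYS_security, 0);
-#endif
-#ifdef SYS_setdomainname
-	filter_add_blacklist(fd, SYS_setdomainname, 0);
-#endif
-#ifdef SYS_sethostname
-	filter_add_blacklist(fd, SYS_sethostname, 0);
-#endif
-#ifdef SYS_sgetmask
-	filter_add_blacklist(fd, SYS_sgetmask, 0);
-#endif
-#ifdef SYS_ssetmask
-	filter_add_blacklist(fd, SYS_ssetmask, 0);
-#endif
-#ifdef SYS_stty
-	filter_add_blacklist(fd, SYS_stty, 0);
-#endif
-#ifdef SYS_subpage_prot
-	filter_add_blacklist(fd, SYS_subpage_prot, 0);
-#endif
-#ifdef SYS_switch_endian
-	filter_add_blacklist(fd, SYS_switch_endian, 0);
-#endif
-#ifdef SYS_sys_debug_setcontext
-	filter_add_blacklist(fd, SYS_sys_debug_setcontext, 0);
-#endif
-#ifdef SYS_ulimit
-	filter_add_blacklist(fd, SYS_ulimit, 0);
-#endif
-#ifdef SYS_vhangup
-	filter_add_blacklist(fd, SYS_vhangup, 0);
-#endif
-#ifdef SYS_vserver
-	filter_add_blacklist(fd, SYS_vserver, 0);
-#endif
-
 }
 
 // default list
@@ -418,12 +123,10 @@ void seccomp_keep(const char *fname, char *list) {
 
 	// build filter
 	filter_init(fd);
-	// these 4 syscalls are used by firejail after the seccomp filter is initialized
-	filter_add_whitelist(fd, SYS_setuid, 0);
-	filter_add_whitelist(fd, SYS_setgid, 0);
-	filter_add_whitelist(fd, SYS_setgroups, 0);
-	filter_add_whitelist(fd, SYS_dup, 0);
-	filter_add_whitelist(fd, SYS_prctl, 0);
+	// these syscalls are used by firejail after the seccomp filter is initialized
+	int r;
+	r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0);
+	assert(r == 0);
 
 	if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
 		fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");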
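Review bot: `assert(r == 0)` in add_default_list (and again after the `@default-keep` expansion in seccomp_keep) is the only check on the result of building the built-in filter lists, and it compiles away under NDEBUG, so a failed group expansion would silently leave the sandbox with a partial deny list or keep list. Replace it with the explicit handling seccomp_keep already uses for the user-supplied list a few lines below: `if (r) { fprintf(stderr, "Error fseccomp: cannot build default seccomp filter\n"); exit(1); }`. Note also that the default list is now resolved by name through the generated `syslist` table in syscall.c rather than through `SYS_*` constants, so a name that is `#ifdef`-present in the group but missing from the table is only reported as a "not available" warning (suppressed by arg_quiet) and dropped from the deny list; for the compiled-in groups that is a build defect and should be fatal rather than a warning. Whether `<assert.h>` is included in this file is not visible in the hunk.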
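--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -21,11 +21,16 @@
 #include <sys/syscall.h>
 
 typedef struct {
-	char *name;
+	const char * const name;
 	int nr;
 } SyscallEntry;
 
-static SyscallEntry syslist[] = {
+typedef struct {
+	const char * const name;
+	const char * const list;
+} SyscallGroupList;
+
+static const SyscallEntry syslist[] = {
 	//
 	// code generated using tools/extract-syscall
 	//
@@ -35,8 +40,302 @@ static SyscallEntry syslist[] = {
 	//
 }; // end of syslist
 
+static const SyscallGroupList sysgroups[] = {
+	{ .name = "@default", .list =
+#ifdef SYS_mount
+	"mount,"
+#endif
+#ifdef SYS_umount2
+	"umount2,"
+#endif
+#ifdef SYS_kexec_load
+	"kexec_load,"
+#endif
+#ifdef SYS_kexec_file_load
+	"kexec_file_load,"
+#endif
+#ifdef SYS_open_by_handle_at
+	"open_by_handle_at,"
+#endif
+#ifdef SYS_name_to_handle_at
+	"name_to_handle_at,"
+#endif
+#ifdef SYS_init_module
+	"init_module,"
+#endif
+#ifdef SYS_finit_module
+	"finit_module,"
+#endif
+#ifdef SYS_create_module
+	"create_module,"
+#endif
+#ifdef SYS_delete_module
+	"delete_module,"
+#endif
+#ifdef SYS_iopl
+	"iopl,"
+#endif
+#ifdef SYS_ioperm
+	"ioperm,"
+#endif
+#ifdef SYS_ioprio_set
+	"ioprio_set,"
+#endif
+#ifdef SYS_ni_syscall
+	"ni_syscall,"
+#endif
+#ifdef SYS_swapon
+	"swapon,"
+#endif
+#ifdef SYS_swapoff
+	"swapoff,"
+#endif
+#ifdef SYS_syslog
+	"syslog,"
+#endif
+#ifdef SYS_process_vm_writev
+	"process_vm_writev,"
+#endif
+#ifdef SYS_sysfs
+	"sysfs,"
+#endif
+#ifdef SYS__sysctl
+	"_sysctl,"
+#endif
+#ifdef SYS_adjtimex
+	"adjtimex,"
+#endif
+#ifdef SYS_clock_adjtime
+	"clock_adjtime,"
+#endif
+#ifdef SYS_lookup_dcookie
+	"lookup_dcookie,"
+#endif
+#ifdef SYS_perf_event_open
+	"perf_event_open,"
+#endif
+#ifdef SYS_fanotify_init
+	"fanotify_init,"
+#endif
+#ifdef SYS_kcmp
+	"kcmp,"
+#endif
+#ifdef SYS_add_key
+	"add_key,"
+#endif
+#ifdef SYS_request_key
+	"request_key,"
+#endif
+#ifdef SYS_keyctl
+	"keyctl,"
+#endif
+#ifdef SYS_uselib
+	"uselib,"
+#endif
+#ifdef SYS_acct
+	"acct,"
+#endif
+#ifdef SYS_modify_ldt
+	"modify_ldt,"
+#endif
+#ifdef SYS_pivot_root
+	"pivot_root,"
+#endif
+#ifdef SYS_io_setup
+	"io_setup,"
+#endif
+#ifdef SYS_io_destroy
+	"io_destroy,"
+#endif
+#ifdef SYS_io_getevents
+	"io_getevents,"
+#endif
+#ifdef SYS_io_submit
+	"io_submit,"
+#endif
+#ifdef SYS_io_cancel
+	"io_cancel,"
+#endif
+#ifdef SYS_remap_file_pages
+	"remap_file_pages,"
+#endif
+#ifdef SYS_mbind
+	"mbind,"
+#endif
+#ifdef SYS_set_mempolicy
+	"set_mempolicy,"
+#endif
+#ifdef SYS_migrate_pages
+	"migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+	"move_pages,"
+#endif
+#ifdef SYS_vmsplice
+	"vmsplice,"
+#endif
+#ifdef SYS_chroot
+	"chroot,"
+#endif
+#ifdef SYS_tuxcall
+	"tuxcall,"
+#endif
+#ifdef SYS_reboot
+	"reboot,"
+#endif
+#ifdef SYS_nfsservctl
+	"nfsservctl,"
+#endif
+#ifdef SYS_get_kernel_syms
+	"get_kernel_syms,"
+#endif
+#ifdef SYS_bpf
+	"bpf,"
+#endif
+#ifdef SYS_clock_settime
+	"clock_settime,"
+#endif
+#ifdef SYS_personality
+	"personality,"
+#endif
+#ifdef SYS_process_vm_writev
+	"process_vm_writev,"
+#endif
+#ifdef SYS_query_module
+	"query_module,"
+#endif
+#ifdef SYS_settimeofday
+	"settimeofday,"
+#endif
+#ifdef SYS_stime
+	"stime,"
+#endif
+#ifdef SYS_umount
+	"umount,"
+#endif
+#ifdef SYS_userfaultfd
+	"userfaultfd,"
+#endif
+#ifdef SYS_ustat
+	"ustat,"
+#endif
+#ifdef SYS_vm86
+	"vm86,"
+#endif
+#ifdef SYS_vm86old
+	"vm86old,"
+#endif
+#ifdef SYS_afs_syscall
+	"afs_syscall,"
+#endif
+#ifdef SYS_bdflush
+	"bdflush,"
+#endif
+#ifdef SYS_break
+	"break,"
+#endif
+#ifdef SYS_ftime
+	"ftime,"
+#endif
+#ifdef SYS_getpmsg
+	"getpmsg,"
+#endif
+#ifdef SYS_gtty
+	"gtty,"
+#endif
+#ifdef SYS_lock
+	"lock,"
+#endif
+#ifdef SYS_mpx
+	"mpx,"
+#endif
+#ifdef SYS_pciconfig_iobase
+	"pciconfig_iobase,"
+#endif
+#ifdef SYS_pciconfig_read
+	"pciconfig_read,"
+#endif
+#ifdef SYS_pciconfig_write
+	"pciconfig_write,"
+#endif
+#ifdef SYS_prof
+	"prof,"
+#endif
+#ifdef SYS_profil
+	"profil,"
+#endif
+#ifdef SYS_putpmsg
+	"putpmsg,"
+#endif
+#ifdef SYS_rtas
+	"rtas,"
+#endif
+#ifdef SYS_s390_runtime_instr
+	"s390_runtime_instr,"
+#endif
+#ifdef SYS_s390_mmio_read
+	"s390_mmio_read,"
+#endif
+#ifdef SYS_s390_mmio_write
+	"s390_mmio_write,"
+#endif
+#ifdef SYS_security
+	"security,"
+#endif
+#ifdef SYS_setdomainname
+	"setdomainname,"
+#endif
+#ifdef SYS_sethostname
+	"sethostname,"
+#endif
+#ifdef SYS_sgetmask
+	"sgetmask,"
+#endif
+#ifdef SYS_ssetmask
+	"ssetmask,"
+#endif
+#ifdef SYS_stty
+	"stty,"
+#endif
+#ifdef SYS_subpage_prot
+	"subpage_prot,"
+#endif
+#ifdef SYS_switch_endian
+	"switch_endian,"
+#endif
+#ifdef SYS_sys_debug_setcontext
+	"sys_debug_setcontext,"
+#endif
+#ifdef SYS_ulimit
+	"ulimit,"
+#endif
+#ifdef SYS_vhangup
+	"vhangup,"
+#endif
+#ifdef SYS_vserver
+	"vserver"
+#endif
+	},
+	{ .name = "@default-nodebuggers", .list =
+	"@default,"
+#ifdef SYS_ptrace
+	"ptrace,"
+#endif
+#ifdef SYS_process_vm_readv
+	"process_vm_readv"
+#endif
+	},
+	{ .name = "@default-keep", .list =
+	"dup,"
+	"prctl,"
+	"setgid,"
+	"setgroups,"
+	"setuid"
+	}
+};
+
 // return -1 if error, or syscall number
-int syscall_find_name(const char *name) {
+static int syscall_find_name(const char *name) {
 	int i;
 	int elems = sizeof(syslist) / sizeof(syslist[0]);
 	for (i = 0; i < elems; i++) {
@@ -47,7 +346,7 @@ int syscall_find_name(const char *name) {
 	return -1;
 }
 
-char *syscall_find_nr(int nr) {
+const char *syscall_find_nr(int nr) {
 	int i;
 	int elems = sizeof(syslist) / sizeof(syslist[0]);
 	for (i = 0; i < elems; i++) {
@@ -67,6 +366,17 @@ void syscall_print(void) {
 	printf("\n");
 }
 
+static const char *syscall_find_group(const char *name) {
+	int i;
+	int elems = sizeof(sysgroups) / sizeof(sysgroups[0]);
+	for (i = 0; i < elems; i++) {
+		if (strcmp(name, sysgroups[i].name) == 0)
+			return sysgroups[i].list;
+	}
+
+	return NULL;
+}
+
 // allowed input:
 // - syscall
 // - syscall(error)
@@ -92,7 +402,10 @@ static void syscall_process_name(const char *name, int *syscall_nr, int *error_n
 		goto error;
 	}
 
-	*syscall_nr = syscall_find_name(syscall_name);
+	if (*syscall_name == '$')
+		*syscall_nr = strtol(syscall_name + 1, NULL, 0);
+	else
+		*syscall_nr = syscall_find_name(syscall_name);
 	if (error_name) {
 		*error_nr = errno_find_name(error_name);
 		if (*error_nr == -1)
@@ -120,7 +433,8 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
 	if (!str)
 		errExit("strdup");
 
-	char *ptr =strtok(str, ",");
+	char *saveptr;
+	char *ptr = strtok_r(str, ",", &saveptr);
 	if (ptr == NULL) {
 		fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
 		exit(1);
@@ -129,18 +443,28 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
 	while (ptr) {
 		int syscall_nr;
 		int error_nr;
-		syscall_process_name(ptr, &syscall_nr, &error_nr);
-		if (syscall_nr == -1) {
-			if (!arg_quiet)
-				fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);
+		if (*ptr == '@') {
+			const char *new_list = syscall_find_group(ptr);
+			if (!new_list) {
+				fprintf(stderr, "Error fseccomp: unknown syscall group %s\n", ptr);
+				exit(1);
+			}
+			syscall_check_list(new_list, callback, fd, arg);
 		}
-		else if (callback != NULL) {
-			if (error_nr != -1)
-				filter_add_errno(fd, syscall_nr, error_nr);
-			else
-				callback(fd, syscall_nr, arg);
+		else {
+			syscall_process_name(ptr, &syscall_nr, &error_nr);
+			if (syscall_nr == -1) {
+				if (!arg_quiet)
+					fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);
+			}
+			else if (callback != NULL) {
+				if (error_nr != -1)
+					filter_add_errno(fd, syscall_nr, error_nr);
+				else
+					callback(fd, syscall_nr, arg);
+			}
 		}
-		ptr = strtok(NULL, ",");
+		ptr = strtok_r(NULL, ",", &saveptr);
 	}
 
 	free(str);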
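Review bot: The new `$number` form in syscall_process_name hands `syscall_name + 1` to `strtol` with no end-pointer, errno or range check, so `$`, `$abc` or `$12x` silently resolve to syscall 0 (read on x86-64) and values outside `int` are truncated, which in a keep list silently allows and in a blacklist silently blocks the wrong call. The digits should be validated and the value range-checked before it is stored, rejecting anything else through the existing `goto error` path; the `error` label and the rest of the function are outside the hunk, and whether `<errno.h>`/`<limits.h>` are already included is not visible here. A related gap is in syscall_check_list: the recursive `syscall_check_list(new_list, callback, fd, arg)` used to expand a `@group` discards the nested call's return value, so whatever error the function reports through its return (not visible in this hunk) is lost for group members.
```c
	if (*syscall_name == '$') {
		char *end;
		errno = 0;
		long nr = strtol(syscall_name + 1, &end, 0);
		if (end == syscall_name + 1 || *end != '\0' || errno == ERANGE || nr < 0 || nr > INT_MAX)
			goto error;
		*syscall_nr = (int) nr;
	}
	else
		*syscall_nr = syscall_find_name(syscall_name);
	// … unchanged: errno lookup …
```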