author | netblue30 <netblue30@yahoo.com> | 2016-11-06 13:14:53 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-11-06 13:14:53 -0500 |
commit | 322ce2cdc98cf3eec22ebd0f83296ddde8347d09 (patch) | |
tree | 035026b607ee8b34a9ea03a6f1df30d03c584f43 /src/fseccomp | |
parent | cleanup (diff) | |
seccomp rework
Diffstat (limited to 'src/fseccomp')
-rw-r--r-- | src/fseccomp/main.c | 2 | ||||
-rw-r--r-- | src/fseccomp/protocol.c | 2 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 87 |
3 files changed, 65 insertions, 26 deletions
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 22b13bcd9..39e72fdf9 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -40,7 +40,7 @@ static void usage(void) { | |||
40 | int main(int argc, char **argv) { | 40 | int main(int argc, char **argv) { |
41 | #if 0 | 41 | #if 0 |
42 | { | 42 | { |
43 | system("cat /proc/self/status"); | 43 | //system("cat /proc/self/status"); |
44 | int i; | 44 | int i; |
45 | for (i = 0; i < argc; i++) | 45 | for (i = 0; i < argc; i++) |
46 | printf("*%s* ", argv[i]); | 46 | printf("*%s* ", argv[i]); |
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index 38c5f9d88..7bf560fe1 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c | |||
@@ -107,7 +107,7 @@ void protocol_build_filter(const char *prlist, const char *fname) { | |||
107 | assert(fname); | 107 | assert(fname); |
108 | 108 | ||
109 | #ifndef SYS_socket | 109 | #ifndef SYS_socket |
110 | fprintf(stderr, "Warning: --protocol not supported on this platform\n"); | 110 | fprintf(stderr, "Warning fseccomp: --protocol not supported on this platform\n"); |
111 | return; | 111 | return; |
112 | #else | 112 | #else |
113 | // build the filter | 113 | // build the filter |
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index e2052efde..6696f2b11 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
@@ -67,12 +67,52 @@ void syscall_print(void) { | |||
67 | printf("\n"); | 67 | printf("\n"); |
68 | } | 68 | } |
69 | 69 | ||
70 | // allowed input: | ||
71 | // - syscall | ||
72 | // - syscall(error) | ||
73 | static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr) { | ||
74 | assert(name); | ||
75 | if (strlen(name) == 0) | ||
76 | goto error; | ||
77 | *error_nr = -1; | ||
78 | |||
79 | // syntax check | ||
80 | char *str = strdup(name); | ||
81 | if (!str) | ||
82 | errExit("strdup"); | ||
83 | |||
84 | char *syscall_name = str; | ||
85 | char *error_name = strchr(str, ':'); | ||
86 | if (error_name) { | ||
87 | *error_name = '\0'; | ||
88 | error_name++; | ||
89 | } | ||
90 | if (strlen(syscall_name) == 0) { | ||
91 | free(str); | ||
92 | goto error; | ||
93 | } | ||
94 | |||
95 | *syscall_nr = syscall_find_name(syscall_name); | ||
96 | if (error_name) { | ||
97 | *error_nr = errno_find_name(error_name); | ||
98 | if (*error_nr == -1) | ||
99 | *syscall_nr = -1; | ||
100 | } | ||
101 | |||
102 | free(str); | ||
103 | return; | ||
104 | |||
105 | error: | ||
106 | fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name); | ||
107 | exit(1); | ||
108 | } | ||
109 | |||
70 | // return 1 if error, 0 if OK | 110 | // return 1 if error, 0 if OK |
71 | int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg) { | 111 | int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg) { |
72 | // don't allow empty lists | 112 | // don't allow empty lists |
73 | if (slist == NULL || *slist == '\0') { | 113 | if (slist == NULL || *slist == '\0') { |
74 | fprintf(stderr, "Error: empty syscall lists are not allowed\n"); | 114 | fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n"); |
75 | return -1; | 115 | exit(1); |
76 | } | 116 | } |
77 | 117 | ||
78 | // work on a copy of the string | 118 | // work on a copy of the string |
@@ -80,29 +120,28 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, | |||
80 | if (!str) | 120 | if (!str) |
81 | errExit("strdup"); | 121 | errExit("strdup"); |
82 | 122 | ||
83 | char *ptr = str; | 123 | char *ptr =strtok(str, ","); |
84 | char *start = str; | 124 | if (ptr == NULL) { |
85 | while (*ptr != '\0') { | 125 | fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n"); |
86 | if (islower(*ptr) || isdigit(*ptr) || *ptr == '_') | 126 | exit(1); |
87 | ; | ||
88 | else if (*ptr == ',') { | ||
89 | *ptr = '\0'; | ||
90 | int nr = syscall_find_name(start); | ||
91 | if (nr == -1) | ||
92 | fprintf(stderr, "Warning: syscall %s not found\n", start); | ||
93 | else if (callback != NULL) | ||
94 | callback(fd, nr, arg); | ||
95 | |||
96 | start = ptr + 1; | ||
97 | } | ||
98 | ptr++; | ||
99 | } | 127 | } |
100 | if (*start != '\0') { | 128 | |
101 | int nr = syscall_find_name(start); | 129 | while (ptr) { |
102 | if (nr == -1) | 130 | printf("ptr %s\n", ptr); |
103 | fprintf(stderr, "Warning: syscall %s not found\n", start); | 131 | |
104 | else if (callback != NULL) | 132 | int syscall_nr; |
105 | callback(fd, nr, arg); | 133 | int error_nr; |
134 | syscall_process_name(ptr, &syscall_nr, &error_nr); | ||
135 | printf("%d, %d\n", syscall_nr, error_nr); | ||
136 | if (syscall_nr == -1) | ||
137 | fprintf(stderr, "Warning fseccomp: syscall %s not found\n", ptr); | ||
138 | else if (callback != NULL) { | ||
139 | if (error_nr != -1) | ||
140 | filter_add_errno(fd, syscall_nr, error_nr); | ||
141 | else | ||
142 | callback(fd, syscall_nr, arg); | ||
143 | } | ||
144 | ptr = strtok(NULL, ","); | ||
106 | } | 145 | } |
107 | 146 | ||
108 | free(str); | 147 | free(str); |
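Review bot: Two stdout debug prints survive in the new loop of syscall_check_list, `printf("ptr %s\n", ptr);` at new line 130 and `printf("%d, %d\n", syscall_nr, error_nr);` at new line 135; they dump every list entry and its resolution to the helper's stdout on each run and should be removed, or at least moved to stderr behind a debug condition, before this lands. The header comment on the new syscall_process_name in the first hunk advertises `// - syscall(error)` while the code splits the entry on `':'`, so it should read `// - syscall:error` to match the accepted syntax. In that same function an unresolved errno name is folded into `*syscall_nr = -1`, so a mistyped errno is presumably reported by the caller as `Warning fseccomp: syscall %s not found`, which misleads the user; emitting a distinct `Warning fseccomp: errno %s not found` at the point where error_nr is checked would be clearer. syscall_check_list's body continues past the end of the hunk.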