author | netblue30 <netblue30@yahoo.com> | 2017-08-18 17:30:36 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-18 17:30:36 -0400 |
commit | 10e48d54f13f9874bdc9168db911028c33de5c51 (patch) | |
tree | 21c75d466e75e47692bcb15950dae4969d5fa884 /src/fseccomp | |
parent | testing: memwrexe runs only on x86_64 (diff) | |
seccomp testing
Diffstat (limited to 'src/fseccomp')
-rw-r--r-- | src/fseccomp/seccomp_print.c | 64 |
1 files changed, 48 insertions, 16 deletions
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index e10585a15..19fe7a545 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
@@ -63,13 +63,14 @@ errexit: | |||
63 | exit(1); | 63 | exit(1); |
64 | } | 64 | } |
65 | 65 | ||
66 | // debug filter | 66 | static int detect_filter_type(void) { |
67 | void filter_print(const char *fname) { | 67 | // the filter ishould already be load in filter variable |
68 | assert(fname); | 68 | assert(filter); |
69 | load_seccomp(fname); | ||
70 | 69 | ||
71 | // start filter | 70 | printf("SECCOMP Filter\n"); |
72 | const struct sock_filter start[] = { | 71 | |
72 | // testing for main seccomp filter, protocol, mdwe - platform architecture | ||
73 | const struct sock_filter start_main[] = { | ||
73 | VALIDATE_ARCHITECTURE, | 74 | VALIDATE_ARCHITECTURE, |
74 | #if defined(__x86_64__) | 75 | #if defined(__x86_64__) |
75 | EXAMINE_SYSCALL, | 76 | EXAMINE_SYSCALL, |
@@ -78,25 +79,56 @@ void filter_print(const char *fname) { | |||
78 | EXAMINE_SYSCALL | 79 | EXAMINE_SYSCALL |
79 | #endif | 80 | #endif |
80 | }; | 81 | }; |
81 | 82 | ||
82 | // print sizes | 83 | if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) { |
83 | printf("SECCOMP Filter:\n"); | ||
84 | |||
85 | // test the start of the filter | ||
86 | if (memcmp(&start[0], filter, sizeof(start)) == 0) { | ||
87 | printf(" VALIDATE_ARCHITECTURE\n"); | 84 | printf(" VALIDATE_ARCHITECTURE\n"); |
88 | printf(" EXAMINE_SYSCALL\n"); | 85 | printf(" EXAMINE_SYSCALL\n"); |
89 | #if defined(__x86_64__) | 86 | #if defined(__x86_64__) |
90 | printf(" HANDLE_X32\n"); | 87 | printf(" HANDLE_X32\n"); |
91 | #endif | 88 | #endif |
89 | return sizeof(start_main) / sizeof(struct sock_filter); | ||
92 | } | 90 | } |
93 | else { | 91 | |
92 | |||
93 | // testing for secondare amd64 filter | ||
94 | const struct sock_filter start_secondary_64[] = { | ||
95 | VALIDATE_ARCHITECTURE, | ||
96 | EXAMINE_SYSCALL, | ||
97 | }; | ||
98 | |||
99 | if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) { | ||
100 | printf(" VALIDATE_ARCHITECTURE_64\n"); | ||
101 | printf(" EXAMINE_SYSCALL\n"); | ||
102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); | ||
103 | } | ||
104 | |||
105 | // testing for secondare i386 filter | ||
106 | const struct sock_filter start_secondary_32[] = { | ||
107 | VALIDATE_ARCHITECTURE_32, | ||
108 | EXAMINE_SYSCALL, | ||
109 | }; | ||
110 | |||
111 | if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) { | ||
112 | printf(" VALIDATE_ARCHITECTURE_32\n"); | ||
113 | printf(" EXAMINE_SYSCALL\n"); | ||
114 | return sizeof(start_secondary_32) / sizeof(struct sock_filter); | ||
115 | } | ||
116 | |||
117 | return 0; // filter unrecognized | ||
118 | } | ||
119 | |||
120 | // debug filter | ||
121 | void filter_print(const char *fname) { | ||
122 | assert(fname); | ||
123 | load_seccomp(fname); | ||
124 | |||
125 | int i = detect_filter_type(); | ||
126 | if (i == 0) { | ||
94 | printf("Invalid seccomp filter %s\n", fname); | 127 | printf("Invalid seccomp filter %s\n", fname); |
95 | return; | 128 | return; |
96 | } | 129 | } |
97 | 130 | ||
98 | // loop trough blacklists | 131 | // loop trough the rest of commands |
99 | int i = sizeof(start) / sizeof(struct sock_filter); | ||
100 | while (i < filter_cnt) { | 132 | while (i < filter_cnt) { |
101 | // minimal parsing! | 133 | // minimal parsing! |
102 | struct sock_filter *s = (struct sock_filter *) &filter[i]; | 134 | struct sock_filter *s = (struct sock_filter *) &filter[i]; |
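Review bot: In detect_filter_type the three memcmp() calls compare sizeof(start_*) bytes against `filter` without first checking that `filter_cnt` covers that many entries, so a truncated or otherwise short filter file makes memcmp read past the end of whatever load_seccomp loaded (load_seccomp is outside this hunk, so the exact buffer size is not visible here). Guard each comparison with the element count, e.g. `if (filter_cnt >= (int)(sizeof(start_main) / sizeof(struct sock_filter)) && memcmp(start_main, filter, sizeof(start_main)) == 0) {`, and likewise for start_secondary_64 and start_secondary_32. Note also that on non-x86_64 builds start_main and start_secondary_64 are byte-identical, so the secondary-64 branch is unreachable there and the printed label `VALIDATE_ARCHITECTURE_64` does not match the macro actually used, `VALIDATE_ARCHITECTURE`; a short comment saying this is intentional would help the next reader. The comment `// the filter ishould already be load in filter variable` should read `// the filter should already be loaded into the filter variable`.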