Memory-deny-write-execute feature

Feature to block attempts to create writable and executable memory.
author: Topi Miettinen <toiwoton@gmail.com> 2017-07-29 19:53:27 +0300
committer: Topi Miettinen <topimiettinen@users.noreply.github.com> 2017-07-30 16:48:16 +0000
commit: 53606495188a5cc16ea67e3b65561127a98925b3 (patch)
tree: 554c6e90c785ae015f8d784b593d9cdf75fde315 /src/fseccomp
parent: Improve loading of seccomp filter (diff)
download: firejail-53606495188a5cc16ea67e3b65561127a98925b3.tar.gz
firejail-53606495188a5cc16ea67e3b65561127a98925b3.tar.zst
firejail-53606495188a5cc16ea67e3b65561127a98925b3.zip
4 files changed, 61 insertions, 1 deletions
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index 1e4881e9c..157b71011 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -48,6 +48,7 @@ void seccomp_secondary_64(const char *fname);
 void seccomp_secondary_32(const char *fname);
 // seccomp_file.c
+void write_to_file(int fd, const void *data, int size);
 void filter_init(int fd);
 void filter_add_whitelist(int fd, int syscall, int arg);
 void filter_add_blacklist(int fd, int syscall, int arg);
@@ -64,6 +65,8 @@ void seccomp_drop(const char *fname, char *list, int allow_debuggers);
 void seccomp_default_drop(const char *fname, char *list, int allow_debuggers);
 // whitelisted filter
 void seccomp_keep(const char *fname, char *list);
+// block writable and executable memory
+void memory_deny_write_execute(const char *fname);
 // seccomp_print
 void filter_print(const char *fname);
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index e322b5bbb..3d95d5bb2 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -35,6 +35,7 @@ static void usage(void) {
        printf("\tfseccomp default drop file list\n");
        printf("\tfseccomp default drop file list allow-debuggers\n");
        printf("\tfseccomp keep file list\n");
+        printf("\tfseccomp memory-deny-write-execute file\n");
        printf("\tfseccomp print file\n");
 }
@@ -87,6 +88,8 @@ printf("\n");
                seccomp_default_drop(argv[3], argv[4], 1);
        else if (argc == 4 && strcmp(argv[1], "keep") == 0)
                seccomp_keep(argv[2], argv[3]);
+        else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
+                memory_deny_write_execute(argv[2]);
        else if (argc == 3 && strcmp(argv[1], "print") == 0)
                filter_print(argv[2]);
        else {
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 4f8de8c5e..7d2ccbbce 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -19,7 +19,10 @@
 */
 #include "fseccomp.h"
 #include "../include/seccomp.h"
+#include <sys/mman.h>
+#include <sys/shm.h>
 #include <sys/syscall.h>
+#include <sys/types.h>
 static void add_default_list(int fd, int allow_debuggers) {
 #ifdef SYS_mount
@@ -428,3 +431,54 @@ void seccomp_keep(const char *fname, char *list) {
        // close file
        close(fd);
 }
+void memory_deny_write_execute(const char *fname) {
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        filter_init(fd);
+        // build filter
+        static const struct sock_filter filter[] = {
+#ifndef __x86_64__
+                // block old multiplexing mmap syscall for i386
+                BLACKLIST(SYS_mmap),
+#endif
+                // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
+#ifndef __x86_64__
+                // mmap2 is used for mmap on i386 these days
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
+#else
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
+#endif
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
+                KILL_PROCESS,
+                RETURN_ALLOW,
+                // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+                KILL_PROCESS,
+                RETURN_ALLOW,
+                // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
+                KILL_PROCESS,
+                RETURN_ALLOW
+        };
+        write_to_file(fd, filter, sizeof(filter));
+        filter_end_blacklist(fd);
+        // close file
+        close(fd);
+}
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index c74de9faf..16ffd5302 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -21,7 +21,7 @@
 #include "../include/seccomp.h"
 #include <sys/syscall.h>
-static void write_to_file(int fd, void *data, int size) {
+void write_to_file(int fd, const void *data, int size) {
        assert(data);
        assert(size);
author	Topi Miettinen <toiwoton@gmail.com>	2017-07-29 19:53:27 +0300
committer	Topi Miettinen <topimiettinen@users.noreply.github.com>	2017-07-30 16:48:16 +0000
commit	53606495188a5cc16ea67e3b65561127a98925b3 (patch)
tree	554c6e90c785ae015f8d784b593d9cdf75fde315 /src/fseccomp
parent	Improve loading of seccomp filter (diff)
download	firejail-53606495188a5cc16ea67e3b65561127a98925b3.tar.gz firejail-53606495188a5cc16ea67e3b65561127a98925b3.tar.zst firejail-53606495188a5cc16ea67e3b65561127a98925b3.zip

diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index 1e4881e9c..157b71011 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h
@@ -48,6 +48,7 @@ void seccomp_secondary_64(const char *fname);
48	void seccomp_secondary_32(const char *fname);	48	void seccomp_secondary_32(const char *fname);
49		49
50	// seccomp_file.c	50	// seccomp_file.c
		51	void write_to_file(int fd, const void *data, int size);
51	void filter_init(int fd);	52	void filter_init(int fd);
52	void filter_add_whitelist(int fd, int syscall, int arg);	53	void filter_add_whitelist(int fd, int syscall, int arg);
53	void filter_add_blacklist(int fd, int syscall, int arg);	54	void filter_add_blacklist(int fd, int syscall, int arg);
@@ -64,6 +65,8 @@ void seccomp_drop(const char fname, char list, int allow_debuggers);
64	void seccomp_default_drop(const char fname, char list, int allow_debuggers);	65	void seccomp_default_drop(const char fname, char list, int allow_debuggers);
65	// whitelisted filter	66	// whitelisted filter
66	void seccomp_keep(const char fname, char list);	67	void seccomp_keep(const char fname, char list);
		68	// block writable and executable memory
		69	void memory_deny_write_execute(const char *fname);
67		70
68	// seccomp_print	71	// seccomp_print
69	void filter_print(const char *fname);	72	void filter_print(const char *fname);


diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index e322b5bbb..3d95d5bb2 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c
@@ -35,6 +35,7 @@ static void usage(void) {
35	printf("\tfseccomp default drop file list\n");	35	printf("\tfseccomp default drop file list\n");
36	printf("\tfseccomp default drop file list allow-debuggers\n");	36	printf("\tfseccomp default drop file list allow-debuggers\n");
37	printf("\tfseccomp keep file list\n");	37	printf("\tfseccomp keep file list\n");
		38	printf("\tfseccomp memory-deny-write-execute file\n");
38	printf("\tfseccomp print file\n");	39	printf("\tfseccomp print file\n");
39	}	40	}
40		41
@@ -87,6 +88,8 @@ printf("\n");
87	seccomp_default_drop(argv[3], argv[4], 1);	88	seccomp_default_drop(argv[3], argv[4], 1);
88	else if (argc == 4 && strcmp(argv[1], "keep") == 0)	89	else if (argc == 4 && strcmp(argv[1], "keep") == 0)
89	seccomp_keep(argv[2], argv[3]);	90	seccomp_keep(argv[2], argv[3]);
		91	else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
		92	memory_deny_write_execute(argv[2]);
90	else if (argc == 3 && strcmp(argv[1], "print") == 0)	93	else if (argc == 3 && strcmp(argv[1], "print") == 0)
91	filter_print(argv[2]);	94	filter_print(argv[2]);
92	else {	95	else {


diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index 4f8de8c5e..7d2ccbbce 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c
@@ -19,7 +19,10 @@
19	*/	19	*/
20	#include "fseccomp.h"	20	#include "fseccomp.h"
21	#include "../include/seccomp.h"	21	#include "../include/seccomp.h"
		22	#include <sys/mman.h>
		23	#include <sys/shm.h>
22	#include <sys/syscall.h>	24	#include <sys/syscall.h>
		25	#include <sys/types.h>
23		26
24	static void add_default_list(int fd, int allow_debuggers) {	27	static void add_default_list(int fd, int allow_debuggers) {
25	#ifdef SYS_mount	28	#ifdef SYS_mount
@@ -428,3 +431,54 @@ void seccomp_keep(const char fname, char list) {
428	// close file	431	// close file
429	close(fd);	432	close(fd);
430	}	433	}
		434
		435	void memory_deny_write_execute(const char *fname) {
		436	// open file
		437	int fd = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
		438	if (fd < 0) {
		439	fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
		440	exit(1);
		441	}
		442
		443	filter_init(fd);
		444
		445	// build filter
		446	static const struct sock_filter filter[] = {
		447	#ifndef __x86_64__
		448	// block old multiplexing mmap syscall for i386
		449	BLACKLIST(SYS_mmap),
		450	#endif
		451	// block mmap(,,x\|PROT_WRITE\|PROT_EXEC) so W&X memory can't be created
		452	#ifndef __x86_64__
		453	// mmap2 is used for mmap on i386 these days
		454	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
		455	#else
		456	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
		457	#endif
		458	EXAMINE_ARGUMENT(2),
		459	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE\|PROT_EXEC),
		460	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE\|PROT_EXEC, 0, 1),
		461	KILL_PROCESS,
		462	RETURN_ALLOW,
		463	// block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
		464	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
		465	EXAMINE_ARGUMENT(2),
		466	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
		467	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
		468	KILL_PROCESS,
		469	RETURN_ALLOW,
		470	// block shmat(,,x\|SHM_EXEC) so W&X shared memory can't be created
		471	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
		472	EXAMINE_ARGUMENT(2),
		473	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
		474	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
		475	KILL_PROCESS,
		476	RETURN_ALLOW
		477	};
		478	write_to_file(fd, filter, sizeof(filter));
		479
		480	filter_end_blacklist(fd);
		481
		482	// close file
		483	close(fd);
		484	}


diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c index c74de9faf..16ffd5302 100644 --- a/src/fseccomp/seccomp_file.c +++ b/src/fseccomp/seccomp_file.c
@@ -21,7 +21,7 @@
21	#include "../include/seccomp.h"	21	#include "../include/seccomp.h"
22	#include <sys/syscall.h>	22	#include <sys/syscall.h>
23		23
24	static void write_to_file(int fd, void *data, int size) {	24	void write_to_file(int fd, const void *data, int size) {
25	assert(data);	25	assert(data);
26	assert(size);	26	assert(size);
27		27