seccomp rework

author: netblue30 <netblue30@yahoo.com> 2016-11-06 13:14:53 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-11-06 13:14:53 -0500
commit: 322ce2cdc98cf3eec22ebd0f83296ddde8347d09 (patch)
tree: 035026b607ee8b34a9ea03a6f1df30d03c584f43 /src/fseccomp
parent: cleanup (diff)
download: firejail-322ce2cdc98cf3eec22ebd0f83296ddde8347d09.tar.gz
firejail-322ce2cdc98cf3eec22ebd0f83296ddde8347d09.tar.zst
firejail-322ce2cdc98cf3eec22ebd0f83296ddde8347d09.zip
3 files changed, 65 insertions, 26 deletions
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 22b13bcd9..39e72fdf9 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -40,7 +40,7 @@ static void usage(void) {
 int main(int argc, char **argv) {
 #if 0
 {
-system("cat /proc/self/status");
+//system("cat /proc/self/status");
 int i;
 for (i = 0; i < argc; i++)
        printf("*%s* ", argv[i]);
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 38c5f9d88..7bf560fe1 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -107,7 +107,7 @@ void protocol_build_filter(const char *prlist, const char *fname) {
        assert(fname);
 #ifndef SYS_socket
-        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
+        fprintf(stderr, "Warning fseccomp: --protocol not supported on this platform\n");
        return;
 #else
        // build the filter
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index e2052efde..6696f2b11 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -67,12 +67,52 @@ void syscall_print(void) {
        printf("\n");
 }
+// allowed input:
+// - syscall
+// - syscall(error)
+static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr) {
+        assert(name);
+        if (strlen(name) == 0)
+                goto error;
+        *error_nr = -1;
+        
+        // syntax check
+        char *str = strdup(name);
+        if (!str)
+                errExit("strdup");
+        char *syscall_name = str;
+        char *error_name = strchr(str, ':');
+        if (error_name) {
+                *error_name = '\0';
+                error_name++;
+        }
+        if (strlen(syscall_name) == 0) {
+                free(str);
+                goto error;
+        }
+        *syscall_nr = syscall_find_name(syscall_name);
+        if (error_name) {
+                *error_nr = errno_find_name(error_name);
+                if (*error_nr == -1)
+                        *syscall_nr = -1;
+        }
+        free(str);
+        return;
+        
+error:
+        fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name);
+        exit(1);
+}
 // return 1 if error, 0 if OK
 int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg) {
        // don't allow empty lists
        if (slist == NULL || *slist == '\0') {
-                fprintf(stderr, "Error: empty syscall lists are not allowed\n");
+                fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
-                return -1;
+                exit(1);
        }
        // work on a copy of the string
@@ -80,29 +120,28 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
        if (!str)
                errExit("strdup");
-        char *ptr = str;
+        char *ptr =strtok(str, ",");
-        char *start = str;
+        if (ptr == NULL) {
-        while (*ptr != '\0') {
+                fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
-                if (islower(*ptr) || isdigit(*ptr) || *ptr == '_')
+                exit(1);
-                        ;
-                else if (*ptr == ',') {
-                        *ptr = '\0';
-                        int nr = syscall_find_name(start);
-                        if (nr == -1)
-                                fprintf(stderr, "Warning: syscall %s not found\n", start);
-                        else if (callback != NULL)
-                                callback(fd, nr, arg);
-                                
-                        start = ptr + 1;
-                }
-                ptr++;
        }
-        if (*start != '\0') {
-                int nr = syscall_find_name(start);
+        while (ptr) {
-                if (nr == -1)
+printf("ptr %s\n", ptr);
-                        fprintf(stderr, "Warning: syscall %s not found\n", start);
+                
-                else if (callback != NULL)
+                int syscall_nr;
-                        callback(fd, nr, arg);
+                int error_nr;
+                syscall_process_name(ptr, &syscall_nr, &error_nr);
+printf("%d, %d\n", syscall_nr, error_nr);               
+                if (syscall_nr == -1)
+                        fprintf(stderr, "Warning fseccomp: syscall %s not found\n", ptr);
+                else if (callback != NULL) {
+                        if (error_nr != -1)
+                                filter_add_errno(fd, syscall_nr, error_nr);
+                        else
+                                callback(fd, syscall_nr, arg);
+                }
+                ptr = strtok(NULL, ",");
        }
        
        free(str);
author	netblue30 <netblue30@yahoo.com>	2016-11-06 13:14:53 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-11-06 13:14:53 -0500
commit	322ce2cdc98cf3eec22ebd0f83296ddde8347d09 (patch)
tree	035026b607ee8b34a9ea03a6f1df30d03c584f43 /src/fseccomp
parent	cleanup (diff)
download	firejail-322ce2cdc98cf3eec22ebd0f83296ddde8347d09.tar.gz firejail-322ce2cdc98cf3eec22ebd0f83296ddde8347d09.tar.zst firejail-322ce2cdc98cf3eec22ebd0f83296ddde8347d09.zip

diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 22b13bcd9..39e72fdf9 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c
@@ -40,7 +40,7 @@ static void usage(void) {
40	int main(int argc, char **argv) {	40	int main(int argc, char **argv) {
41	#if 0	41	#if 0
42	{	42	{
43	system("cat /proc/self/status");	43	//system("cat /proc/self/status");
44	int i;	44	int i;
45	for (i = 0; i < argc; i++)	45	for (i = 0; i < argc; i++)
46	printf("%s ", argv[i]);	46	printf("%s ", argv[i]);


diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index 38c5f9d88..7bf560fe1 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c
@@ -107,7 +107,7 @@ void protocol_build_filter(const char prlist, const char fname) {
107	assert(fname);	107	assert(fname);
108		108
109	#ifndef SYS_socket	109	#ifndef SYS_socket
110	fprintf(stderr, "Warning: --protocol not supported on this platform\n");	110	fprintf(stderr, "Warning fseccomp: --protocol not supported on this platform\n");
111	return;	111	return;
112	#else	112	#else
113	// build the filter	113	// build the filter


diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index e2052efde..6696f2b11 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c
@@ -67,12 +67,52 @@ void syscall_print(void) {
67	printf("\n");	67	printf("\n");
68	}	68	}
69		69
		70	// allowed input:
		71	// - syscall
		72	// - syscall(error)
		73	static void syscall_process_name(const char name, int syscall_nr, int *error_nr) {
		74	assert(name);
		75	if (strlen(name) == 0)
		76	goto error;
		77	*error_nr = -1;
		78
		79	// syntax check
		80	char *str = strdup(name);
		81	if (!str)
		82	errExit("strdup");
		83
		84	char *syscall_name = str;
		85	char *error_name = strchr(str, ':');
		86	if (error_name) {
		87	*error_name = '\0';
		88	error_name++;
		89	}
		90	if (strlen(syscall_name) == 0) {
		91	free(str);
		92	goto error;
		93	}
		94
		95	*syscall_nr = syscall_find_name(syscall_name);
		96	if (error_name) {
		97	*error_nr = errno_find_name(error_name);
		98	if (*error_nr == -1)
		99	*syscall_nr = -1;
		100	}
		101
		102	free(str);
		103	return;
		104
		105	error:
		106	fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name);
		107	exit(1);
		108	}
		109
70	// return 1 if error, 0 if OK	110	// return 1 if error, 0 if OK
71	int syscall_check_list(const char slist, void (callback)(int fd, int syscall, int arg), int fd, int arg) {	111	int syscall_check_list(const char slist, void (callback)(int fd, int syscall, int arg), int fd, int arg) {
72	// don't allow empty lists	112	// don't allow empty lists
73	if (slist == NULL \|\| *slist == '\0') {	113	if (slist == NULL \|\| *slist == '\0') {
74	fprintf(stderr, "Error: empty syscall lists are not allowed\n");	114	fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
75	return -1;	115	exit(1);
76	}	116	}
77		117
78	// work on a copy of the string	118	// work on a copy of the string
@@ -80,29 +120,28 @@ int syscall_check_list(const char slist, void (callback)(int fd, int syscall,
80	if (!str)	120	if (!str)
81	errExit("strdup");	121	errExit("strdup");
82		122
83	char *ptr = str;	123	char *ptr =strtok(str, ",");
84	char *start = str;	124	if (ptr == NULL) {
85	while (*ptr != '\0') {	125	fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
86	if (islower(ptr) \|\| isdigit(ptr) \|\| *ptr == '_')	126	exit(1);
87	;
88	else if (*ptr == ',') {
89	*ptr = '\0';
90	int nr = syscall_find_name(start);
91	if (nr == -1)
92	fprintf(stderr, "Warning: syscall %s not found\n", start);
93	else if (callback != NULL)
94	callback(fd, nr, arg);
95
96	start = ptr + 1;
97	}
98	ptr++;
99	}	127	}
100	if (*start != '\0') {	128
101	int nr = syscall_find_name(start);	129	while (ptr) {
102	if (nr == -1)	130	printf("ptr %s\n", ptr);
103	fprintf(stderr, "Warning: syscall %s not found\n", start);	131
104	else if (callback != NULL)	132	int syscall_nr;
105	callback(fd, nr, arg);	133	int error_nr;
		134	syscall_process_name(ptr, &syscall_nr, &error_nr);
		135	printf("%d, %d\n", syscall_nr, error_nr);
		136	if (syscall_nr == -1)
		137	fprintf(stderr, "Warning fseccomp: syscall %s not found\n", ptr);
		138	else if (callback != NULL) {
		139	if (error_nr != -1)
		140	filter_add_errno(fd, syscall_nr, error_nr);
		141	else
		142	callback(fd, syscall_nr, arg);
		143	}
		144	ptr = strtok(NULL, ",");
106	}	145	}
107		146
108	free(str);	147	free(str);