sbox/fseccomp

6 files changed, 509 insertions, 0 deletions

diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
new file mode 100644
index 000000000..e7edd1b8f
--- /dev/null
+++ b/src/fseccomp/Makefile.in
@@ -0,0 +1,43 @@
+all: fseccomp
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h ../include/syscall.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+fseccomp: $(OBJS) ../lib/libnetlink.o ../lib/common.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -f *.o fseccomp
+
+distclean: clean
+        rm -fr Makefile
+
diff --git a/src/fseccomp/errno.c b/src/fseccomp/errno.c
new file mode 100644
index 000000000..625f484bd
--- /dev/null
+++ b/src/fseccomp/errno.c
@@ -0,0 +1,161 @@
+#include "fseccomp.h"
+
+#include <errno.h>
+//#include <attr/xattr.h>
+
+typedef struct {
+        char *name;
+        int nr;
+} ErrnoEntry;
+
+static ErrnoEntry errnolist[] = {
+//
+// code generated using tools/extract-errnos
+//
+        {"EPERM", EPERM},
+        {"ENOENT", ENOENT},
+        {"ESRCH", ESRCH},
+        {"EINTR", EINTR},
+        {"EIO", EIO},
+        {"ENXIO", ENXIO},
+        {"E2BIG", E2BIG},
+        {"ENOEXEC", ENOEXEC},
+        {"EBADF", EBADF},
+        {"ECHILD", ECHILD},
+        {"EAGAIN", EAGAIN},
+        {"ENOMEM", ENOMEM},
+        {"EACCES", EACCES},
+        {"EFAULT", EFAULT},
+        {"ENOTBLK", ENOTBLK},
+        {"EBUSY", EBUSY},
+        {"EEXIST", EEXIST},
+        {"EXDEV", EXDEV},
+        {"ENODEV", ENODEV},
+        {"ENOTDIR", ENOTDIR},
+        {"EISDIR", EISDIR},
+        {"EINVAL", EINVAL},
+        {"ENFILE", ENFILE},
+        {"EMFILE", EMFILE},
+        {"ENOTTY", ENOTTY},
+        {"ETXTBSY", ETXTBSY},
+        {"EFBIG", EFBIG},
+        {"ENOSPC", ENOSPC},
+        {"ESPIPE", ESPIPE},
+        {"EROFS", EROFS},
+        {"EMLINK", EMLINK},
+        {"EPIPE", EPIPE},
+        {"EDOM", EDOM},
+        {"ERANGE", ERANGE},
+        {"EDEADLK", EDEADLK},
+        {"ENAMETOOLONG", ENAMETOOLONG},
+        {"ENOLCK", ENOLCK},
+        {"ENOSYS", ENOSYS},
+        {"ENOTEMPTY", ENOTEMPTY},
+        {"ELOOP", ELOOP},
+        {"EWOULDBLOCK", EWOULDBLOCK},
+        {"ENOMSG", ENOMSG},
+        {"EIDRM", EIDRM},
+        {"ECHRNG", ECHRNG},
+        {"EL2NSYNC", EL2NSYNC},
+        {"EL3HLT", EL3HLT},
+        {"EL3RST", EL3RST},
+        {"ELNRNG", ELNRNG},
+        {"EUNATCH", EUNATCH},
+        {"ENOCSI", ENOCSI},
+        {"EL2HLT", EL2HLT},
+        {"EBADE", EBADE},
+        {"EBADR", EBADR},
+        {"EXFULL", EXFULL},
+        {"ENOANO", ENOANO},
+        {"EBADRQC", EBADRQC},
+        {"EBADSLT", EBADSLT},
+        {"EDEADLOCK", EDEADLOCK},
+        {"EBFONT", EBFONT},
+        {"ENOSTR", ENOSTR},
+        {"ENODATA", ENODATA},
+        {"ETIME", ETIME},
+        {"ENOSR", ENOSR},
+        {"ENONET", ENONET},
+        {"ENOPKG", ENOPKG},
+        {"EREMOTE", EREMOTE},
+        {"ENOLINK", ENOLINK},
+        {"EADV", EADV},
+        {"ESRMNT", ESRMNT},
+        {"ECOMM", ECOMM},
+        {"EPROTO", EPROTO},
+        {"EMULTIHOP", EMULTIHOP},
+        {"EDOTDOT", EDOTDOT},
+        {"EBADMSG", EBADMSG},
+        {"EOVERFLOW", EOVERFLOW},
+        {"ENOTUNIQ", ENOTUNIQ},
+        {"EBADFD", EBADFD},
+        {"EREMCHG", EREMCHG},
+        {"ELIBACC", ELIBACC},
+        {"ELIBBAD", ELIBBAD},
+        {"ELIBSCN", ELIBSCN},
+        {"ELIBMAX", ELIBMAX},
+        {"ELIBEXEC", ELIBEXEC},
+        {"EILSEQ", EILSEQ},
+        {"ERESTART", ERESTART},
+        {"ESTRPIPE", ESTRPIPE},
+        {"EUSERS", EUSERS},
+        {"ENOTSOCK", ENOTSOCK},
+        {"EDESTADDRREQ", EDESTADDRREQ},
+        {"EMSGSIZE", EMSGSIZE},
+        {"EPROTOTYPE", EPROTOTYPE},
+        {"ENOPROTOOPT", ENOPROTOOPT},
+        {"EPROTONOSUPPORT", EPROTONOSUPPORT},
+        {"ESOCKTNOSUPPORT", ESOCKTNOSUPPORT},
+        {"EOPNOTSUPP", EOPNOTSUPP},
+        {"EPFNOSUPPORT", EPFNOSUPPORT},
+        {"EAFNOSUPPORT", EAFNOSUPPORT},
+        {"EADDRINUSE", EADDRINUSE},
+        {"EADDRNOTAVAIL", EADDRNOTAVAIL},
+        {"ENETDOWN", ENETDOWN},
+        {"ENETUNREACH", ENETUNREACH},
+        {"ENETRESET", ENETRESET},
+        {"ECONNABORTED", ECONNABORTED},
+        {"ECONNRESET", ECONNRESET},
+        {"ENOBUFS", ENOBUFS},
+        {"EISCONN", EISCONN},
+        {"ENOTCONN", ENOTCONN},
+        {"ESHUTDOWN", ESHUTDOWN},
+        {"ETOOMANYREFS", ETOOMANYREFS},
+        {"ETIMEDOUT", ETIMEDOUT},
+        {"ECONNREFUSED", ECONNREFUSED},
+        {"EHOSTDOWN", EHOSTDOWN},
+        {"EHOSTUNREACH", EHOSTUNREACH},
+        {"EALREADY", EALREADY},
+        {"EINPROGRESS", EINPROGRESS},
+        {"ESTALE", ESTALE},
+        {"EUCLEAN", EUCLEAN},
+        {"ENOTNAM", ENOTNAM},
+        {"ENAVAIL", ENAVAIL},
+        {"EISNAM", EISNAM},
+        {"EREMOTEIO", EREMOTEIO},
+        {"EDQUOT", EDQUOT},
+        {"ENOMEDIUM", ENOMEDIUM},
+        {"EMEDIUMTYPE", EMEDIUMTYPE},
+        {"ECANCELED", ECANCELED},
+        {"ENOKEY", ENOKEY},
+        {"EKEYEXPIRED", EKEYEXPIRED},
+        {"EKEYREVOKED", EKEYREVOKED},
+        {"EKEYREJECTED", EKEYREJECTED},
+        {"EOWNERDEAD", EOWNERDEAD},
+        {"ENOTRECOVERABLE", ENOTRECOVERABLE},
+        {"ERFKILL", ERFKILL},
+        {"EHWPOISON", EHWPOISON},
+        {"ENOTSUP", ENOTSUP},
+#ifdef  ENOATTR
+        {"ENOATTR", ENOATTR},
+#endif  
+};
+
+void errno_print(void) {
+        int i;
+        int elems = sizeof(errnolist) / sizeof(errnolist[0]);
+        for (i = 0; i < elems; i++) {
+                printf("%d\t- %s\n", errnolist[i].nr, errnolist[i].name);
+        }
+        printf("\n");
+}
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
new file mode 100644
index 000000000..57757ea6c
--- /dev/null
+++ b/src/fseccomp/fseccomp.h
@@ -0,0 +1,18 @@
+#ifndef FSECCOMP_H
+#define FSECCOMP_H
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "../include/common.h"
+
+// syscall.c
+void syscall_print(void);
+
+// errno.c
+void errno_print(void);
+
+// protocol.c
+void protocol_print(void);
+void protocol_build_filter(const char *prlist, const char *fname);
+#endif
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
new file mode 100644
index 000000000..59d426a78
--- /dev/null
+++ b/src/fseccomp/main.c
@@ -0,0 +1,42 @@
+#include "fseccomp.h"
+
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfseccomp debug-syscalls\n");
+        printf("\tfseccomp debug-errnos\n");
+        printf("\tfseccomp debug-protocols\n");
+        printf("\tfseccomp protocol build list file\n");
+}
+
+int main(int argc, char **argv) {
+//#if 0
+{
+//system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}       
+//#endif
+        if (argc < 2)
+                return 1;
+                
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+        else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
+                syscall_print();
+        else if (argc == 2 && strcmp(argv[1], "debug-errnos") == 0)
+                errno_print();
+        else if (argc == 2 && strcmp(argv[1], "debug-protocols") == 0)
+                protocol_print();
+        else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
+                protocol_build_filter(argv[3], argv[4]);
+        else {
+                fprintf(stderr, "Error fseccomp: invalid arguments\n");
+                return 1;
+        }
+
+        return 0;
+}
\ No newline at end of file
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
new file mode 100644
index 000000000..38c5f9d88
--- /dev/null
+++ b/src/fseccomp/protocol.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+/*
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                ONLY(SYS_socket),
+                EXAMINE_ARGUMENT(0), // allow only AF_INET and AF_INET6, drop everything else
+                WHITELIST(AF_INET),
+                WHITELIST(AF_INET6),
+                WHITELIST(AF_PACKET),
+                RETURN_ERRNO(ENOTSUP)
+        };
+        struct sock_fprog prog = {
+                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+                .filter = filter,
+        };
+
+
+        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                perror("prctl(NO_NEW_PRIVS)");
+                return 1;
+        }
+        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+                perror("prctl");
+                return 1;
+        }
+*/
+
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+static char *protocol[] = {
+        "unix",
+        "inet",
+        "inet6",
+        "netlink",
+        "packet",
+        NULL
+};
+
+static struct sock_filter protocol_filter_command[] = {
+        WHITELIST(AF_UNIX),
+        WHITELIST(AF_INET),
+        WHITELIST(AF_INET6),
+        WHITELIST(AF_NETLINK),
+        WHITELIST(AF_PACKET)
+};
+// Note: protocol[] and protocol_filter_command are synchronized
+
+// command length
+struct sock_filter whitelist[] = {
+        WHITELIST(AF_UNIX)
+};
+unsigned whitelist_len = sizeof(whitelist) / sizeof(struct sock_filter);
+
+static struct sock_filter *find_protocol_domain(const char *p) {
+        int i = 0;
+        while (protocol[i] != NULL) {
+                if (strcmp(protocol[i], p) == 0)
+                        return &protocol_filter_command[i * whitelist_len];
+                i++;
+        }
+
+        return NULL;
+}       
+
+
+void protocol_print(void) {
+#ifndef SYS_socket
+        fprintf(stderr, "Warning fseccomp: firejail --protocol not supported on this platform\n");
+        return;
+#endif
+
+        int i = 0;
+        while (protocol[i] != NULL) {
+                printf("%s, ", protocol[i]);
+                i++;
+        }
+        printf("\n");
+}
+
+// install protocol filter
+void protocol_build_filter(const char *prlist, const char *fname) {
+        assert(prlist);
+        assert(fname);
+
+#ifndef SYS_socket
+        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
+        return;
+#else
+        // build the filter
+        struct sock_filter filter[32];  // big enough
+        memset(&filter[0], 0, sizeof(filter));
+        uint8_t *ptr = (uint8_t *) &filter[0];
+        
+        // header
+        struct sock_filter filter_start[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                ONLY(SYS_socket),
+                EXAMINE_ARGUMENT(0)
+        };
+        memcpy(ptr, &filter_start[0], sizeof(filter_start));
+        ptr += sizeof(filter_start);
+
+#if 0
+printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter)));
+{
+        unsigned j;
+        unsigned char *ptr2 = (unsigned char *) &filter[0];
+        for (j = 0; j < sizeof(filter); j++, ptr2++) {
+                if ((j % (sizeof(struct sock_filter))) == 0)
+                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
+                printf("%02x, ", (*ptr2) & 0xff);
+        }
+        printf("\n");
+}
+printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter));
+#endif
+
+
+        // parse list and add commands
+        char *tmplist = strdup(prlist);
+        if (!tmplist)
+                errExit("strdup");
+        char *token = strtok(tmplist, ",");
+        if (!token)
+                errExit("strtok");
+                
+        while (token) {
+                struct sock_filter *domain = find_protocol_domain(token);
+                if (domain == NULL) {
+                        fprintf(stderr, "Error fseccomp: %s is not a valid protocol\n", token);
+                        exit(1);
+                }
+                memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));
+                ptr += whitelist_len * sizeof(struct sock_filter);
+                token = strtok(NULL, ",");
+
+#if 0
+printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
+{
+        unsigned j;
+        unsigned char *ptr2 = (unsigned char *) &filter[0];
+        for (j = 0; j < sizeof(filter); j++, ptr2++) {
+                if ((j % (sizeof(struct sock_filter))) == 0)
+                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
+                printf("%02x, ", (*ptr2) & 0xff);
+        }
+        printf("\n");
+}
+#endif
+
+
+        }       
+        free(tmplist);
+
+        // add end of filter
+        struct sock_filter filter_end[] = {
+                RETURN_ERRNO(ENOTSUP)
+        };
+        memcpy(ptr, &filter_end[0], sizeof(filter_end));
+        ptr += sizeof(filter_end);
+
+#if 0
+printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
+{
+        unsigned j;
+        unsigned char *ptr2 = (unsigned char *) &filter[0];
+        for (j = 0; j < sizeof(filter); j++, ptr2++) {
+                if ((j % (sizeof(struct sock_filter))) == 0)
+                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
+                printf("%02x, ", (*ptr2) & 0xff);
+        }
+        printf("\n");
+}
+#endif  
+        // save filter to file
+        int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (dst < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        
+        int size = (int) ((uintptr_t) ptr - (uintptr_t) (filter));
+        int written = 0;
+        while (written < size) {
+                int rv = write(dst, (unsigned char *) filter + written, size - written);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
+                        exit(1);
+                }
+                written += rv;
+        }
+        close(dst);
+#endif // SYS_socket    
+}
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
new file mode 100644
index 000000000..c67d45598
--- /dev/null
+++ b/src/fseccomp/syscall.c
@@ -0,0 +1,26 @@
+#include "fseccomp.h"
+#include <sys/syscall.h>
+
+typedef struct {
+        char *name;
+        int nr;
+} SyscallEntry;
+
+static SyscallEntry syslist[] = {
+//
+// code generated using tools/extract-syscall
+//
+#include "../include/syscall.h"
+//
+// end of generated code
+//
+}; // end of syslist
+
+void syscall_print(void) {
+        int i;
+        int elems = sizeof(syslist) / sizeof(syslist[0]);
+        for (i = 0; i < elems; i++) {
+                printf("%d\t- %s\n", syslist[i].nr, syslist[i].name);
+        }
+        printf("\n");
+}