author | valoq <valoq@mailbox.org> | 2016-10-29 19:20:40 +0200 |
---|---|---|
committer | valoq <valoq@mailbox.org> | 2016-10-29 19:20:40 +0200 |
commit | 4109b0dc8c13eace4d143a4a5f59018f9e29785d (patch) | |
tree | 1b3d6f85fa6f6de4ab3f5b78815de9a3c00437e6 /src/include/seccomp.h | |
parent | added profile for wire (diff) | |
parent | Merge pull request #878 from msva/patch-1 (diff) | |
Merge remote-tracking branch 'upstream/master'
Diffstat (limited to 'src/include/seccomp.h')
-rw-r--r-- | src/include/seccomp.h | 149 |
1 files changed, 149 insertions, 0 deletions
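--- /dev/null
+++ b/src/include/seccomp.h
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/* default seccomp filter
+// seccomp
+struct sock_filter filter[] = {
+VALIDATE_ARCHITECTURE,
+EXAMINE_SYSCALL,
+BLACKLIST(SYS_mount), // mount/unmount filesystems
+BLACKLIST(SYS_umount2),
+BLACKLIST(SYS_ptrace), // trace processes
+BLACKLIST(SYS_kexec_load), // loading a different kernel
+BLACKLIST(SYS_open_by_handle_at), // open by handle
+BLACKLIST(SYS_init_module), // kernel module handling
+BLACKLIST(SYS_finit_module),
+BLACKLIST(SYS_delete_module),
+BLACKLIST(SYS_iopl), // io permissions
+BLACKLIST(SYS_ioperm),
+BLACKLIST(SYS_iopl), // io permissions
+BLACKLIST(SYS_ni_syscall),
+BLACKLIST(SYS_swapon), // swap on/off
+BLACKLIST(SYS_swapoff),
+BLACKLIST(SYS_syslog), // kernel printk control
+RETURN_ALLOW
+};
+
+struct sock_fprog prog = {
+.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+.filter = filter,
+};
+
+
+if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+perror("prctl(NO_NEW_PRIVS)");
+return 1;
+}
+if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+perror("prctl");
+return 1;
+}
+*/
+
+#ifndef SECCOMP_H
+#define SECCOMP_H
+#include <errno.h>
+#include <linux/filter.h>
+#include <sys/syscall.h>
+#include <linux/capability.h>
+#include <linux/audit.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include <sys/prctl.h>
+#ifndef PR_SET_NO_NEW_PRIVS
+# define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#if HAVE_SECCOMP_H
+#include <linux/seccomp.h>
+#else
+#define SECCOMP_MODE_FILTER 2
+#define SECCOMP_RET_KILL 0x00000000U
+#define SECCOMP_RET_TRAP 0x00030000U
+#define SECCOMP_RET_ALLOW 0x7fff0000U
+#define SECCOMP_RET_ERRNO 0x00050000U
+#define SECCOMP_RET_DATA 0x0000ffffU
+struct seccomp_data {
+int nr;
+__u32 arch;
+__u64 instruction_pointer;
+__u64 args[6];
+};
+#endif
+
+#if defined(__i386__)
+# define ARCH_NR AUDIT_ARCH_I386
+#elif defined(__x86_64__)
+# define ARCH_NR AUDIT_ARCH_X86_64
+#elif defined(__arm__)
+# define ARCH_NR AUDIT_ARCH_ARM
+#else
+# warning "Platform does not support seccomp filter yet"
+# define ARCH_NR 0
+#endif
+
+#define VALIDATE_ARCHITECTURE \
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define VALIDATE_ARCHITECTURE_64 \
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define VALIDATE_ARCHITECTURE_32 \
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+(offsetof(struct seccomp_data, nr)))
+
+#define EXAMINE_ARGUMENT(nr) BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+(offsetof(struct seccomp_data, args[nr])))
+
+#define ONLY(syscall_nr) \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 1, 0), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define BLACKLIST(syscall_nr) \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
+#define WHITELIST(syscall_nr) \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define BLACKLIST_ERRNO(syscall_nr, nr) \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
+
+#define RETURN_ALLOW \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define RETURN_ERRNO(nr) \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
+
+#define KILL_PROCESS \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
+#endif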
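Review bot: The third statement of VALIDATE_ARCHITECTURE (and of the _64/_32 variants) returns SECCOMP_RET_ALLOW when the loaded audit arch does not equal ARCH_NR, so a system call entered through a foreign ABI is accepted before any BLACKLIST rule is reached, and with the `#else` fallback of `ARCH_NR 0` the whole filter becomes a no-op on unsupported platforms. Unless a caller deliberately chains several arch blocks and relies on this pass-through, the mismatch branch should fail closed as the kernel's own samples do, `BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)`, or the intended allow-on-mismatch should be stated in a comment above the macro. Separately, `offsetof` is used in these macros but `<stddef.h>` is not among the includes, so whether it is defined appears to depend on what `<linux/filter.h>` pulls in transitively. BLACKLIST_ERRNO and RETURN_ERRNO also splice the macro argument unparenthesized and unmasked; `(SECCOMP_RET_ERRNO | ((nr) & SECCOMP_RET_DATA))` keeps a stray high bit in `nr` from changing the action.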