author | Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 23:22:38 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 23:33:11 +0300 |
commit | d01216de45884300c87e7d3ccb70e53ebb461449 (patch) | |
tree | 480519f5849df4c6048a7f62ec97f96e51174c3e /src/include | |
parent | Merge update after #1483 (diff) | |
Feature: switch/config option to block secondary architectures
Add a feature for a new (opt-in) command line switch and config file
option to block secondary architectures entirely. Also block changing the
Linux execution domain via the personality() system call for the primary
architecture.
Closes #1479
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/seccomp.h | 9 |
1 files changed, 9 insertions, 0 deletions
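--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -105,6 +105,11 @@ struct seccomp_data {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
+#define VALIDATE_ARCHITECTURE_KILL \
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
 #define VALIDATE_ARCHITECTURE_64 \
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
@@ -122,6 +127,10 @@ struct seccomp_data {
 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
 RETURN_ERRNO(EPERM)
+#define HANDLE_X32_KILL \
+BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
+BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
+KILL_PROCESS
 #endif
 
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \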
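Review bot: The two new kill paths spell the terminating action differently — VALIDATE_ARCHITECTURE_KILL (new line 111) writes `BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)` inline while HANDLE_X32_KILL (new line 133) uses the `KILL_PROCESS` macro; if KILL_PROCESS expands to that same return statement (its definition is outside this hunk), line 111 should read `KILL_PROCESS` so the kill action is defined in exactly one place and a later change to it cannot leave the architecture check behind. Neither macro carries a comment, and the always-taken `BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0)` in HANDLE_X32_KILL is easy to misread as a real comparison; a header comment such as `/* arch != ARCH_NR: terminate the caller instead of passing the call through (contrast VALIDATE_ARCHITECTURE) */` above line 108 and `/* nr >= X32_SYSCALL_BIT: kill; the JGE 0 below is an unconditional jump past KILL_PROCESS */` above line 130 would make the filter logic reviewable. It is also worth noting in that comment that on kernels of this era SECCOMP_RET_KILL terminates only the calling thread, so in a multithreaded program the remaining threads keep running after a blocked secondary-architecture call.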