author | Topi Miettinen <toiwoton@gmail.com> | 2021-01-31 00:15:31 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2021-02-01 20:09:21 +0000 |
commit | 0040969e439dbddb76bc190900b453b71e895068 (patch) | |
tree | 3d9606b116e47f8702d86fde5194d8c8d22fdde5 /src/include | |
parent | Add profile for avidemux (#3935) (diff) | |
Seccomp error action fixes
fsec-optimize: Optimize BPF with current seccomp error action, not
just KILL
fseccomp: use correct BPF code for errno action
firejail: honor seccomp error action for X32 and secondary filters,
rebuild filters if the error action is changed
Closes: #3933
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/seccomp.h | 10 |
1 files changed, 4 insertions, 6 deletions
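--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -201,7 +201,7 @@
 #define VALIDATE_ARCHITECTURE_KILL \
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+KILL_OR_RETURN_ERRNO
 
 #define VALIDATE_ARCHITECTURE_64 \
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
@@ -222,11 +222,7 @@
 #define HANDLE_X32 \
 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-RETURN_ERRNO(EPERM)
-#define HANDLE_X32_KILL \
-BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
-BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+KILL_OR_RETURN_ERRNO
 #endif
 
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
@@ -258,6 +254,8 @@
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 
 extern int arg_seccomp_error_action; // error action: errno, log or kill
+#define DEFAULT_SECCOMP_ERROR_ACTION EPERM
+
 #define KILL_OR_RETURN_ERRNO \
 BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
 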
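Review bot: DEFAULT_SECCOMP_ERROR_ACTION is a bare errno (EPERM) while KILL_OR_RETURN_ERRNO, two lines below it, emits arg_seccomp_error_action verbatim as the BPF return word, so the two have different units and the header never says so; the neighbouring RETURN_ERRNO(nr) shows the expected form, `SECCOMP_RET_ERRNO | nr`. If any caller assigns the default unwrapped, the kernel masks the low bits off and treats the return as action 0 (kill thread) with EPERM as data rather than as an errno return, which is presumably what the "use correct BPF code for errno action" part of this commit repairs elsewhere. I would document the contract on the declaration: `extern int arg_seccomp_error_action; // full SECCOMP_RET_* word (e.g. SECCOMP_RET_ERRNO | errno), never a bare errno` and `#define DEFAULT_SECCOMP_ERROR_ACTION EPERM // errno only; OR with SECCOMP_RET_ERRNO before storing in arg_seccomp_error_action`. The first hunk also leaves VALIDATE_ARCHITECTURE_KILL with a name that no longer matches its expansion, which is now whatever the runtime error action is; a one-line comment that the name is historical and the action is configurable would save the next reader a detour. Because both macros now reference a runtime global, any static-storage filter array initialized with them would no longer compile, so this presumably relies on every user building the array in automatic storage; that is outside this file and worth confirming.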