diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 23:22:38 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 23:33:11 +0300 |
| commit | d01216de45884300c87e7d3ccb70e53ebb461449 (patch) | |
| tree | 480519f5849df4c6048a7f62ec97f96e51174c3e /src/include | |
| parent | Merge update after #1483 (diff) | |
| download | firejail-d01216de45884300c87e7d3ccb70e53ebb461449.tar.gz firejail-d01216de45884300c87e7d3ccb70e53ebb461449.tar.zst firejail-d01216de45884300c87e7d3ccb70e53ebb461449.zip | |
Feature: switch/config option to block secondary architectures
Add a feature for a new (opt-in) command line switch and config file
option to block secondary architectures entirely. Also block changing
Linux execution domain with personality() system call for the primary
architecture.
Closes #1479
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/seccomp.h | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index b1a19a9b6..2f2b2384d 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
| @@ -105,6 +105,11 @@ struct seccomp_data { | |||
| 105 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ | 105 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ |
| 106 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 106 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
| 107 | 107 | ||
| 108 | #define VALIDATE_ARCHITECTURE_KILL \ | ||
| 109 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | ||
| 110 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ | ||
| 111 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) | ||
| 112 | |||
| 108 | #define VALIDATE_ARCHITECTURE_64 \ | 113 | #define VALIDATE_ARCHITECTURE_64 \ |
| 109 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 114 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
| 110 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \ | 115 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \ |
| @@ -122,6 +127,10 @@ struct seccomp_data { | |||
| 122 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ | 127 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ |
| 123 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ | 128 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ |
| 124 | RETURN_ERRNO(EPERM) | 129 | RETURN_ERRNO(EPERM) |
| 130 | #define HANDLE_X32_KILL \ | ||
| 131 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ | ||
| 132 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ | ||
| 133 | KILL_PROCESS | ||
| 125 | #endif | 134 | #endif |
| 126 | 135 | ||
| 127 | #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ | 136 | #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ |