diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2017-08-30 23:03:22 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-30 23:03:22 +0300 |
| commit | a3e734279d04b8fd9a96367361fac4a80bbac61d (patch) | |
| tree | 8ee408ceee1bd342056eb569527bff5e90cdcab9 /src | |
| parent | removed alsa tests from travis (diff) | |
| download | firejail-a3e734279d04b8fd9a96367361fac4a80bbac61d.tar.gz firejail-a3e734279d04b8fd9a96367361fac4a80bbac61d.tar.zst firejail-a3e734279d04b8fd9a96367361fac4a80bbac61d.zip | |
Improve cross-platform build
Diffstat (limited to 'src')
| -rw-r--r-- | src/fseccomp/seccomp.c | 30 |
1 files changed, 21 insertions, 9 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index 7262bc2ca..e14a473fe 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
| @@ -191,6 +191,21 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) { | |||
| 191 | close(fd); | 191 | close(fd); |
| 192 | } | 192 | } |
| 193 | 193 | ||
| 194 | #if defined(__x86_64__) || defined(__aarch64__) || defined(__powerpc64__) | ||
| 195 | # define filter_syscall SYS_mmap | ||
| 196 | # undef block_syscall | ||
| 197 | #elif defined(__i386__) | ||
| 198 | # define filter_syscall SYS_mmap2 | ||
| 199 | # define block_syscall SYS_mmap | ||
| 200 | #elif defined(__arm__) | ||
| 201 | # define filter_syscall SYS_mmap2 | ||
| 202 | # undef block_syscall | ||
| 203 | #else | ||
| 204 | # warning "Platform does not support seccomp memory-deny-write-execute filter yet" | ||
| 205 | # undef filter_syscall | ||
| 206 | # undef block_syscall | ||
| 207 | #endif | ||
| 208 | |||
| 194 | void memory_deny_write_execute(const char *fname) { | 209 | void memory_deny_write_execute(const char *fname) { |
| 195 | // open file | 210 | // open file |
| 196 | int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 211 | int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
| @@ -203,22 +218,19 @@ void memory_deny_write_execute(const char *fname) { | |||
| 203 | 218 | ||
| 204 | // build filter | 219 | // build filter |
| 205 | static const struct sock_filter filter[] = { | 220 | static const struct sock_filter filter[] = { |
| 206 | #ifdef __i386__ | 221 | #ifdef block_syscall |
| 207 | // block old multiplexing mmap syscall for i386 | 222 | // block old multiplexing mmap syscall for i386 |
| 208 | BLACKLIST(SYS_mmap), | 223 | BLACKLIST(block_syscall), |
| 209 | #endif | 224 | #endif |
| 225 | #ifdef filter_syscall | ||
| 210 | // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created | 226 | // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created |
| 211 | #ifdef __i386__ | 227 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, filter_syscall, 0, 5), |
| 212 | // mmap2 is used for mmap on i386 these days | ||
| 213 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5), | ||
| 214 | #else | ||
| 215 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5), | ||
| 216 | #endif | ||
| 217 | EXAMINE_ARGUMENT(2), | 228 | EXAMINE_ARGUMENT(2), |
| 218 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC), | 229 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC), |
| 219 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1), | 230 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1), |
| 220 | KILL_PROCESS, | 231 | KILL_PROCESS, |
| 221 | RETURN_ALLOW, | 232 | RETURN_ALLOW, |
| 233 | #endif | ||
| 222 | 234 | ||
| 223 | // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable | 235 | // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable |
| 224 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5), | 236 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5), |
| @@ -228,7 +240,7 @@ void memory_deny_write_execute(const char *fname) { | |||
| 228 | KILL_PROCESS, | 240 | KILL_PROCESS, |
| 229 | RETURN_ALLOW, | 241 | RETURN_ALLOW, |
| 230 | 242 | ||
| 231 | // shmat is not implemented as a syscall on some platforms (i386, possibly arm) | 243 | // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le) |
| 232 | #ifdef SYS_shmat | 244 | #ifdef SYS_shmat |
| 233 | // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created | 245 | // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created |
| 234 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5), | 246 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5), |