diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2017-09-02 14:05:31 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2017-09-02 14:05:31 +0300 |
| commit | cb5d361a7b52844bb18346f1829b69b4b7084439 (patch) | |
| tree | a5c75843eca9db0ee432dde47454f2ec06224fb8 /src | |
| parent | Workaround for build problems, but correct problem this time (diff) | |
| download | firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.tar.gz firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.tar.zst firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.zip | |
Improve seccomp support for non-x86 architectures
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/firejail.h | 8 | ||||
| -rw-r--r-- | src/firejail/preproc.c | 4 | ||||
| -rw-r--r-- | src/firejail/seccomp.c | 24 | ||||
| -rw-r--r-- | src/fseccomp/seccomp_print.c | 4 | ||||
| -rw-r--r-- | src/fseccomp/seccomp_secondary.c | 2 | ||||
| -rw-r--r-- | src/include/seccomp.h | 58 |
6 files changed, 77 insertions, 23 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 435b9527d..60a43a600 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -54,15 +54,15 @@ | |||
| 54 | 54 | ||
| 55 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter | 55 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter |
| 56 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter | 56 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter |
| 57 | #define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures | 57 | #define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures |
| 58 | #define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures | 58 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures |
| 59 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute | 59 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute |
| 60 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter | 60 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter |
| 61 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library | 61 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library |
| 62 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make | 62 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make |
| 63 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make | 63 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make |
| 64 | #define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make | 64 | #define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make |
| 65 | #define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make | 65 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make |
| 66 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make | 66 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make |
| 67 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make | 67 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make |
| 68 | 68 | ||
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index bf1ef0469..0b447e03b 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
| @@ -79,8 +79,8 @@ void preproc_mount_mnt_dir(void) { | |||
| 79 | copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed | 79 | copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed |
| 80 | else { | 80 | else { |
| 81 | //copy default seccomp files | 81 | //copy default seccomp files |
| 82 | copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed | 82 | copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed |
| 83 | copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed | 83 | copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed |
| 84 | } | 84 | } |
| 85 | if (arg_allow_debuggers) | 85 | if (arg_allow_debuggers) |
| 86 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed | 86 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7b45e2574..e75863c3a 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
| @@ -137,22 +137,22 @@ errexit: | |||
| 137 | exit(1); | 137 | exit(1); |
| 138 | } | 138 | } |
| 139 | 139 | ||
| 140 | // i386 filter installed on amd64 architectures | 140 | // 32 bit arch filter installed on 64 bit architectures |
| 141 | #if defined(__x86_64__) | 141 | #if defined(__LP64__) |
| 142 | static void seccomp_filter_32(void) { | 142 | static void seccomp_filter_32(void) { |
| 143 | if (seccomp_load(RUN_SECCOMP_I386) == 0) { | 143 | if (seccomp_load(RUN_SECCOMP_32) == 0) { |
| 144 | if (arg_debug) | 144 | if (arg_debug) |
| 145 | printf("Dual i386/amd64 seccomp filter configured\n"); | 145 | printf("Dual 32/64 bit seccomp filter configured\n"); |
| 146 | } | 146 | } |
| 147 | } | 147 | } |
| 148 | #endif | 148 | #endif |
| 149 | 149 | ||
| 150 | // amd64 filter installed on i386 architectures | 150 | // 64 bit arch filter installed on 32 bit architectures |
| 151 | #if defined(__i386__) | 151 | #if defined(__ILP32__) |
| 152 | static void seccomp_filter_64(void) { | 152 | static void seccomp_filter_64(void) { |
| 153 | if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { | 153 | if (seccomp_load(RUN_SECCOMP_64) == 0) { |
| 154 | if (arg_debug) | 154 | if (arg_debug) |
| 155 | printf("Dual i386/amd64 seccomp filter configured\n"); | 155 | printf("Dual 32/64 bit seccomp filter configured\n"); |
| 156 | } | 156 | } |
| 157 | } | 157 | } |
| 158 | #endif | 158 | #endif |
| @@ -177,10 +177,10 @@ int seccomp_filter_drop(void) { | |||
| 177 | if (arg_seccomp_block_secondary) | 177 | if (arg_seccomp_block_secondary) |
| 178 | seccomp_filter_block_secondary(); | 178 | seccomp_filter_block_secondary(); |
| 179 | else { | 179 | else { |
| 180 | #if defined(__x86_64__) | 180 | #if defined(__LP64__) |
| 181 | seccomp_filter_32(); | 181 | seccomp_filter_32(); |
| 182 | #endif | 182 | #endif |
| 183 | #if defined(__i386__) | 183 | #if defined(__ILP32__) |
| 184 | seccomp_filter_64(); | 184 | seccomp_filter_64(); |
| 185 | #endif | 185 | #endif |
| 186 | } | 186 | } |
| @@ -190,10 +190,10 @@ int seccomp_filter_drop(void) { | |||
| 190 | if (arg_seccomp_block_secondary) | 190 | if (arg_seccomp_block_secondary) |
| 191 | seccomp_filter_block_secondary(); | 191 | seccomp_filter_block_secondary(); |
| 192 | else { | 192 | else { |
| 193 | #if defined(__x86_64__) | 193 | #if defined(__LP64__) |
| 194 | seccomp_filter_32(); | 194 | seccomp_filter_32(); |
| 195 | #endif | 195 | #endif |
| 196 | #if defined(__i386__) | 196 | #if defined(__ILP32__) |
| 197 | seccomp_filter_64(); | 197 | seccomp_filter_64(); |
| 198 | #endif | 198 | #endif |
| 199 | } | 199 | } |
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index 3793e125d..e8df2bda5 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
| @@ -90,7 +90,7 @@ static int detect_filter_type(void) { | |||
| 90 | } | 90 | } |
| 91 | 91 | ||
| 92 | 92 | ||
| 93 | // testing for secondare amd64 filter | 93 | // testing for secondary 64 bit filter |
| 94 | const struct sock_filter start_secondary_64[] = { | 94 | const struct sock_filter start_secondary_64[] = { |
| 95 | VALIDATE_ARCHITECTURE_64, | 95 | VALIDATE_ARCHITECTURE_64, |
| 96 | EXAMINE_SYSCALL, | 96 | EXAMINE_SYSCALL, |
| @@ -102,7 +102,7 @@ static int detect_filter_type(void) { | |||
| 102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); | 102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); |
| 103 | } | 103 | } |
| 104 | 104 | ||
| 105 | // testing for secondare i386 filter | 105 | // testing for secondary 32 bit filter |
| 106 | const struct sock_filter start_secondary_32[] = { | 106 | const struct sock_filter start_secondary_32[] = { |
| 107 | VALIDATE_ARCHITECTURE_32, | 107 | VALIDATE_ARCHITECTURE_32, |
| 108 | EXAMINE_SYSCALL, | 108 | EXAMINE_SYSCALL, |
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index dd69b58cc..da6a693e6 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c | |||
| @@ -108,7 +108,7 @@ void seccomp_secondary_64(const char *fname) { | |||
| 108 | write_filter(fname, sizeof(filter), filter); | 108 | write_filter(fname, sizeof(filter), filter); |
| 109 | } | 109 | } |
| 110 | 110 | ||
| 111 | // i386 filter installed on amd64 architectures | 111 | // 32 bit arch filter installed on 64 bit architectures |
| 112 | void seccomp_secondary_32(const char *fname) { | 112 | void seccomp_secondary_32(const char *fname) { |
| 113 | // hardcoded syscall values | 113 | // hardcoded syscall values |
| 114 | struct sock_filter filter[] = { | 114 | struct sock_filter filter[] = { |
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 2f2b2384d..133b6ce72 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
| @@ -91,10 +91,64 @@ struct seccomp_data { | |||
| 91 | 91 | ||
| 92 | #if defined(__i386__) | 92 | #if defined(__i386__) |
| 93 | # define ARCH_NR AUDIT_ARCH_I386 | 93 | # define ARCH_NR AUDIT_ARCH_I386 |
| 94 | # define ARCH_32 AUDIT_ARCH_I386 | ||
| 95 | # define ARCH_64 AUDIT_ARCH_X86_64 | ||
| 94 | #elif defined(__x86_64__) | 96 | #elif defined(__x86_64__) |
| 95 | # define ARCH_NR AUDIT_ARCH_X86_64 | 97 | # define ARCH_NR AUDIT_ARCH_X86_64 |
| 98 | # define ARCH_32 AUDIT_ARCH_I386 | ||
| 99 | # define ARCH_64 AUDIT_ARCH_X86_64 | ||
| 100 | #elif defined(__aarch64__) | ||
| 101 | # define ARCH_NR AUDIT_ARCH_AARCH64 | ||
| 102 | # define ARCH_32 AUDIT_ARCH_ARM | ||
| 103 | # define ARCH_64 AUDIT_ARCH_AARCH64 | ||
| 96 | #elif defined(__arm__) | 104 | #elif defined(__arm__) |
| 97 | # define ARCH_NR AUDIT_ARCH_ARM | 105 | # define ARCH_NR AUDIT_ARCH_ARM |
| 106 | # define ARCH_32 AUDIT_ARCH_ARM | ||
| 107 | # define ARCH_64 AUDIT_ARCH_AARCH64 | ||
| 108 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 | ||
| 109 | # define ARCH_NR AUDIT_ARCH_MIPS | ||
| 110 | # define ARCH_32 AUDIT_ARCH_MIPS | ||
| 111 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
| 112 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 | ||
| 113 | # define ARCH_NR AUDIT_ARCH_MIPSEL | ||
| 114 | # define ARCH_32 AUDIT_ARCH_MIPSEL | ||
| 115 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
| 116 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64 | ||
| 117 | # define ARCH_NR AUDIT_ARCH_MIPS64 | ||
| 118 | # define ARCH_32 AUDIT_ARCH_MIPS | ||
| 119 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
| 120 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64 | ||
| 121 | # define ARCH_NR AUDIT_ARCH_MIPSEL64 | ||
| 122 | # define ARCH_32 AUDIT_ARCH_MIPSEL | ||
| 123 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
| 124 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32 | ||
| 125 | # define ARCH_NR AUDIT_ARCH_MIPS64N32 | ||
| 126 | # define ARCH_32 AUDIT_ARCH_MIPS64N32 | ||
| 127 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
| 128 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32 | ||
| 129 | # define ARCH_NR AUDIT_ARCH_MIPSEL64N32 | ||
| 130 | # define ARCH_32 AUDIT_ARCH_MIPSEL64N32 | ||
| 131 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
| 132 | #elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN | ||
| 133 | # define ARCH_NR AUDIT_ARCH_PPC64 | ||
| 134 | # define ARCH_32 AUDIT_ARCH_PPC | ||
| 135 | # define ARCH_64 AUDIT_ARCH_PPC64 | ||
| 136 | #elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN | ||
| 137 | # define ARCH_NR AUDIT_ARCH_PPC64LE | ||
| 138 | # define ARCH_32 AUDIT_ARCH_PPC | ||
| 139 | # define ARCH_64 AUDIT_ARCH_PPC64LE | ||
| 140 | #elif defined(__powerpc__) | ||
| 141 | # define ARCH_NR AUDIT_ARCH_PPC | ||
| 142 | # define ARCH_32 AUDIT_ARCH_PPC | ||
| 143 | # define ARCH_64 AUDIT_ARCH_PPC64LE | ||
| 144 | #elif defined(__s390x__) | ||
| 145 | # define ARCH_NR AUDIT_ARCH_S390X | ||
| 146 | # define ARCH_32 AUDIT_ARCH_S390 | ||
| 147 | # define ARCH_64 AUDIT_ARCH_S390X | ||
| 148 | #elif defined(__s390__) | ||
| 149 | # define ARCH_NR AUDIT_ARCH_S390 | ||
| 150 | # define ARCH_32 AUDIT_ARCH_S390 | ||
| 151 | # define ARCH_64 AUDIT_ARCH_S390X | ||
| 98 | #else | 152 | #else |
| 99 | # warning "Platform does not support seccomp filter yet" | 153 | # warning "Platform does not support seccomp filter yet" |
| 100 | # define ARCH_NR 0 | 154 | # define ARCH_NR 0 |
| @@ -112,12 +166,12 @@ struct seccomp_data { | |||
| 112 | 166 | ||
| 113 | #define VALIDATE_ARCHITECTURE_64 \ | 167 | #define VALIDATE_ARCHITECTURE_64 \ |
| 114 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 168 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
| 115 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \ | 169 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \ |
| 116 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 170 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
| 117 | 171 | ||
| 118 | #define VALIDATE_ARCHITECTURE_32 \ | 172 | #define VALIDATE_ARCHITECTURE_32 \ |
| 119 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 173 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
| 120 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ | 174 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \ |
| 121 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 175 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
| 122 | 176 | ||
| 123 | #if defined(__x86_64__) | 177 | #if defined(__x86_64__) |