author | netblue30 <netblue30@yahoo.com> | 2017-08-23 11:41:31 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-23 11:41:31 -0400 |
commit | 5129e321ca42172bf8e6b85c5679adb8da163492 (patch) | |
tree | 878f7c83adc899e04b697bcb8210a87fd3b12b2a /src | |
parent | deb, rpm (diff) | |
fix seccomp.keep for #1490
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sandbox.c | 8 | ||||
-rw-r--r-- | src/firejail/sbox.c | 7 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 25 | ||||
-rw-r--r-- | src/fseccomp/seccomp.c | 10 |
4 files changed, 44 insertions, 6 deletions
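--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1006,6 +1006,14 @@ int sandbox(void* sandbox_arg) {
 		else
 			seccomp_filter_drop(enforce_seccomp);
 	}
+
+	if (arg_debug) {
+		printf("\nSeccomp files:\n");
+		int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+		(void) rv;
+		printf("\n");
+	}
+
 	if (arg_memory_deny_write_execute) {
 		if (arg_debug)
 			printf("Install memory write&execute filter\n");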
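Review bot: The new debug listing runs after the seccomp filter has already been installed — `seccomp_filter_drop(enforce_seccomp)` is the line just above it, and in this same commit the keep path now calls `seccomp_load()` inside `seccomp_filter_keep()` — yet `system()` needs fork/clone, execve and whatever `/bin/sh` and `ls` use, so with a restrictive keep list the listing itself is the first thing killed with SIGSYS and the output is missing exactly when someone is debugging a seccomp problem (this assumes seccomp_filter_drop also loads its filter before returning, which is not visible here). Moving the block above the filter install, or replacing `system()` with a `glob(3)`/`stat(2)` loop, avoids that and also avoids spawning `/bin/sh` from the sandbox setup path. The trailing `"\n"` inside the command string looks like a leftover and can go. sandbox() starts before this hunk.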
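--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -222,5 +222,12 @@ int sbox_run(unsigned filter, int num, ...) {
 		exit(1);
 	}
 
+#if 0
+	printf("** sbox run out *********************************\n");
+	system("ls -l /run/firejail/mnt\n");
+	system("ls -l /proc/self/fd");
+	printf("** sbox run out *********************************\n");
+#endif
+
 	return status;
 }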
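Review bot: The `#if 0` block added before `return status;` is dead debugging code that would call `system()` from inside sbox_run, the helper that launches the privileged fseccomp/fnet tools; it should be deleted rather than committed behind `#if 0`. If a listing of `/run/firejail/mnt` and `/proc/self/fd` is genuinely useful for diagnosing #1490, put it under `if (arg_debug)` and implement it with `opendir`/`readdir` so no shell is spawned from this path. sbox_run starts before this hunk.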
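--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -258,23 +258,36 @@ int seccomp_filter_keep(void) {
 	seccomp_filter_block_secondary();
 
 	if (arg_debug)
-		printf("Build drop seccomp filter\n");
+		printf("Build keep seccomp filter\n");
 
 	// build the seccomp filter as a regular user
-	sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
+	int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
 		PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep);
+
+	if (rv) {
+		fprintf(stderr, "Error: cannot configure seccomp filter\n");
+		exit(rv);
+	}
+
 	if (arg_debug)
 		printf("seccomp filter configured\n");
 
+	// load the filter
+	if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
+		if (arg_debug)
+			printf("seccomp filter configured\n");
+	}
 
 	if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
-		sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
 		struct stat st;
-		if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0)
-			sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+		if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
+			printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
+			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+				PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+		}
 	}
 
-	return seccomp_load(RUN_SECCOMP_CFG);
+	return 0;
 }
 
 void seccomp_print_filter(pid_t pid) {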
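Review bot: The new `return 0;` discards the result of `seccomp_load(RUN_SECCOMP_CFG)`, which the removed `return seccomp_load(RUN_SECCOMP_CFG);` used to propagate; the added `if (seccomp_load(...) == 0)` only gates a debug message and has no else branch, so a keep filter that fails to load is now silently treated as installed by any caller that checks this return value (the caller is outside the hunk, but `enforce_seccomp` in sandbox.c suggests one does). Mirror the sbox_run error path just above it: `if (seccomp_load(RUN_SECCOMP_CFG) != 0) {` / `fprintf(stderr, "Error: cannot load seccomp filter\n"); exit(1);` / `}`, or at minimum return the nonzero value. The same hunk now prints `seccomp filter configured` twice under arg_debug (new lines 273 and 278); the second should read `seccomp filter loaded` so the two stages are distinguishable in a bug report. seccomp_filter_keep starts before this hunk.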
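--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -188,6 +188,12 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 	// close file
 	close(fd);
 
+#if 0
+	// There is something very wrong here with the file descriptors, "ls -l /proc/self/fd" will show no file
+	// after running this code. We don't need the postexec filter in this case anyway.
+	printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
+	system("ls -l /proc/self/fd");
+	printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
 	// open file for post-exec filter
 	fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 	if (fd < 0) {
@@ -207,6 +213,10 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 
 	// close file
 	close(fd);
+	printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
+	system("ls -l /proc/self/fd");
+	printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
+#endif
 }
 
 void memory_deny_write_execute(const char *fname) {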
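Review bot: The `#if 0` spans more than the debug prints: it also disables the `open(fname2, O_CREAT|O_WRONLY|O_TRUNC, ...)` and everything up to the second `close(fd)`, so seccomp_keep no longer creates or truncates the post-exec filter file at all. The firejail side of this same commit still does `stat(RUN_SECCOMP_POSTEXEC)` and treats any non-empty file there as a post-exec filter, so if some other path writes that file (not visible from here) it would be picked up unchanged rather than replaced by the keep run. If the post-exec filter is intentionally not needed in keep mode, delete the block outright and make that explicit, e.g. `// keep mode installs no post-exec filter` followed by `unlink(fname2);`, rather than leaving the decision inside `#if 0` next to a note about an unexplained `/proc/self/fd` observation; that observation deserves its own investigation (fseccomp runs under sbox's own seccomp filter, which may be why `ls` shows nothing — unverified). seccomp_keep starts before the first hunk.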