author | netblue30 <netblue30@yahoo.com> | 2017-08-23 13:12:28 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-23 13:12:28 -0400 |
commit | e81ad9569c7e2b9a3d9d9a9500ecef812a94e90b (patch) | |
tree | 26ba14b04e541ecac7eca22c003c827c727a6086 /src | |
parent | fix seccomp.keep for #1490 (diff) | |
enforce seccomp
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 30 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 14 |
3 files changed, 20 insertions, 26 deletions
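diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 71c5ae87c..435b9527d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -541,7 +541,7 @@ void fs_private_home_list(void);
 char *seccomp_check_list(const char *str);
 int seccomp_install_filters(void);
 int seccomp_load(const char *fname);
-int seccomp_filter_drop(int enforce_seccomp);
+int seccomp_filter_drop(void);
 int seccomp_filter_keep(void);
 void seccomp_print_filter(pid_t pid);
 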
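Review bot: This hunk changes the `seccomp_filter_drop` prototype but does not declare the `enforce_seccomp` global that replaces the dropped parameter; the commit defines it in sandbox.c and redeclares it with a file-local `extern int enforce_seccomp;` in seccomp.c, so no translation unit ever checks the definition against the declaration. Put `extern int enforce_seccomp;` next to the seccomp prototypes here, guarded the same way as the definition in sandbox.c, and drop the local extern from seccomp.c. A one-line comment on the declaration, `// set by enforce_filters() when seccomp is mandatory; seccomp_install_filters() exits if the kernel rejects a filter`, would record the contract the two files now share. The same point applies to the sandbox.c hunk that defines the variable and the seccomp.c hunk that declares it.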
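diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 853555581..3718004a5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -45,6 +45,12 @@
 #endif
 #include <syscall.h>
 
+
+#ifdef HAVE_SECCOMP
+int enforce_seccomp = 0;
+#endif
+
+
 static int monitored_pid = 0;
 static void sandbox_handler(int sig){
 if (!arg_quiet) {
@@ -459,6 +465,7 @@ static void enforce_filters(void) {
 // force default seccomp inside the chroot, no keep or drop list
 // the list build on top of the default drop list is kept intact
 arg_seccomp = 1;
+enforce_seccomp = 1;
 if (cfg.seccomp_list_drop) {
 free(cfg.seccomp_list_drop);
 cfg.seccomp_list_drop = NULL;
@@ -681,27 +688,16 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // configure filesystem
 //****************************
-#ifdef HAVE_SECCOMP
-int enforce_seccomp = 0;
-#endif
-if (arg_appimage) {
+if (arg_appimage)
 enforce_filters();
-#ifdef HAVE_SECCOMP
-enforce_seccomp = 1;
-#endif
-}
 
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
 
 // force caps and seccomp if not started as root
-if (getuid() != 0) {
+if (getuid() != 0)
 enforce_filters();
-#ifdef HAVE_SECCOMP
-enforce_seccomp = 1;
-#endif
-}
 else
 arg_seccomp = 1;
 
@@ -717,12 +713,8 @@ int sandbox(void* sandbox_arg) {
 if (arg_overlay) {
 fs_overlayfs();
 // force caps and seccomp if not started as root
-if (getuid() != 0) {
+if (getuid() != 0)
 enforce_filters();
-#ifdef HAVE_SECCOMP
-enforce_seccomp = 1;
-#endif
-}
 else
 arg_seccomp = 1;
 }
@@ -1004,7 +996,7 @@ int sandbox(void* sandbox_arg) {
 if (cfg.seccomp_list_keep)
 seccomp_filter_keep();
 else
-seccomp_filter_drop(enforce_seccomp);
+seccomp_filter_drop();
 }
 
 if (arg_debug) {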
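Review bot: The definition `int enforce_seccomp = 0;` in the first hunk is wrapped in `#ifdef HAVE_SECCOMP`, but the new assignment `enforce_seccomp = 1;` added to enforce_filters() in the second hunk is not, whereas all three assignments the commit removes from sandbox() were guarded; unless enforce_filters() is itself compiled only under HAVE_SECCOMP, a build without seccomp support no longer compiles. Either guard the assignment, `#ifdef HAVE_SECCOMP` / `enforce_seccomp = 1;` / `#endif`, or define the flag unconditionally since it is a plain int and costs nothing. A short comment on the definition, `// non-zero when seccomp is mandatory for this sandbox (chroot/overlay as non-root, appimage); read by seccomp.c`, would also help, as the variable is now shared across files. Both enforce_filters() and sandbox() extend outside their hunks.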
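diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index bd57cff42..7b45e2574 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -30,8 +30,8 @@ typedef struct filter_list {
 } FilterList;
 
 static FilterList *filter_list_head = NULL;
-
 static int err_printed = 0;
+extern int enforce_seccomp;
 
 char *seccomp_check_list(const char *str) {
 assert(str);
@@ -73,6 +73,12 @@ int seccomp_install_filters(void) {
 printf("Installing %s seccomp filter\n", fl->fname);
 
 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
+
+if (enforce_seccomp) {
+fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
+exit(1);
+}
+
 if (!err_printed)
 fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 err_printed = 1;
@@ -159,7 +165,7 @@ static void seccomp_filter_block_secondary(void) {
 }
 
 // drop filter for seccomp option
-int seccomp_filter_drop(int enforce_seccomp) {
+int seccomp_filter_drop(void) {
 // if we have multiple seccomp commands, only one of them is executed
 // in the following order:
 // - seccomp.drop list
@@ -233,10 +239,6 @@ int seccomp_filter_drop(int enforce_seccomp) {
 if (arg_debug)
 printf("seccomp filter configured\n");
 }
-else if (enforce_seccomp) {
-fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
-exit(1);
-}
 
 if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
 struct stat st;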
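Review bot: Removing the `else if (enforce_seccomp)` exit from seccomp_filter_drop() in the last hunk narrows enforcement: the replacement check in seccomp_install_filters() fires only when a filter is already in the list and prctl() rejects it, so if the `else` path at old line 236 is taken because the drop filter was never built or added to the list, a sandbox for which seccomp is mandatory now continues without it instead of exiting. I cannot see the condition of the `if` that this `else` belonged to, so this is inferred from the hunk; if that path can leave filter_list_head empty, keep an `if (enforce_seccomp) { fprintf(stderr, "Error: seccomp filter could not be configured, exiting...\n"); exit(1); }` there, or have seccomp_install_filters() fail when enforce_seccomp is set and no filter was installed. The new exit in seccomp_install_filters() could also report why the kernel rejected the filter, since prctl() sets errno and the message currently blames only the kernel version. Both seccomp_filter_drop() and seccomp_install_filters() extend outside their hunks.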