author | Topi Miettinen <toiwoton@gmail.com> | 2017-09-02 14:05:31 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-09-02 14:05:31 +0300 |
commit | cb5d361a7b52844bb18346f1829b69b4b7084439 (patch) | |
tree | a5c75843eca9db0ee432dde47454f2ec06224fb8 /src | |
parent | Workaround for build problems, but correct problem this time (diff) | |
Improve seccomp support for non-x86 architectures
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 8 | ||||
-rw-r--r-- | src/firejail/preproc.c | 4 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 24 | ||||
-rw-r--r-- | src/fseccomp/seccomp_print.c | 4 | ||||
-rw-r--r-- | src/fseccomp/seccomp_secondary.c | 2 | ||||
-rw-r--r-- | src/include/seccomp.h | 58 |
6 files changed, 77 insertions, 23 deletions
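--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -54,15 +54,15 @@
 
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
-#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
+#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
+#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
-#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
+#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
+#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
 #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
 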
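--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -79,8 +79,8 @@ void preproc_mount_mnt_dir(void) {
 copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
 else {
 //copy default seccomp files
-copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
-copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
+copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
+copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
 }
 if (arg_allow_debuggers)
 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed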
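--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -137,22 +137,22 @@ errexit:
 exit(1);
 }
 
-// i386 filter installed on amd64 architectures
-#if defined(__x86_64__)
+// 32 bit arch filter installed on 64 bit architectures
+#if defined(__LP64__)
 static void seccomp_filter_32(void) {
-if (seccomp_load(RUN_SECCOMP_I386) == 0) {
+if (seccomp_load(RUN_SECCOMP_32) == 0) {
 if (arg_debug)
-printf("Dual i386/amd64 seccomp filter configured\n");
+printf("Dual 32/64 bit seccomp filter configured\n");
 }
 }
 #endif
 
-// amd64 filter installed on i386 architectures
-#if defined(__i386__)
+// 64 bit arch filter installed on 32 bit architectures
+#if defined(__ILP32__)
 static void seccomp_filter_64(void) {
-if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
+if (seccomp_load(RUN_SECCOMP_64) == 0) {
 if (arg_debug)
-printf("Dual i386/amd64 seccomp filter configured\n");
+printf("Dual 32/64 bit seccomp filter configured\n");
 }
 }
 #endif
@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
 seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
 seccomp_filter_64();
 #endif
 }
@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
 seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
 seccomp_filter_64();
 #endif
 }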
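Review bot: The guards `#if defined(__LP64__)` / `#if defined(__ILP32__)`, used for the two helpers and at both call sites in seccomp_filter_drop(), pick the secondary filter by data model, and nothing covers a build where neither macro is defined. `__LP64__` is a documented common GCC predefine, but `__ILP32__` is, as far as I know, only provided by some targets and compilers, so a 32-bit build could end up with no secondary-architecture filter and no diagnostic. I would add a compile-time check next to the helpers: `#if !defined(__LP64__) && !defined(__ILP32__)`, then `#warning "no secondary architecture seccomp filter on this platform"`, then `#endif`. The x32 ABI also deserves a comment, since it defines both `__x86_64__` and `__ILP32__` and therefore moves from the 32 bit filter to the 64 bit one with this change. seccomp_filter_drop() starts and ends outside the hunks.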
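--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -90,7 +90,7 @@ static int detect_filter_type(void) {
 }
 
 
-// testing for secondare amd64 filter
+// testing for secondary 64 bit filter
 const struct sock_filter start_secondary_64[] = {
 VALIDATE_ARCHITECTURE_64,
 EXAMINE_SYSCALL,
@@ -102,7 +102,7 @@ static int detect_filter_type(void) {
 return sizeof(start_secondary_64) / sizeof(struct sock_filter);
 }
 
-// testing for secondare i386 filter
+// testing for secondary 32 bit filter
 const struct sock_filter start_secondary_32[] = {
 VALIDATE_ARCHITECTURE_32,
 EXAMINE_SYSCALL,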
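--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -108,7 +108,7 @@ void seccomp_secondary_64(const char *fname) {
 write_filter(fname, sizeof(filter), filter);
 }
 
-// i386 filter installed on amd64 architectures
+// 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {
 // hardcoded syscall values
 struct sock_filter filter[] = {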
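Review bot: The new comment on seccomp_secondary_32() describes a generic 32 bit filter, yet the line below it still reads `// hardcoded syscall values`, and the filter array itself lies outside the hunk. If those values are i386 syscall numbers, they name different syscalls on the ARM, MIPS, PowerPC and s390 ABIs that `ARCH_32` can now resolve to in this commit, so the filter would deny unrelated calls and leave the intended ones allowed. I would either state the limitation in the comment, e.g. `// 32 bit arch filter; the syscall numbers below are i386 ones`, or take the numbers from the secondary architecture's own syscall table. The same question applies to seccomp_secondary_64(), whose body is not shown either.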
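--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -91,10 +91,64 @@ struct seccomp_data {
 
 #if defined(__i386__)
 # define ARCH_NR AUDIT_ARCH_I386
+# define ARCH_32 AUDIT_ARCH_I386
+# define ARCH_64 AUDIT_ARCH_X86_64
 #elif defined(__x86_64__)
 # define ARCH_NR AUDIT_ARCH_X86_64
+# define ARCH_32 AUDIT_ARCH_I386
+# define ARCH_64 AUDIT_ARCH_X86_64
+#elif defined(__aarch64__)
+# define ARCH_NR AUDIT_ARCH_AARCH64
+# define ARCH_32 AUDIT_ARCH_ARM
+# define ARCH_64 AUDIT_ARCH_AARCH64
 #elif defined(__arm__)
 # define ARCH_NR AUDIT_ARCH_ARM
+# define ARCH_32 AUDIT_ARCH_ARM
+# define ARCH_64 AUDIT_ARCH_AARCH64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR AUDIT_ARCH_MIPS
+# define ARCH_32 AUDIT_ARCH_MIPS
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR AUDIT_ARCH_MIPSEL
+# define ARCH_32 AUDIT_ARCH_MIPSEL
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR AUDIT_ARCH_MIPS64
+# define ARCH_32 AUDIT_ARCH_MIPS
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR AUDIT_ARCH_MIPSEL64
+# define ARCH_32 AUDIT_ARCH_MIPSEL
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR AUDIT_ARCH_MIPS64N32
+# define ARCH_32 AUDIT_ARCH_MIPS64N32
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR AUDIT_ARCH_MIPSEL64N32
+# define ARCH_32 AUDIT_ARCH_MIPSEL64N32
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_PPC64
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_PPC64LE
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64LE
+#elif defined(__powerpc__)
+# define ARCH_NR AUDIT_ARCH_PPC
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64LE
+#elif defined(__s390x__)
+# define ARCH_NR AUDIT_ARCH_S390X
+# define ARCH_32 AUDIT_ARCH_S390
+# define ARCH_64 AUDIT_ARCH_S390X
+#elif defined(__s390__)
+# define ARCH_NR AUDIT_ARCH_S390
+# define ARCH_32 AUDIT_ARCH_S390
+# define ARCH_64 AUDIT_ARCH_S390X
 #else
 # warning "Platform does not support seccomp filter yet"
 # define ARCH_NR 0
@@ -112,12 +166,12 @@ struct seccomp_data {
 
 #define VALIDATE_ARCHITECTURE_64 \
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
-BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
 #define VALIDATE_ARCHITECTURE_32 \
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
-BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
 #if defined(__x86_64__)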
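Review bot: In `VALIDATE_ARCHITECTURE_32` and `VALIDATE_ARCHITECTURE_64` a non-matching `arch` falls through to `SECCOMP_RET_ALLOW`, so any wrong `ARCH_32`/`ARCH_64` value in the new table silently turns the secondary filter into allow-all rather than failing closed. The `__BYTE_ORDER == __BIG_ENDIAN` tests in the MIPS and PowerPC64 branches evaluate as `0 == 0` if `<endian.h>` has not been included before this point (no include is visible in the hunk), which would select the big-endian constant on a little-endian build; the compiler-provided form `__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__` does not depend on a header. The `__powerpc__` branch pairs `AUDIT_ARCH_PPC` with `AUDIT_ARCH_PPC64LE`, where `# define ARCH_64 AUDIT_ARCH_PPC64` looks like the intended big-endian counterpart. The visible part of the `#else` branch defines only `ARCH_NR`, so it is worth confirming that `ARCH_32` and `ARCH_64` are also defined there, or that the two macros are never expanded on unsupported platforms.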