author | netblue30 <netblue30@yahoo.com> | 2015-10-27 08:51:41 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-10-27 08:51:41 -0400 |
commit | a1ea3e726196e5fa54950ebd0f88d25b6e9fe98c (patch) | |
tree | ddee416d477a40373ad81d7e07a9228965a53e1c /src | |
parent | syscall testing (diff) | |
seccomp refactoring
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 10 | ||||
-rw-r--r-- | src/firejail/main.c | 34 | ||||
-rw-r--r-- | src/firejail/profile.c | 12 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 16 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 18 |
5 files changed, 44 insertions, 46 deletions
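--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -107,6 +107,12 @@ typedef struct config_t {
 uint32_t dns2;
 uint32_t dns3;
 
+// seccomp
+char *seccomp_list;// optional seccomp list on top of default filter
+char *seccomp_list_drop; // seccomp drop list
+char *seccomp_list_keep; // seccomp keep list
+char **seccomp_list_errno; // seccomp errno[nr] lists
+
 // rlimits
 unsigned rlimit_nofile;
 unsigned rlimit_nproc;
@@ -152,10 +158,6 @@ extern int arg_zsh; // use zsh as default shell
 extern int arg_csh; // use csh as default shell
 
 extern int arg_seccomp; // enable default seccomp filter
-extern char *arg_seccomp_list;// optional seccomp list on top of default filter
-extern char *arg_seccomp_list_drop; // seccomp drop list
-extern char *arg_seccomp_list_keep; // seccomp keep list
-extern char **arg_seccomp_list_errno; // seccomp errno[nr] lists
 
 extern int arg_caps_default_filter; // enable default capabilities filter
 extern int arg_caps_drop; // drop list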
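--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -58,10 +58,6 @@ int arg_zsh = 0; // use zsh as default shell
 int arg_csh = 0; // use csh as default shell
 
 int arg_seccomp = 0; // enable default seccomp filter
-char *arg_seccomp_list = NULL; // optional seccomp list on top of default filter
-char *arg_seccomp_list_drop = NULL; // seccomp drop list
-char *arg_seccomp_list_keep = NULL; // seccomp keep list
-char **arg_seccomp_list_errno = NULL; // seccomp errno[nr] lists
 
 int arg_caps_default_filter = 0; // enable default capabilities filter
 int arg_caps_drop = 0; // drop list
@@ -468,8 +464,8 @@ int main(int argc, char **argv) {
 exit(1);
 }
 arg_seccomp = 1;
-arg_seccomp_list = strdup(argv[i] + 10);
-if (!arg_seccomp_list)
+cfg.seccomp_list = strdup(argv[i] + 10);
+if (!cfg.seccomp_list)
 errExit("strdup");
 }
 else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
@@ -478,8 +474,8 @@ int main(int argc, char **argv) {
 exit(1);
 }
 arg_seccomp = 1;
-arg_seccomp_list_drop = strdup(argv[i] + 15);
-if (!arg_seccomp_list_drop)
+cfg.seccomp_list_drop = strdup(argv[i] + 15);
+if (!cfg.seccomp_list_drop)
 errExit("strdup");
 }
 else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
@@ -488,12 +484,12 @@ int main(int argc, char **argv) {
 exit(1);
 }
 arg_seccomp = 1;
-arg_seccomp_list_keep = strdup(argv[i] + 15);
-if (!arg_seccomp_list_keep)
+cfg.seccomp_list_keep = strdup(argv[i] + 15);
+if (!cfg.seccomp_list_keep)
 errExit("strdup");
 }
 else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) {
-if (arg_seccomp && !arg_seccomp_list_errno) {
+if (arg_seccomp && !cfg.seccomp_list_errno) {
 fprintf(stderr, "Error: seccomp already enabled\n");
 exit(1);
 }
@@ -506,17 +502,17 @@ int main(int argc, char **argv) {
 exit(1);
 }
 
-if (!arg_seccomp_list_errno)
-arg_seccomp_list_errno = calloc(highest_errno+1, sizeof(arg_seccomp_list_errno[0]));
+if (!cfg.seccomp_list_errno)
+cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0]));
 
-if (arg_seccomp_list_errno[nr]) {
+if (cfg.seccomp_list_errno[nr]) {
 fprintf(stderr, "Error: errno %s already configured\n", errnoname);
 free(errnoname);
 exit(1);
 }
 arg_seccomp = 1;
-arg_seccomp_list_errno[nr] = strdup(eq+1);
-if (!arg_seccomp_list_errno[nr])
+cfg.seccomp_list_errno[nr] = strdup(eq+1);
+if (!cfg.seccomp_list_errno[nr])
 errExit("strdup");
 free(errnoname);
 }
@@ -1393,10 +1389,10 @@ int main(int argc, char **argv) {
 
 // free globals
 #ifdef HAVE_SECCOMP
-if (arg_seccomp_list_errno) {
+if (cfg.seccomp_list_errno) {
 for (i = 0; i < highest_errno; i++)
-free(arg_seccomp_list_errno[i]);
-free(arg_seccomp_list_errno);
+free(cfg.seccomp_list_errno[i]);
+free(cfg.seccomp_list_errno);
 }
 #endif
 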
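Review bot: The `calloc(highest_errno+1, ...)` result in the `--seccomp.e` branch is indexed as `cfg.seccomp_list_errno[nr]` on the next statement with no NULL check, unlike every `strdup` around it; add `if (!cfg.seccomp_list_errno) errExit("calloc");` right after the allocation. The array is sized `highest_errno+1`, but the cleanup loop under `// free globals` stops at `i < highest_errno`, so the last slot is never freed; `i <= highest_errno` would match the allocation. The loop in seccomp_filter_errno() (seccomp.c) uses the same kind of exclusive bound, so if `nr` can equal `highest_errno` a configured list in that slot would also never be applied. That depends on how `nr` is validated, which is outside these hunks and should be confirmed. main() starts and ends outside every hunk shown here.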
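--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -160,8 +160,8 @@ int profile_check_line(char *ptr, int lineno) {
 if (strncmp(ptr, "seccomp ", 8) == 0) {
 arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-arg_seccomp_list = strdup(ptr + 8);
-if (!arg_seccomp_list)
+cfg.seccomp_list = strdup(ptr + 8);
+if (!cfg.seccomp_list)
 errExit("strdup");
 #endif
 return 0;
@@ -171,8 +171,8 @@ int profile_check_line(char *ptr, int lineno) {
 if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
 arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-arg_seccomp_list_drop = strdup(ptr + 13);
-if (!arg_seccomp_list_drop)
+cfg.seccomp_list_drop = strdup(ptr + 13);
+if (!cfg.seccomp_list_drop)
 errExit("strdup");
 #endif
 return 0;
@@ -182,8 +182,8 @@ int profile_check_line(char *ptr, int lineno) {
 if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
 arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-arg_seccomp_list_keep= strdup(ptr + 13);
-if (!arg_seccomp_list_keep)
+cfg.seccomp_list_keep= strdup(ptr + 13);
+if (!cfg.seccomp_list_keep)
 errExit("strdup");
 #endif
 return 0;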
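Review bot: Each of the three branches stores the `strdup` result into `cfg.seccomp_list`, `cfg.seccomp_list_drop` or `cfg.seccomp_list_keep` without checking whether a seccomp list is already configured. A profile that repeats a directive therefore leaks the earlier string, and a profile that mixes directives leaves several lists set at once. The command-line parser in main.c has an "Error: seccomp already enabled" guard for `--seccomp.e`, and the other options appear to have one just above their hunks. A matching check before each assignment, e.g. `if (arg_seccomp) { fprintf(stderr, "Error: seccomp already enabled\n"); exit(1); }`, would keep the two entry points consistent. profile_check_line() starts and ends outside these hunks, so an existing guard elsewhere in the function cannot be ruled out.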
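--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -190,13 +190,13 @@ int sandbox(void* sandbox_arg) {
 // force default seccomp inside the chroot, no keep or drop list
 // the list build on top of the default drop list is kept intact
 arg_seccomp = 1;
-if (arg_seccomp_list_drop) {
-free(arg_seccomp_list_drop);
-arg_seccomp_list_drop = NULL;
+if (cfg.seccomp_list_drop) {
+free(cfg.seccomp_list_drop);
+cfg.seccomp_list_drop = NULL;
 }
-if (arg_seccomp_list_keep) {
-free(arg_seccomp_list_keep);
-arg_seccomp_list_keep = NULL;
+if (cfg.seccomp_list_keep) {
+free(cfg.seccomp_list_keep);
+cfg.seccomp_list_keep = NULL;
 }
 
 // disable all capabilities
@@ -428,9 +428,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_SECCOMP
 // if a keep list is available, disregard the drop list
 if (arg_seccomp == 1) {
-if (arg_seccomp_list_keep)
+if (cfg.seccomp_list_keep)
 seccomp_filter_keep(); // this will also save the fmyilter to MNT_DIR/seccomp file
-else if (arg_seccomp_list_errno)
+else if (cfg.seccomp_list_errno)
 seccomp_filter_errno(); // this will also save the filter to MNT_DIR/seccomp file
 else
 seccomp_filter_drop(); // this will also save the filter to MNT_DIR/seccomp file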
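Review bot: The chroot block that forces the default filter clears `cfg.seccomp_list_drop` and `cfg.seccomp_list_keep` but leaves `cfg.seccomp_list_errno` set, and the dispatch in the second hunk picks `seccomp_filter_errno()` over `seccomp_filter_drop()` whenever that array is non-NULL. If seccomp_filter_errno() does not itself install the default blacklist (most of its body is not shown on this page), a chroot sandbox started with an errno list would not get the default filter the comment promises. Either release the errno lists in the same block or record the intended precedence there, e.g. `// errno lists are kept: seccomp_filter_errno() is used instead of the default drop filter`. The `if (p) { free(p); p = NULL; }` guards can be reduced to `free(p); p = NULL;`, since free(NULL) is a no-op. sandbox() starts and ends outside both hunks.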
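--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -343,7 +343,7 @@ int seccomp_filter_drop(void) {
 filter_init();
 
 // default seccomp
-if (arg_seccomp_list_drop == NULL) {
+if (cfg.seccomp_list_drop == NULL) {
 #ifdef SYS_mount
 filter_add_blacklist(SYS_mount, 0);
 #endif
@@ -507,15 +507,15 @@ int seccomp_filter_drop(void) {
 }
 
 // default seccomp filter with additional drop list
-if (arg_seccomp_list && arg_seccomp_list_drop == NULL) {
-if (syscall_check_list(arg_seccomp_list, filter_add_blacklist, 0)) {
+if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
+if (syscall_check_list(cfg.seccomp_list, filter_add_blacklist, 0)) {
 fprintf(stderr, "Error: cannot load seccomp filter\n");
 exit(1);
 }
 }
 // drop list
-else if (arg_seccomp_list == NULL && arg_seccomp_list_drop) {
-if (syscall_check_list(arg_seccomp_list_drop, filter_add_blacklist, 0)) {
+else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
+if (syscall_check_list(cfg.seccomp_list_drop, filter_add_blacklist, 0)) {
 fprintf(stderr, "Error: cannot load seccomp filter\n");
 exit(1);
 }
@@ -558,8 +558,8 @@ int seccomp_filter_keep(void) {
 filter_add_whitelist(SYS_dup, 0);
 
 // apply keep list
-if (arg_seccomp_list_keep) {
-if (syscall_check_list(arg_seccomp_list_keep, filter_add_whitelist, 0)) {
+if (cfg.seccomp_list_keep) {
+if (syscall_check_list(cfg.seccomp_list_keep, filter_add_whitelist, 0)) {
 fprintf(stderr, "Error: cannot load seccomp filter\n");
 exit(1);
 }
@@ -599,8 +599,8 @@ int seccomp_filter_errno(void) {
 // apply errno list
 
 for (i = 0; i < higest_errno; i++) {
-if (cfg.seccomp_list_errno[i]) {
-if (syscall_check_list(arg_seccomp_list_errno[i], filter_add_errno, i)) {
+if (cfg.seccomp_list_errno[i]) {
+if (syscall_check_list(cfg.seccomp_list_errno[i], filter_add_errno, i)) {
 fprintf(stderr, "Error: cannot load seccomp filter\n");
 exit(1);
 }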
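Review bot: In seccomp_filter_drop() the two list branches test `cfg.seccomp_list && cfg.seccomp_list_drop == NULL` and `cfg.seccomp_list == NULL && cfg.seccomp_list_drop`, so when both pointers are set neither list is loaded, and the default block guarded by `cfg.seccomp_list_drop == NULL` is skipped as well. Unless a branch after the end of the second hunk handles that combination, the installed filter would contain none of the requested syscalls. A closing `else if (cfg.seccomp_list && cfg.seccomp_list_drop)` that prints an error and calls `exit(1)`, like the existing "cannot load seccomp filter" paths, would make the combination fail closed. The function body continues outside the hunks, so this should be checked against the full file.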