author | Topi Miettinen <toiwoton@gmail.com> | 2017-09-10 10:34:42 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-09-10 10:34:42 +0300 |
commit | c3acf2d222589bf9d94cacfe180ab38fa46c9cb1 (patch) | |
tree | 6b073d1b72e7c378c78a6f063c78facbd8831bcb /src | |
parent | Merge pull request #1542 from hawkeye116477/master (diff) | |
Improve seccomp architecture support
Diffstat (limited to 'src')
-rw-r--r-- | src/fseccomp/syscall.c | 6 | ||||
-rw-r--r-- | src/include/seccomp.h | 26 |
2 files changed, 32 insertions, 0 deletions
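diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index d0692b2ef..69b6e5271 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -274,6 +274,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vserver
 "vserver"
 #endif
+#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
+"__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
 },
 { .name = "@privileged", .list =
 "@clock,"
@@ -334,6 +337,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_s390_mmio_write
 "s390_mmio_write"
 #endif
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+"__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
 },
 { .name = "@reboot", .list =
 #ifdef SYS_kexec_load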
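Review bot: The `#if !defined(...)` guard placed before `"__dummy_syscall__"` in the `@obsolete` list (and the shorter one in `@privileged`) is a hand-copied mirror of the `#ifdef` chain above it with nothing tying the two together, so the next syscall added to either group without also extending the guard silently reintroduces the empty-list build failure on arm64/s390x. At minimum put `// keep in sync with the #ifdef list above this group` at the head of each guard; a sturdier fix is a per-group count that is checked once, or a unit test asserting every group's `.list` is non-empty on the target architecture. It is also not visible here how `__dummy_syscall__` behaves once the group is expanded — presumably the name lookup fails and the entry is dropped — so confirm that an unknown name inside a group list is skipped quietly rather than reported as a parse error or turned into a deny-all rule, otherwise `@obsolete` is unusable on exactly the platforms this is meant to fix. The `sysgroups[]` array begins above both hunks and continues after them.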
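diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 133b6ce72..b8bfce96b 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -149,9 +149,35 @@ struct seccomp_data {
 # define ARCH_NR AUDIT_ARCH_S390
 # define ARCH_32 AUDIT_ARCH_S390
 # define ARCH_64 AUDIT_ARCH_S390X
+#elif defined(__sh64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SH64
+# define ARCH_32 AUDIT_ARCH_SH
+# define ARCH_64 AUDIT_ARCH_SH64
+#elif defined(__sh64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SHEL64
+# define ARCH_32 AUDIT_ARCH_SHEL
+# define ARCH_64 AUDIT_ARCH_SHEL64
+#elif defined(__sh__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SH
+# define ARCH_32 AUDIT_ARCH_SH
+# define ARCH_64 AUDIT_ARCH_SH64
+#elif defined(__sh__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SHEL
+# define ARCH_32 AUDIT_ARCH_SHEL
+# define ARCH_64 AUDIT_ARCH_SHEL64
+#elif defined(__sparc64__)
+# define ARCH_NR AUDIT_ARCH_SPARC64
+# define ARCH_32 AUDIT_ARCH_SPARC
+# define ARCH_64 AUDIT_ARCH_SPARC64
+#elif defined(__sparc__)
+# define ARCH_NR AUDIT_ARCH_SPARC
+# define ARCH_32 AUDIT_ARCH_SPARC
+# define ARCH_64 AUDIT_ARCH_SPARC64
 #else
 # warning "Platform does not support seccomp filter yet"
 # define ARCH_NR 0
+# define ARCH_32 0
+# define ARCH_64 0
 #endif
 
 #define VALIDATE_ARCHITECTURE \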
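Review bot: The four new SH branches compare `__BYTE_ORDER` with `__BIG_ENDIAN`/`__LITTLE_ENDIAN`, and if `<endian.h>` is not included above this hunk all three identifiers evaluate to 0 inside `#elif`, so `0 == 0` selects the big-endian branch on every SH build and the filter's architecture check is keyed to the wrong `AUDIT_ARCH_*` value. Add `#include <endian.h>` near the top of the header if it is not already there, and make the comparison fail loudly instead of silently, e.g. `#elif defined(__sh64__) && defined(__BYTE_ORDER) && __BYTE_ORDER == __BIG_ENDIAN` with an `#error "__BYTE_ORDER not defined"` fallback; building with `-Wundef` would also catch this. The `#else` branch now defines all of `ARCH_NR`, `ARCH_32` and `ARCH_64` as 0 after only a `#warning`, which lets an unsupported platform build a filter whose architecture validation can never match the running process; a comment on that branch such as `// arch 0 never matches: the arch check below rejects every syscall on unsupported platforms` (or `#error` in place of the warning) would make explicit whether this is fail-closed. The `VALIDATE_ARCHITECTURE` macro that starts on the last line continues beyond the hunk.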