author | Topi Miettinen <toiwoton@gmail.com> | 2017-07-28 13:50:10 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-07-28 14:06:30 +0300 |
commit | 9a3344f9a569de5a2b619ff9ebc01cbd195ee1d0 (patch) | |
tree | b060bcf0ef7da262225c2cdf3812b58e6005ecf9 /src | |
parent | network testing (diff) | |
Improve seccomp printing
Diffstat (limited to 'src')
-rw-r--r-- | src/fseccomp/seccomp_file.c | 13 | ||||
-rw-r--r-- | src/fseccomp/seccomp_print.c | 40 | ||||
-rw-r--r-- | src/include/seccomp.h | 9 |
3 files changed, 37 insertions, 25 deletions
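--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -37,22 +37,15 @@ static void write_to_file(int fd, void *data, int size) {
 }
 
 void filter_init(int fd) {
-#if defined(__x86_64__)
-#define X32_SYSCALL_BIT 0x40000000
 struct sock_filter filter[] = {
 VALIDATE_ARCHITECTURE,
+#if defined(__x86_64__)
 EXAMINE_SYSCALL,
-// handle X32 ABI
-BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
-BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
-RETURN_ERRNO(EPERM)
-};
+HANDLE_X32
 #else
-struct sock_filter filter[] = {
-VALIDATE_ARCHITECTURE,
 EXAMINE_SYSCALL
-};
 #endif
+};
 
 #if 0
 {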
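--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -69,9 +69,14 @@ void filter_print(const char *fname) {
 load_seccomp(fname);
 
 // start filter
-struct sock_filter start[] = {
+const struct sock_filter start[] = {
 VALIDATE_ARCHITECTURE,
+#if defined(__x86_64__)
+EXAMINE_SYSCALL,
+HANDLE_X32
+#else
 EXAMINE_SYSCALL
+#endif
 };
 
 // print sizes
@@ -80,7 +85,10 @@ void filter_print(const char *fname) {
 // test the start of the filter
 if (memcmp(&start[0], filter, sizeof(start)) == 0) {
 printf(" VALIDATE_ARCHITECTURE\n");
-printf(" EXAMINE_SYSCAL\n");
+printf(" EXAMINE_SYSCALL\n");
+#if defined(__x86_64__)
+printf(" HANDLE_X32\n");
+#endif
 }
 else {
 printf("Invalid seccomp filter %s\n", fname);
@@ -88,34 +96,36 @@ void filter_print(const char *fname) {
 }
 
 // loop trough blacklists
-int i = 4;
+int i = sizeof(start) / sizeof(struct sock_filter);
 while (i < filter_cnt) {
 // minimal parsing!
-unsigned char *ptr = (unsigned char *) &filter[i];
-int *nr = (int *) (ptr + 4);
-if (*ptr == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) {
-printf(" WHITELIST %d %s\n", *nr, syscall_find_nr(*nr));
+struct sock_filter *s = (struct sock_filter *) &filter[i];
+if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_ALLOW ) {
+printf(" WHITELIST %d %s\n", s->k, syscall_find_nr(s->k));
 i += 2;
 }
-else if (*ptr == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) {
-printf(" BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr));
+else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_KILL ) {
+printf(" BLACKLIST %d %s\n", s->k, syscall_find_nr(s->k));
 i += 2;
 }
-else if (*ptr == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) {
-int err = *(ptr + 13) << 8 | *(ptr + 12);
-printf(" ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err));
+else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && ((s + 1)->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) {
+printf(" BLACKLIST_ERRNO %d %s %d %s\n", s->k, syscall_find_nr(s->k), (s + 1)->k & SECCOMP_RET_DATA, errno_find_nr((s + 1)->k & SECCOMP_RET_DATA));
 i += 2;
 }
-else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) {
+else if (s->code == BPF_RET+BPF_K && (s->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) {
+printf(" RETURN_ERRNO %d %s\n", s->k & SECCOMP_RET_DATA, errno_find_nr(s->k & SECCOMP_RET_DATA));
+i++;
+}
+else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_KILL) {
 printf(" KILL_PROCESS\n");
 i++;
 }
-else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) {
+else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_ALLOW) {
 printf(" RETURN_ALLOW\n");
 i++;
 }
 else {
-printf(" UNKNOWN ENTRY!!!\n");
+printf(" UNKNOWN ENTRY %x!\n", s->code);
 i++;
 }
 }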
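Review bot: The three two-instruction branches in the loop read `(s + 1)->code` and `(s + 1)->k` before checking that a second entry exists, so a filter file whose last entry has code BPF_JMP+BPF_JEQ+BPF_K makes the parser read one `struct sock_filter` past the loaded array; each of those conditions should begin with `i + 1 < filter_cnt &&` (or the loop can compute `int has_next = i + 1 < filter_cnt;` once per iteration and test it). The old byte-offset code had the same gap, but this rewrite is the right place to close it, since the file is parsed with deliberately minimal validation and its contents are only as trustworthy as whoever wrote it. Separately, if `filter` holds the `struct sock_filter` from <linux/filter.h>, its `k` is `__u32`, so `s->k` and `(s + 1)->k & SECCOMP_RET_DATA` should be printed with `%u` rather than `%d` (and `syscall_find_nr`/`errno_find_nr`, declared outside this hunk, should take a matching type). filter_print starts before this hunk.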
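--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -115,6 +115,15 @@ struct seccomp_data {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
+#if defined(__x86_64__)
+// handle X32 ABI
+#define X32_SYSCALL_BIT 0x40000000
+#define HANDLE_X32 \
+BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
+BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
+RETURN_ERRNO(EPERM)
+#endif
+
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
 (offsetof(struct seccomp_data, nr)))
 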