remove 64bit seccomp filter from 32bit architectures

author: netblue30 <netblue30@yahoo.com> 2018-05-06 11:22:35 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-05-06 11:22:35 -0400
commit: f905f046cc554f8ec2b800bcb9965b0f360cfd91 (patch)
tree: 789d465559540e25d5a97b52ca1a766db8ec14f5 /src
parent: ark.profile: Add private-bin and private-etc (diff)
download: firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.tar.gz
firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.tar.zst
firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.zip
6 files changed, 3 insertions, 92 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7544b642a..2db171070 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -59,14 +59,12 @@
 #define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
-#define RUN_SECCOMP_64  "/run/firejail/mnt/seccomp.64"          // 64bit arch filter installed on 32bit architectures
 #define RUN_SECCOMP_32  "/run/firejail/mnt/seccomp.32"          // 32bit arch filter installed on 64bit architectures
 #define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp.mdwx"                // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp.block_secondary"     // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp.postexec"            // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
-#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64")                 // 64bit arch filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
 #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx")             // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary")       // secondary arch blocking filter built during make
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 45399bd48..9fb4840c6 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -87,7 +87,6 @@ void preproc_mount_mnt_dir(void) {
                else {
                        //copy default seccomp files
                        copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
-                        copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
                }
                if (arg_allow_debuggers)
                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8abdf6b2c..1498007eb 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1017,18 +1017,9 @@ int sandbox(void* sandbox_arg) {
                else
                        seccomp_filter_drop();
-                // clean unused filters
-#if defined(__LP64__)
-                int rv = unlink(RUN_SECCOMP_64);
-#endif
-#if defined(__ILP32__)
-                int rv = unlink(RUN_SECCOMP_32);
-#endif
-                (void) rv;
        }
        else { // clean seccomp files under /run/firejail/mnt
                int rv = unlink(RUN_SECCOMP_CFG);
-                rv |= unlink(RUN_SECCOMP_64);
                rv |= unlink(RUN_SECCOMP_32);
                (void) rv;
        }
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 1ee6256d4..3da0206e1 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -138,6 +138,7 @@ errexit:
 }
 // 32 bit arch filter installed on 64 bit architectures
+#if defined(__x86_64__)
 #if defined(__LP64__)
 static void seccomp_filter_32(void) {
        if (seccomp_load(RUN_SECCOMP_32) == 0) {
@@ -146,15 +147,6 @@ static void seccomp_filter_32(void) {
        }
 }
 #endif
-// 64 bit arch filter installed on 32 bit architectures
-#if defined(__ILP32__)
-static void seccomp_filter_64(void) {
-        if (seccomp_load(RUN_SECCOMP_64) == 0) {
-                if (arg_debug)
-                        printf("Dual 32/64 bit seccomp filter configured\n");
-        }
-}
 #endif
 static void seccomp_filter_block_secondary(void) {
@@ -177,11 +169,10 @@ int seccomp_filter_drop(void) {
                        if (arg_seccomp_block_secondary)
                                seccomp_filter_block_secondary();
                        else {
+#if defined(__x86_64__)
 #if defined(__LP64__)
                                seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
-                                seccomp_filter_64();
 #endif
                        }
                }
@@ -190,11 +181,10 @@ int seccomp_filter_drop(void) {
                        if (arg_seccomp_block_secondary)
                                seccomp_filter_block_secondary();
                        else {
+#if defined(__x86_64__)
 #if defined(__LP64__)
                                seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
-                                seccomp_filter_64();
 #endif
                        }
                        if (arg_debug)
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index ab6683065..7fd96bc43 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -70,8 +70,6 @@ printf("\n");
                protocol_print();
        else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
                protocol_build_filter(argv[3], argv[4]);
-        else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
-                seccomp_secondary_64(argv[3]);
        else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
                seccomp_secondary_32(argv[3]);
        else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index ebda1b938..e398f94d0 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -42,71 +42,6 @@ static void write_filter(const char *fname, size_t size, const void *filter) {
        close(dst);
 }
-void seccomp_secondary_64(const char *fname) {
-        // hardcoded syscall values
-        struct sock_filter filter[] = {
-                VALIDATE_ARCHITECTURE_64,
-                EXAMINE_SYSCALL,
-                BLACKLIST(165), // mount
-                BLACKLIST(166), // umount2
-// todo: implement --allow-debuggers
-                BLACKLIST(101), // ptrace
-                BLACKLIST(246), // kexec_load
-                BLACKLIST(304), // open_by_handle_at
-                BLACKLIST(303), // name_to_handle_at
-                BLACKLIST(174), // create_module
-                BLACKLIST(175), // init_module
-                BLACKLIST(313), // finit_module
-                BLACKLIST(176), // delete_module
-                BLACKLIST(172), // iopl
-                BLACKLIST(173), // ioperm
-                BLACKLIST(251), // ioprio_set
-                BLACKLIST(167), // swapon
-                BLACKLIST(168), // swapoff
-                BLACKLIST(103), // syslog
-                BLACKLIST(310), // process_vm_readv
-                BLACKLIST(311), // process_vm_writev
-                BLACKLIST(139), // sysfs
-                BLACKLIST(156), // _sysctl
-                BLACKLIST(159), // adjtimex
-                BLACKLIST(305), // clock_adjtime
-                BLACKLIST(212), // lookup_dcookie
-                BLACKLIST(298), // perf_event_open
-                BLACKLIST(300), // fanotify_init
-                BLACKLIST(312), // kcmp
-                BLACKLIST(248), // add_key
-                BLACKLIST(249), // request_key
-                BLACKLIST(250), // keyctl
-                BLACKLIST(134), // uselib
-                BLACKLIST(163), // acct
-                BLACKLIST(154), // modify_ldt
-                BLACKLIST(155), // pivot_root
-                BLACKLIST(206), // io_setup
-                BLACKLIST(207), // io_destroy
-                BLACKLIST(208), // io_getevents
-                BLACKLIST(209), // io_submit
-                BLACKLIST(210), // io_cancel
-                BLACKLIST(216), // remap_file_pages
-                BLACKLIST(237), // mbind
-// breaking Firefox nightly when playing youtube videos
-// TODO: test again when firefox sandbox is finally released
-//              BLACKLIST(239), // get_mempolicy
-                BLACKLIST(238), // set_mempolicy
-                BLACKLIST(256), // migrate_pages
-                BLACKLIST(279), // move_pages
-                BLACKLIST(278), // vmsplice
-                BLACKLIST(161), // chroot
-                BLACKLIST(184), // tuxcall
-                BLACKLIST(169), // reboot
-                BLACKLIST(180), // nfsservctl
-                BLACKLIST(177), // get_kernel_syms
-                RETURN_ALLOW
-        };
-        // save filter to file
-        write_filter(fname, sizeof(filter), filter);
-}
 // 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {
author	netblue30 <netblue30@yahoo.com>	2018-05-06 11:22:35 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-05-06 11:22:35 -0400
commit	f905f046cc554f8ec2b800bcb9965b0f360cfd91 (patch)
tree	789d465559540e25d5a97b52ca1a766db8ec14f5 /src
parent	ark.profile: Add private-bin and private-etc (diff)
download	firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.tar.gz firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.tar.zst firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7544b642a..2db171070 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -59,14 +59,12 @@
59		59
60	#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter	60	#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
61	#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter	61	#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
62	#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
63	#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures	62	#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
64	#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute	63	#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
65	#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter	64	#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
66	#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library	65	#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
67	#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make	66	#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
68	#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make	67	#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
69	#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
70	#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make	68	#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
71	#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make	69	#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
72	#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make	70	#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make


diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 45399bd48..9fb4840c6 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c
@@ -87,7 +87,6 @@ void preproc_mount_mnt_dir(void) {
87	else {	87	else {
88	//copy default seccomp files	88	//copy default seccomp files
89	copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed	89	copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
90	copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
91	}	90	}
92	if (arg_allow_debuggers)	91	if (arg_allow_debuggers)
93	copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed	92	copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8abdf6b2c..1498007eb 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -1017,18 +1017,9 @@ int sandbox(void* sandbox_arg) {
1017	else	1017	else
1018	seccomp_filter_drop();	1018	seccomp_filter_drop();
1019		1019
1020	// clean unused filters
1021	#if defined(__LP64__)
1022	int rv = unlink(RUN_SECCOMP_64);
1023	#endif
1024	#if defined(__ILP32__)
1025	int rv = unlink(RUN_SECCOMP_32);
1026	#endif
1027	(void) rv;
1028	}	1020	}
1029	else { // clean seccomp files under /run/firejail/mnt	1021	else { // clean seccomp files under /run/firejail/mnt
1030	int rv = unlink(RUN_SECCOMP_CFG);	1022	int rv = unlink(RUN_SECCOMP_CFG);
1031	rv \|= unlink(RUN_SECCOMP_64);
1032	rv \|= unlink(RUN_SECCOMP_32);	1023	rv \|= unlink(RUN_SECCOMP_32);
1033	(void) rv;	1024	(void) rv;
1034	}	1025	}


diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 1ee6256d4..3da0206e1 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -138,6 +138,7 @@ errexit:
138	}	138	}
139		139
140	// 32 bit arch filter installed on 64 bit architectures	140	// 32 bit arch filter installed on 64 bit architectures
		141	#if defined(__x86_64__)
141	#if defined(__LP64__)	142	#if defined(__LP64__)
142	static void seccomp_filter_32(void) {	143	static void seccomp_filter_32(void) {
143	if (seccomp_load(RUN_SECCOMP_32) == 0) {	144	if (seccomp_load(RUN_SECCOMP_32) == 0) {
@@ -146,15 +147,6 @@ static void seccomp_filter_32(void) {
146	}	147	}
147	}	148	}
148	#endif	149	#endif
149
150	// 64 bit arch filter installed on 32 bit architectures
151	#if defined(__ILP32__)
152	static void seccomp_filter_64(void) {
153	if (seccomp_load(RUN_SECCOMP_64) == 0) {
154	if (arg_debug)
155	printf("Dual 32/64 bit seccomp filter configured\n");
156	}
157	}
158	#endif	150	#endif
159		151
160	static void seccomp_filter_block_secondary(void) {	152	static void seccomp_filter_block_secondary(void) {
@@ -177,11 +169,10 @@ int seccomp_filter_drop(void) {
177	if (arg_seccomp_block_secondary)	169	if (arg_seccomp_block_secondary)
178	seccomp_filter_block_secondary();	170	seccomp_filter_block_secondary();
179	else {	171	else {
		172	#if defined(__x86_64__)
180	#if defined(__LP64__)	173	#if defined(__LP64__)
181	seccomp_filter_32();	174	seccomp_filter_32();
182	#endif	175	#endif
183	#if defined(__ILP32__)
184	seccomp_filter_64();
185	#endif	176	#endif
186	}	177	}
187	}	178	}
@@ -190,11 +181,10 @@ int seccomp_filter_drop(void) {
190	if (arg_seccomp_block_secondary)	181	if (arg_seccomp_block_secondary)
191	seccomp_filter_block_secondary();	182	seccomp_filter_block_secondary();
192	else {	183	else {
		184	#if defined(__x86_64__)
193	#if defined(__LP64__)	185	#if defined(__LP64__)
194	seccomp_filter_32();	186	seccomp_filter_32();
195	#endif	187	#endif
196	#if defined(__ILP32__)
197	seccomp_filter_64();
198	#endif	188	#endif
199	}	189	}
200	if (arg_debug)	190	if (arg_debug)


diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index ab6683065..7fd96bc43 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c
@@ -70,8 +70,6 @@ printf("\n");
70	protocol_print();	70	protocol_print();
71	else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)	71	else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
72	protocol_build_filter(argv[3], argv[4]);	72	protocol_build_filter(argv[3], argv[4]);
73	else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
74	seccomp_secondary_64(argv[3]);
75	else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)	73	else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
76	seccomp_secondary_32(argv[3]);	74	seccomp_secondary_32(argv[3]);
77	else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)	75	else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)


diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index ebda1b938..e398f94d0 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c
@@ -42,71 +42,6 @@ static void write_filter(const char fname, size_t size, const void filter) {
42	close(dst);	42	close(dst);
43	}	43	}
44		44
45	void seccomp_secondary_64(const char *fname) {
46	// hardcoded syscall values
47	struct sock_filter filter[] = {
48	VALIDATE_ARCHITECTURE_64,
49	EXAMINE_SYSCALL,
50	BLACKLIST(165), // mount
51	BLACKLIST(166), // umount2
52	// todo: implement --allow-debuggers
53	BLACKLIST(101), // ptrace
54	BLACKLIST(246), // kexec_load
55	BLACKLIST(304), // open_by_handle_at
56	BLACKLIST(303), // name_to_handle_at
57	BLACKLIST(174), // create_module
58	BLACKLIST(175), // init_module
59	BLACKLIST(313), // finit_module
60	BLACKLIST(176), // delete_module
61	BLACKLIST(172), // iopl
62	BLACKLIST(173), // ioperm
63	BLACKLIST(251), // ioprio_set
64	BLACKLIST(167), // swapon
65	BLACKLIST(168), // swapoff
66	BLACKLIST(103), // syslog
67	BLACKLIST(310), // process_vm_readv
68	BLACKLIST(311), // process_vm_writev
69	BLACKLIST(139), // sysfs
70	BLACKLIST(156), // _sysctl
71	BLACKLIST(159), // adjtimex
72	BLACKLIST(305), // clock_adjtime
73	BLACKLIST(212), // lookup_dcookie
74	BLACKLIST(298), // perf_event_open
75	BLACKLIST(300), // fanotify_init
76	BLACKLIST(312), // kcmp
77	BLACKLIST(248), // add_key
78	BLACKLIST(249), // request_key
79	BLACKLIST(250), // keyctl
80	BLACKLIST(134), // uselib
81	BLACKLIST(163), // acct
82	BLACKLIST(154), // modify_ldt
83	BLACKLIST(155), // pivot_root
84	BLACKLIST(206), // io_setup
85	BLACKLIST(207), // io_destroy
86	BLACKLIST(208), // io_getevents
87	BLACKLIST(209), // io_submit
88	BLACKLIST(210), // io_cancel
89	BLACKLIST(216), // remap_file_pages
90	BLACKLIST(237), // mbind
91	// breaking Firefox nightly when playing youtube videos
92	// TODO: test again when firefox sandbox is finally released
93	// BLACKLIST(239), // get_mempolicy
94	BLACKLIST(238), // set_mempolicy
95	BLACKLIST(256), // migrate_pages
96	BLACKLIST(279), // move_pages
97	BLACKLIST(278), // vmsplice
98	BLACKLIST(161), // chroot
99	BLACKLIST(184), // tuxcall
100	BLACKLIST(169), // reboot
101	BLACKLIST(180), // nfsservctl
102	BLACKLIST(177), // get_kernel_syms
103
104	RETURN_ALLOW
105	};
106
107	// save filter to file
108	write_filter(fname, sizeof(filter), filter);
109	}
110		45
111	// 32 bit arch filter installed on 64 bit architectures	46	// 32 bit arch filter installed on 64 bit architectures
112	void seccomp_secondary_32(const char *fname) {	47	void seccomp_secondary_32(const char *fname) {