diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2017-07-28 13:50:10 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2017-07-28 14:06:30 +0300 |
| commit | 9a3344f9a569de5a2b619ff9ebc01cbd195ee1d0 (patch) | |
| tree | b060bcf0ef7da262225c2cdf3812b58e6005ecf9 /src | |
| parent | network testing (diff) | |
| download | firejail-9a3344f9a569de5a2b619ff9ebc01cbd195ee1d0.tar.gz firejail-9a3344f9a569de5a2b619ff9ebc01cbd195ee1d0.tar.zst firejail-9a3344f9a569de5a2b619ff9ebc01cbd195ee1d0.zip | |
Improve seccomp printing
Diffstat (limited to 'src')
| -rw-r--r-- | src/fseccomp/seccomp_file.c | 13 | ||||
| -rw-r--r-- | src/fseccomp/seccomp_print.c | 40 | ||||
| -rw-r--r-- | src/include/seccomp.h | 9 |
3 files changed, 37 insertions, 25 deletions
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c index c1e8d406f..c74de9faf 100644 --- a/src/fseccomp/seccomp_file.c +++ b/src/fseccomp/seccomp_file.c | |||
| @@ -37,22 +37,15 @@ static void write_to_file(int fd, void *data, int size) { | |||
| 37 | } | 37 | } |
| 38 | 38 | ||
| 39 | void filter_init(int fd) { | 39 | void filter_init(int fd) { |
| 40 | #if defined(__x86_64__) | ||
| 41 | #define X32_SYSCALL_BIT 0x40000000 | ||
| 42 | struct sock_filter filter[] = { | 40 | struct sock_filter filter[] = { |
| 43 | VALIDATE_ARCHITECTURE, | 41 | VALIDATE_ARCHITECTURE, |
| 42 | #if defined(__x86_64__) | ||
| 44 | EXAMINE_SYSCALL, | 43 | EXAMINE_SYSCALL, |
| 45 | // handle X32 ABI | 44 | HANDLE_X32 |
| 46 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), | ||
| 47 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), | ||
| 48 | RETURN_ERRNO(EPERM) | ||
| 49 | }; | ||
| 50 | #else | 45 | #else |
| 51 | struct sock_filter filter[] = { | ||
| 52 | VALIDATE_ARCHITECTURE, | ||
| 53 | EXAMINE_SYSCALL | 46 | EXAMINE_SYSCALL |
| 54 | }; | ||
| 55 | #endif | 47 | #endif |
| 48 | }; | ||
| 56 | 49 | ||
| 57 | #if 0 | 50 | #if 0 |
| 58 | { | 51 | { |
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index 67555e554..e10585a15 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
| @@ -69,9 +69,14 @@ void filter_print(const char *fname) { | |||
| 69 | load_seccomp(fname); | 69 | load_seccomp(fname); |
| 70 | 70 | ||
| 71 | // start filter | 71 | // start filter |
| 72 | struct sock_filter start[] = { | 72 | const struct sock_filter start[] = { |
| 73 | VALIDATE_ARCHITECTURE, | 73 | VALIDATE_ARCHITECTURE, |
| 74 | #if defined(__x86_64__) | ||
| 75 | EXAMINE_SYSCALL, | ||
| 76 | HANDLE_X32 | ||
| 77 | #else | ||
| 74 | EXAMINE_SYSCALL | 78 | EXAMINE_SYSCALL |
| 79 | #endif | ||
| 75 | }; | 80 | }; |
| 76 | 81 | ||
| 77 | // print sizes | 82 | // print sizes |
| @@ -80,7 +85,10 @@ void filter_print(const char *fname) { | |||
| 80 | // test the start of the filter | 85 | // test the start of the filter |
| 81 | if (memcmp(&start[0], filter, sizeof(start)) == 0) { | 86 | if (memcmp(&start[0], filter, sizeof(start)) == 0) { |
| 82 | printf(" VALIDATE_ARCHITECTURE\n"); | 87 | printf(" VALIDATE_ARCHITECTURE\n"); |
| 83 | printf(" EXAMINE_SYSCAL\n"); | 88 | printf(" EXAMINE_SYSCALL\n"); |
| 89 | #if defined(__x86_64__) | ||
| 90 | printf(" HANDLE_X32\n"); | ||
| 91 | #endif | ||
| 84 | } | 92 | } |
| 85 | else { | 93 | else { |
| 86 | printf("Invalid seccomp filter %s\n", fname); | 94 | printf("Invalid seccomp filter %s\n", fname); |
| @@ -88,34 +96,36 @@ void filter_print(const char *fname) { | |||
| 88 | } | 96 | } |
| 89 | 97 | ||
| 90 | // loop trough blacklists | 98 | // loop trough blacklists |
| 91 | int i = 4; | 99 | int i = sizeof(start) / sizeof(struct sock_filter); |
| 92 | while (i < filter_cnt) { | 100 | while (i < filter_cnt) { |
| 93 | // minimal parsing! | 101 | // minimal parsing! |
| 94 | unsigned char *ptr = (unsigned char *) &filter[i]; | 102 | struct sock_filter *s = (struct sock_filter *) &filter[i]; |
| 95 | int *nr = (int *) (ptr + 4); | 103 | if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_ALLOW ) { |
| 96 | if (*ptr == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) { | 104 | printf(" WHITELIST %d %s\n", s->k, syscall_find_nr(s->k)); |
| 97 | printf(" WHITELIST %d %s\n", *nr, syscall_find_nr(*nr)); | ||
| 98 | i += 2; | 105 | i += 2; |
| 99 | } | 106 | } |
| 100 | else if (*ptr == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) { | 107 | else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_KILL ) { |
| 101 | printf(" BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr)); | 108 | printf(" BLACKLIST %d %s\n", s->k, syscall_find_nr(s->k)); |
| 102 | i += 2; | 109 | i += 2; |
| 103 | } | 110 | } |
| 104 | else if (*ptr == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) { | 111 | else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && ((s + 1)->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) { |
| 105 | int err = *(ptr + 13) << 8 | *(ptr + 12); | 112 | printf(" BLACKLIST_ERRNO %d %s %d %s\n", s->k, syscall_find_nr(s->k), (s + 1)->k & SECCOMP_RET_DATA, errno_find_nr((s + 1)->k & SECCOMP_RET_DATA)); |
| 106 | printf(" ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err)); | ||
| 107 | i += 2; | 113 | i += 2; |
| 108 | } | 114 | } |
| 109 | else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) { | 115 | else if (s->code == BPF_RET+BPF_K && (s->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) { |
| 116 | printf(" RETURN_ERRNO %d %s\n", s->k & SECCOMP_RET_DATA, errno_find_nr(s->k & SECCOMP_RET_DATA)); | ||
| 117 | i++; | ||
| 118 | } | ||
| 119 | else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_KILL) { | ||
| 110 | printf(" KILL_PROCESS\n"); | 120 | printf(" KILL_PROCESS\n"); |
| 111 | i++; | 121 | i++; |
| 112 | } | 122 | } |
| 113 | else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) { | 123 | else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_ALLOW) { |
| 114 | printf(" RETURN_ALLOW\n"); | 124 | printf(" RETURN_ALLOW\n"); |
| 115 | i++; | 125 | i++; |
| 116 | } | 126 | } |
| 117 | else { | 127 | else { |
| 118 | printf(" UNKNOWN ENTRY!!!\n"); | 128 | printf(" UNKNOWN ENTRY %x!\n", s->code); |
| 119 | i++; | 129 | i++; |
| 120 | } | 130 | } |
| 121 | } | 131 | } |
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index ced1ed2e3..b1a19a9b6 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
| @@ -115,6 +115,15 @@ struct seccomp_data { | |||
| 115 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ | 115 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ |
| 116 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 116 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
| 117 | 117 | ||
| 118 | #if defined(__x86_64__) | ||
| 119 | // handle X32 ABI | ||
| 120 | #define X32_SYSCALL_BIT 0x40000000 | ||
| 121 | #define HANDLE_X32 \ | ||
| 122 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ | ||
| 123 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ | ||
| 124 | RETURN_ERRNO(EPERM) | ||
| 125 | #endif | ||
| 126 | |||
| 118 | #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ | 127 | #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ |
| 119 | (offsetof(struct seccomp_data, nr))) | 128 | (offsetof(struct seccomp_data, nr))) |
| 120 | 129 | ||