diff options
| author |  startx2017 <vradu.startx@yandex.com> | 2017-07-11 08:27:57 -0400 |
|---|---|---|
| committer | startx2017 <vradu.startx@yandex.com> | 2017-07-11 08:27:57 -0400 |
| commit | ce3e345c87a45a6c9faf408295c2cc4c8ee60178 (patch) | |
| tree | d1803eee0fe0961118286a8180acb5a8655bd486 /src | |
| parent | profiles: tracelog breaks integrated browser in steam (diff) | |
| download | firejail-ce3e345c87a45a6c9faf408295c2cc4c8ee60178.tar.gz firejail-ce3e345c87a45a6c9faf408295c2cc4c8ee60178.tar.zst firejail-ce3e345c87a45a6c9faf408295c2cc4c8ee60178.zip | |
fix #1371; rework seccomp_filter_drop() function
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/profile.c | 8 | ||||
| -rw-r--r-- | src/firejail/seccomp.c | 57 |
2 files changed, 37 insertions, 28 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index af943581e..88f04f47f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -81,8 +81,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 81 | if (cfg.profile_ignore[i] == NULL) | 81 | if (cfg.profile_ignore[i] == NULL) |
| 82 | break; | 82 | break; |
| 83 | 83 | ||
| 84 | if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0) | 84 | int len = strlen(cfg.profile_ignore[i]); |
| 85 | return 0; // ignore line | 85 | if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) { |
| 86 | // full word match | ||
| 87 | if (*(ptr + len) == '\0' || *(ptr + len) == ' ') | ||
| 88 | return 0; // ignore line | ||
| 89 | } | ||
| 86 | } | 90 | } |
| 87 | 91 | ||
| 88 | if (strncmp(ptr, "ignore ", 7) == 0) { | 92 | if (strncmp(ptr, "ignore ", 7) == 0) { |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 15379215c..de9fe27f3 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
| @@ -123,40 +123,48 @@ void seccomp_filter_64(void) { | |||
| 123 | 123 | ||
| 124 | // drop filter for seccomp option | 124 | // drop filter for seccomp option |
| 125 | int seccomp_filter_drop(int enforce_seccomp) { | 125 | int seccomp_filter_drop(int enforce_seccomp) { |
| 126 | // default seccomp | 126 | printf("cfg.seccomp_list %p, cfg.seccomp_list_drop %p\n", cfg.seccomp_list, cfg.seccomp_list_drop); |
| 127 | if (cfg.seccomp_list_drop == NULL && cfg.seccomp_list == NULL) { | 127 | // if we have multiple seccomp commands, only one of them is executed |
| 128 | // in the following order: | ||
| 129 | // - seccomp.drop list | ||
| 130 | // - seccomp list | ||
| 131 | // - seccomp | ||
| 132 | if (cfg.seccomp_list_drop == NULL) { | ||
| 133 | // default seccomp | ||
| 134 | if (cfg.seccomp_list == NULL) { | ||
| 128 | #if defined(__x86_64__) | 135 | #if defined(__x86_64__) |
| 129 | seccomp_filter_32(); | 136 | seccomp_filter_32(); |
| 130 | #endif | 137 | #endif |
| 131 | #if defined(__i386__) | 138 | #if defined(__i386__) |
| 132 | seccomp_filter_64(); | 139 | seccomp_filter_64(); |
| 133 | #endif | 140 | #endif |
| 134 | } | 141 | } |
| 135 | // default seccomp filter with additional drop list | 142 | // default seccomp filter with additional drop list |
| 136 | else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { | 143 | else { // cfg.seccomp_list != NULL |
| 137 | #if defined(__x86_64__) | 144 | #if defined(__x86_64__) |
| 138 | seccomp_filter_32(); | 145 | seccomp_filter_32(); |
| 139 | #endif | 146 | #endif |
| 140 | #if defined(__i386__) | 147 | #if defined(__i386__) |
| 141 | seccomp_filter_64(); | 148 | seccomp_filter_64(); |
| 142 | #endif | 149 | #endif |
| 143 | if (arg_debug) | 150 | if (arg_debug) |
| 144 | printf("Build default+drop seccomp filter\n"); | 151 | printf("Build default+drop seccomp filter\n"); |
| 145 | 152 | ||
| 146 | // build the seccomp filter as a regular user | 153 | // build the seccomp filter as a regular user |
| 147 | int rv; | 154 | int rv; |
| 148 | if (arg_allow_debuggers) | 155 | if (arg_allow_debuggers) |
| 149 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, | 156 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, |
| 150 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers"); | 157 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers"); |
| 151 | else | 158 | else |
| 152 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, | 159 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, |
| 153 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list); | 160 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list); |
| 154 | if (rv) | 161 | if (rv) |
| 155 | exit(rv); | 162 | exit(rv); |
| 163 | } | ||
| 156 | } | 164 | } |
| 157 | 165 | ||
| 158 | // drop list without defaults - secondary filters are not installed | 166 | // drop list without defaults - secondary filters are not installed |
| 159 | else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) { | 167 | else { // cfg.seccomp_list_drop != NULL |
| 160 | if (arg_debug) | 168 | if (arg_debug) |
| 161 | printf("Build drop seccomp filter\n"); | 169 | printf("Build drop seccomp filter\n"); |
| 162 | 170 | ||
| @@ -172,9 +180,6 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
| 172 | if (rv) | 180 | if (rv) |
| 173 | exit(rv); | 181 | exit(rv); |
| 174 | } | 182 | } |
| 175 | else { | ||
| 176 | assert(0); | ||
| 177 | } | ||
| 178 | 183 | ||
| 179 | // load the filter | 184 | // load the filter |
| 180 | if (seccomp_load(RUN_SECCOMP_CFG) == 0) { | 185 | if (seccomp_load(RUN_SECCOMP_CFG) == 0) { |