authorLibravatar Topi Miettinen <toiwoton@gmail.com>2017-07-29 17:39:48 +0300
committerLibravatar Topi Miettinen <topimiettinen@users.noreply.github.com>2017-07-30 16:48:16 +0000
commitfee33da1683746369ed15638f3d010d2a2a525fb (patch)
treef88017b70b3a92d253000482689ba4f9fd51abc6 /src
parentPrivate /lib feature (diff)
Improve loading of seccomp filter
Also fixes a memory leak and double load.
Diffstat (limited to 'src')
-rw-r--r--src/firejail/seccomp.c23
1 files changed, 8 insertions, 15 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 29f928ee7..6e0fc0919 100644
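--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -19,6 +19,7 @@
 */
 
 #ifdef HAVE_SECCOMP
+#include <sys/mman.h>
 #include "firejail.h"
 #include "../include/seccomp.h"
 
@@ -64,24 +65,14 @@ int seccomp_load(const char *fname) {
  int size = lseek(fd, 0, SEEK_END);
  if (size == -1)
  goto errexit;
- if (lseek(fd, 0 , SEEK_SET) == -1)
- goto errexit;
  unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
  if (arg_debug)
  printf("configuring %d seccomp entries from %s\n", entries, fname);
 
  // read filter
- struct sock_filter *filter = malloc(size);
- if (filter == NULL)
+ struct sock_filter *filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (filter == MAP_FAILED)
  goto errexit;
- memset(filter, 0, size);
- int rd = 0;
- while (rd < size) {
- int rv = read(fd, (unsigned char *) filter + rd, size - rd);
- if (rv == -1)
- goto errexit;
- rd += rv;
- }
 
  // close file
  close(fd);
@@ -91,14 +82,16 @@ int seccomp_load(const char *fname) {
  .len = entries,
  .filter = filter,
  };
+ int r = 0;
  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
  if (!err_printed)
  fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
  err_printed = 1;
- return 1;
+ r = 1;
  }
 
- return 0;
+ munmap(filter, size);
+ return r;
 
 errexit:
  fprintf(stderr, "Error: cannot read %s\n", fname);
@@ -194,7 +187,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
  sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
  PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
 
- return seccomp_load(RUN_SECCOMP_CFG);
+ return 0;
 }
 
 // keep filter for seccomp option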
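Review bot: The new `mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0)` call in seccomp_load maps `size` bytes without checking that the file length is a sane filter length; only `size == -1` is rejected. The unchanged line above it truncates `size` to `unsigned short` before dividing, so a file that is not a whole number of `struct sock_filter` entries, or is larger than 65535 bytes, yields an `entries` count that no longer matches the mapping, and a shortened filter could be installed without any error. I would add `if (size <= 0 || (size_t)size % sizeof(struct sock_filter) != 0 || (size_t)size / sizeof(struct sock_filter) > USHRT_MAX) goto errexit;` before the `entries` computation. The function starts before the hunk and the `errexit` path continues past it, so whether `fd` is closed when `mmap` fails cannot be confirmed from here.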