Merge pull request #3569 from topimiettinen/seccomp-log

seccomp: logging
author: startx2017 <vradu.startx@yandex.com> 2020-08-12 11:34:32 -0500
committer: GitHub <noreply@github.com> 2020-08-12 11:34:32 -0500
commit: 224d86bcddb4fad8399da33f046e678037a89e05 (patch)
tree: e331ef6b99f91601526f499a23bd5e0c2e913e7f /src
parent: Added youtube-viewer profile with Gtk frontends (#3542) (diff)
parent: seccomp: logging (diff)
download: firejail-224d86bcddb4fad8399da33f046e678037a89e05.tar.gz
firejail-224d86bcddb4fad8399da33f046e678037a89e05.tar.zst
firejail-224d86bcddb4fad8399da33f046e678037a89e05.zip
9 files changed, 24 insertions, 11 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 5d6b4af66..f6b3b3252 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -229,6 +229,8 @@ int checkcfg(int val) {
 #ifdef HAVE_SECCOMP
                                if (strcmp(ptr + 21, "kill") == 0)
                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
+                                else if (strcmp(ptr + 21, "log") == 0)
+                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_LOG;
                                else {
                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21);
                                        if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 9c5a050b4..c98f80d13 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -186,7 +186,7 @@ typedef struct config_t {
        char *seccomp_list_drop, *seccomp_list_drop32;  // seccomp drop list
        char *seccomp_list_keep, *seccomp_list_keep32;  // seccomp keep list
        char *protocol;                 // protocol list
-        char *seccomp_error_action;                     // error action: kill or errno
+        char *seccomp_error_action;                     // error action: kill, log or errno
        // rlimits
        long long unsigned rlimit_cpu;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index f37d1ca52..b9cb43444 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1441,6 +1441,8 @@ int main(int argc, char **argv, char **envp) {
                                if (config_seccomp_error_action == -1) {
                                        if (strcmp(argv[i] + 23, "kill") == 0)
                                                arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                        else if (strcmp(argv[i] + 23, "log") == 0)
+                                                arg_seccomp_error_action = SECCOMP_RET_LOG;
                                        else {
                                                arg_seccomp_error_action = errno_find_name(argv[i] + 23);
                                                if (arg_seccomp_error_action == -1)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 70acd8a2a..970033899 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -991,6 +991,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        if (config_seccomp_error_action == -1) {
                                if (strcmp(ptr + 21, "kill") == 0)
                                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                else if (strcmp(ptr + 21, "log") == 0)
+                                        arg_seccomp_error_action = SECCOMP_RET_LOG;
                                else {
                                        arg_seccomp_error_action = errno_find_name(ptr + 21);
                                        if (arg_seccomp_error_action == -1)
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 4ab464289..73c9a6a8b 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -224,7 +224,8 @@ static char *usage_str =
        "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
        "\tidentified by name or PID.\n"
        "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
-        "    --seccomp-error-action=errno|kill - change error code or kill process.\n"
+        "    --seccomp-error-action=errno|kill|log - change error code, kill process\n"
+        "\tor log the attempt.\n"
 #endif
        "    --shell=none - run the program directly without a user shell.\n"
        "    --shell=program - set default user shell.\n"
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 892a88e25..3b3c92b46 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -20,7 +20,7 @@
 #include "fseccomp.h"
 #include "../include/seccomp.h"
 int arg_quiet = 0;
-int arg_seccomp_error_action = EPERM; // error action: errno or kill
+int arg_seccomp_error_action = EPERM; // error action: errno, log or kill
 static void usage(void) {
        printf("Usage:\n");
@@ -73,6 +73,8 @@ printf("\n");
        if (error_action) {
                if (strcmp(error_action, "kill") == 0)
                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                else if (strcmp(error_action, "log") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_LOG;
                else {
                        arg_seccomp_error_action = errno_find_name(error_action);
                        if (arg_seccomp_error_action == -1)
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 50920ce3a..29b858c70 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -274,7 +274,7 @@ struct seccomp_data {
 #define RETURN_ERRNO(nr) \
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
-extern int arg_seccomp_error_action;    // error action: errno or kill
+extern int arg_seccomp_error_action;    // error action: errno, log or kill
 #define KILL_OR_RETURN_ERRNO \
        BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 7b5653942..0784e7fd7 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -433,8 +433,10 @@ Enable seccomp filter and whitelist the system calls in the list.
 \fBseccomp.32.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
-\fBseccomp-error-action kill | ERRNO
+\fBseccomp-error-action kill | log | ERRNO
-Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call.
+Return a different error instead of EPERM to the process, kill it when
+an attempt is made to call a blocked system call, or allow but log the
+attempt.
 .TP
 \fBx11
 Enable X11 sandboxing.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 69cd4a7bc..e216531ae 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1059,7 +1059,7 @@ that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
 the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
 and shmat system calls and returns error EPERM to the process (or
-kills it, see \-\-seccomp-error-action below) if necessary.
+kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
 .br
 .br
@@ -2122,8 +2122,8 @@ Instead of dropping the syscall by returning EPERM, another error
 number can be returned using \fBsyscall:errno\fR syntax. This can be
 also changed globally with \-\-seccomp-error-action or
 in /etc/firejail/firejail.config file.  The process can also be killed
-by using \fBsyscall:kill\fR syntax.
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 .br
@@ -2193,7 +2193,8 @@ Instead of dropping the syscall by returning EPERM, another error
 number can be returned using \fBsyscall:errno\fR syntax. This can be
 also changed globally with \-\-seccomp-error-action or
 in /etc/firejail/firejail.config file.  The process can also be killed
-by using \fBsyscall:kill\fR syntax.
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 .br
@@ -2402,7 +2403,8 @@ By default, if a seccomp filter blocks a system call, the process gets
 EPERM as the error. With \-\-seccomp-error-action=error, another error
 number can be returned, for example ENOSYS or EACCES. The process can
 also be killed (like in versions <0.9.63 of Firejail) by using
-\-\-seccomp-error-action=kill syntax. Not killing the process weakens
+\-\-seccomp-error-action=kill syntax, or the attempt may be logged
+with \-\-seccomp-error-action=log. Not killing the process weakens
 Firejail slightly when trying to contain intrusion, but it may also
 allow tighter filters if the only alternative is to allow a system
 call.
author	startx2017 <vradu.startx@yandex.com>	2020-08-12 11:34:32 -0500
committer	GitHub <noreply@github.com>	2020-08-12 11:34:32 -0500
commit	224d86bcddb4fad8399da33f046e678037a89e05 (patch)
tree	e331ef6b99f91601526f499a23bd5e0c2e913e7f /src
parent	Added youtube-viewer profile with Gtk frontends (#3542) (diff)
parent	seccomp: logging (diff)
download	firejail-224d86bcddb4fad8399da33f046e678037a89e05.tar.gz firejail-224d86bcddb4fad8399da33f046e678037a89e05.tar.zst firejail-224d86bcddb4fad8399da33f046e678037a89e05.zip

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 5d6b4af66..f6b3b3252 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -229,6 +229,8 @@ int checkcfg(int val) {
229	#ifdef HAVE_SECCOMP	229	#ifdef HAVE_SECCOMP
230	if (strcmp(ptr + 21, "kill") == 0)	230	if (strcmp(ptr + 21, "kill") == 0)
231	cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;	231	cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
		232	else if (strcmp(ptr + 21, "log") == 0)
		233	cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_LOG;
232	else {	234	else {
233	cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21);	235	cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21);
234	if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1)	236	if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1)


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9c5a050b4..c98f80d13 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -186,7 +186,7 @@ typedef struct config_t {
186	char seccomp_list_drop, seccomp_list_drop32; // seccomp drop list	186	char seccomp_list_drop, seccomp_list_drop32; // seccomp drop list
187	char seccomp_list_keep, seccomp_list_keep32; // seccomp keep list	187	char seccomp_list_keep, seccomp_list_keep32; // seccomp keep list
188	char *protocol; // protocol list	188	char *protocol; // protocol list
189	char *seccomp_error_action; // error action: kill or errno	189	char *seccomp_error_action; // error action: kill, log or errno
190		190
191	// rlimits	191	// rlimits
192	long long unsigned rlimit_cpu;	192	long long unsigned rlimit_cpu;


diff --git a/src/firejail/main.c b/src/firejail/main.c index f37d1ca52..b9cb43444 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1441,6 +1441,8 @@ int main(int argc, char argv, char envp) {
1441	if (config_seccomp_error_action == -1) {	1441	if (config_seccomp_error_action == -1) {
1442	if (strcmp(argv[i] + 23, "kill") == 0)	1442	if (strcmp(argv[i] + 23, "kill") == 0)
1443	arg_seccomp_error_action = SECCOMP_RET_KILL;	1443	arg_seccomp_error_action = SECCOMP_RET_KILL;
		1444	else if (strcmp(argv[i] + 23, "log") == 0)
		1445	arg_seccomp_error_action = SECCOMP_RET_LOG;
1444	else {	1446	else {
1445	arg_seccomp_error_action = errno_find_name(argv[i] + 23);	1447	arg_seccomp_error_action = errno_find_name(argv[i] + 23);
1446	if (arg_seccomp_error_action == -1)	1448	if (arg_seccomp_error_action == -1)


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 70acd8a2a..970033899 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -991,6 +991,8 @@ int profile_check_line(char ptr, int lineno, const char fname) {
991	if (config_seccomp_error_action == -1) {	991	if (config_seccomp_error_action == -1) {
992	if (strcmp(ptr + 21, "kill") == 0)	992	if (strcmp(ptr + 21, "kill") == 0)
993	arg_seccomp_error_action = SECCOMP_RET_KILL;	993	arg_seccomp_error_action = SECCOMP_RET_KILL;
		994	else if (strcmp(ptr + 21, "log") == 0)
		995	arg_seccomp_error_action = SECCOMP_RET_LOG;
994	else {	996	else {
995	arg_seccomp_error_action = errno_find_name(ptr + 21);	997	arg_seccomp_error_action = errno_find_name(ptr + 21);
996	if (arg_seccomp_error_action == -1)	998	if (arg_seccomp_error_action == -1)


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 4ab464289..73c9a6a8b 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -224,7 +224,8 @@ static char *usage_str =
224	" --seccomp.print=name\|pid - print the seccomp filter for the sandbox\n"	224	" --seccomp.print=name\|pid - print the seccomp filter for the sandbox\n"
225	"\tidentified by name or PID.\n"	225	"\tidentified by name or PID.\n"
226	" --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"	226	" --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
227	" --seccomp-error-action=errno\|kill - change error code or kill process.\n"	227	" --seccomp-error-action=errno\|kill\|log - change error code, kill process\n"
		228	"\tor log the attempt.\n"
228	#endif	229	#endif
229	" --shell=none - run the program directly without a user shell.\n"	230	" --shell=none - run the program directly without a user shell.\n"
230	" --shell=program - set default user shell.\n"	231	" --shell=program - set default user shell.\n"


diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 892a88e25..3b3c92b46 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c
@@ -20,7 +20,7 @@
20	#include "fseccomp.h"	20	#include "fseccomp.h"
21	#include "../include/seccomp.h"	21	#include "../include/seccomp.h"
22	int arg_quiet = 0;	22	int arg_quiet = 0;
23	int arg_seccomp_error_action = EPERM; // error action: errno or kill	23	int arg_seccomp_error_action = EPERM; // error action: errno, log or kill
24		24
25	static void usage(void) {	25	static void usage(void) {
26	printf("Usage:\n");	26	printf("Usage:\n");
@@ -73,6 +73,8 @@ printf("\n");
73	if (error_action) {	73	if (error_action) {
74	if (strcmp(error_action, "kill") == 0)	74	if (strcmp(error_action, "kill") == 0)
75	arg_seccomp_error_action = SECCOMP_RET_KILL;	75	arg_seccomp_error_action = SECCOMP_RET_KILL;
		76	else if (strcmp(error_action, "log") == 0)
		77	arg_seccomp_error_action = SECCOMP_RET_LOG;
76	else {	78	else {
77	arg_seccomp_error_action = errno_find_name(error_action);	79	arg_seccomp_error_action = errno_find_name(error_action);
78	if (arg_seccomp_error_action == -1)	80	if (arg_seccomp_error_action == -1)


diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 50920ce3a..29b858c70 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h
@@ -274,7 +274,7 @@ struct seccomp_data {
274	#define RETURN_ERRNO(nr) \	274	#define RETURN_ERRNO(nr) \
275	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO \| nr)	275	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO \| nr)
276		276
277	extern int arg_seccomp_error_action; // error action: errno or kill	277	extern int arg_seccomp_error_action; // error action: errno, log or kill
278	#define KILL_OR_RETURN_ERRNO \	278	#define KILL_OR_RETURN_ERRNO \
279	BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)	279	BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
280		280


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7b5653942..0784e7fd7 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -433,8 +433,10 @@ Enable seccomp filter and whitelist the system calls in the list.
433	\fBseccomp.32.keep syscall,syscall,syscall	433	\fBseccomp.32.keep syscall,syscall,syscall
434	Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.	434	Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
435	.TP	435	.TP
436	\fBseccomp-error-action kill \| ERRNO	436	\fBseccomp-error-action kill \| log \| ERRNO
437	Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call.	437	Return a different error instead of EPERM to the process, kill it when
		438	an attempt is made to call a blocked system call, or allow but log the
		439	attempt.
438	.TP	440	.TP
439	\fBx11	441	\fBx11
440	Enable X11 sandboxing.	442	Enable X11 sandboxing.


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 69cd4a7bc..e216531ae 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1059,7 +1059,7 @@ that are both writable and executable, to change mappings to be
1059	executable, or to create executable shared memory. The filter examines	1059	executable, or to create executable shared memory. The filter examines
1060	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create	1060	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
1061	and shmat system calls and returns error EPERM to the process (or	1061	and shmat system calls and returns error EPERM to the process (or
1062	kills it, see \-\-seccomp-error-action below) if necessary.	1062	kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
1063	.br	1063	.br
1064		1064
1065	.br	1065	.br
@@ -2122,8 +2122,8 @@ Instead of dropping the syscall by returning EPERM, another error
2122	number can be returned using \fBsyscall:errno\fR syntax. This can be	2122	number can be returned using \fBsyscall:errno\fR syntax. This can be
2123	also changed globally with \-\-seccomp-error-action or	2123	also changed globally with \-\-seccomp-error-action or
2124	in /etc/firejail/firejail.config file. The process can also be killed	2124	in /etc/firejail/firejail.config file. The process can also be killed
2125	by using \fBsyscall:kill\fR syntax.	2125	by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
2126		2126	\fBsyscall:log\fR.
2127	.br	2127	.br
2128		2128
2129	.br	2129	.br
@@ -2193,7 +2193,8 @@ Instead of dropping the syscall by returning EPERM, another error
2193	number can be returned using \fBsyscall:errno\fR syntax. This can be	2193	number can be returned using \fBsyscall:errno\fR syntax. This can be
2194	also changed globally with \-\-seccomp-error-action or	2194	also changed globally with \-\-seccomp-error-action or
2195	in /etc/firejail/firejail.config file. The process can also be killed	2195	in /etc/firejail/firejail.config file. The process can also be killed
2196	by using \fBsyscall:kill\fR syntax.	2196	by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
		2197	\fBsyscall:log\fR.
2197	.br	2198	.br
2198		2199
2199	.br	2200	.br
@@ -2402,7 +2403,8 @@ By default, if a seccomp filter blocks a system call, the process gets
2402	EPERM as the error. With \-\-seccomp-error-action=error, another error	2403	EPERM as the error. With \-\-seccomp-error-action=error, another error
2403	number can be returned, for example ENOSYS or EACCES. The process can	2404	number can be returned, for example ENOSYS or EACCES. The process can
2404	also be killed (like in versions <0.9.63 of Firejail) by using	2405	also be killed (like in versions <0.9.63 of Firejail) by using
2405	\-\-seccomp-error-action=kill syntax. Not killing the process weakens	2406	\-\-seccomp-error-action=kill syntax, or the attempt may be logged
		2407	with \-\-seccomp-error-action=log. Not killing the process weakens
2406	Firejail slightly when trying to contain intrusion, but it may also	2408	Firejail slightly when trying to contain intrusion, but it may also
2407	allow tighter filters if the only alternative is to allow a system	2409	allow tighter filters if the only alternative is to allow a system
2408	call.	2410	call.