diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-10-15 12:26:49 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-10-15 12:26:49 -0400 |
| commit | 0cd353a7b71db740ac02635aa09c20f531b8a53e (patch) | |
| tree | c3f72138c68f3abf25b7741e1cfd32d1fc5819c7 /todo | |
| parent | --quiet (diff) | |
| download | firejail-0cd353a7b71db740ac02635aa09c20f531b8a53e.tar.gz firejail-0cd353a7b71db740ac02635aa09c20f531b8a53e.tar.zst firejail-0cd353a7b71db740ac02635aa09c20f531b8a53e.zip | |
new syscalls added to default seccomp filter
Diffstat (limited to 'todo')
| -rw-r--r-- | todo | 134 |
1 files changed, 134 insertions, 0 deletions
| @@ -45,3 +45,137 @@ make[1]: *** [seccomp.o] Error 1 | |||
| 45 | 45 | ||
| 46 | 7. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI) | 46 | 7. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI) |
| 47 | RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, | 47 | RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, |
| 48 | |||
| 49 | 8. To investigate | ||
| 50 | void SupervisorMain::setupSeccomp() { | ||
| 51 | // Install a rudimentary seccomp blacklist. | ||
| 52 | // TODO(security): Change this to a whitelist. | ||
| 53 | |||
| 54 | scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW); | ||
| 55 | if (ctx == nullptr) | ||
| 56 | KJ_FAIL_SYSCALL("seccomp_init", 0); // No real error code | ||
| 57 | KJ_DEFER(seccomp_release(ctx)); | ||
| 58 | |||
| 59 | #define CHECK_SECCOMP(call) \ | ||
| 60 | do { \ | ||
| 61 | if (auto result = (call)) { \ | ||
| 62 | KJ_FAIL_SYSCALL(#call, -result); \ | ||
| 63 | } \ | ||
| 64 | } while (0) | ||
| 65 | |||
| 66 | // Native code only for now, so there are no seccomp_arch_add calls. | ||
| 67 | |||
| 68 | // Redundant, but this is standard and harmless. | ||
| 69 | CHECK_SECCOMP(seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 1)); | ||
| 70 | |||
| 71 | // It's easy to inadvertently issue an x32 syscall (e.g. syscall(-1)). Such syscalls | ||
| 72 | // should fail, but there's no need to kill the issuer. | ||
| 73 | CHECK_SECCOMP(seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ERRNO(ENOSYS))); | ||
| 74 | |||
| 75 | #pragma GCC diagnostic push | ||
| 76 | #pragma GCC diagnostic ignored "-Wmissing-field-initializers" // SCMP_* macros produce these | ||
| 77 | // Disable some things that seem scary. | ||
| 78 | if (!devmode) { | ||
| 79 | // ptrace is scary | ||
| 80 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 0)); | ||
| 81 | } else { | ||
| 82 | // Try to be somewhat safe with ptrace in dev mode. Note that the ability to modify | ||
| 83 | // orig_ax using ptrace allows a complete seccomp bypass. | ||
| 84 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1, | ||
| 85 | SCMP_A0(SCMP_CMP_EQ, PTRACE_POKEUSER))); | ||
| 86 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1, | ||
| 87 | SCMP_A0(SCMP_CMP_EQ, PTRACE_SETREGS))); | ||
| 88 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1, | ||
| 89 | SCMP_A0(SCMP_CMP_EQ, PTRACE_SETFPREGS))); | ||
| 90 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1, | ||
| 91 | SCMP_A0(SCMP_CMP_EQ, PTRACE_SETREGSET))); | ||
| 92 | } | ||
| 93 | |||
| 94 | // Restrict the set of allowable network protocol families | ||
| 95 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 96 | SCMP_A0(SCMP_CMP_GE, AF_NETLINK + 1))); | ||
| 97 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 98 | SCMP_A0(SCMP_CMP_EQ, AF_AX25))); | ||
| 99 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 100 | SCMP_A0(SCMP_CMP_EQ, AF_IPX))); | ||
| 101 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 102 | SCMP_A0(SCMP_CMP_EQ, AF_APPLETALK))); | ||
| 103 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 104 | SCMP_A0(SCMP_CMP_EQ, AF_NETROM))); | ||
| 105 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 106 | SCMP_A0(SCMP_CMP_EQ, AF_BRIDGE))); | ||
| 107 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 108 | SCMP_A0(SCMP_CMP_EQ, AF_ATMPVC))); | ||
| 109 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 110 | SCMP_A0(SCMP_CMP_EQ, AF_X25))); | ||
| 111 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 112 | SCMP_A0(SCMP_CMP_EQ, AF_ROSE))); | ||
| 113 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 114 | SCMP_A0(SCMP_CMP_EQ, AF_DECnet))); | ||
| 115 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 116 | SCMP_A0(SCMP_CMP_EQ, AF_NETBEUI))); | ||
| 117 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 118 | SCMP_A0(SCMP_CMP_EQ, AF_SECURITY))); | ||
| 119 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 120 | SCMP_A0(SCMP_CMP_EQ, AF_KEY))); | ||
| 121 | #pragma GCC diagnostic pop | ||
| 122 | |||
| 123 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(add_key), 0)); | ||
| 124 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(request_key), 0)); | ||
| 125 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(keyctl), 0)); | ||
| 126 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(syslog), 0)); | ||
| 127 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(uselib), 0)); | ||
| 128 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(personality), 0)); | ||
| 129 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(acct), 0)); | ||
| 130 | |||
| 131 | // 16-bit code is unnecessary in the sandbox, and modify_ldt is a historic source | ||
| 132 | // of interesting information leaks. | ||
| 133 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(modify_ldt), 0)); | ||
| 134 | |||
| 135 | // Despite existing at a 64-bit syscall, set_thread_area is only useful | ||
| 136 | // for 32-bit programs. 64-bit programs use arch_prctl instead. | ||
| 137 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(set_thread_area), 0)); | ||
| 138 | |||
| 139 | // Disable namespaces. Nested sandboxing could be useful but the attack surface is large. | ||
| 140 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(unshare), 0)); | ||
| 141 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(mount), 0)); | ||
| 142 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(pivot_root), 0)); | ||
| 143 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(quotactl), 0)); | ||
| 144 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1, | ||
| 145 | SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER))); | ||
| 146 | |||
| 147 | // AIO is scary. | ||
| 148 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_setup), 0)); | ||
| 149 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_destroy), 0)); | ||
| 150 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_getevents), 0)); | ||
| 151 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_submit), 0)); | ||
| 152 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_cancel), 0)); | ||
| 153 | |||
| 154 | // Scary vm syscalls | ||
| 155 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(remap_file_pages), 0)); | ||
| 156 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(mbind), 0)); | ||
| 157 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(get_mempolicy), 0)); | ||
| 158 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(set_mempolicy), 0)); | ||
| 159 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(migrate_pages), 0)); | ||
| 160 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(move_pages), 0)); | ||
| 161 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(vmsplice), 0)); | ||
| 162 | |||
| 163 | // Scary futex operations | ||
| 164 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(set_robust_list), 0)); | ||
| 165 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(get_robust_list), 0)); | ||
| 166 | |||
| 167 | // Utterly terrifying profiling operations | ||
| 168 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(perf_event_open), 0)); | ||
| 169 | |||
| 170 | // TOOD(someday): See if we can get away with turning off mincore, madvise, sysinfo etc. | ||
| 171 | |||
| 172 | // TODO(someday): Turn off POSIX message queues and other such esoteric features. | ||
| 173 | |||
| 174 | if (seccompDumpPfc) { | ||
| 175 | seccomp_export_pfc(ctx, 1); | ||
| 176 | } | ||
| 177 | |||
| 178 | CHECK_SECCOMP(seccomp_load(ctx)); | ||
| 179 | |||
| 180 | #undef CHECK_SECCOMP | ||
| 181 | } | ||